Going mad - reverse proxy using router certificate not NAS certificate

NAS: DS920+, DS416slim
Operating system: Windows
Mobile operating system: Android
I can't work out what is going on although I have a hunch or two.

This is to access DSM via my website.

Received a new router from the ISP and had to make a change or two.

My setup is:

1. website uses A record to point to my static IP
2. router forwards the request to my NAS
3. the NAS picks up the request, and should be issuing the SSL/HTTPS certificate for the session

THE PROBLEM: the connection tries to use the SSL certificate of my router, not the LE one for my domain on the DSM - and so the connection fails.

With the old router I used port 443 for the reverse proxy, but 443 doesn't work on the new router (I think it is reserved by the ISP), so I changed it to 444.

With the old router the above would work simply going to my.website.com. Now I have to go to my.website.com:444. I want to remove the :444 if possible.

There is a reverse proxy picking up 444 and forwarding it to the DSM HTTPS port.

HOWEVER, and this is where the general problem lies, I can't work out where my router (especially the old one) would have been picking up the external port used if the website was simply my.website.com. The A record on the website doesn't point to a port, just the static IP.

SO I was thinking, maybe it worked without :443/:444 before because 443 is the default HTTPS port and therefore it wasn't required?

OR - is there a setting on my router that will somehow redirect a request from my.website.com to port 444 on the DSM? But I don't remember doing this on the old router!

Any help would be greatly appreciated...!
 
Now I have to go to my.website.com:444. I want to remove the :444 if possible.
OK, so outside traffic is unable to land on 443, but rather first contact is on port 444?

There is a reverse proxy picking up 444 and forwarding it to the DSM HTTPS port.
Where? What is it? Is it something on the router, or a device after the router? If it's after, then you are still coming in as 444 and then redirected to some other port etc. In any case, you have a problem with the outside world not seeing 443 at all, as long as first contact is 444.

maybe it worked without :443/:444 before because 443 is the default HTTPS port and therefore it wasn't required?
All traffic needs an IP address and a port. The fact that 443 is not visible when using HTTPS is just cosmetic; in the background, it is using 443.

OR - is there a setting on my router that will somehow redirect a request from my.website.com to port 444 on the DSM? But I don't remember doing this on the old router!
Reason for my 2nd question.

The ISP could simply be blocking usage of port 443 as a forward port to prevent users from hosting web sites.

You could try and set it up as a DMZ setup, and use your own router after the ISP one. That way you will be able to pass all traffic over the ISP router onto your own, and there terminate port forwards, firewalls etc. This should work if the ISP router has support for DMZ configuration.

Also if you can configure it in "bridge" mode with your own router, it should be the same. From what you have written I guess you don't have one more router (your own), but if there will be no way around it, and you don't want to explicitly type in the ports, guess that would be a way to go.

Maybe someone will have more ideas.
 
ok so outside traffic is unable to land on 443 but rather 1st contact is on port 444?

Yep. I was using 443 with the old router but that didn't work so I changed it to 444. And now my router ssl cert is being used...


Where? What is it? Is it something on the router, or a device after the router? If it's after, then you are still coming in as 444 and then redirected to some other port etc. In any case, you have a problem with the outside world not seeing 443 at all, as long as first contact is 444.

I think maybe you have misunderstood a little bit about my setup - 443 is no longer being used as the source port for the reverse proxy. It is now 444 and points to my DSM https port.

The reverse proxy is on the NAS hence I think it is pointless without a port... because the reverse proxy needs a source port.

Reason for my 2nd question.

ISP could be simply blocking usage of 443 port as a forward port to prevent users for hosting web sites.

they do say that they reserve 80 and 443 for their own purposes...

Is 443 the default for HTTPS websites? So if I use 443 for the reverse proxy, then my.website.com would work (i.e. without the :xxx port)? I guess that is why it worked before on the old router.

So how do people host websites on their NAS, in a way that doesn't require a port to be typed in?

So confused!!

You could try and set it up as a DMZ setup, and use your own router after that ISP one. That way you will be able to pass all traffic over ISP onto your own, and there terminate port forwards, firewalls etc. This should work, if, ISP router has support for DMZ configuration.

Also if you can configure it in "bridge" mode with your own router, it should be the same. From what you have written I guess you don't have one more router (your own), but if there will be no way around it, and you don't want to explicitly type in the ports, guess that would be a way to go.

Unfortunately I don't have my own/spare router. Ideally I will get this set up with the hardware I already have...

Maybe someone will have more ideas.

:)
 
I think maybe you have misunderstood a little bit about my setup - 443 is no longer being used as the source port for the reverse proxy. It is now 444 and points to my DSM https port.
No, I understood it fine then. So your outside port is in fact 444 and your reverse proxy is coming in after your router. It means that you will have to use your outside port as the reverse proxy source parameter if you want to do it that way.

The fact is that your source reverse port needs to be your publicly accessible port so that when an outside request comes and hits your router it will need to push to your reverse host. That host needs to be then configured with that same port so that it knows where to redirect internally.

If you have multiple HTTPS sites/services on the same public port, the FQDN name is used to redirect to the exact internal host (destination).

The reverse proxy is on the NAS hence I think it is pointless without a port... because the reverse proxy needs a source port.
Correct

Is 443 the default for https websites?
It is a default HTTPS port, not just websites. Any web service can "live" behind it. Ports are in a relation to the protocol (http, https etc), not the content behind it.

So if I use 443 for the reverse proxy then my.website.com would work (ie without the :xxxport ?) ? I guess that is why it worked before on the old router.
Also correct, but at the moment that will not be possible. If you have no control over port 443 on your router as your incoming (forwarded) port, and have to use 444 or any other non-default HTTPS port, you will be able to use reverse proxy services, but with an explicit entry of that particular port when accessing the service.

Meaning, if you type in https://zzz.mysite.com without the 444 port, your web browser (any modern one) will automatically use 443 and try to hit your router on that port. Considering it is being used by your ISP, you will either a) not hit the service you were going for and stop there, or b) not hit your service and land on whatever other service is running on your router's 443. In most cases, it will be the router's login page or something like that.

Ideally I will get this set up with the hardware I already have
Not sure you will be able to do it if you have no control over router ports and forwards, but I do hope you will.
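The name-based routing described above (several HTTPS services behind one public port, told apart by the FQDN the client asks for) is what a reverse proxy rule on the NAS amounts to. The following is an added illustration written for this page, not DSM's generated configuration and not anything posted in the thread: a hand-written nginx equivalent of two rules sharing public port 444. The second hostname photos.website.com, the backend ports 5001 and 8443, and the certificate paths are assumptions.

```nginx
# Added illustration only: hand-written nginx equivalent of two reverse-proxy rules.
# Both rules listen on the SAME port the router forwards (444 here); nginx selects the
# server block from the TLS SNI name, then the Host header, and presents that block's
# certificate. The router's own TLS listener on 443 is never involved on this path.

server {
    listen 444 ssl;                           # must equal the externally forwarded port
    server_name my.website.com;               # FQDN from the thread
    ssl_certificate     /path/to/my.website.com/fullchain.pem;   # placeholder paths
    ssl_certificate_key /path/to/my.website.com/privkey.pem;

    location / {
        proxy_pass https://127.0.0.1:5001;    # assumed DSM HTTPS port
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 444 ssl;                           # same public port, different name
    server_name photos.website.com;           # assumed second hostname
    ssl_certificate     /path/to/photos.website.com/fullchain.pem;
    ssl_certificate_key /path/to/photos.website.com/privkey.pem;

    location / {
        proxy_pass https://127.0.0.1:8443;    # assumed second internal service
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

A request for a name that matches no server_name on port 444 is served by the first block for that port (or the one marked default_server), so the certificate a client sees for an unknown name is the first block's, which is worth remembering when reading a browser's certificate warning.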
 
@Rusty sorry for the delay and thanks for the advice.

Basically I just got lucky with the last router having no default 443 page and passing 443 requests straight through to which port forward requested it...

I will have to do more research because if people are able to host websites on the NAS (without a port explicitly in the address) I should be able to do the same with DSM!
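Two things in this thread are quick to check from the outside: which port a given URL really connects to (the hidden :443), and whose certificate actually answers on that port, the router's or the NAS's Let's Encrypt one. The script below is an added example written for this page, not code from the thread or from Synology. The hostnames my.website.com and router.local and the sample certificates are constructed for illustration; the offline helpers run against those samples, and probe() does a real connection when you run the file with a URL.

```python
"""Check which TLS certificate actually answers on a host:port (added example)."""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Ports a browser uses when the address bar shows none.
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url):
    """Port a browser really connects to: https://my.website.com -> 443,
    https://my.website.com:444 -> 444. The :443 is only hidden, never absent."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]


def cert_names(cert):
    """DNS names a certificate is valid for, SAN entries first, then the CN.
    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def _name_matches(pattern, hostname):
    # A wildcard covers exactly one leftmost label (RFC 6125 section 6.4.3).
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def cert_matches(cert, hostname):
    """True if the certificate is valid for `hostname` (the check a browser performs)."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def probe(hostname, port, timeout=5.0):
    """Open a TLS session to hostname:port with SNI set to hostname and report whether
    the presented certificate verifies for that name. A router answering with its own
    certificate shows up as 'Hostname mismatch' or 'self-signed certificate'."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return {"ok": True, "names": cert_names(cert)}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": exc.verify_message}
    except OSError as exc:  # refused, timed out, reset: nothing is listening there
        return {"ok": False, "reason": str(exc)}


# Constructed sample certificates in getpeercert() layout; not real certificates.
SAMPLE_ROUTER_CERT = {
    "subject": ((("commonName", "router.local"),),),
    "subjectAltName": (("DNS", "router.local"),),
}
SAMPLE_NAS_CERT = {
    "subject": ((("commonName", "my.website.com"),),),
    "subjectAltName": (("DNS", "my.website.com"), ("DNS", "*.website.com")),
}


if __name__ == "__main__":
    # Usage: python tlsprobe.py https://my.website.com:444   (hostname is an assumption)
    url = sys.argv[1] if len(sys.argv) > 1 else "https://my.website.com"
    host, port = urlsplit(url).hostname, effective_port(url)
    print(f"{url} -> connecting to {host}:{port}")
    print(probe(host, port))
```

Run it once against https://my.website.com and once against https://my.website.com:444: the first shows the hidden 443 and, on a router that owns that port, a hostname mismatch or self-signed result; the second should return ok with the Let's Encrypt names if the forward and the reverse proxy rule line up.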