Please Help me with Troubleshooting Reverse Proxy

NAS: DS918+
Operating system: Windows
Mobile operating system: Android
I've been working on this problem for a couple of weeks, many many hours actually. I also tried about a year ago, and now I'm back at it and I cannot figure out what I am missing in getting Reverse Proxy to work. I have done a lot of investigating and can usually find answers with enough time researching, but I am stumped. I just don't know enough about this sort of stuff, I think. I will try to show everything I have done, and tell you what works and what doesn't. I have followed a couple of tutorials and everything works right up to the very end where they say "Congratulations, now you should have Reverse Proxy working!"

To start I have a domain:

1.jpg


I guess I will refer to it as dn.ca. I also have a Static IP and I have my DNS A records pointing to it as shown in the following Screenshot:

2.jpg


Side note: you can see my ultimate goal with Reverse Proxy in the last entry, which is to be able to access my services without needing to open excess ports. I was trying something else at that point, desperate I think. I don't believe this is needed in any way and should probably not be here, but I was trying stuff!

I can ping dn.ca which does resolve to my Static IP address.

3.jpg


I can do a browser search for dn.ca and it will get through my Port Forwarding on my router to my NAS (443). And as you can see I have been messing around a bit with Port Forwarding. You can disregard the Nas881, that is my offsite NAS, unless somehow that is causing an issue. I tried with and without mapping the 443 Internal Port.

6.jpg


But no matter what I do the end result is always the same shown here:

4.jpg


This is what I have set up in my Reverse Proxy section:

5.jpg


And here I tried both with localhost and with the IP address of the NAS in place of localhost in the Destination like this: http://192.168.205.3:5690

I feel like I must be setting something wrong at my Domain Name Registrar site, which is Rebel BTW, because I have no idea what I'm doing there, or else it's just something else simple I'm missing? If anyone knows what I can do or the troubleshooting path to follow, I am really stumped at this point. Thank you to anyone who might be able to help.
 
1684572122360.png

What's the ':4000' doing here? It looks to be a port but DNS doesn't work on ports, only IP addresses. I'm not sure why whatever you're using would allow a port to be appended.

BTW, are you running your own primary DNS server for your domain? Or do you use a DNS service provider as primary? I only ask because I see you are allowing TCP and UDP 53 from the Internet and that's only needed if you are hosting the primary for the World. I'm not sure you need to allow TCP 53 unless you want zone transfers from your DNS server or the responses are so big that they exceed 512 Bytes. Personally (if I had a static IP, which I don't), as a home user, I would use a DNS service provider for my domain resolution for the Internet. I do run DNS Server internally so that I can resolve my domain (i.e. bookmarks) to local IP addresses.


[getting sidetracked] But you're also using FTP too. Is there a reason you can't use a more secure service?
 
Upvote 0
Thank you fredbert for replying. The 4000 was just me grasping at straws trying to add an address DNS record on Rebel.com. It is the port I set my HTTP on my NAS to instead of the default 5000. It did nothing and didn't work. I believe that whole DNS A record can be eliminated?

Yes you are correct about the FTP, I believe I had that set up long ago from when I first set up the NAS and it was instructed for me to do that when I needed it, so I believe it is time to delete that. Same for the 53. So I should change that one to UDP instead of BOTH then, is what you recommend?

To answer your question I'm using a DNS service provider (Rebel.com), but I really don't think I have it set up right. I believe that what you may be doing is what I want to do, so maybe the solution is to run my own DNS Server? I will start with blocking the two ports you mentioned plus I can get rid of the line in the part that you quoted about the '4000'. Thanks again fredbert.
 
Upvote 0
If you want to confirm whether the domain/subdomain is being resolved correctly then you should be able to use a command line utility (depends on OS: Terminal; cmd.exe; PowerShell) and run dig or nslookup. That would say what IP address you should be going to.

On an Internet DNS service I cannot imagine what use there is for your loopback and local host. It will tell whatever device is asking to use itself.

So on your Rebel DNS account you should have A records that point the domain and subdomains to your home WAN IP address. You could also use CNAME records that point subdomains to other domains/subdomains (when the IP changes on the A records you won’t have to change the CNAME records). You may also be able to create a wildcard A or CNAME record that directs anything that isn’t explicitly defined to a common destination. When requested the domain/subdomain will resolve to an IP address.

The client application adds the TCP or UDP port to the resolved IP address and sends this to the destination device. Which for you is your router. The router has forwarding rules for some TCP and UDP ports, so instead of processing these requests itself it sends the request to an internal device (sometimes changing the destination port, if needed).

On the destination device (your NAS) the service that is listening on that port will process the request. When it is a web request and there’s a reverse proxy listening for it then everything is being received on a set of TCP ports, most often it will mostly be TCP ports 80 and 443. The reverse proxy will look at the actual sub/domain name part of the request to see how to handle TCP 443 requests for this sub/domain name. These will be directed to the real destination.
 
Upvote 0
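The request path fredbert describes (DNS record lookup, client appends the port, router forwards the port to the NAS, reverse proxy dispatches on the Host header) as a small simulation. This is an added example, not code from the thread or from Synology; the zone contents, the home WAN address 203.0.113.10 (a TEST-NET-3 stand-in) and the router rules are constructed, while the NAS address 192.168.205.3, the destination http://192.168.205.3:5690 and the name dashy.dn.ca are the values the thread itself shows. The wildcard handling is simplified (explicit record wins, then the nearest `*.` record; no closer-encloser rule), and `add_a_record` rejects the `address:port` form that DNS cannot carry.

```python
import ipaddress
from urllib.parse import urlsplit

WAN_IP = "203.0.113.10"   # constructed stand-in for the home static IP (TEST-NET-3 range)
NAS_IP = "192.168.205.3"  # NAS address as given in the thread


def add_a_record(zone, name, value):
    """Store an A record. Raises ValueError for 'ip:port' values: DNS holds addresses only."""
    ipaddress.IPv4Address(value)            # e.g. '203.0.113.10:4000' is rejected here
    zone[name.lower().rstrip(".")] = ("A", value)


def add_cname_record(zone, name, target):
    """Store a CNAME: the name becomes an alias for target and follows its A record."""
    zone[name.lower().rstrip(".")] = ("CNAME", target.lower().rstrip("."))


# Constructed zone for dn.ca: apex A record, a CNAME, and an explicit '*' wildcard record.
ZONE = {}
add_a_record(ZONE, "dn.ca", WAN_IP)
add_cname_record(ZONE, "www.dn.ca", "dn.ca")
add_a_record(ZONE, "*.dn.ca", WAN_IP)


def resolve(name, zone=ZONE, max_chain=5):
    """Return the IPv4 for name: exact record first (A, or CNAME chased), otherwise the
    nearest wildcard record. Simplified model: no closer-encloser rule, no TTLs.
    None stands for NXDOMAIN."""
    name = name.lower().rstrip(".")
    for _ in range(max_chain):              # bounded CNAME chase
        rec = zone.get(name)
        if rec is None:
            labels = name.split(".")
            for i in range(1, len(labels) - 1):   # tries *.dn.ca, never *.ca
                rec = zone.get("*." + ".".join(labels[i:]))
                if rec is not None:
                    break
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "A":
            return value
        name = value                        # CNAME: resolve the target on the next pass
    return None


# Router port-forwarding rules (constructed): WAN TCP port -> (internal host, internal port).
PORT_FORWARDS = {80: (NAS_IP, 80), 443: (NAS_IP, 443)}

# Reverse-proxy rules on the NAS: Host header -> destination (destination as in the thread).
PROXY_RULES = {"dashy.dn.ca": "http://192.168.205.3:5690"}


def route_by_host(host_header, rules=PROXY_RULES):
    """Host-header dispatch: the proxy ignores the port and matches the name exactly."""
    host = host_header.rsplit(":", 1)[0].lower().rstrip(".")
    return rules.get(host)                  # None -> the proxy's default/404 page


def trace_request(url):
    """Follow one browser request through the four stages and report where it stops."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)   # client supplies the port
    ip = resolve(u.hostname)
    if ip is None:
        return {"stage": "dns", "error": "no record (NXDOMAIN)"}
    if ip != WAN_IP:
        return {"stage": "dns", "error": "resolves to %s, not the home IP" % ip}
    target = PORT_FORWARDS.get(port)
    if target is None:
        return {"stage": "router", "error": "no forwarding rule for TCP %d" % port}
    backend = route_by_host(u.hostname)
    if backend is None:
        return {"stage": "proxy", "error": "no reverse-proxy rule for Host %s" % u.hostname}
    return {"stage": "ok", "ip": ip, "nas": target, "backend": backend}


if __name__ == "__main__":
    for url in ("https://dn.ca/", "https://www.dn.ca/", "https://dashy.dn.ca/",
                "https://other.dn.ca/", "https://dashy.dn.ca:5001/", "https://dn.net/"):
        print(url, "->", trace_request(url))
```

Running the script shows the same failure points the thread walks through in order: a name with no record stops at DNS, a port without a router rule stops at the router, and a subdomain that resolves but has no proxy entry reaches the NAS and then hits the proxy's default page.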
I accidently deleted my first reply which you may or may not have already seen. This is a second copy. Here is a screenshot of all of my current Rebel.com DNS records, including the NS records which I had not shown initially. I got rid of the three you instructed fredbert:

7.jpg


I did a customer service chat, shown below, with Rebel.com and the guy on the chat says that it looks like the DNS settings are OK on that end:

(12:14:58 AM) D: I would like to know how to create a wildcard A record.
(12:16:24 AM) Gilbert: Wildcard A records are the www.dn.ca or anything.dn.ca
(12:17:25 AM) D: OK I am a noob so please bear with me. I am trying to set up a reverse proxy.
(12:19:55 AM) Gilbert: I pulled up the advanced DNS records and I see you have www.dn.ca pointing to an IP address.
(12:20:05 AM) D: Yes
(12:20:06 AM) Gilbert: The *.dn.ca also acts as a wildcard as well.
(12:21:04 AM) D: Is the * one the one with nothing in front, because I see no *
(12:21:27 AM) Gilbert: It doesn't have to be added. You already have the www.dn.ca
(12:22:08 AM) Gilbert: the *.dn.ca is used when you want to have anything before the domain point to the website like dn.dn.ca or anything.dn.ca and it will point to its destination IP address.
(12:22:42 AM) D: OK so if I'm having troubles with getting reverse Proxy working it's probably not something wrong here then right?
(12:22:58 AM) D: It looks like it's set up correctly?
(12:23:06 AM) Gilbert: The domain's advanced DNS records are pointing properly to their destination.
(12:23:15 AM) D: Thank you.
(12:23:23 AM) Gilbert: Anytime.
(12:23:53 AM) * Gilbert left the chat *
 
Upvote 0
Different DNS service providers would seem to do things differently, and Rebel would appear to automatically enable wildcard resolution (I’m sure the ones I’ve used before don’t do this).

So now you have tidied up the DNS records. The wildcard should provide the correct resolution to your home IP address for anything you haven't explicitly created a record for. Have you tested that this now resolves correctly? Use nslookup or dig as mentioned before. Or there's probably a web service that can do it.
 
Upvote 0
I really appreciate your assistance fredbert, we're getting close now. When I use nslookup I get the following behaviour:

8.jpg


So it works for dn.ca but not for the wildcard. So I'm assuming perhaps it's the way I have Pi-hole set up?
 
Upvote 0
You’re actually running the nslookup.exe command in interactive mode, so you don’t start every command inside it with ‘nslookup ‘.

The default DNS server that is used is from your network settings, but you can change this e.g. to CloudFlare with command server 1.1.1.1
 
Upvote 0
OK, I've got the NSLOOKUP figured out now. Here are the results:

9.jpg


Thanks.
-- post merged: --

I forgot to show that the wildcard lookup didn't work, but the reverse lookup didn't work so I think that's pretty much the result of the same problem right?
 
Upvote 0
So there's forward resolution for your domain, but there's no reverse resolution setup by your ISP. Your next request to test should be for the subdomains, both configured in Rebel and not (wildcard test).

:) posts passed each other.

Wildcard would be nice but not essential. You could try adding an explicit wildcard record at Rebel, using * as the host name.
 
Upvote 0
Solution
Success! The explicit wildcard record using * worked. However, I have a follow-up question. How do I get my Certificate to work correctly? My test example, dashy.dn.ca, works now through the proxy but gets the "at risk" warning (where you can proceed at your own risk). This warning does not happen when not using the wildcard. The screenshot I attached shows that dashy.dn.ca was inserted into the same dn.ca root certificate automatically when created by the Reverse Proxy.

11.jpg


Here is the Reverse Proxy entry for your info:

12.jpg


Thank you so much once again fredbert for getting me here. I really appreciate it!
 
Upvote 0
Good you're moving forward!

The certificate alert will be because the certificate itself doesn't cover dashy.dn.ca, either as its domain name or in the list of Subject Alternative Names. It looks like you are using Let's Encrypt: when you are creating the certificate you can add a list of other names that this certificate covers; put dashy.dn.ca in this list, and they will be tested by LE when it creates the certificate. Something like this...

1685032075748.png


You can have more certificates if you can't fit all the SANs in the 255 character limit. I have a set of certificates that I've grouped by usage (default + system services; application portals; proxies; virtual hosts; etc). Then use the Settings button to assign the right certificate to each service.
 
Upvote 0
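To see why the browser warns on dashy.dn.ca while dn.ca is fine, here is the name-matching rule a browser applies to a certificate, written out as an added example (not code from the thread, Synology or Let's Encrypt). The certificate contents are constructed dictionaries standing in for the real certificate; the matching follows the usual RFC 6125 rules (exact SAN match, `*` only as the whole leftmost label, never spanning two labels, CN ignored once SANs exist). The last helper packs names into certificates under the 255-character limit the post mentions; how that limit counts separators is an assumption, so it is a parameter.

```python
def hostname_covered(hostname, san_dns_names):
    """True if hostname matches one of the certificate's DNS SANs.
    Wildcard rules as browsers apply them: '*' must be the entire leftmost label,
    it matches exactly one label, and '*.tld' style entries are not accepted."""
    h = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        s = san.lower().rstrip(".").split(".")
        if len(s) != len(h):
            continue                        # *.dn.ca never covers a.b.dn.ca or dn.ca
        if s[0] == "*":
            if len(s) < 3:
                continue                    # reject *.ca (simplified public-suffix guard)
            if s[1:] == h[1:]:
                return True
        elif s == h:
            return True
    return False


def certificate_problem(hostname, cert):
    """Explain the browser warning for hostname, or return None when the cert is fine.
    cert is a constructed dict: {'subject_cn': str, 'san': [dns names]}."""
    names = cert.get("san") or []
    if not names:
        return "certificate has no Subject Alternative Names; browsers ignore the CN"
    if hostname_covered(hostname, names):
        return None
    return "certificate does not cover %s (SANs: %s)" % (hostname, ", ".join(names))


def group_sans(names, limit=255, separator_len=1):
    """Greedily split names into certificates whose SAN list stays within limit characters.
    Assumption: the limit counts the names plus one separator character between them."""
    groups, current, used = [], [], 0
    for name in names:
        extra = len(name) + (separator_len if current else 0)
        if current and used + extra > limit:
            groups.append(current)
            current, used, extra = [], 0, len(name)
        current.append(name)
        used += extra
    if current:
        groups.append(current)
    return groups


# Constructed certificates: what the thread's dn.ca certificate looks like before and after
# the extra name is added, plus the wildcard alternative.
CERT_BEFORE = {"subject_cn": "dn.ca", "san": ["dn.ca", "www.dn.ca"]}
CERT_AFTER = {"subject_cn": "dn.ca", "san": ["dn.ca", "www.dn.ca", "dashy.dn.ca"]}
CERT_WILDCARD = {"subject_cn": "dn.ca", "san": ["dn.ca", "*.dn.ca"]}

if __name__ == "__main__":
    for label, cert in (("before", CERT_BEFORE), ("after", CERT_AFTER), ("wildcard", CERT_WILDCARD)):
        print(label, "->", certificate_problem("dashy.dn.ca", cert) or "ok")
    print(group_sans(["dn.ca", "www.dn.ca", "dashy.dn.ca", "files.dn.ca"], limit=24))
```

The wildcard certificate covers every one-label subdomain the `*` DNS record now resolves, which is the cheaper fix when many proxied names are planned; listing each name explicitly keeps the certificate from vouching for hosts that do not exist yet.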
