NGINX: how to manage different visibility (LAN vs Internet) - nginx

I've set up a Raspberry Pi server with OpenMediaVault on board, so I'm using Docker to set up multiple services such as:
Pi-hole
Plex
Nextcloud
and much more
I would like to expose some of them on the Internet, while others only on the LAN.
For the Internet I will use SSL from Let's Encrypt, while for the LAN I can use a self-signed certificate.
Right now, I'm thinking of creating multiple domains on two ports, one dedicated to the Internet and the other to the LAN, but... are there better alternatives (also from a security standpoint)?
P.S.: right now I'm not considering a VPN as an alternative.

For the people who will read this, I solved it this way using only one nginx instance (the linuxserver SWAG image):
Created another server block (port 8443)
Created a self-signed certificate for the new server block
Opened port 443 on the router and port-forwarded it, in order to expose only what I want to expose publicly, using proxy-conf
Did the same for server block 8443, which is not exposed, so no port forwarding
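A worked example of the split described above, added here as an illustration rather than the poster's actual SWAG configuration. The hostnames (cloud.example.com, pihole.lan), the Docker service names (nextcloud, pihole), the certificate paths and the LAN subnet 192.168.1.0/24 are assumptions. Besides "no port forward for 8443", the LAN block carries an address allow-list, so the service stays private even if the router's forwarding rule is ever widened by mistake, and a default_server block refuses TLS handshakes for any hostname that was not deliberately published.

```nginx
# /config/nginx/site-confs/default.conf  (path assumed for the SWAG image)

# Public services: the router forwards TCP/443 here.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name cloud.example.com;                     # assumed public hostname

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;   # Let's Encrypt, assumed path
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://nextcloud:80;                # assumed Docker service name
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Anything else arriving on 443 (unknown SNI / Host) gets no certificate at all,
# so scanners cannot enumerate what is hosted behind the public IP.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;                           # nginx >= 1.19.4
}

# LAN-only services: 8443 is NOT forwarded on the router, and the allow-list
# below is a second, independent control in case that ever changes.
server {
    listen 8443 ssl;
    listen [::]:8443 ssl;
    server_name pihole.lan;                            # assumed LAN hostname

    ssl_certificate     /config/keys/lan/selfsigned.crt;   # self-signed, assumed path
    ssl_certificate_key /config/keys/lan/selfsigned.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    allow 192.168.1.0/24;                              # assumed LAN subnet
    allow 127.0.0.1;
    deny  all;

    location / {
        proxy_pass http://pihole:80;                   # assumed Docker service name
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The self-signed pair for the LAN block can be produced with `openssl req -x509 -newkey rsa:2048 -nodes -days 825 -subj '/CN=pihole.lan' -keyout selfsigned.key -out selfsigned.crt`; validate with `nginx -t` before reloading. One check before trusting the allow-list: if the container is reached through Docker's userland proxy rather than iptables port mapping, `$remote_addr` in the access log may show the Docker bridge gateway instead of the real client, and the allow/deny rules would then be comparing the wrong address.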

Related

Can I use any other port than the default for MQTT with TLS-authentication?

I have set up a Mosquitto broker on my Raspberry Pi which I have running on my local network. I've tested this locally using the paho-mqtt package in Python, which is working; however, I want to access this broker remotely (outside my local network).
From what I understand, the safest way to do this is to use TLS authentication and configure Mosquitto to listen on port 8883, rather than opening the unencrypted port 1883, where login credentials can be sniffed. This is where my problems start, as I suspect my ISP doesn't allow forwarding port 8883 to the (static) IP address of my RPi. (The port won't open no matter what I try, and I've tried googling this specific issue.)
So my question is:
Is it possible to use another port than the default 1883 or 8883 (which my ISP hopefully allows to be opened) for accessing my locally hosted Mosquitto broker? For example one of the higher-numbered ports, which I understand are not reserved for anything.
I'm imagining connecting to the broker by using my external IP address with this port (xxx.xxx.xxx.xxx:yyyyy) and either tunneling this data to port 8883 on the local network, or configuring Mosquitto to listen on the selected port. Any tips on how I can solve this issue?
EDIT
Thanks for your answers! I just got off the phone with my ISP, and unfortunately they don't allow opening ANY ports because I live in a university dorm, so opening a different port won't work either. I guess using a cloud broker is the only option.
You can use any ports you want (or that your operating system will permit). MQTT uses certain ports by convention but is not restricted to using those ports. You're even welcome to encrypt on port 1883 if you want.
You'll need to do four things:
write the listener configuration directive correctly to use the port you want to use and make sure that you're listening on 0.0.0.0 in order to listen on all network interfaces, or the IP address of a specific network interface to listen on.
correctly configure encryption after the listener directive
ensure that the port you chose is accessible through any firewall your server may be running
properly configure any clients to use the port you configured and work with the encryption you configured
If you want to make it accessible over the Internet you'll need to open a port on your router as well.
If you do make it accessible over the Internet, please require authentication. Encryption won't stop strangers from connecting to your broker, it will just stop eavesdropping on them. Turn off allow_anonymous and set up some Mosquitto accounts.
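The four steps above, collected into one Mosquitto configuration. This is an added example, not the answerer's or the questioner's file; the port 9443, the certificate paths and the account name sensor1 are assumptions (Mosquitto 2.x syntax). Encryption and authentication are shown together on purpose, because, as the answer says, TLS alone does not stop strangers from connecting.

```conf
# /etc/mosquitto/conf.d/remote.conf   (assumed path)

# Step 1: listener. Any free port works; MQTT is not tied to 8883.
#         0.0.0.0 binds every interface; give one address instead to narrow it.
listener 9443 0.0.0.0                  # assumed port: forward this one on the router
protocol mqtt

# Step 2: TLS for that listener (paths assumed). cafile is the CA that signed
#         broker.crt; clients must be given the same CA to verify the broker.
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
# require_certificate true             # mutual TLS: clients must present a cert signed by cafile
# use_identity_as_username true        # ...and the certificate CN then becomes the MQTT username

# Step 4: authentication. Without this, anyone who finds the port can publish
#         and subscribe; encryption only hides the traffic from eavesdroppers.
allow_anonymous false
password_file /etc/mosquitto/passwd    # created with: mosquitto_passwd -c /etc/mosquitto/passwd sensor1
# acl_file /etc/mosquitto/acl          # optional: per-account topic restrictions

# Plaintext stays available, but only to clients on the broker host itself.
listener 1883 127.0.0.1
```

Step 3 lives outside this file: open the same port in the host firewall (`ufw allow 9443/tcp` on Raspberry Pi OS with ufw) and forward it on the router. With the default `per_listener_settings false`, `allow_anonymous` and `password_file` apply to every listener; if you set it to true they must be repeated under each `listener` line, or the plaintext listener silently becomes anonymous. A quick client-side check is `mosquitto_sub -h <public address> -p 9443 --cafile ca.crt -u sensor1 -P <password> -t test/#`.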

How to access the application from other device in local network

In the project I am working on, there is an application that runs on many Docker containers. To access one of the containers I need to add the following line to the /etc/hosts file
127.0.0.1 my.domain.com
Then the app, of course, is available at http://my.domain.com on my computer.
Unfortunately, this is a large, complicated application and I cannot change the configuration to add a port (then I would use 192.168.X.X:PORT from the other device). So how would I be able to access the application from another device on the local network (Wi-Fi or another way)? I tried using localtunnel or ngrok but they work too slowly and aren't good in this case.
Maybe someone knows another way?
If your server is running on IP 192.168.X.X on your local network, adding the line:
192.168.X.X my.domain.com
to the second device on your network should do the job.
Another solution is to run a proxy server on the same machine as your server and send all the requests to the proxy server. The proxy server will listen on another port but will forward all the requests to my.domain.com on the original port; this works because it uses the same /etc/hosts.
Try using the nginx web server as a proxy; the free version offers the feature you want.
Add a reverse proxy and host your app as my.domain.com
OR
Host your app on port 80, i.e. the default port
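The proxy approach from the second answer as an added example (not from any of the answerers), for nginx running on the same machine as the containers. It assumes the application listens on port 80 behind the `127.0.0.1 my.domain.com` hosts entry, that the LAN is 192.168.0.0/16 and that 8080 is free; all three are assumptions. The detail that makes it work is the Host header: an application that only answers to my.domain.com has to see that name, not 192.168.X.X:8080.

```nginx
# /etc/nginx/conf.d/lan-bridge.conf   (path assumed)
server {
    listen 0.0.0.0:8080;                 # reachable from other LAN devices (port assumed)

    # Development app: keep it off the wider Internet even if this box ever gets port-forwarded.
    allow 192.168.0.0/16;                # assumed LAN range
    deny  all;

    location / {
        # The name is resolved once at start-up through the system resolver,
        # i.e. via /etc/hosts -> 127.0.0.1, exactly as the browser on this box does it.
        proxy_pass http://my.domain.com:80;
        # The app routes on the hostname it was configured with, so send that, not $host.
        proxy_set_header Host my.domain.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
    }
}
```

One limitation to expect: if the application emits absolute links or redirects to http://my.domain.com, the second device still cannot resolve that name unless it also gets the hosts entry from the first answer; the two fixes combine well.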

IIS - Website at port 8080 can be accessed using localhost but not with external IP address

I have 3 websites running on my server, all of them on different ports. One is on port 80 and it works fine, the other one is on port 88 and it also works fine. Today I deployed a third one on port 8080 and opened the port in the firewall.
I can access it with http://localhost:8080/, with 127.0.0.1:8080 and with its internal IP address. I can't access it using the external IP address for some reason. I tried accessing it locally using the external IP address and I tried from another computer.
It is worth noting that the website on port 8080 is almost identical to the one on port 80.
Initially I thought it was a firewall issue but I disabled the firewall and tried again and I get the same result (The website took too long to respond).
I am using Windows 10 on the server.
Any ideas as to why this is happening?
I figured out the answer. I am using an EC2 instance from Amazon Web Services for a server. I forgot to go into the console in AWS and open the port there too. I did that and now it's working as it should.
There could be a couple of reasons.
Cloud provider (AWS) specific:
Check your subnet's ACL rules, both ingress and egress.
Check the security group attached to the instance. It should allow ingress on that port/protocol.
Windows Server firewall: all Windows servers and desktops have a firewall running which blocks any non-standard traffic. Make sure to add a custom rule to allow the traffic that you want to allow. I found this link helpful: https://computingforgeeks.com/how-to-open-a-port-in-windows-server-firewall/

Access to a site on localhost from remote

I usually develop my project on localhost, on Apache on an Ubuntu machine.
Sometimes I need to show progress to my customer.
Is it possible to access localhost from a remote machine?
You can use a service that provides a tunnel to your local service, such as localtunnel, pagekite or ngrok. These services simplify setting up remote demos, mobile testing and some provide request inspection as well.
I find ngrok useful because it provides a https address, which is needed to test things like webcam access.
Terms used in this answer:
Host = machine with site on it
Client = machine you are trying to access the host from
If the host and client are on the same network, you can access the host from the client by entering
http://(hostname or ip address)
in your client's browser. If the site is not running on port 80 (for http) or port 443 (for https), add the port like so (this example is for if your server is on 8080, a common alternate port):
http://(hostname or ip address):8080
If the host and client are not on the same network, and you need to reach across the internet from the client to see the host, you will need to make your host available on the internet for the client to access.
This can be extremely dangerous for your information security if you're not sure what you're doing and I'd recommend getting a cheap-o hosting account (can get them for like $10/month at places like 1:1 hosting).
There are many methods to do this - the difference is security, easiness of the configuration and cost of the solution.
Below I list some methods with some analysis.
Port Forwarding (with Dynamic DNS and SSL encryption)
This requires router configuration (to forward your router's public port to the localhost port); however, this requires you to have a fixed IP address. In case your IP address is not fixed (in most cases) you need to use a Dynamic DNS service to be able to use a domain name instead of an IP address (there are lots of free services available). Here we still have the security question open. To solve the security question, i.e. set up an SSL certificate, we can use the Let's Encrypt service ( https://letsencrypt.org/ ) to get a free certificate; however, we should configure the local server to use the certificate, or we should set up a reverse proxy (in most cases nginx or Apache) and configure the proxy to use the certificate.
Conclusion – Hard to set up if we want to have a secure connection (can be done for free)
VPN
For this scenario we should use VPN services. We should connect our local machine to the VPN, then on the other side we should connect our client's machine to the VPN, which will allow us to access localhost by its local IP address. We can set up our own VPN server; however, this requires knowledge to do it right.
Conclusion – Easy, Paid, Secure, Bad User Experience (connecting to the VPN every time you need to connect to localhost)
Tunneling
For this scenario we can use free tunneling services (i.e. https://tunnelin.com/). The process is very straight forward i.e. Register a User, Connect your device to service (by running one line command on device), use Web interface to open/close secure tunnels to the device.
Conclusion – Free, Secure, Easy
Yes, if you have a public and static IP. Usually, ISPs offer static ips during a session (i.e. until you disconnect and connect again)

Forward Proxy to Gateway of WLAN Accesspoint

In our network a proxy server is used to give all the clients, which are all Windows XP computers, access to the Internet. Now we want to set up a wireless LAN to allow people to connect their own mobile phones, computers, etc. to the Internet. However, if we simply connect a wireless access point to our network, everyone has to configure the proxy server on their devices.
What can I do so that the WLAN router can act as a gateway to the Internet using the proxy server?
You can NAT all the traffic destined to port 80 to a proxy machine. This is a so called forced or intercepting proxy.
For example, if you have a RouterOS router, you would simply add a rule
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=<proxy IP address>
If you proxy other protocols apart from HTTP, you would do the same for them, changing the port.
Many proxy solutions can run in intercepting mode (such that you have a machine with two network interfaces that filter all the traffic that is coming through). See this tutorial for setting it up with Squid.
Otherwise, if you already have a proxy server, you can use the solution above by placing a router or a server running routing software between the access point and your network, for example Vyatta or MikroTik RouterOS (commercial but pretty powerful), some open-source/freeware router/firewall distribution (pfSense, Openwall, m0n0wall, ...) or even a vanilla OpenBSD (with the pf firewall) / Linux (with iptables) to achieve the desired effect.
Once you get the straight-through routing in place it should be pretty straightforward to set up the proxy NAT as noted above.
You should consider applying this setting on the router that your access point connects to, as it may save you the trouble of setting up a new machine.
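The RouterOS rule from the answer, fleshed out as an added example (not the answerer's configuration) with the two refinements a practitioner would want: the redirect is limited to the WLAN side, so the proxy's own outbound HTTP is not caught and looped back, and the WLAN gets nothing else out except DNS and what the proxy relays. The WLAN subnet 192.168.50.0/24 on interface wlan-bridge, the proxy address 192.168.1.10 and its port 3128 are assumptions.

```routeros
# Intercept HTTP from WLAN clients only. in-interface keeps the proxy's own
# traffic (on the wired side) out of the rule; without it the proxy would be
# redirected to itself. Drop to-ports if the proxy really listens on 80.
/ip firewall nat
add chain=dstnat in-interface=wlan-bridge src-address=192.168.50.0/24 \
    protocol=tcp dst-port=80 dst-address-type=!local \
    action=dst-nat to-addresses=192.168.1.10 to-ports=3128 \
    comment="WLAN: intercept HTTP into the proxy"

/ip firewall filter
# Name resolution still happens on the client before it connects, so let DNS through.
add chain=forward in-interface=wlan-bridge protocol=udp dst-port=53 \
    action=accept comment="WLAN: DNS"
# The redirected connections (already rewritten by dstnat when forward sees them).
add chain=forward in-interface=wlan-bridge dst-address=192.168.1.10 \
    protocol=tcp dst-port=3128 action=accept comment="WLAN: to proxy"
# HTTPS cannot be silently redirected the same way: the client expects the
# origin's certificate, not the proxy's, so a dst-nat of 443 just breaks TLS.
# Either let it out directly (this rule) or delete it and configure the proxy
# on the clients for HTTPS.
add chain=forward in-interface=wlan-bridge protocol=tcp dst-port=443 \
    action=accept comment="WLAN: HTTPS goes direct"
add chain=forward in-interface=wlan-bridge action=drop \
    comment="WLAN: no other direct Internet access"
```

If the proxy is Squid, the receiving port has to be declared as `http_port 3128 intercept`, because an intercepted request carries a relative URI plus Host header rather than the absolute URI a configured proxy client sends. Squid's documentation also expects the NAT lookup to be available on the Squid host itself; when the redirect is done on a separate router as here, check Squid's cache.log for original-destination or Host-header warnings after the first test and, if they appear, route port 80 to the proxy box unmodified and do the redirect there instead.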
