To add to the conversation a little. Namecheap is great, and so is anger if
you need a dynamic dns on the cheap. https://freedns.afraid.org/

On Mon, Mar 11, 2019, 8:09 PM Joseph Sinclair wrote:

> I would second both Stephen and Dhruva with a slight expansion.
> 1) Setting up a HTTP (or Layer 7 in general) proxy is what you need to
> have one IP/port set directed to multiple backend HTTP servers/services.
> 2) TLS traffic is "special" to proxy, as the certificate has to be on the
> proxy, which needs to terminate the secure tunnel in order to inspect the
> traffic and figure out where it goes. You'll probably want to look into
> how you set up the server to manage multiple certificates (if you have
> different DNS entries) to make this work smoothly.
> 3) In addition to Nginx or Apache, you could also use HAProxy to set up a
> pure proxy (the proxy terminates TLS, inspects traffic, and directs traffic
> to backend services for both website and NAS based on HTTP
> characteristics), and manage traffic for both services in the proxy. Not
> the simplest setup, but a good toolset to learn for a ton of use cases.
> 3a) If you're looking to learn more, you can look at doing things like
> cookie inspection to direct traffic, so (e.g.) only traffic with a certain
> cookie will transit and other traffic goes to a tarpit or authentication
> service.
>
> On 2019-03-11 02:41 PM, Stephen Partington wrote:
> > You have two likely issues to overcome. The first is that letsencrypt
> > REQUIRES port 80 for certbot validation, unless you can control your DNS
> > to perform DNS authentication. They disabled HTTPS validation some time
> > ago.
> >
> > This is the part that makes the above part obnoxious. Port 80 on just
> > about any ISP for the last 30 years has been blocked. Sometimes you can
> > get it turned on for business accounts, sometimes on a home account for
> > WFH type purposes, but rarely without a cost. This will foul LetsEncrypt
> > in a big way for their normal validation.
> >
> > With your DDNS provider it will vary depending on what your provider is.
> > Google has great DDNS support. Dreamhost, not so much.
> >
> > DDNS is usually what will be used for a system that is on DHCP and will
> > need to have its ip/dns records updated. CNAME is for a redirection of
> > Domain A to Domain B (No IP).
> >
> > Here is the fun voodoo of a modern webserver. Apache and nginx both do
> > this well. You can put up one of those web-servers and use it as a
> > web-server, and then use a reverse proxy from that server into a website
> > or location on another machine that is not exposed to the internet. So
> > your NAS is now behind a location on your main server. IE your network is
> > homedomain.org and your webserver responds to it. Your NAS is behind your
> > firewall, but you set up a reverse proxy on your webserver so now
> > homedomain.org/NAS goes directly to your nas device's web page. If you
> > have more DNS and DDNS tools available you can create nas.homedomain.org
> > and tell your webserver to take all nas.homedomain.org traffic and
> > redirect to "website" A which is a reverse proxy to your NAS and then all
> > other traffic is handled by "website" B on the server itself.
> >
> > I have had limited success with this because I am very new to this. But
> > it is an interesting learning process and you learn a great deal about
> > webtraffic and the like.
> >
> > On Mon, Mar 11, 2019 at 2:17 PM Herminio Hernandez, Jr.
> > <herminio.hernandezjr@gmail.com> wrote:
> >
> >> The issue is most out of the box routers have pretty basic
> >> port-forwarding. If you are already forwarding 80/443 to one server then
> >> you will not be able to use it on another server unless you have more
> >> than one public ip address.
> >>
> >> On Mon, Mar 11, 2019 at 2:14 PM Carlton Brooks wrote:
> >>
> >>> I have a successful homeassistant setup running on a NUC with a
> >>> letsencrypt certificate. It uses Port 80 and 443 for internet access.
> >>>
> >>> I just bought a Synology NAS disk station DS918+ to do all my backups
> >>> etc.
> >>>
> >>> If I want to access the outside world with the NAS with an SSL or
> >>> Letsencrypt certificate, I again need to have port 80/443 open.
> >>>
> >>> This is where I need help. I will admit the lack of knowledge at this
> >>> point but I do know that two devices can not share the same ports, but
> >>> how might I configure the NAS to gain outside secure access.
> >>>
> >>> I can get a domain name but am confused as to using a DDNS or cname to
> >>> gain access.
> >>>
> >>> Any help in "somewhat" simple terms would be greatly appreciated.
> >>>
> >>> Thanks
> >>>
> >>> Carlton Brooks
> >>>
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
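
The name-based reverse proxy described in the thread (one public IP, TLS terminated on the proxy, one certificate per DNS name), written as an nginx configuration for the http context. This is an added example, not part of the original messages; the backend addresses and ports, the webroot path and the per-name certificate directories are assumptions.

```nginx
# Added example: hostnames follow the thread; backend addresses, ports and
# the webroot path are assumptions for illustration.
map $http_upgrade $connection_upgrade {   # pass WebSocket upgrades through
    default upgrade;
    ''      close;
}

# Port 80 stays reachable for ACME HTTP-01 validation; everything else redirects.
server {
    listen 80;
    server_name homedomain.org nas.homedomain.org;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}

# All other traffic ("website" B in the thread); here Home Assistant,
# assumed to listen on 192.168.1.10:8123.
server {
    listen 443 ssl;
    server_name homedomain.org;
    ssl_certificate     /etc/letsencrypt/live/homedomain.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/homedomain.org/privkey.pem;
    location / {
        proxy_pass http://192.168.1.10:8123;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# "Website" A: reverse proxy to the NAS, which is never exposed directly.
server {
    listen 443 ssl;
    server_name nas.homedomain.org;
    ssl_certificate     /etc/letsencrypt/live/nas.homedomain.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.homedomain.org/privkey.pem;
    location / {
        # Assumed NAS address and HTTPS port. nginx does not verify the upstream
        # certificate unless proxy_ssl_verify and a trusted CA are configured.
        proxy_pass https://192.168.1.20:5001;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout the router forwards 80/443 only to the proxy host, and nginx picks the certificate and backend from the requested hostname.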