Re: Port 80/443 router conflict

Author: Andrew McRobb
Date:  
To: Main PLUG discussion list
Subject: Re: Port 80/443 router conflict
To add to the conversation a little. Namecheap is great, and so is afraid if
you need a dynamic dns on the cheap.

https://freedns.afraid.org/

On Mon, Mar 11, 2019, 8:09 PM Joseph Sinclair <> wrote:

> I would second both Stephen and Dhruva with a slight expansion.
> 1) Setting up an HTTP (or Layer 7 in general) proxy is what you need to
> have one IP/port set directed to multiple backend HTTP servers/services.
> 2) TLS traffic is "special" to proxy, as the certificate has to be on the
> proxy, which needs to terminate the secure tunnel in order to inspect the
> traffic and figure out where it goes. You'll probably want to look into
> how you set up the server to manage multiple certificates (if you have
> different DNS entries) to make this work smoothly.
> 3) In addition to Nginx or Apache, you could also use HAProxy to set up a
> pure proxy (the proxy terminates TLS, inspects traffic, and directs traffic
> to backend services for both website and NAS based on HTTP
> characteristics), and manage traffic for both services in the proxy. Not
> the simplest setup, but a good toolset to learn for a ton of use cases.
> 3a) If you're looking to learn more, you can look at doing things like
> cookie inspection to direct traffic, so (e.g.) only traffic with a certain
> cookie will transit and other traffic goes to a tarpit or authentication
> service.
>
> On 2019-03-11 02:41 PM, Stephen Partington wrote:
> > You have two likely issues to overcome. The first is that letsencrypt
> > REQUIRES port 80 for certbot validation, unless you can control your DNS to
> > perform DNS authentication. They disabled HTTPS validation some time ago.
> >
> > This is the part that makes the above part obnoxious. Port 80 on just about
> > any ISP for the last 30 years has been blocked. Sometimes you can get it
> > turned on for business accounts, sometimes on a home account for WFH type
> > purposes, but rarely without a cost. This will foul LetsEncrypt in a
> > big way for their normal validation.
> >
> > With your DDNS provider it will vary depending on what your provider is.
> > Google has great DDNS support. Dreamhost, not so much.
> >
> > DDNS is usually what will be used for a system that is on DHCP and will
> > need to have its ip/dns records updated. CNAME is for a redirection of
> > Domain A to Domain B (No IP).
> >
> > Here is the fun voodoo of a modern webserver. Apache and nginx both do this
> > well. You can put up one of those web-servers and use it as a web-server,
> > and then use a reverse proxy from that server into a website or location on
> > another machine that is not exposed to the internet. So your NAS is now
> > behind a location on your main server. IE your network is homedomain.org
> > and your webserver responds to it. Your NAS is behind your firewall, but you
> > set up a reverse proxy on your webserver so now homedomain.org/NAS goes
> > directly to your nas device's web page. If you have more DNS and DDNS tools
> > available you can create nas.homedomain.org and tell your webserver to take
> > all nas.homedomain.org traffic and redirect to "website" A which is a
> > reverse proxy to your NAS and then all other traffic is handled by
> > "website" B on the server itself.
> >
> > I have had limited success with this because I am very new to this. But it
> > is an interesting learning process and you learn a great deal about webtraffic
> > and the like.
> >
> > On Mon, Mar 11, 2019 at 2:17 PM Herminio Hernandez, Jr. <> wrote:
> >
> >> The issue is most out of the box routers have pretty basic port-forwarding. If
> >> you are already forwarding 80/443 to one server then you will not be able to
> >> use it on another server unless you have more than one public ip address.
> >>
> >> On Mon, Mar 11, 2019 at 2:14 PM Carlton Brooks <> wrote:
> >>
> >>> I have a successful homeassistant setup running on a NUC with a
> >>> letsencrypt certificate. It uses Port 80 and 443 for internet access.
> >>>
> >>> I just bought a Synology NAS disk station DS918+ to do all my backups etc.
> >>>
> >>> If I want to access the outside world with the NAS with an SSL or
> >>> Letsencrypt certificate, I again need to have port 80/443 open.
> >>>
> >>> This is where I need help. I will admit the lack of knowledge at this
> >>> point but I do know that two devices can not share the same ports, but
> >>> how might I configure the NAS to gain outside secure access.
> >>>
> >>> I can get a domain name but am confused as to using a DDNS or cname to
> >>> gain access.
> >>>
> >>> Any help in "somewhat" simple terms would be greatly appreciated.
> >>>
> >>> Thanks
> >>>
> >>> Carlton Brooks
> >>>
> >>> ---------------------------------------------------
> >>> PLUG-discuss mailing list -
> >>> To subscribe, unsubscribe, or to change your mail settings:
> >>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
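Stephen's two-hostname layout and Joseph's TLS-terminating proxy, as an added nginx example that is not part of the thread (assumed: the NAS answers on 192.168.1.20:5001, a constructed LAN address and Synology DSM's usual HTTPS port; certificate paths follow certbot's default layout). It also shows how the single front end that owns port 80 can answer the HTTP-01 challenges for both names, which is what lets certbot keep working behind one forwarded port.

```nginx
# Added example, not from the thread. One nginx front end owns 80/443 for both
# hostnames; TLS terminates here and nas.homedomain.org is proxied to the NAS.
# Assumed: NAS at 192.168.1.20:5001 (constructed LAN address, DSM's default
# HTTPS port); cert paths as certbot creates them under /etc/letsencrypt/live/.

# Port 80: serve ACME HTTP-01 challenges for every name, redirect all else.
server {
    listen 80;
    server_name homedomain.org nas.homedomain.org;

    location /.well-known/acme-challenge/ {
        root /var/www/acme;        # certbot certonly --webroot -w /var/www/acme
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# "Website B": the main site, served by this host with its own certificate.
server {
    listen 443 ssl;
    server_name homedomain.org;
    ssl_certificate     /etc/letsencrypt/live/homedomain.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/homedomain.org/privkey.pem;
    root /var/www/homedomain;
}

# "Website A": nginx picks this block by SNI, decrypts, and proxies to the NAS.
server {
    listen 443 ssl;
    server_name nas.homedomain.org;
    ssl_certificate     /etc/letsencrypt/live/nas.homedomain.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.homedomain.org/privkey.pem;

    location / {
        proxy_pass https://192.168.1.20:5001;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The NAS presents a self-signed cert on the LAN hop; nginx does not
        # verify upstream certs unless proxy_ssl_verify is turned on.
    }
}
```

The NAS itself no longer needs 80/443 forwarded; only the proxy host is exposed, and the router's single port-forward rule points at it.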