Port 80/443 router conflict

Joseph Sinclair plug-discussion at stcaz.net
Mon Mar 11 20:09:41 MST 2019


I would second both Stephen and Dhruva with a slight expansion.
1) Setting up a HTTP (or Layer 7 in general) proxy is what you need to have one IP/port set directed to multiple backend HTTP servers/services.
2) TLS traffic is "special" to proxy, as the certificate has to be on the proxy, which needs to terminate the secure tunnel in order to inspect the traffic and figure out where it goes.  You'll probably want to look into how you set up the server to manage multiple certificates (if you have different DNS entries) to make this work smoothly.
3) In addition to Nginx or Apache, you could also use HAProxy to set up a pure proxy (the proxy terminates TLS, inspects traffic, and directs traffic to backend services for both website and NAS based on HTTP characteristics), and manage traffic for both services in the proxy.  Not the simplest setup, but a good toolset to learn for a ton of use cases.
  3a) If you're looking to learn more, you can look at doing things like cookie inspection to direct traffic, so (e.g.) only traffic with a certain cookie will transit and other traffic goes to a tarpit or authentication service.

On 2019-03-11 02:41 PM, Stephen Partington wrote:
> You have two likely issues to overcome. The first is that Let's Encrypt
> REQUIRES port 80 for certbot validation, unless you can control your DNS to
> perform DNS authentication. They disabled HTTPS validation some time ago.
> 
> This is the part that makes the above part obnoxious. Port 80 on just about
> any ISP for the last 30 years has been blocked. Sometimes you can get it
> turned on for business accounts, sometimes on a home account for WFH-type
> purposes, but rarely without a cost. This will foul Let's Encrypt in a
> big way for their normal validation.
> 
> With your DDNS provider it will vary depending on what your provider is.
> Google has great DDNS support. Dreamhost, not so much.
> 
> DDNS is usually what will be used for a system that is on DHCP and will
> need to have its IP/DNS records updated. CNAME is for a redirection of
> Domain A to Domain B (No IP).
> 
> Here is the fun voodoo of a modern webserver. Apache and nginx both do this
> well. You can put up one of those web servers and use it as a web server,
> and then use a reverse proxy from that server into a website or location on
> another machine that is not exposed to the internet. So your NAS is now
> behind a location on your main server. I.e. your network is homedomain.org
> and your webserver responds to it. Your NAS is behind your firewall, but you
> set up a reverse proxy on your webserver so now homedomain.org/NAS goes
> directly to your NAS device's web page. If you have more DNS and DDNS tools
> available you can create nas.homedomain.org and tell your webserver to take
> all nas.homedomain.org traffic and redirect to "website" A, which is a
> reverse proxy to your NAS, and then all other traffic is handled by
> "website" B on the server itself.
> 
> I have had limited success with this because I am very new to this. But it
> is an interesting learning process and you learn a great deal about web traffic
> and the like.
> 
> On Mon, Mar 11, 2019 at 2:17 PM Herminio Hernandez, Jr. <
> herminio.hernandezjr at gmail.com> wrote:
> 
>> The issue is most out-of-the-box routers have pretty basic port-forwarding. If
>> you are already forwarding 80/443 to one server then you will not be able to
>> use it on another server unless you have more than one public IP address.
>>
>> On Mon, Mar 11, 2019 at 2:14 PM Carlton Brooks <linux at carltonbrooks.net>
>> wrote:
>>
>>> I have a successful homeassistant setup running on a NUC with a
>>> letsencrypt certificate. It uses Port 80 and 443 for internet access.
>>>
>>> I just bought a Synology NAS disk station DS918+ to do all my backups etc.
>>>
>>> If I want to access the outside world with the NAS with an SSL or
>>> Letsencrypt certificate, I again need to have port 80/443 open.
>>>
>>> This is where I need help. I will admit the lack of knowledge at this
>>> point but I do know that two devices can not share the same ports, but
>>> how might I configure the NAS to gain outside secure access.
>>>
>>> I can get a domain name but am confused as to using a DDNS or cname to
>>> gain access.
>>>
>>> Any help in "somewhat" simple terms would be greatly appreciated.
>>>
>>> Thanks
>>>
>>> Carlton Brooks
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
> 
> 
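To make the proxy layout from the thread concrete (one public 80/443 pair in front of both Home Assistant on the NUC and the Synology DSM UI, TLS terminated on the proxy, certificates selected per hostname, and the cookie gate from point 3a), here is an added HAProxy 2.x configuration. It is an example written for this page, not a config from any poster or from the HAProxy project. The hostnames homedomain.org and nas.homedomain.org come from the thread; the LAN addresses 192.168.1.10:8123 and 192.168.1.20:5001, the certificate directory /etc/haproxy/certs/, the CA file /etc/haproxy/nas-ca.pem, the cookie name "gate", and the local certbot port 8402 are assumptions.

```haproxy
global
    log /dev/log local0
    maxconn 2000
    # Refuse anything below TLS 1.2 on every "bind ... ssl" line below
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # How long a tarpitted client is held before it gets its error
    timeout tarpit 10s

# Port 80 does only two things: answer Let's Encrypt HTTP-01 challenges
# and push everything else to HTTPS. certbot runs on the proxy host
# in standalone mode on an assumed local port (see usage note).
frontend http_in
    bind :80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Port 443 terminates TLS. Every .pem in the directory is loaded and
# HAProxy picks the certificate per connection from the SNI name, so
# homedomain.org and nas.homedomain.org can each have their own cert.
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=63072000"

    acl host_nas        req.hdr(host) -i nas.homedomain.org
    acl host_home       req.hdr(host) -i homedomain.org
    acl has_gate_cookie req.cook(gate) -m found     # assumed cookie name

    # Point 3a from the thread: the NAS UI is only reachable when the
    # "gate" cookie is present; everyone else is slowed down and denied.
    http-request tarpit deny_status 403 if host_nas !has_gate_cookie

    use_backend nas           if host_nas
    use_backend homeassistant if host_home
    default_backend homeassistant

backend acme
    # certbot --standalone --http-01-port 8402 (assumed port)
    server certbot 127.0.0.1:8402

backend homeassistant
    # Home Assistant on the NUC (assumed LAN address)
    server nuc 192.168.1.10:8123 check

backend nas
    # Re-encrypt to DSM's HTTPS port and verify its certificate against
    # an assumed CA file, so the LAN hop is not silently unauthenticated.
    server ds918 192.168.1.20:5001 ssl verify required ca-file /etc/haproxy/nas-ca.pem check
```

HAProxy expects each file in the crt directory to hold the certificate chain followed by the private key, so after `certbot certonly --standalone --http-01-port 8402 -d homedomain.org` concatenate fullchain.pem and privkey.pem into /etc/haproxy/certs/homedomain.org.pem (and likewise for nas.homedomain.org), then reload HAProxy; a renewal hook can do the same. Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The cookie gate is a speed bump against scanners, not authentication: DSM's own login still has to be enabled and the NAS should not be reachable from the internet except through this proxy.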
