Reverse proxy like setup for a local aka fake domain


danioj


Hi All,

 

I have more and more time on my hands recently due to the COVID-19 related issues we are all going through.  As a result, I have followed many of spaceinvaderone's videos and have been perfecting a setup that has been in place for a long time.  I have a day off tomorrow (trying to take some of my banked leave to help my company) and would like to solve a 'not really a' problem.  I realise that entering port numbers and storing bookmarks is not difficult - but, this is something I would just like to do.

 

Much like the reverse proxy setup I have with my personal domain, where key applications are called by accessing:

 

https://app.domain.com

 

All via port 443 obviously and no specialist ports are required to be remembered but are all available to the internet and DNS resolved to an external domain.

 

I'd like to achieve something similar but on my LAN for applications I don't want (or have no need) to expose to the Internet. The ultimate goal being that I can just type:

 

https://app.localdomain.whatever

 

Now, I do have something sort of like that setup. I run AsusWRT-Merlin and that allows me to specify a local domain name (e.g. domain.lan) and through the use of being able to specify custom IPs in unraid and the DNS capabilities of the router firmware I can have something like this:

 

http://app.domain.lan:####

 

Obviously that is not a true DNS server and is just a function of the DNS and DHCP functions of the router.  Also, as you can see from the above, I still need to use the port number. To be clear, I'm after not having to specify port numbers, be LAN side only, run all over https and have a valid certificate.

 

I assign custom IPs to almost every docker service I run (apart from those either on the reverse proxy on my custom domain or those whose functionality won't allow it) which also means I have a reserved IP DHCP table in my router that is massive. This was brought about because I had to do a wipe of my router and had to re-enter everything again (IPs, MAC addresses etc) and then I thought how much simpler would it be if I really only had 1 IP reserved in my router for unraid and unraid hosted services and something like a proxy handled everything else.

 

My question is, has anyone else achieved what I am trying to achieve?

 

I have thought about:

 

Running another instance of letsencrypt and doing the setup but forcing it to use a local DNS server (perhaps there is a docker for that) but for one I am not sure how to run another instance of letsencrypt and I am not even certain there is a DNS docker out there that would allow me to create local A and CNAME records etc.

 

This is very much an enthusiasts request and a bit of a hobby project.

 

It's fun to be playing again, even if the circumstances that have brought it about are less than ideal!

Edited by danioj

Some thoughts to accomplish what you want.

  • First I'd rather use an actual domain, and get DNS records for it. This way I am able to use Let's Encrypt using the DNS challenge to sign a domain wildcard cert *.domain. Admittedly in my case I'm using a VPS to run acme.sh as my LE client.
  • This cert I'll feed the nginx reverse proxy for all my LAN services.
  • Then my router (which is a MikroTik) contains the DNS mapping for all the apps to the nginx proxy. Alternatively, like the built-in unraid TLS mode, you could disable domain rebinding protection, and publish the local IPs on the global DNS. Maybe pi-hole could work here too.

 

If you don't want to spend on a domain, your next alternative is to create your own wildcard cert for your personal domain name. But then you'd need to install the self-signed CA into all your clients, which might not work as easily as you might think, particularly adding certs to dockers can be a real challenge.

 


Thanks for the reply. It was very thought provoking and I think I have done it.

 

I have my own domain and as I mentioned in my OP, I use it to serve the sites I want to access externally. I considered a separate instance of nginx, local IPs in the public DNS record etc etc. I was sat with my glass of wine last night and I settled on the fact that I MUST have been overthinking this. This is a basic access issue. Then I stumbled on it ...

 

I set up the application via the reverse proxy like any other public facing app (e.g. with DNS to my external site and through the reverse proxy). Result, available through http://app.domain.com as expected, but not desired. I only want it to be accessible through the LAN.

 

So I put this code into the corresponding block of the app.subdomain.conf file that sits within the proxy-confs folder of my letsencrypt setup.

location / {
  # allow anyone in 192.168.1.0/24 (the LAN)
  allow   192.168.1.0/24;
  # drop rest of the world (nginx answers 403)
  deny    all;
}

The result, I can access https://app.domain.com from the LAN but NOT the Internet - which returns a 403. Excellent. Yes it uses external DNS, but as you put it, I think that is a good thing.

 

I am going to check in on the support thread of letsencrypt to see if I have missed any major security flaw here, but I don't think I have!

 

Thanks for being my muse in this. I appreciate it.
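An added example, not part of the thread and not the letsencrypt container's own template, showing the same LAN-only rule written as a complete proxy-confs file, with the allow/deny placed at server level so every location inherits it. It assumes the LAN is 192.168.1.0/24, an app container named `app` listening on port 8080, and the container's usual include paths; all of these are assumptions.

```nginx
# Added example: /config/nginx/proxy-confs/app.subdomain.conf
# Assumed values: LAN 192.168.1.0/24, upstream container "app" on port 8080.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name app.*;

    # TLS settings shared by all proxied apps (assumed include path)
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # Access list at server level: every location below inherits it,
    # so a second location (e.g. /api) cannot be left open by mistake.
    # A location that declares its own allow/deny replaces this list.
    allow 192.168.1.0/24;     # the LAN
    allow 127.0.0.1;          # local checks from the proxy host
    deny  all;                # everyone else receives 403

    # Note: allow/deny test the TCP peer address ($remote_addr). If a CDN
    # or another proxy sits in front of nginx, every request arrives from
    # that hop's address and the rule above would judge the wrong client;
    # the real client address must then be restored with the realip
    # module (set_real_ip_from / real_ip_header) before this list applies.

    location / {
        include /config/nginx/proxy.conf;   # assumed include path
        resolver 127.0.0.11 valid=30s;      # docker's embedded DNS
        set $upstream_app app;
        set $upstream_port 8080;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

To check the rule, `curl -I https://app.domain.com` from a LAN machine should return 200 while the same request from a phone on mobile data should return 403.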
