
Accessing devices through just domain instead of domain+port on both VPN and LAN.

Levent

Hello. I am trying to access my services simply by using the same domain on LAN and VPN. Here is what the simplified version of my setup looks like for some context.

image.png.9f775dda6f100d11ca1bd9d35e09ed0b.png

  • Home server has Proxmox and Haproxy installed so I can access it on 10.1.0.3:443 (or via 10.1.0.3:8006).
  • I did set hostnames on the Router (OpenWRT) so I can also access it via https://proxmox.lan but this solution obviously wouldn't work outside of LAN both due to proxy being on "Home server" and proxmox.lan being provided by Router.
  • I have a pihole with unbound setup on VPS.
  • No device that is in the LAN has VPN client running on them and this is not going to change, only Router has VPN client running on it.

 

What I would love to do is, when I connect my devices to either VPN or to LAN I want to be able to access them using same domain. For argument's sake, let's say I want to be able to access "Home server" proxmox webgui (which runs on port 8006 by default) with homeserver.example.com instead of what I currently have. (router.example.com:9999, which router forwards to 10.1.0.3:8006)

 

Any ideas?

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

 


take a look at a reverse proxy. should be able to do all of this for you. I have one that can redirect things like nextcloud.my.domain to my nextcloud server. You can do this with many webservers like apache and nginx


13 minutes ago, Electronics Wizardy said:

take a look at a reverse proxy. should be able to do all of this for you. I have one that can redirect things like nextcloud.my.domain to my nextcloud server. You can do this with many webservers like apache and nginx

I did try that with haproxy but issue I am having is, where would homeserver.example.com be defined and to where?

I want to be able to have different services on different subdomains, like nas.example.com, mc.example.com all would be redirecting to 10.0.0.2.

 


8 minutes ago, Levent said:

I did try that with haproxy but issue I am having is, where would homeserver.example.com be defined and to where?

I want to be able to have different services on different subdomains, like nas.example.com, mc.example.com all would be redirecting to 10.0.0.2.

 

You need to create a virtual host on your webserver for each service then define the domain name and port in each vhost config file. I have my setup running exactly like this only internally.

 

nas.home.lan for my NAS which uses port 9001

home.lan for my webserver which uses port 80

pma.home.lan for phpmyadmin also on 80

 

etc etc

 

then as above, use reverse proxy on the webserver to forward whatever port to whatever service. Local services can share a port since they should all have their own folder on the webserver anyway so you can define the subdomain and point it to whatever folder you like.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


58 minutes ago, Master Disaster said:

You need to create a virtual host on your webserver for each service then define the domain name and port in each vhost config file. I have my setup running exactly like this only internally.

 

nas.home.lan for my NAS which uses port 9001

home.lan for my webserver which uses port 80

pma.home.lan for phpmyadmin also on 80

 

etc etc

 

then as above, use reverse proxy on the webserver to forward whatever port to whatever service. Local services can share a port since they should all have their own folder on the webserver anyway so you can define the subdomain and point it to whatever folder you like.

Would you mind sharing your haproxy.conf? Because if I understood that right, this should have worked?

image.png.83791edfea802e5623214e4ff5374cd6.png


32 minutes ago, Levent said:

Would you mind sharing your haproxy.conf? Because if I understood that right, this should have worked?

 

I do it all through Apache, it has its own proxy module. Unfortunately I actually cannot get into my webserver at all, it's been so long since I needed to change anything I actually forgot the password. I've been meaning to redo it but I'm worried I might go from it working flawlessly to not.

 

Edit

So using Apache & mod_proxy something like this should work

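Quote
<VirtualHost *:443>
  # Name-based vhost: requests whose Host header is sub.domainname.com land here
  ServerName sub.domainname.com

  # WebSocket upgrade requests are proxied over ws:// (needs mod_proxy_wstunnel)
  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)           ws://localhost:8080/$1 [P,L]
  # Everything else is proxied over plain HTTP to the same backend
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /(.*)           http://localhost:8080/$1 [P,L]
  # TLS is terminated here; the backend connection is unencrypted HTTP
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile pathofyourcert
  SSLCertificateKeyFile pathofyourkey
  # Reverse proxy only; never act as an open forward proxy
  ProxyRequests off
  ProxyPass        / http://localhost:8080/ nocanon
  ProxyPassReverse / http://localhost:8080/
</VirtualHost>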

This would forward whatever is on 127.0.0.1:8080 to sub.domain.com:443, you can adjust it as needed. You probably don't need the rewrite and socket stuff TBH, all this does is reformat the URI and forward it to a running socket, most websites don't need that.

 

Edit 2 - Now that I think back, it works better if you create a non SSL vhost on port 80 then run certbot and let it generate the SSL config for you. I don't remember the exact reason why but I do remember it caused me issues when trying to create an SSL vhost manually.


10 hours ago, Master Disaster said:

I do it all through Apache, it has its own proxy module. Unfortunately I actually cannot get into my webserver at all, it's been so long since I needed to change anything I actually forgot the password. I've been meaning to redo it but I'm worried I might go from it working flawlessly to not.

 

Edit

So using Apache & mod_proxy something like this should work

This would forward whatever is on 127.0.0.1:8080 to sub.domain.com:443, you can adjust it as needed. You probably don't need the rewrite and socket stuff TBH, all this does is reformat the URI and forward it to a running socket, most websites don't need that.

 

Edit 2 - Now that I think back, it works better if you create a non SSL vhost on port 80 then run certbot and let it generate the SSL config for you. I don't remember the exact reason why but I do remember it caused me issues when trying to create an SSL vhost manually.

I am in a bit of a pickle here. I couldn't manage to get it to work with Apache nor Nginx last night at all, but I did manage to get somewhere [getting an SSL error] with HAproxy. However I am now facing another issue which breaks router VPN connection.

 

  • I set openvpn on VPS to only listen on WAN:443TCP (it was previously listening on *:443TCP)
  • I set up proxmox.example.com to 10.0.0.1 on VPS server.
  • I set up haproxy to redirect 10.0.0.1:443 to 10.0.0.2:9999 (where Router forwards it to local 10.1.0.3:8006)
  • When I browse https://proxmox.example.com on a local client, router drops VPN connection and won't manually reconnect.
  • When I trigger manual vpn reconnect on router (which runs openwrt), I can momentarily connect to proxmox.example.com BUT I can only see SSL_ERROR_RX_RECORD_TOO_LONG momentarily before VPN drops again (I still don't know which service is responding as it can be router too as it also runs https).

I will give Apache one more attempt but posting to see if you have any inputs on what might be going wrong here.


1 hour ago, Levent said:

I am in a bit of a pickle here. I could not manage to get it to work with Apache nor Nginx last night at all, but I did manage to get somewhere [getting an SSL error] with HAproxy. However I am now facing another issue which breaks router VPN connection.

 

  • I set openvpn on VPS to only listen on WAN:443TCP (it was previously listening on *:443TCP)
  • I set up proxmox.example.com to 10.0.0.1 on VPS server.
  • I set up haproxy to redirect 10.0.0.1:443 to 10.0.0.2:9999 (where Router forwards it to local 10.1.0.3:8006)
  • When I browse https://proxmox.example.com on a local client, router drops VPN connection and won't manually reconnect.
  • When I trigger manual vpn reconnect on router (which runs openwrt), I can momentarily connect to proxmox.example.com BUT I can only see SSL_ERROR_RX_RECORD_TOO_LONG momentarily before VPN drops again (I still don't know which service is responding as it can be router too as it also runs https).

I will give Apache one more attempt but posting to see if you have any inputs on what might be going wrong here.

The only thing I can think might offer a clue to what is going on is to create a vhost on port 80, leave out the SSL stuff and see if you can connect to it. AFAIK this error usually happens because SSL kinda expects port 443 and throws a fit if it doesn't get that. By eliminating SSL entirely (temporarily) it should allow you to at least connect and test your config.

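What a TLS client makes of the first bytes it gets back, as an added example that is not part of any post in this thread: Firefox raises SSL_ERROR_RX_RECORD_TOO_LONG when the first five bytes of the reply do not parse as a sane TLS record header, which is what a plain-HTTP listener answering on the HTTPS port produces. The byte strings are constructed samples and the function names are this example's own.

```python
# Added example: classify the first bytes a server sends back on a TLS port.
import struct

# Largest ciphertext record TLS 1.2 allows: 2^14 plaintext + 2048 overhead.
MAX_RECORD_LEN = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_record_header(data: bytes):
    """Read the 5-byte TLS record header: content type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify(data: bytes) -> str:
    """Explain what a TLS client would make of these first bytes."""
    ctype, version, length = parse_record_header(data)
    if ctype in TLS_CONTENT_TYPES and version[0] == 3 and length <= MAX_RECORD_LEN:
        return f"tls:{TLS_CONTENT_TYPES[ctype]}"
    if data.startswith(b"HTTP/"):
        # 'P' and '/' are read as the length field: 0x502F = 20527 > 18432.
        return f"plaintext-http (bogus record length {length})"
    return f"not-tls (type={ctype}, length={length})"


# Constructed samples, not captures from the thread's network.
SAMPLES = {
    "tls server hello": bytes.fromhex("160303004a") + b"\x02" * 8,
    "tls alert": bytes.fromhex("15030300020228"),
    "http on the tls port": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, first_bytes in SAMPLES.items():
        print(f"{name:22} -> {classify(first_bytes)}")
```

Feed `classify` the first bytes of the reply from a packet capture taken on the client to tell a TLS endpoint from a plaintext listener sitting behind the same address and port.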

3 hours ago, Master Disaster said:

The only thing I can think might offer a clue to what is going on is to create a vhost on port 80, leave out the SSL stuff and see if you can connect to it. AFAIK this error usually happens because SSL kinda expects port 443 and throws a fit if it doesn't get that. By eliminating SSL entirely (temporarily) it should allow you to at least connect and test your config.

My mistake turned out to be a super dumb mistake lol. I figured it out with nginx as well. Attempting to "wrassle" the SSL. Thanks guys
