Gentoo Forums
[solved] How to make server accessible in a bigger LAN ?
Zhang Zheng
n00b
Joined: 26 Jul 2021
Posts: 11
Location: Xi'an, China

Posted: Sat Jul 30, 2022 8:15 am    Post subject: [solved] How to make server accessible in a bigger LAN ?

Dear everyone,

I have an nginx server on 127.0.0.1:81, and I plan to make it accessible to
my roommate.

Below is a simple topology of my environment

Code:
                      +--------------------------------------------+   
                      | campus network ( gateway 10.194.255.254 )  |   
                      +--------------------------------------------+   
                          |                                  |         
                          |                                  |         
                          |                                  |         
            +-----------------------------+        +------------------+
            |  my router ( 10.194.30.2    |        | my roommate      |
            |              192.168.0.1 )  |        | ( 10.194.132.90 )|
            +-----------------------------+        +------------------+
                 |                     |                               
                 |                     |                               
  +------------------------+     +--------------+                     
  |laptop ( 192.168.0.2    |     |other devices |                     
  |         127.0.0.1:81 ) |     +--------------+                     
  +------------------------+                                           


My general idea is to make the server on 127.0.0.1:81 available to the router,
then the router could port forward 192.168.0.2:11235 out; the second step can
be done in the router's web page.

First I used "caddy reverse-proxy --from 192.168.0.2:11235 --to 127.0.0.1:81",
which enables other devices under the same router to access the server.

But direct access to 192.168.0.2:11235 from the router's LAN reports the error below:
Quote:
Client sent an HTTP request to an HTTPS server.


I must access https://192.168.0.2:11235, which is what confuses me, since
the nginx server on 127.0.0.1:81 should be HTTP, not HTTPS.

I barely changed the nginx configuration except for the port,
Code:
        server {
                # listen 127.0.0.1;
                listen 127.0.0.1:81;
                server_name localhost;

                access_log /var/log/nginx/localhost.access_log main;
                error_log /var/log/nginx/localhost.error_log info;

                root /var/www/localhost/htdocs;
        }

        # SSL example
        server {
                listen 127.0.0.1:443 ssl;
                server_name localhost;

                ssl_certificate /etc/ssl/nginx/nginx.pem;
                ssl_certificate_key /etc/ssl/nginx/nginx.key;

                access_log /var/log/nginx/localhost.ssl_access_log main;
                error_log /var/log/nginx/localhost.ssl_error_log info;

                root /var/www/localhost/htdocs;
        }


This may be a Caddy question, so should I use iptables or its successor nftables?

I've read a lot of seemingly related articles and knowledge on Google, but things
always become hard when I practise.

Another question is that the IP of my router designated by the campus network is
not static, so is there a good way to handle a dynamically changing IP every time the router
reboots?

It will be much appreciated if anyone could help.


Last edited by Zhang Zheng on Sat Jul 30, 2022 1:31 pm; edited 1 time in total
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879

Posted: Sat Jul 30, 2022 9:08 am

Hi
Can your friend ping your router at 10.194.30.2?
IF YES then

It seems you have the same "server_name" for both http and https.
Rename one of them, or disable http, or have nginx forward http to https.
I suppose you wish your friend to access your server via SSL.
So maybe something like this
Code:

 server {
                listen 443 ssl;

                server_name my-fabulous-site;

                ssl_certificate /etc/ssl/nginx/nginx.pem;
                ssl_certificate_key /etc/ssl/nginx/nginx.key;

                access_log /var/log/nginx/localhost.ssl_access_log main;
                error_log /var/log/nginx/localhost.ssl_error_log info;

                root /var/www/localhost/htdocs;
        }


Create an entry in /etc/hosts
Code:

192.168.0.2   my-fabulous-site

You might need to create new certificates for my-fabulous-site.
see
https://www.server-world.info/en/note?os=Debian_11&p=ssl&f=1
and then edit your nginx conf file for new certificates.
Then port-forward (open the port) in your router
Code:

10.194.30.2:443 -->> 192.168.0.2:443

And have your friend access your site @
Code:

https://10.194.30.2

or have your friend create also an entry in his /etc/hosts like
Code:

10.194.30.2 my-fabulous-site

and access you at
Code:

https://my-fabulous-site

Note the browser will complain about self-signed certificates, but that's ok.
_________________
:)
Zhang Zheng

Posted: Sat Jul 30, 2022 9:55 am

Dear alamahant,


Thanks a lot for your reply !

alamahant wrote:
Hi
Can your friend ping your router @10.194.30.2?
IF YES then

It seems you have same "server_name" both for http and https.
Rename one of them or disable http or have nginx forward http to https


I disabled http in nginx.conf, renamed 192.168.0.2 from localhost to something else,
and after port forwarding it's available to the campus network.

Then my roommate successfully accessed my site using https://10.194.30.2:11235 :)
(Although the web browser still warns)

It didn't even occur to me that it's feasible to directly use 192.168.0.2 rather than
127.0.0.1.


Best regards :)
alamahant

Posted: Sat Jul 30, 2022 10:18 am

Quote:

It didn't even occur to me that it's feasible to directly use 192.168.0.2 rather than

127.0.0.1 is the loopback interface. It means "localhost", YOUR machine.
If you wish a website to be accessible from other machines as well, I wouldn't use the loopback,
although you can use ssh port forwarding to bypass this.
But why make things complicated?
Not only one: you can have as many virtual hosts as you like.
You will just have to make the server_name directive unique to each virtual host, specify additional root directories, and add these vhosts to /etc/hosts as well.
Some people like to use nginx as a reverse proxy, a "router" so to speak, forwarding URL requests to some other web server hosting one or multiple sites.
You shouldn't worry about that now.
But yes, please avoid using the loopback for public sites.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54237
Location: 56N 3W

Posted: Sat Jul 30, 2022 10:30 am

Zhang Zheng,

Quote:
Then my roommate successfully accessed my site using https://10.194.30.2:11235 :)
(Although the web browser still warns)


If it works for your roommate, it works for the rest of the campus too.
You might not want that.

Ignore the browser warning. If you want a real certificate, you will need a public web site.
Let's Encrypt gives out free certificates but uses a challenge/response to verify that you are who you say you are.
It puts the response into your public website.

As you are behind the campus NAT, you don't have a public website.
At least, not while you are on the campus network.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
alamahant

Posted: Sat Jul 30, 2022 10:40 am

Neddy

would a
Code:

server {
.
.

allow 192.168.0.0/24; # OP lan
allow 10.194.132.90;  # roommate IP
deny all;             # must be last: nginx applies allow/deny in order, first match wins
.
.

}

work?
Or should one use iptables instead?
Zhang Zheng

Posted: Sat Jul 30, 2022 10:54 am

Dear alamahant and NeddySeagoon,

thanks for your comment,

alamahant wrote:
Not only one: you can have as many virtual hosts as you like.
You will just have to make the server_name directive unique to each virtual host, specify
additional root directories, and add these vhosts to /etc/hosts as well.
Some people like to use nginx as a reverse proxy, a "router" so to speak, forwarding URL
requests to some other web server hosting one or multiple sites.
You shouldn't worry about that now.
But yes, please avoid using the loopback for public sites.

I am rather interested in this area, but my major doesn't include computer networking, so
almost all pertinent experience is acquired through practical trials :)

NeddySeagoon wrote:
Ignore the browser warning. If you want a real certificate, you will need a public web site.
Let's Encrypt gives out free certificates but uses a challenge/response to verify that you are who you say you are.
It puts the response into your public website.

As you are behind the campus NAT, you don't have a public website.
At least, not while you are on the campus network.

Actually I have a public website and server from the GitHub Student Developer Pack,
but I found it of little use except as an HTTP server. Maybe having a public website is helpful
to convert a dynamic campus IP to my website+server IP?
alamahant

Posted: Sat Jul 30, 2022 11:33 am

Quote:

to convert a dynamic campus ip to my website+server ip ?

To do that you need a Dynamic DNS service, like Dynu for example.
Please see
https://www.dynu.com/en-US
But I am not certain it will work in your case, as you are standing behind a double LAN:
1. The university LAN at 10.194.0.0/16, possibly even bigger, and
2. Your own private LAN at 192.168.0.0/24
NeddySeagoon

Posted: Sat Jul 30, 2022 1:42 pm

Zhang Zheng,

To point your public website to your router probably isn't going to happen.
Your campus puts you behind NAT. You would need to do port forwarding in that NAT system to your router, which also does NAT.

Your NAT is under your control. I don't think your campus will allow port forwarding to be able to reach you.
If they did, they would need to do it for everyone and there are only 2^16 ports.

alamahant's rules should work until your or your roommate's IP addresses change.
Being roommates implies that you are in the same room ;)
It would be easier for your roommate to connect to your router. Then there is no campus network involved in your LAN in your room.
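As an added example, not configuration posted by anyone in this thread: the pieces alamahant suggested across the posts above (a vhost with its own server_name, HTTPS only, and the allow/deny list NeddySeagoon says should work) put together into one nginx server block for the OP's laptop. nginx evaluates allow/deny directives top to bottom and stops at the first match, so "deny all" has to be the last rule; with it first, every client is refused before the allow lines are reached. The message the OP got from Caddy, "Client sent an HTTP request to an HTTPS server.", is what a TLS listener answers when it is sent plaintext, i.e. Caddy was terminating TLS on 11235 itself; nginx has the same condition under its non-standard status 497, and the block below redirects it instead of leaving the client with an error. The name my-fabulous-site, port 11235, the certificate paths and the addresses are taken from the thread; the log file names are assumed.

```nginx
# Added example, not configuration from the thread. Goes in the http {} context
# of nginx.conf on the laptop (192.168.0.2). Assumes the router forwards
# 10.194.30.2:11235 -> 192.168.0.2:11235 as discussed above, and the self-signed
# certificate paths from the OP's original config. Log file names are assumed.

server {
    # Bind the LAN address, not 127.0.0.1, so the router can reach it. Binding
    # a specific address requires it to exist when nginx starts;
    # "listen 11235 ssl;" would bind every interface instead.
    listen 192.168.0.2:11235 ssl;
    server_name my-fabulous-site;          # unique name, matches the /etc/hosts entry

    ssl_certificate     /etc/ssl/nginx/nginx.pem;
    ssl_certificate_key /etc/ssl/nginx/nginx.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Plain HTTP sent to this TLS port raises nginx's own status 497 ("The plain
    # HTTP request was sent to HTTPS port"). Redirecting to https on the same
    # port is friendlier than the bare error the OP saw from Caddy.
    error_page 497 =301 https://$host:$server_port$request_uri;

    # Access list: first match wins, so the specific allows come first and the
    # catch-all deny goes last. Written the other way round (deny all first),
    # every client is refused before the allow lines are ever reached.
    allow 192.168.0.0/24;     # devices behind the OP's own router
    allow 10.194.132.90;      # the roommate, on the campus network
    deny  all;                # everyone else on campus gets 403

    access_log /var/log/nginx/my-fabulous-site.access_log main;
    error_log  /var/log/nginx/my-fabulous-site.error_log info;

    root /var/www/localhost/htdocs;
}
```

Two checks are worth doing: "nginx -t" before reloading, and the access_log afterwards. A consumer router's port forward normally rewrites only the destination address, so the roommate should appear in the log as 10.194.132.90. If the router masquerades forwarded traffic instead, every campus client arrives as the router's LAN address, which sits inside the allowed 192.168.0.0/24, and the whole campus is let in; the restriction would then have to move to the router or to a host firewall such as nftables, which the OP asked about. The allow list also tracks addresses that campus DHCP can change, as NeddySeagoon notes, and an nginx access list only covers HTTP: the game servers mentioned later in the thread need the same restriction applied with nftables or iptables on the laptop. For the self-signed certificate, importing nginx.pem as trusted on the roommate's machine once (or comparing its fingerprint) is better than clicking through the warning every visit, because a later warning then actually means something.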
Zhang Zheng

Posted: Sat Jul 30, 2022 4:13 pm

Dear NeddySeagoon

NeddySeagoon wrote:
To point your public website to your router probably isn't going to happen.
Your campus puts you behind NAT.
You would need to do port forwarding in that NAT system to your router, which also does NAT.

Your NAT is under your control. I don't think your campus will allow port forwarding to be able to reach you.
If they did, they would need to do it for everyone and there are only 2^16 ports.

thanks for your comment; my router's web page also indicates that my router is under
multiple NAT and DDNS can't work here.

NeddySeagoon wrote:
alamahant's rules should work until your or your roommate's IP addresses change.
Being roommates implies that you are in the same room ;)
It would be easier for your roommate to connect to your router.
Then there is no campus network involved in your LAN in your room.

Port forwarding on my router also enables other friends to join the server,
for example to host a DDNet or Minecraft server for 3 or more friends.

Best regards:)
NeddySeagoon

Posted: Sat Jul 30, 2022 4:50 pm

Zhang Zheng,

Zhang Zheng wrote:
Port forwarding on my router also enables other friends to join the server,
for example to host a DDNet or Minecraft server for 3 or more friends.


Port forwarding allows the entire campus to join in :)
You need to take measures to restrict it to your friends.