Setting up reverse proxy for LAN use only

Started by kamiewtype, December 09, 2023, 02:30:20 AM

Hey all. I've recently gotten into networking and self-hosting, and I'm struggling to set up domains to locally access my services. I have AdGuard Home running on OPNsense, and I'd like to be able to access it from adguard.home.arpa, instead of having to append the port to router.home.arpa. I've installed nginx, but I can't seem to quite figure it out, and all the tutorials related to it are for setting up webservers and exposing things to the internet, which I don't need to do.

kamiewtype,

I set up nginx on a Linux server with internet-facing services.

I have set it up so that I use the services from inside my network by following the guide (no need to go through internet everything stays inside my lan if it originates from inside lan).

https://homenetworkguy.com/how-to/configure-split-dns-opnsense-using-unbound/

I think you should be able to use it as well.

Cheers,

Thank you, but is it possible to do it from within OPNsense? Even if I need to use a plugin, I would prefer to have this self-contained, and I kind of find it hard to believe that OPNsense lacks reverse proxy functionality completely.

I don't think you need nginx for what you want.

You should be able to do it with unbound alone.

If you want to have HTTPS, then you use a reverse proxy with something like Let's Encrypt (you can manage everything from one spot).

I recommend experimenting with just unbound at first.

Cheers,

Alright, I've messed around with it a bit more and that doesn't really seem like a possibility. Unbound is just for DNS, it can't really forward traffic to a specific port based on the hostname, that's kind of what a reverse proxy is for. Would HAProxy maybe work better in this instance?

So you have one machine with multiple ports and you want to use placeholder.example.com to direct to a specific port of multiple ports on the machine?

Haproxy and nginx would do the same thing in this instance.

I think you need to set up nginx to listen on port 80 on your router, then make virtual servers for each service.

You will need to use unbound to point to www.yourdomain.com at the router ip port 80 via a dns entry.

Then each service will be able to be differentiated by service1.yourdomain.com, service2.yourdomain.com, etc.

You will need to figure out how to go about setting up the server definitions on nginx (I use nginx on Debian and they do it differently than other implementations).

It should look something like this:

server {
        listen 80;
        listen [::]:80;
        server_name service.yourdomain.com;

        # The location block must sit inside the server block; requests whose
        # Host header matches server_name are proxied to the backend here.
        location / {
                proxy_pass http://192.168.1.123:345;
        }
}

# Catch-all for requests that match no server_name (e.g. a bare IP or an
# unknown host), so they are not routed to the first defined service.
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 404;
}


The server_name is what will tell nginx what location / proxy pass to use.

The trick is with a reverse proxy it usually listens externally (internet facing) to port 80 and port 443 and then depending on the request FQDN directs traffic to whatever machine port.

Google reverse proxy for internal network, there are examples.

I actually have mine set up to come from the internet and then used split DNS to access everything inside the network... so your mileage may vary.

I hope this is helpful I am no expert, just use google to figure stuff out.

Cheers,

In your case, you need to configure Nginx to process requests to adguard.home.arpa and route them to AdGuard Home.

Apologies.

I was working under the assumption you had set adguard up using unbound as a dns cache and to send all the dns queries per:

https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/

or

https://forum.opnsense.org/index.php?topic=22162.msg183543#msg183543.

If you are only using adguard home (unbound is disabled) what I was saying is utter gibberish.

Cheers,

This guide will show you how to setup a reverse proxy with SSL from letsencrypt - but it will be for external access.

https://forum.opnsense.org/index.php?topic=23339.0

I've done this and it works well, but like you I have a couple of resources that I only want available internally, but I would like to have on SSL so I don't see any non-ssl browser warnings (and so that the browser will remember my password / enable autocomplete, which it won't do on non-ssl sites).

So looking for some help to add some local only domains but not sure where to start! I think I could set them up as in the guide above, but first create some firewall rules on the WAN interface to prevent inbound access to these domains (and add those rules above the allow rules for my other exposed domains...). Would that work?

December 21, 2023, 05:00:37 PM #9 Last Edit: December 27, 2023, 05:11:00 PM by Monviech
I have made a plugin for an alternative reverse proxy on the OPNsense. It uses Caddy. If there's a valid use case, I could program a checkbox into it that allows access to a reverse proxied domain only from internal IP addresses, while it's still able to get external Let's Encrypt certificates. Caddy has its own directive for this.

https://caddyserver.com/docs/caddyfile/matchers#client-ip

In Caddy, this would be the whole configuration for that. HTTPS with Let's Encrypt and everything.


example.com {
    @allowed {
        client_ip private_ranges
    }
    handle @allowed {
        reverse_proxy 172.16.0.1
    }
}
Hardware:
DEC740

December 27, 2023, 12:34:42 PM #10 Last Edit: December 27, 2023, 12:41:44 PM by az
Thanks @Monviech for Caddy, I got that up and running so much faster than nginx, and that's coming from someone who's done a LOT with nginx in prod.

Here is my entire setting for adguard, which allows adguard to be accessed from 192.168.1.3, https://adguard, and https://adguard.home.arpa.


192.168.1.3, adguard, adguard.home.arpa {
    bind 192.168.1.3
    tls internal
    reverse_proxy 127.0.0.1:81
}


Note that my adguard dashboard is listening on :81, and I've set 192.168.1.3 as an alias Virtual IP to 192.168.1.1 (opnsense router)

This will be lan only, no external access.

Just today I updated the caddy plugin with access list support in the GUI, so there can be IP based restriction or allow lists configured without needing to go into the configuration files. Each list can be set per domain.
Hardware:
DEC740
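The two Caddy approaches in this thread (a public name with a Let's Encrypt certificate that is only served to private address space, and a LAN-only name signed by Caddy's internal CA) combined into one Caddyfile, as an added example that is not from any post above or from the OPNsense Caddy plugin. It assumes a public DNS name adguard.example.com that Caddy can get a certificate for, the router's LAN alias 192.168.1.3, and AdGuard Home listening on 127.0.0.1:81 as in the post above; all three are placeholders.

```caddyfile
# Added example, not from the thread. Assumed names/addresses:
#   adguard.example.com  - public DNS name, Let's Encrypt certificate
#   192.168.1.3          - router LAN alias the LAN-only site binds to
#   127.0.0.1:81         - AdGuard Home dashboard on the router

# Site 1: public certificate, but only clients from private address space
# (RFC 1918, loopback, fc00::/7) are proxied. The matcher-less handle at the
# end is the fallback for everyone else; without it Caddy answers unmatched
# requests with an empty 200 rather than a refusal.
adguard.example.com {
    @lan client_ip private_ranges
    handle @lan {
        reverse_proxy 127.0.0.1:81
    }
    handle {
        respond 403
    }
}

# Site 2: LAN-only name under .home.arpa, no public DNS needed. tls internal
# issues the certificate from Caddy's own CA, so that root must be trusted
# on each client to avoid browser warnings.
adguard.home.arpa {
    bind 192.168.1.3
    tls internal
    reverse_proxy 127.0.0.1:81
}
```

Two practitioner notes: client_ip evaluates the peer address unless trusted_proxies is configured, so a request arriving over the WAN interface is refused even though the certificate is public and valid; and the ACME HTTP challenge for site 1 still needs port 80 reachable from the internet (or a DNS-01 challenge), because that exchange is handled before the handle blocks run. The split-DNS post earlier in the thread applies unchanged: point adguard.example.com at 192.168.1.3 internally so LAN clients never leave the network.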