Reverse Proxy - Site accessible over WAN IP (Solved)

[alec_hs]

I currently have 2 sites hosted on a server behind the OPNsense FW that accessible by two sub domians through the NGINX reverse proxy:

• sub1.domain > Reverse Proxy > Server A (port x)
• sub2.domain > Reverse Proxy > Server A (port y)

I then have a FW rule on the WAN interface that allows port 443 to the WAN address.

The two sites are perfectly accessible and working fine. My issue is that if you browse directly to the WAN IP it shows up the site hosted on Server A Port x. How do I make it so that no site is accessible on the WAN IP.

Separately is it possible to have the NGINX part of OPNsense running off an additional WAN virtual IP i have?

[fabian]

You can simply not open the port on WAN by not creating a firewall rule.

[alec_hs]

But this then means that the sites behind the proxy are not available.  Does NGINX not need the 443 to WAN IP open to accept the traffic to the mapped locations/ upstream servers?

[Fright]

How do I make it so that no site is accessible on the WAN IP

you can add new Server in nginx with your wan ip in "Server name" field and manage it (block\deny\redirect etc)

Separately is it possible to have the NGINX part of OPNsense running off an additional WAN virtual IP i have?

as @fabian already said: check your fw rule destination address.

[alec_hs]

Hmm ok so I have created a new HTTP server as below:


Server name is WAN IP but i can't work out where/ how to block it. I tired create a new HTTP location that goes to nowhere but that doesn't seem to do anything as the site on Server A Port y still loads.

[Fright]

try it without locations at all
should reply with 403 (if you have no files in /usr/local/etc/nginx/html/)

[alec_hs]

Nope unfortunately that was first thing i tried - here are FW rules on WAN if that helps get a better idea.

[Fright]

Nope unfortunately that was first thing i tried

a page on the server A opens or what?
there is something wrong with the config. I use this method myself and it works.
whats in the log for the server with ip-name? any request there?
looks like wrong IP in Server Name

here are FW rules on WAN if that helps get a better idea

no. fw should pass traffic for this ip. its fine. nginx takes care of it

[alec_hs]

Cool ok so what I'm taking from that reply is FW rules are fine but something wrong with the NGINX setup. Thanks for the help with this by the way, much appreciated.

Server A behind FW is running a web gui on port y, I have a the following config in NGINX:

• Upstream Sever - Server A, port y, priority 1
• Upstream - Contains Upstream Server from above
• Location - pattern /, match none, url rewitre none, Upstream as above
• Server - name sub.domain.com, cert setup, ports 80/443, location as above

This all works fine and shows the GUI for this application. I then have another HTTP server in NGINX as configured in the pic in previous post with server name as the WAN IP, no files in html dir.

When i navigate to the WAN IP (from a different network) the gui for the application on Server A Port y is shown.

[Fright]

nginx listens all addresses
if the request arrives and its does not match any Server Names in the config, nginx uses the default server config. for now plugin does not support the directive for specifying the default server, so the first server is taken from the config. so I guess there is an error in the server name (error in IP address) and nginx is using the first server in the config to process the request. that is, server A.
in this case, the request log for the server with the ip-name must be empty

[alec_hs]

This was solved with Frights help off forums - config ended up all being ok seemed to be an issue with the NGINX config not actually being applied until after a full FW reload.