Access to Web Server from Outside

[spetrillo]

Hello all,

I have an Apache web server setup on a vm on my home network. I setup two port forwards, one for HTTP and one for HTTPS. Is there anything else I need to be able to see the web server from the outside?

Thanks,
Steve

[Greelan]

Firewall rules on WAN generally, although by default OPNsense will set up associated rules when you set up the port forwards

[Greelan]

PS - if OPNsense is configured properly but you still can’t connect, check that your ISP is not blocking 80 and 443 inbound - many do, and if so you might be able to ask them to remove the block

[spetrillo]

Yes I have the port forwards and the fw rules setup. I am going to check with my ISP.

[chocapic]

Use nginx and lets encrypt.
https://wiki.slemoal.fr/index.php/OPNSense_os-acme-client
And
https://wiki.slemoal.fr/index.php/OPNSense_NGINX

[spetrillo]

Use nginx and lets encrypt.
https://wiki.slemoal.fr/index.php/OPNSense_os-acme-client
And
https://wiki.slemoal.fr/index.php/OPNSense_NGINX

Are you using the Nginx plugin?

[chocapic]

yes it's a great plugin

[chocapic]

it allows me to host several websites at home by redirecting my subdomains to my public ip. nginx takes care of analyzing the origin of the subdomain in order to redirect it to the right server.

[spetrillo]

it allows me to host several websites at home by redirecting my subdomains to my public ip. nginx takes care of analyzing the origin of the subdomain in order to redirect it to the right server.

Are you using the plugin as your defacto web server or are you just using it to point to your web server? For example I have spun up an Ubuntu vm on my home network and installed Wordpress on it. It is now a working website. What I cannot seem to figure out is how do I tie the IP of the internal vm/web server to the www name I want to use. That seems to be my missing piece. I have A records in the domain's DNS pointing www to my public IP but that does not seem to do the trick. Its like I am missing something on OPNsense that equates www.my-domain.com to the internal IP of my vm/web server.

Make sense? Clear as mud?

[Greelan]

All you should need to do is port forward ports 80 and 443 from your router to the VM. If the webserver is listening on www.my-domain.com, then that should work

Post your port forward config, as there may be something wrong with it

[Greelan]

But really, as chocapic suggested, having nginx as the primary webserver, serving content itself and/or proxying other webservers, is a great idea.

I run nginx as a reverse proxy for about 9 backend webservers in my network (plus have nginx running its own basic frontend). My nginx webserver runs in a LXD container in my network, not on OPNsense itself, but the concept is the same.

Running it on OPNsense means you don’t need any port forwards, just need to open ports 80 and 443 so that the nginx server can receive external requests and serve or proxy the relevant content on the various domains/subdomains. Also means you only have to configure SSL termination in one place.

Edit: I should add that I run nginx in a container because I am somewhat paranoid about security. If nginx ever gets compromised, the damage is limited. I don’t like running extraneous services on OPNsense for that reason

[spetrillo]

All you should need to do is port forward ports 80 and 443 from your router to the VM. If the webserver is listening on www.my-domain.com, then that should work

Post your port forward config, as there may be something wrong with it

Here are my port forwards and WAN rules.

[spetrillo]

But really, as chocapic suggested, having nginx as the primary webserver, serving content itself and/or proxying other webservers, is a great idea.

I run nginx as a reverse proxy for about 9 backend webservers in my network (plus have nginx running its own basic frontend). My nginx webserver runs in a LXD container in my network, not on OPNsense itself, but the concept is the same.

Running it on OPNsense means you don’t need any port forwards, just need to open ports 80 and 443 so that the nginx server can receive external requests and serve or proxy the relevant content on the various domains/subdomains. Also means you only have to configure SSL termination in one place.

Edit: I should add that I run nginx in a container because I am somewhat paranoid about security. If nginx ever gets compromised, the damage is limited. I don’t like running extraneous services on OPNsense for that reason

Could it be as simple as the reverse proxy to my vm?

[Greelan]

Can’t see anything wrong with your port forwards/rules. I assume FIOS = WAN. Maybe then the issue is that your apache server is not configured to listen on the domain/subdomain.

In answer to your second question, yes a nginx reverse proxy would work

[spetrillo]

Can’t see anything wrong with your port forwards/rules. I assume FIOS = WAN. Maybe then the issue is that your apache server is not configured to listen on the domain/subdomain.

In answer to your second question, yes a nginx reverse proxy would work

I checked my Apache server and its setup correctly. Is there a good tutorial on how to setup the nginx plugin for reverse proxy? It looks complicated.