Can not get NGINX to allow connections..

Started by fbeye, November 30, 2024, 06:47:40 PM

Well I have 20 docker containers on there. I have no issues with anything going in or out, only now trying to go through NGINX.
Now 172.16.2.0 has ZERO Rules or NAT or anything, it is simply the link between OPNSENSE and SG350XG. Everything works fine when I do port forward stuff (in terms of not using NGINX but like access the stuff just with port forward).
I can't imagine 172.16.2.0 even needs any port forward or rule, as I have static routes to "find" 192.168.1.0 through it.

I guess what I am saying is, without utilizing nginx on OPNsense, I can access anything on any network on any of the 6 networks I have with port forward NAT. So these services are open and running as they should. For some reason my nginx is not relaying to them. Like right now, if I set a port forward for 8080 I'll access qbit from the internet easy. It's just when I don't port forward and try through nginx, it doesn't make it.

would you be willing to try haproxy instead? I find it easier to figure out settings as it (the plugin) exposes more options for a reverse proxy and has the "config export" utility that allows to visualise the result of settings in the UI.

Absolutely... I only did the NGINX plugin cause I currently run NGINX in VM/Docker and actually found the OPNS plugin to be 1000% different, so no loyalties to it.

I guess I went with the NGINX as well cause it had that visual step by step, and not assume I know anything, guide to it. But yes I'll install it no problem.

After your will has been broken by HA Proxy try out Caddy, which is very easy to configure and does what you need and has proper documentation (I linked it earlier).
Hardware:
DEC740

Hello, my name is Matt, I have a serious mental disability.

Installed Caddy, set up the LAN/WAN Rules as suggested, changed GUI to different port etc. applied the LAN/WAN rules as suggested.

Under Caddy;

Domain:
https://
service.host.duckdns.org
443
ACME

Handler:
https://service.host.duckdns.org
Subdomain- None
Reverse Proxy
http://
192.168.2.181
8080

When I try to connect it just times out. I connected to my WG and verified it is up and running (qbit on 192.168.2.181:8080).

What you did must be all correct though.

What does the caddy debug log say? Post the output when you connect to your domain (set log level to debug).

2024-12-02T18:01:45   Error   caddy   "error","ts":"2024-12-02T18:01:45Z","logger":"http.log.error","msg":"dial tcp 192.168.2.181:8080: i/o timeout","request":{"remote_ip":"108.147.172.59","remote_port":"42719","client_ip":"108.147.172.59","proto":"HTTP/1.1","method":"GET","host":"qbitmain.h0use0fm.duckdns.org","uri":"/favicon.ico","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Gpc":["1"],"Priority":["u=6"],"Via":["HTTP/1.1 zphn1amcuc01ism005.wnsnet.attws.com"],"Accept":["image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"],"Accept-Encoding":["gzip, deflate"],"Connection":["keep-alive"],"Referer":["http://qbitmain.h0use0fm.duckdns.org/"]}},"duration":3.017842969,"status":502,"err_id":"ptig4kk4m","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
2024-12-02T18:01:41   Error   caddy   "error","ts":"2024-12-02T18:01:41Z","logger":"http.log.error","msg":"dial tcp 192.168.2.181:8080: i/o timeout","request":{"remote_ip":"108.147.172.59","remote_port":"21407","client_ip":"108.147.172.59","proto":"HTTP/1.1","method":"GET","host":"qbitmain.h0use0fm.duckdns.org","uri":"/","headers":{"Accept-Language":["en-US,en;q=0.5"],"Upgrade-Insecure-Requests":["1"],"Sec-Gpc":["1"],"Connection":["keep-alive"],"Priority":["u=0, i"],"Via":["HTTP/1.1 zphn1amcuc01ism005.wnsnet.attws.com"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate"]}},"duration":3.005683853,"status":502,"err_id":"5z6rgfpv3","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}


It is like 192.168.2.181:8080 is unreachable, but from OPNsense I can ping that address. Do I maybe need a static route to that IP? Seems I would not, as I can ping it and also have a static route to that network, 192.168.2.0.

Well, the OPNsense cannot reach it.

Error    caddy     error   ts:2024-12-02T18:01:41Z   logger:http.log.error   msg:dial tcp 192.168.2.181:8080: i/o timeout

Go to the opnsense ssh shell and try:

curl -vv http://192.168.2.181:8080

@OPNsense:~ # curl -vv http://192.168.2.181:8080
11:31:32.108728 [0-0] * [SETUP] added
11:31:32.109149 [0-0] *   Trying 192.168.2.181:8080...
11:31:32.110056 [0-0] * Connected to 192.168.2.181 (192.168.2.181) port 8080
11:31:32.110254 [0-0] * using HTTP/1.x
11:31:32.110495 [0-0] > GET / HTTP/1.1
11:31:32.110495 [0-0] > Host: 192.168.2.181:8080
11:31:32.110495 [0-0] > User-Agent: curl/8.10.1
11:31:32.110495 [0-0] > Accept: */*
11:31:32.110495 [0-0] >
11:31:32.110952 [0-0] * Request completely sent off
11:31:32.114530 [0-0] < HTTP/1.1 200 OK
11:31:32.114646 [0-0] < cache-control: no-store
11:31:32.114711 [0-0] < connection: keep-alive
11:31:32.114787 [0-0] < content-length: 1674
11:31:32.114852 [0-0] < content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self'; frame-ancestors 'self';
11:31:32.114917 [0-0] < content-type: text/html
11:31:32.114977 [0-0] < cross-origin-opener-policy: same-origin
11:31:32.115056 [0-0] < date: Mon, 02 Dec 2024 18:31:32 GMT
11:31:32.115115 [0-0] < referrer-policy: same-origin
11:31:32.115175 [0-0] < x-content-type-options: nosniff
11:31:32.115240 [0-0] < x-frame-options: SAMEORIGIN
11:31:32.115320 [0-0] < x-xss-protection: 1; mode=block
11:31:32.115382 [0-0] <
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8" />
    <title>qBittorrent Web UI</title>
    <link rel="icon" type="image/png" href="images/qbittorrent32.png" />
    <link rel="icon" type="image/svg+xml" href="images/qbittorrent-tray.svg" />
    <link rel="stylesheet" type="text/css" href="css/login.css?v=1hsus4y" />
    <noscript>
        <link rel="stylesheet" type="text/css" href="css/noscript.css?v=1hsus4y" />
    </noscript>
    <script src="scripts/login.js?locale=en&v=1hsus4y"></script>
</head>

<body>
    <noscript id="noscript">
        <h1>JavaScript Required! You must enable JavaScript for the Web UI to work properly</h1>
    </noscript>
    <div id="main">
        <h1>qBittorrent Web UI</h1>
        <div id="logo" class="col">
            <img src="images/qbittorrent-tray.svg" alt="qBittorrent logo" />
        </div>
        <div id="formplace" class="col">
            <form id="loginform" method="post" onsubmit="submitLoginForm(event);">
                <div class="row">
                    <label for="username">Username</label><br />
                    <input type="text" id="username" name="username" autocomplete="username" required />
                </div>
                <div class="row">
                    <label for="password">Password</label><br />
                    <input type="password" id="password" name="password" autocomplete="current-password" required />
                </div>
                <div class="row">
                    <input type="submit" id="login" value="Login" />
                </div>
            </form>
        </div>
        <div id="error_msg"></div>
    </div>
</body>

</html>
11:31:32.115632 [0-0] * Connection #0 to host 192.168.2.181 left intact

I figured it out, and I apologize.

I did not even think about this. In my qbit docker container, I have LAN_ACCESS = 192.168.0.0/16,172.16.2.0/24

It was blocking my remote device, my iPad. So I added that /16 network and it works fine.
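The two diagnostic steps this thread walks through, reading the Caddy error log to see which hop is failing (the proxy-to-backend dial, not client-to-proxy) and then checking whether the backend's source-IP allowlist admits the proxy, can be scripted. The following is an added example, not code from the thread or from the Caddy or OPNsense projects; the log lines are constructed from the format posted above and trimmed to the fields used, and the proxy source address `172.16.2.1` is an assumed value, since the interface Caddy egresses from is not shown in the thread.

```python
"""Triage helper for a Caddy reverse proxy that answers 502 to clients.

Added example (not from the forum thread or the Caddy/OPNsense projects).
Two checks a defender runs when Caddy logs "dial tcp X:Y: i/o timeout":
  1. summarise the JSON error log per upstream address and failure reason, so
     it is obvious that the proxy -> backend leg is what fails;
  2. test whether the proxy's own source address is permitted by the backend's
     source-IP allowlist (the qBittorrent LAN_ACCESS variable in the thread).
"""
import ipaddress
import json
import re
from collections import Counter

# Constructed sample log: two error entries in the shape shown in the thread,
# trimmed to the fields this script reads, plus one unrelated access entry.
SAMPLE_LOG = r'''
{"level":"error","ts":"2024-12-02T18:01:45Z","logger":"http.log.error","msg":"dial tcp 192.168.2.181:8080: i/o timeout","request":{"remote_ip":"108.147.172.59","client_ip":"108.147.172.59","method":"GET","host":"qbitmain.h0use0fm.duckdns.org","uri":"/favicon.ico"},"duration":3.017842969,"status":502}
{"level":"error","ts":"2024-12-02T18:01:41Z","logger":"http.log.error","msg":"dial tcp 192.168.2.181:8080: i/o timeout","request":{"remote_ip":"108.147.172.59","client_ip":"108.147.172.59","method":"GET","host":"qbitmain.h0use0fm.duckdns.org","uri":"/"},"duration":3.005683853,"status":502}
{"level":"info","ts":"2024-12-02T18:02:10Z","logger":"http.log.access","msg":"handled request","request":{"remote_ip":"108.147.172.59","client_ip":"108.147.172.59","method":"GET","host":"qbitmain.h0use0fm.duckdns.org","uri":"/"},"status":200}
'''

# Matches Caddy's reverse_proxy dial error text, e.g.
# "dial tcp 192.168.2.181:8080: i/o timeout" -> upstream, reason
DIAL_RE = re.compile(r"dial tcp (?P<upstream>\S+): (?P<reason>.+)$")


def parse_caddy_log(text):
    """Yield one dict per JSON log line; silently skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarise_upstream_failures(text):
    """Count proxy dial failures keyed by (upstream, reason, virtual host).

    Only http.log.error entries whose msg is a dial error are counted; access
    log entries and other error kinds are ignored.
    """
    counts = Counter()
    for entry in parse_caddy_log(text):
        if entry.get("logger") != "http.log.error":
            continue
        m = DIAL_RE.search(entry.get("msg", ""))
        if not m:
            continue
        vhost = entry.get("request", {}).get("host", "?")
        counts[(m["upstream"], m["reason"], vhost)] += 1
    return counts


def parse_allowlist(spec):
    """Parse a comma-separated CIDR list such as qBittorrent's LAN_ACCESS."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]


def source_permitted(source_ip, spec):
    """True if source_ip lies inside any network in the allowlist."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_allowlist(spec))


def explain(text, proxy_source_ip, allowlist_spec):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for (upstream, reason, vhost), n in summarise_upstream_failures(text).items():
        findings.append(f"{vhost}: {n} x proxy could not reach {upstream} ({reason})")
    if source_permitted(proxy_source_ip, allowlist_spec):
        findings.append(f"proxy source {proxy_source_ip} is permitted by {allowlist_spec}")
    else:
        findings.append(f"proxy source {proxy_source_ip} is NOT in backend allowlist {allowlist_spec}")
    return findings


if __name__ == "__main__":
    # LAN_ACCESS value as posted in the thread; the proxy source address is an
    # assumption made for this example.
    for finding in explain(SAMPLE_LOG, "172.16.2.1", "192.168.0.0/16,172.16.2.0/24"):
        print(finding)
```

When the first finding reports a dial timeout and the second reports the proxy source outside the allowlist, the fix is to add the proxy's egress address (ideally as a /32 rather than a whole /16) to the backend's allowlist; when the source is permitted but the dial still times out, look at routing and firewall rules between the proxy interface and the backend instead, which is what the `curl -vv` test from the OPNsense shell above distinguishes.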

Good job figuring it out :D

December 02, 2024, 08:17:04 PM #29 Last Edit: December 02, 2024, 08:20:58 PM by fbeye
Not sure if I am getting ahead of myself, but I assume I am able to add my internal [192.168.1.180] Postfix/Dovecot [Ports 25 and 993] to this Caddy? I'd assume I would need to leave WAN Side Ports 25/993 but change the LAN side and then would Crowdsec be able to monitor that via Caddy logs? I saw there was a postfix/Dovecot crowdsec collection but also I know they would have to reside on the firewall/where crowdsec is installed to be utilized.