Access Web server behind NAT
-
@cyrilbuchs
You should set the pfSense WebGUI to listen on another port than 443.
Also I recommend checking "Disable webConfigurator redirect rule".
-
@viragomann
Thanks for your answer. I configured pfSense to listen on 444 and I disabled the rule. There is no more DNS rebind error/login from public IP, but I still cannot access my website with the laptop. On Chrome, I'm getting an "ERR_CONNECTION_TIMED_OUT" error.
-
@cyrilbuchs
To connect to the web site from inside your LAN you should add a DNS override for your domain pointing to the proxy. This requires that you are using an internal DNS server like pfSense. Otherwise you can activate DNS reflection in the NAT rule for natting the access correctly. If the laptop is in the same network segment as the proxy you might need the "NAT + proxy" mode.
-
@viragomann
Oh nice, thanks! By setting NAT reflection mode to NAT + proxy, I'm able to reach the website using my laptop.
But the problem with the reverse proxy is still there. When I try to renew LE certs, I get the "Timeout during connect" error. Any idea why?
-
@cyrilbuchs
Depends on the authentication method. I guess you use webroot on the proxy?
Did this work before you put pfSense in front of it? It needs to access a webroot resource on port 80 and 443 from the LE server. Did you forward these correctly and allow it?
Did you check "Disable webConfigurator redirect rule" as suggested?
On pfSense it might also possibly be blocked by pfBlockerNG. The LE client will write a nice log file where you might find hints to the problem.
-
@viragomann
Thanks for the precisions.
What is webroot? It's just a simple Apache2 reverse proxy running on a standalone VM, nothing special. I disabled the rule as you suggested. I do not use pfBlockerNG.
I'll check in the logs too.
-
Nothing special in the logs of LE sadly.
The strange thing is that my website is reachable from the Internet (I can go on a browser and, after accepting the certificate expiration problem, access the website). And I don't think (and hope) that the problem is related to LE.
I'll try to create a new simple web server facing the Internet and check if I have the problem.
-
@cyrilbuchs said in Access Web server behind NAT:
What is webroot?
An authenticator plugin for Certbot, assuming you're using Certbot as ACME client, since it's the most common for Apache.
To get further, you will need to know how you get your LE certs, which ACME client you are using and which auth method it's using.
@cyrilbuchs said in Access Web server behind NAT:
Nothing special in the logs of LE sadly
If the client is not able to pull or renew a certificate it should at least write something to the log file. Otherwise kick it and use another one.
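As an added example (not from this thread or from certbot itself), a small Python probe that repeats what certbot's webroot authenticator depends on: a token written under the web server's webroot must be fetchable over plain HTTP through the public host name. Run it on the Apache/proxy VM with the real webroot and host name (the "http://www.example.org" host in the docstring is a placeholder); the self-test uses a constructed local server.

```python
"""Probe an ACME HTTP-01 challenge path the way certbot --webroot relies on it:
a token is written under <webroot>/.well-known/acme-challenge/ and must be
fetchable over plain HTTP (port 80) via the certificate's host name."""
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def probe_http01(webroot: str, base_url: str, timeout: float = 10.0) -> tuple:
    """Write a throwaway token into webroot, fetch it via base_url (what the ACME
    server would use, e.g. "http://www.example.org", a placeholder), compare."""
    token = secrets.token_urlsafe(16)
    chal_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        # A NAT or reflection problem surfaces here as a timeout, like certbot's
        # "Timeout during connect"; a redirect to HTTPS with a bad cert as an SSL error.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}: wrong webroot or other server?"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"connect failed for {url}: {exc}"
    finally:
        os.remove(path)  # clean up the token like certbot does
    if body != token:
        return False, f"wrong content for {url}: request did not reach this webroot"
    return True, f"token served correctly from {url}"


def self_test() -> tuple:
    """Run the probe against a local HTTP server on a temporary webroot (constructed)."""
    with tempfile.TemporaryDirectory() as webroot:
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe_http01(webroot, f"http://127.0.0.1:{srv.server_address[1]}")
        finally:
            srv.shutdown(); srv.server_close()
```

A "connect failed" result from the LAN but not from outside points at the NAT/reflection setup rather than at the ACME client.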
-
@viragomann hi, sorry for my late response. Been out for a few days and came back to the problem today.
I created a new Web server with a simple Apache website running on port 80. Everything is working using this. But whenever I try to generate a certificate, even with this new server (using Certbot again), I'm getting a "fetching" error.
Just checking with my small laptop, I cannot access the public IP (finishing by .146). And with another PC, I can?? Wth is going on haha.
Why is this happening? That's the main question. Did I make any shitty configuration in the NAT?
I just redirected the 80 and 443 ports from WAN address to the Web server.
-
@cyrilbuchs said in Access Web server behind NAT:
Just checking with my small laptop, I cannot access the public IP (finishing by .146). And with another PC, I can??
From inside your LAN or from outside? By using the IP or the host name.
Can you please provide the whole certbot log?
Still not clear which authenticator method it is using.