Access Website internally?

killmasta93

Hi
I was wondering if someone could shed some light on the issue im having,
Currently i have a website internally which i need to access
I have the NAT reflection enabled, and i can ping the site but shows err connection timeout

I checked the states
i see that its closed on the acknowledgment
the IP that is trying to access is 192.168.3.211 and the server which has the website is 192.168.3.190

not sure what else i should look for

Thank you

johnpoz

@killmasta93 said in Access Website internally?:

192.168.3.190

Why do you not just resolve whatever the fqdn is for this site to that IP?

killmasta93

@johnpoz
Thanks for the reply,
I tried adding on the custom option on dns resolver

local-data: "sub.domain.com A 192.168.3.211"

but then realized that the server 192.168.3.190 has NGINX reverse proxy which therefore
putting the IP wont work
this is the nginx config which proxies to an IIS with multiple ports

server {

#        listen 80;
   listen 443 ssl;
 server_name xxx.xxx;

  ssl_certificate /etc/letsencrypt/live/xx.xxx/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xx.xxx/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
       ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
       ssl_stapling_verify on;


        location ~ /.well-known {
        root /var/www/letsencrypt;
        allow all;
    }
        location / {

               proxy_pass http://192.168.3.211:8093/;

#                headers setting

                proxy_set_header Host $host;

                proxy_set_header X-Real-IP $remote_addr;

                proxy_set_header X-Forwarded-For $remote_addr;

                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Client-IP $remote_addr;

                }

        }

Gertjan

@killmasta93 said in Access Website internally?:

local-data: "sub.domain.com A 192.168.3.211"

211 ? 190 !

johnpoz

@killmasta93 said in Access Website internally?:

192.168.3.190 has NGINX reverse proxy which therefore
putting the IP wont work

Huh? Your client is still going to send the host info when he tries to connect.. So why wouldn't it work?

Dude if you want help you have to tell us how your setup.. So your reverse proxy is on 3.190, which sends the data to 3.211? So you want to send it back to the client your coming from?

WTF Dude??

BTW all you need is a host override in the gui, you don't have to use a custom option anything.

killmasta93

@johnpoz @Gertjan
Sorry that i wasnt clear, let me clear the setup again

Currently i have windows server with IIS on 192.168.3.211
in that IIS i have 3 websites
192.168.3.211:8093
192.168.3.211:8091
192.168.3.211:8092

As i only have 1 WAN ip (i separate my wan navigation from my web services) i needed to use a reverse proxy, so i created another VM with NGINX

and redirected the subdomains according to each website
ex:
sub.domain.com----NGINX proxy------192.168.3.211:8093
sub2.domain.com----NGINX proxy------192.168.3.211:8091
sub3.domain.com----NGINX proxy------192.168.3.211:8092

and its working perfectly when the user is not in the LAN

So when the user is in the LAN and try to access sub.domain.com they get error connection time out
ex:
User ip: 192.168.3.156 trying to access sub.domain.com
the sub.domain.com IP starts with 181.49
and my Wan address 181.57
NGINX reverse proxy IP 192.168.3.190

This is my NAT

Hope this made my question better

johnpoz

@killmasta93 said in Access Website internally?:

1 WAN ip (i separate my wan navigation from my web services) i needed to use a reverse proxy

Sure - I use HAproxy.. On pfsense for this.. And I have no issues access service internally or externally via the public fqdn from my client.

You for sure could run into asymmetrical issues with such a setup.. Unless you did a pure nat sort of setup where the reverse proxy would send the traffic back to pfsense wan to get back to the client on your lan..

killmasta93

@johnpoz
Thanks for the reply, as i was looking into HAproxy but wanted the Let encrypt on NGINX rather then on pfSense, i do have pure NAT enabled so not sure why its not letting on my LAN to access it

Gertjan

@killmasta93 said in Access Website internally?:

but wanted the Let encrypt on NGINX rather then on pfSense

"Letsencrypt"is a concept, a brand, not code.
It needs, on 'your' side, a program, most often scripts like Python, bash etc that runs on some system (OS).
NGINX is a web server; that, on request from a web browser, gets files from its local storage and send it to the browser asking for it. It does not natively execute programs or scripts.

Your NGINX runs on a device (host) : install certbot, acme.sh or whatever script you like, that interfaces with the Letenscrypt API servers. The traffic will just flow through pfSEnse, as any other traffic.