Reverse proxy send me to pfsense?

cazz · Nov 22, 2023, 6:29 PM

Hi
I have two network connect to my pfsense (DMZ and LAN) where in DMZ I have a reverse proxy (apache) running on a server.
Most of the time it just reverse to another server in same DMZ network.
But I have now a server inside LAN network that I like to access but something is strange.
When I add as normal the IP address and port number to the server in LAN it all looks fine.
But when I trying to access the server from my subdomain I get "Potential DNS Rebind attack detected" and I get a little curious so
I disable "Potential DNS Rebind attack detected" and try again and now it redirect me to pfsense login page??
I have no enable that again because I do not want to access pfsense outside :)

I have even add the port 8123 to allow access from DMZ to LAN from my reverse proxy server?

So even when I specific say go to this IP address, why does it go to pfsense IP address?

Running version 2.7.0-release of pfsense.

stephenw10 · Nov 22, 2023, 6:52 PM

What does the url you're using resolve to?

Are you forwarding traffic from the WAN to the proxy?

You're probably seeing this:
https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

Steve

cazz · Nov 22, 2023, 8:27 PM

@stephenw10
Hi and thanks for the fast replay.
Have not read that and going to try to see if Split DNS is the right idea.

That I have now is this

Cloudflare manage my domains and subdomains and send it to my WAN IP address.

pfSense sends all traffic from port 80 and 443 to my proxy server

Reverse Proxy checks which address the visitor has used and forwards the user to the correct server.

It has worked well as all my public servers are in the DMZ network. But now as I said, I want to send a specific subdomain to a server on the LAN network that has an 8123 port in its address.

stephenw10 · Nov 22, 2023, 8:40 PM

Yup, so when you try to access that url from the LAN it resolves to your WAN address and you hit that dircetly, the port forward does not catch it from the inside.

Split DNS or NAT reflection should solve that.

cazz · Nov 22, 2023, 8:48 PM

@stephenw10

My DNS Resolver was enable so I did use that.
I did add Host, domain and IP.

I then did go to the server that was going to receive the traffic and did set my pfsense address as DNS (It only have one address)
I then restart the server to make DNS change take effect.

But still when I try from a computer in LAN it go to pfSense login page (or trying)
When I did try from a phone that have 3G I can't connect at all.

I did even remove the rule in my proxy server and still go to pfsense.

stephenw10 · Nov 22, 2023, 8:54 PM

Is it now resolving to the internal address of the proxy?

cazz · Nov 23, 2023, 6:34 PM

@stephenw10
Hi
Sorry for the delay, did get some strange error but now it working :)
Thanks alot for all the help