I’ve got Nginx Proxy Manager set up and it’s working wonderfully. However, I have some services I want to be able to access via reverse proxy, so I have SSL and can use a hostname to direct me to a service, but I only want to be able to access them via VPN. My best idea to make this work is to configure access so that only connections from my local network can access certain proxy hosts. This gives all external traffic a 403 on connection attempt. Is this the best or only way to go about it? Short of additional services such as Authelia and Fail2Ban of course, but I wanted to know if I have the right idea.
Not sure I follow but if you’re doing what I think you’re doing you could simply just have two proxies - one for internal access and one for external access each with their own set of proxied hostnames. You obviously only expose the latter on your public_ip:443 port forward and ensure you don’t have your more private services defined on it.
Alternatively you could use the oft-overlooked geo in your nginx config, assuming NPM exposes it (don’t use it so not sure).
e.g.
geo $public {
default 1;
192.168.0.1/24 0; # internal subnet(s)
192.168.1.0/24 0; # also include your vpn subnet
}
You can then have any ‘restricted host’ proxy config check $public and skedaddle before proxying the private services if access is not from an internal/vpn subnet, eg:
if ($public) {
return 302 https://www.example.com;
}
# normal proxy stuff here...
What are you trying to do exactly? You don’t need to reverse proxy services you want to access only via VPN.
Use LetsEcnrypt with DNS challenge, so you can get certificates for your domain without opening a single port for access. My image provides that via RFC2136 enabled DNS.
It’s exactly what I do and works great
Yes this is how I do things. I run two instances of nginx proxy, one public facing and one private. External requests are routed to the public proxy and my local dns has CNAME records for all the domains my services run on forwarding to the internal proxy. That way I have a couple of subdomains exposed publicly (Plex, nextcloud and home assistant) through subdomains declared in my public name server and many, many more on the internal proxy whose domain records exist only on my local dns.
I personally run tailscale on my host and a single traefik instance on docker. Anything that doesn’t need to be accessed by other people listen to the hostname and get a 100.64.0.0/10 ip whitelist middleware to only allow connections through tailscale.
That way a request sent through the public IP with a custom Host header can’t be smuggled in and I don’t have to deal with custom ports for a 2nd reverse proxy
My goal is that I’d like to access services using “sub.domain.com”, but of course, I only want some of those accessible via the internet. For some subdomains, I’d only want to be able to use them on my local network or when connecting via VPN.
Yes, sure he does. A reverse proxy adds TLS termination, so you have nice certs on all your endpoints that don’t use certs or don’t even provide TLS encrypted services. It also adds middlewares and much more, so, yes, he does not a reverse proxy, basically every webapp should only be run via reverse proxy and most TCP or UDP applications too. The benefits outweigh the cost.
Thank you! This is the most appealing option to me right now. I’m having trouble understanding how all my internal traffic could be routed via my internal DNS though. NPM listens on both 80 and 443. Is the idea to have NPM listen on 443 and and my local DNS on 80, then I configure my router to use local DNS to route my traffic accordingly?
You can, i also do this:
So i have sub.dom.com pointing to a public ip generatin certs with http01 using proxy manager.
Then i have sub.priv.domain.com pointin to a PRIVATE ip an generatin certs with DNS01, this way, the dns will point to your private ip and only work when you are connected to vpn.
See more here: https://youtu.be/qlcVx-k-02E?si=ZkhRwlG9Qh4EMCN7
It’s down to having two distinct instances of your reverse proxy and control of your local DNS (I use pihole as my DNS provider for local machines, but other DNS servers are available).
So you have your public proxy, which for the sake of this example we’ll call publicproxy.local, and you have your internal proxy which we’ll call localproxy.local.
You also have a dns provider, e.g. pihole.local
Configure your router to provide pihole.local as the dns server for any client on your local network via DHCP. Then configure your router to forward port 443 to publicproxy.local
In your local DNS provider configure CNAME or A records for any service you want to be able to access locally that point to localproxy.local.
In your external name servers configure CNAME or A records for any service you want to be able to access externally that point to your public IP or DDNS address.
For example:
Cloudflare (which I use, or name server of your choice) has a CNAME record for plex.example.com which resolves to your public IP. Requests from outside your network hit your router which port forwards the request to publicproxy.local, publicproxy.local is configured to forward plex.example.com to plex.local (where your Plex server lives)
pihole has a CNAME record for plex.example.com which resolves to localproxy.local. localproxy.local is also configured to forward plex.example.com to plex.local.
That means whether you request from outside or inside the network you’ll end up hitting plex.local, success!
Now, pihole also has a CNAME record for sonarr.example.com which resolves to localproxy.local and the proxy is configured to forward sonarr.example.com to sonarr.local (where sonarr is in this example).
There’s no cloudflare record for that subdomain and the public proxy doesn’t recognise it. So you can’t hit your public IP with a request for sonarr.example.com at all, short of having a host file configured to force it. Even if you forced the domain resolution the public proxy doesn’t recognise the URL and gives a 404.
However, if you were to go to sonarr.example.com locally you’d see sonarr.
To add the VPN layer all you need to do is make sure your VPN server on your internal network (whether it’s your router or its own machine) configures clients to use pihole.local as the DNS server. Then, when you VPN in it acts entirely as if it were on the local network, including using local DNS resolution and the local proxy.
The proxy can also serve valid SSL certificates for both local and external requests, no more SSL warnings!
I also do something similar