Cloudflare > Nginx reverse proxy (NPM) > Digital Ocean specific problem - dns

I am having this very specific problem. Will try my best to describe what is the deal.
I am running a server on Digital Ocean behind NGINX Reverse Proxy (configurations are done through NGINX Proxy Manager).
I create A record in my cloudflare (mydomain.com) pointing to digital ocean droplets IP.
Everything works good:
REQUEST FROM INTERNET > CLOUDFLARE PROXY > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER.
However, when I try to put a single IP address (for example the address of my VPN server X.X.X.X) in the Nginx reverse proxy's Access List (so that only that IP will have access to the server), everything stops working, and I know why.
Nginx waits for requests only from X.X.X.X , and because the scheme appears to be like this:
X.X.X.X > CLOUDFLARE PROXY > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER
It is logical that NGINX doesn't send any response (because it is waiting for a connection from X.X.X.X and the connection comes from Cloudflare's proxy IP).
The issue is that when I turn off the Cloudflare proxy (toggling the little orange cloud to the OFF position), the server doesn't respond. With my understanding, when I turn it off, the connection should come like this:
X.X.X.X > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER
Does anyone know what the issue might be? (I am guessing there might be another Cloudflare server between my VPN and the NGINX proxy? Or I don't know something of that kind.)
Let me know if you need any additional info; I will try to provide everything possible. Thank you everyone in advance.

For the 1st scenario (orange cloud), you can configure your NGINX to restore the visitor's original IP (X.X.X.X), since Cloudflare provides this information in HTTP headers. You can see more information in this article, but here is a configuration snippet relevant for your reverse proxy:
# Trust the real-IP header only when the connection itself comes from one of
# Cloudflare's edge ranges; a header sent from any other peer is ignored.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# Use one of the following two headers as the source of the restored address
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
The list of Cloudflare IP ranges is maintained here.
For the 2nd scenario (grey cloud), it sounds like there is a connectivity issue between X.X.X.X and your NGINX. You will want to diagnose that using tools such as mtr, and also review whether you have any Firewall settings in DigitalOcean that might prevent the traffic from passing through to your Droplet.
If you would consider a completely different approach for connecting to your application privately, I recommend the following tutorial as an alternative.
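The trust decision behind the snippet above is easy to get wrong, so here is an added Python model of it (example code written for this page, not NGINX's or Cloudflare's own implementation). It reproduces what set_real_ip_from plus real_ip_header do: the CF-Connecting-IP header replaces the socket address only when the TCP peer is inside a Cloudflare range, and an access list is then evaluated against the restored address. The Cloudflare prefixes are the ones listed in the answer; the VPN address 203.0.113.7, the Cloudflare peer 104.16.1.1 and the stranger 198.51.100.9 are constructed sample values standing in for X.X.X.X and friends.

```python
import ipaddress

# Cloudflare edge prefixes, the same ones the set_real_ip_from lines above list.
CLOUDFLARE_RANGES = [ipaddress.ip_network(p) for p in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2c0f:f248::/32", "2a06:98c0::/29",
)]

# Constructed VPN address (TEST-NET-3) standing in for the question's X.X.X.X.
VPN_ALLOW_LIST = [ipaddress.ip_network("203.0.113.7/32")]


def is_trusted_proxy(remote_addr, trusted=CLOUDFLARE_RANGES):
    """True when the TCP peer lies inside one of the trusted (set_real_ip_from) prefixes."""
    peer = ipaddress.ip_address(remote_addr)
    return any(peer in net for net in trusted)


def real_client_ip(remote_addr, headers, header="CF-Connecting-IP", trusted=CLOUDFLARE_RANGES):
    """Mirror of nginx's real_ip behaviour: the header value replaces the socket
    address only when the peer is a trusted proxy. From any other peer the header
    is ignored, which is what stops a client from forging its way past an allow list."""
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted_proxy(remote_addr, trusted):
        return peer
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(header.lower())
    if value is None:
        return peer
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        # Malformed header from a trusted proxy: fall back to the peer address.
        return peer


def access_allowed(client_ip, allow_list):
    """Equivalent of an nginx access list built from allow rules with a final deny."""
    return any(client_ip in net for net in allow_list)


def decide(remote_addr, headers, allow_list=VPN_ALLOW_LIST):
    """Return (restored client address as str, allowed?) for one request."""
    client = real_client_ip(remote_addr, headers)
    return str(client), access_allowed(client, allow_list)


# Constructed requests covering the thread's two scenarios plus a forged header.
SAMPLE_REQUESTS = {
    # orange cloud: a Cloudflare edge (104.16.0.0/13) relays the VPN user
    "vpn_via_cloudflare": ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.7"}),
    # grey cloud: the VPN user connects straight to the droplet, no header present
    "vpn_direct": ("203.0.113.7", {}),
    # stranger relayed by Cloudflare: header is trusted, but the address is not allowed
    "stranger_via_cloudflare": ("104.16.1.1", {"CF-Connecting-IP": "198.51.100.9"}),
    # stranger connecting directly with a forged header: peer is untrusted, header ignored
    "forged_header_direct": ("198.51.100.9", {"cf-connecting-ip": "203.0.113.7"}),
}


def run_samples():
    """Evaluate every constructed request against the VPN-only allow list."""
    return {name: decide(peer, hdrs) for name, (peer, hdrs) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (client, allowed) in run_samples().items():
        print(f"{name:25} client={client:15} {'allow' if allowed else 'deny'}")
```

The two cases worth noticing are the last two: a visitor relayed by Cloudflare is judged by the restored address, and a visitor who connects directly while carrying a CF-Connecting-IP header is judged by the socket address, because that peer is not in the trusted list. Without set_real_ip_from the access list can only see the Cloudflare edge addresses, which is why the follow-up below ended up allowing the Cloudflare ranges themselves for the public containers.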

The problem is solved thanks to @Paolo's answer. I decided to start from the easiest of the cases he provided, so I added all Cloudflare IP ranges to my NGINX Reverse Proxy's access list. Because I run Docker behind that proxy, I have several containers that need to be public and some that need to be private (accessible only with my x.x.x.x VPN).
Case #1 (with orange cloud ON): Now I am able to access the containers that I wanted to be public from any IP address (thanks to the new Access List mentioned above).
REQUEST FROM INTERNET > CLOUDFLARE PROXY > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER > DOCKER PUBLIC CONTAINER
Case #2 (with gray cloud OFF): after @Paolo pointed out that there may be a connectivity issue between X.X.X.X and NGINX, I started to check all configs. He was right, the reverse proxy was misconfigured. After fixing the issue everything started to work as I planned. (The access list was switched from the previous one to only allowing X.X.X.X in this case.)
X.X.X.X > NGINX REVERSE PROXY > DIGITAL OCEAN SERVER > DOCKER PRIVATE CONTAINER
Thanks everyone and special thanks to @Paolo

Related

NGINX Linux: How can I monitor the traffic that goes through the load balancer?

How shall I configure Nginx to monitor the traffic going through the load balancer when hitting the servers in the "location-file" conf.d?
The access.log only shows the target address, i.e. where the request is coming from, but it would be interesting to see which server the request is hitting. In my conf.d I have a conf file with three upstream servers.
Anyone? :)

Using NGINX to mask destination server(s) ip address in http traffic

So I'm relatively new to nginx but want to know how I can use a reverse proxy to mask the destination server(s) IP addresses. Here is how it works so far:
I have reverse proxy (rp), main server (ms), secondary server (ss)
So when using an nginx proxy currently I connect via rp---ms, but via Wireshark I see the main server's IP address as destination.
If the main server passes me to the secondary server for a resource, I see the secondary server's IP address in Wireshark.
What I want to develop is rp---ms---ss or rp---ss, but the to/from traffic should only show the IP of the reverse proxy server outgoing and returning - is this possible?
Are you checking Wireshark from inside the Nginx network? It is obvious that packets forwarded from Nginx will have the main server IP address as destination, you just need to reconfigure the firewall so that only Nginx is accessible from outside.
Check this diagram that will help you understand how to properly design this.

Caddy multi-domain reverse proxy

I'm new to Caddy server but their website looked promising. I want to use it as a reverse proxy for websites that are hosted on other servers. So, I have 2 websites, a Wiki and a photo gallery, that need to be hosted outside of my local network.
Caddyfile
My Caddyfile is pretty straight forward:
coppery.<my domain name> {
    proxy / http://192.168.1.66:80 {
        transparent
    }
}
wiki.<my domain name> {
    proxy / http://192.168.1.88:8080 {
        transparent
    }
}
When I first started Caddy I saw some HTTPS stuff with Let's Encrypt, but that was successful, so now when I start it I get this output:
root@caddy:~# caddy
Activating privacy features... done.
Serving HTTPS on port 443
https://coppery.<my domain name>
https://wiki.<my domain name>
Serving HTTP on port 80
http://coppery.<my domain name>
http://wiki.<my domain name>
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with `ulimit -n 8192`.
I think for now I can dismiss the warning, I might solve that in the future but this is not a production environment anyway.
Portforwarding and DNS
I configured the domain names to resolve to my IP address (this already worked) and when I ping the domain names, they resolve the IP address correctly.
When I access the IP-addresses directly from my local network it works, I get the websites I expect. So I added some configuration on my router and port forwarded port 80 and 443 to the local IP address of the machine hosting the Caddy server.
Now when I try to access coppery.<my domain name> on either HTTP or HTTPS it's not showing anything.
So my only guess is that there is something wrong with the Caddyfile configuration, but it's a really simple case and all I've done is use the examples I found online, which don't seem to work.
So the question is: What am I missing to make this work as intended?
The problem was the DNS. Once I configured the domain names in my local host file it worked. So the configuration in my question is all correct.

Setting up my first Varnish Cache server

I am attempting to set up my first Varnish Cache server and I have a couple questions for any person(s) experienced.
1.) I am running Varnish as a stand-alone server. Do I need Apache also installed on the same server? Ultimately the actual site that will be behind Varnish is not on this server.
2.) Do I point the domain to Varnish and then set the config to point to the IP address of the server that is hosting the site? If so, how do you point it to the right site?
3.) If Varnish is standalone and I have an Apache content server, can they both be on port 80 and I just change the IP address in the default.vcl?
backend default {
    .host = "198.221.134.235";
    .port = "80";
}
Sorry for the basic questions. I have been on Google all weekend and I found plenty of information on how to install and config Varnish but it seems like the site you want to Cache is on the same server since all of them are changing the port Apache listens to and that seems like it would mean the site is living on the same server.
And if you have any good sites with information, please feel free to share them! Thanks again!
No, Varnish and Apache (or any other HTTP/web server) can run on separate servers.
Indeed, point the domain to the IP of Varnish and set up a backend as described in the documentation: https://www.varnish-cache.org/docs/3.0/tutorial/backend_servers.html. The IP of your web server will be the IP of the backend.
Correct, as long as Apache and Varnish are on separate servers they can both listen on port 80.
If I am not mistaken you will have the following setup:
DNS example.com => 1.1.1.1
IP 1.1.1.1:80: Varnish (backend: 1.1.1.2:80)
IP 1.1.1.2:80: Apache

squid /etc/hosts

I have a LAN X.X.X.X/24 and a gateway on which we were told to run Squid.
In the same LAN we have the commercial department and software developers.
We have a production version of our website on public IP Y.Y.Y.Y
and a development version on a different private LAN Z.Z.Z.Z/24
Developers in X.X.X.X/24 need to do HTTP requests to the two different versions of our website.
They used to do it changing /etc/hosts accordingly.
Now we have transparent squid in the middle that resolves DNS before HTTP-requesting, so all requests end up in the public, production version of our website.
I do not know how squid internals that allow transparent proxying work, but is there a workaround that allows only developers' machines to control locally on their machines where their requests will go?
Something like "do not DNS-query if for these, say X.X.X.X/29, machines"?
Thanks
Squid as a transparent proxy does not see the IP address of the target server - it only sees the host name and then uses DNS for address resolution itself.
But there must be a "transparent proxy" rule somewhere on your router / Internet gateway for the transparent proxy to work. You need to change it to: "Do not use transparent proxy if target IP is Z.Z.Z.Z/24" - so your development servers will be accessed directly without proxy. This way you can still use your /etc/hosts trick.