What's new

Access webGUI behind corporate firewall

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

giopas

Regular Contributor
Hi folks,

I have a situation :)

I used to connect to my router on port 18880 via a DynamicDNS. The problem is that very recently my corporate firewall/proxy restricted access to all ports other than 80 and 443.

Of course I already use ports 80 and 443 for Apache running on my NAS.

I have already set a Virtual Host on Apache, but it only forwards to http://router:18880, which is not accessible from behind my corporate firewall/proxy ("504 error: remote server did not respond to the proxy").

Have you got any idea how I could solve the issue? Any advice is really appreciated!

Thanks,

giopas
 
Hi folks,

I have a situation :)

I used to connect to my router on port 18880 via a DynamicDNS. The problem is that very recently my corporate firewall/proxy restricted access to all ports other than 80 and 443.

Of course I already use ports 80 and 443 for Apache running on my NAS.

I have already set a Virtual Host on Apache, but it only forwards to http://router:18880, which is not accessible from behind my corporate firewall/proxy ("504 error: remote server did not respond to the proxy").

Have you got any idea how I could solve the issue? Any advice is really appreciated!

Thanks,

giopas

If you search the forum, I believe there was a thread describing the installing of

http://www.rutschle.net/tech/sslh.shtml

on RT-N66U to basically multiplex known ports

SSH / OpenVPN / AiCloud etc.

all concurrently through a corporate firewall via single port 443.

Not sure if this technique is adaptable for your NAS port 18880 access?
 
Nginx (or lighttpd) proxy + domain name (second level):

nas.yourdomain.com
router.yourdomain.com
 
Last edited:
Can you elaborate more please? I already have Apache running on my nas and a virtual server pointing to the router with a simple php index
 
One way would be to move the NAS https interface from 443 to any other port (like 8443), then run a VPN server on port 443 of your router.
 
Is it possible to put a conditional nat rule in place based on your works ip address assuming it is static?
 
RMerlin, unfortunately I cannot access to a VPN from behind my corporate fw. Unless there is a way to use a VPN without having admin rights on win7...

Bilbo, yes I suppose my corporate IP is static. Where would I need to put that rule, and how knowing that both 80 and 443 ports are taken by the nas?
 
Folks realize that many enterprise/corporate firewalls specifically block outbound VPN for security reasons...

Esp. now days since the Sony hack and other corporate breaches..
 
Nginx (or lighttpd) proxy + domain name (second level):

nas.yourdomain.com
router.yourdomain.com

I think this approach will work. Worth doing a bit research how to set it up.

Also shall add SSL support. We don't want traffic into home LAN in clear text...
 
Hi folks,

for your information I solved with the built-in NAS apache server in the following way:

Code:
<VirtualHost *:80>
ServerName sub.domain.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
ProxyPreserveHost On
ProxyPass / http://192.168.1.1/
ProxyPassReverse / http://192.168.1.1/
ProxyStatus On
</VirtualHost>

The advantage is also that I can close port 18880 from the router as at the end the router thanks to the reverse proxy will be access through port 80 from the inside of the LAN and only leave open port 80 (which is used by other services as well).

giopas
 
Last edited:
Hi folks,

for your information I solved with the built-in NAS apache server in the following way:

Code:
<VirtualHost *:80>
ServerName sub.domain.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
ProxyPreserveHost On
ProxyPass / http://192.168.1.1/
ProxyPassReverse / http://192.168.1.1/
ProxyStatus On
</VirtualHost>

The advantage is also that I can close port 18880 from the router as at the end the router thanks to the reverse proxy will be access through port 80 from the inside of the LAN and only leave open port 80 (which is used by other services as well).

giopas

For added security, you could change "Allow from all" to only allow the IP address of your work.
 
Yes, once everything is well set, I could do this (but my fear is always to do not be able to access to it when I need it).

One more question: I have two apache servers (2.2.x and 2.4.x) running the first on port 80 and the second on port 88.

In particular, I use the second apache server to run a reverse proxy with web sockets connections (function which is not supported by apache 2.2.x). In practice I have a Virtual Host for this specific purpose that I can access going to sub.domain.com:88

My problem is that I would need to use port 80 also to access this Virtual Host (i.e. access the reverse proxy with a simple "sub.domain.com").

As I cannot dispose or upgrade the apache 2.2.x server, I have though about a possible (unlikely) solution:

if I set on the router the two following port forwarding rules:

Wan Port 80 <-> Local Port 80 of the IP of the apache 2.2.x server
Wan Port 80 <-> Local Port 88 of the IP of the apache 2.4.x server

would this make the trick or such rules would conflict each other?

I hope that the question is clear.

Thanks for your advice,

giopas
 
My problem is that I would need to use port 80 also to access this Virtual Host (i.e. access the reverse proxy with a simple "sub.domain.com").

I still believe you shall spend some time on post #3. I also would assert there is equivalent module in Apache where you could set up apache A to conditionally redirect to Apache B.
 
Hi kvic,

Probably I do not get the meaning of post #3. Could you please help me with it?

You speak about "conditionally redirect [Apache A] to Apache B". How should I do it? And most of all, how can I do it in a way that reverse proxy done on Apache B is not lost during redirection to/from Apache A?

The situation in fact is that Apache A (which is the main one and uses port 80) is older than Apache B (which runs the reverse proxy and uses port 88).

If I install Nginx (or lighttpd) or whatever other web server the situation does not change as port 80 is always used by Apache A... or am I wrong?

Thanks

ps: I tried the double port forwarding but (of course) it does not work.
 
You speak about "conditionally redirect [Apache A] to Apache B". How should I do it? And most of all, how can I do it in a way that reverse proxy done on Apache B is not lost during redirection to/from Apache A?

The situation in fact is that Apache A (which is the main one and uses port 80) is older than Apache B (which runs the reverse proxy and uses port 88).

Apache 2.2 seems also support mod_rewrite. https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top