I am new to this stuff so please be gentle.
I am using skynet also - if that is relevant, but I tried disabling it and no diff.
I have nginx installed on my MERLIN ROUTER and it's working and redirecting to my hosts from the LAN only; as it is all fine on the LAN, I assume my config is all good.
I am using SSL port 9443, not the default. Port 80/443 are in use by the router and I don't need to use them, plus some ISPs block these also, so I chose 9443.
I am having trouble accessing this port from outside. A port checker on the net says it is blocked.
The SSL Sophos headers check says 'taking too long' - same issue as the port not being there, I guess.
I have tried a port forward in Merlin: source IP blank, port range 9443, local IP 192.168.1.1, local port 9443, TCP.
Much googling said to do this in the firewall (which I am not sure is in ADDITION to a port forward, or instead of it): add a firewall rule to /jffs/scripts/firewall-start and restart:
iptables -t filter -A INPUT -p tcp --dport 9443 -j ACCEPT
I have spent many hours on this, but a port checker on the net always says 9443 is not open.
I have another direct open service on 8920 that is working, but that will be replaced with this reverse proxy once I get it working.
The key nginx script is below, but this is, as I said, working fine when run on the LAN; I just can't access it remotely.
Thanks in advance.
server {
    listen [::]:9443 ssl;
    listen 9443 ssl;
    server_name commented-out;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /opt/etc/nginx/cert.pem;
    ssl_certificate_key /opt/etc/nginx/cert.key;
    ssl_session_cache shared:SSL:10m;
    #add_header Public-Key-Pins '
    #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE=";
    #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg=";
    #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys=";
    #max-age=86400; includeSubDomains';
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header X-Powered-By;
    add_header 'Referrer-Policy' 'no-referrer';
    add_header Content-Security-Policy "frame-ancestors vaise.asuscomm.com;";
    location / {
        proxy_pass http://192.168.1.10:8096;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
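An added example (not code from the original post) of the firewall-start rule the post mentions, written so it opens 9443 only on the WAN interface and can be re-run without stacking duplicate rules. It assumes Asuswrt-Merlin passes the WAN interface name as the script's first argument and lets IPTABLES be overridden (e.g. IPTABLES=echo) for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: a /jffs/scripts/firewall-start
# fragment for Asuswrt-Merlin that opens the nginx port (9443) for TCP on the
# WAN interface only, and is safe to run repeatedly.
# Assumptions: Merlin invokes firewall-start with the WAN interface name as $1;
# IPTABLES may be overridden (e.g. IPTABLES=echo) for a dry run.

IPTABLES="${IPTABLES:-iptables}"
NGINX_PORT="${NGINX_PORT:-9443}"
RULE_ACTION=""

# One definition of the rule body, so the check (-C) and insert (-I) calls
# describe exactly the same rule. Binding it to the WAN interface leaves LAN
# traffic untouched and opens the port only where it is actually needed.
rule_spec() {
    # $1 = WAN interface, $2 = TCP port
    printf '%s' "INPUT -i $1 -p tcp --dport $2 -j ACCEPT"
}

# Insert the ACCEPT rule only if it is not already there. firewall-start is
# re-run every time the router rebuilds its firewall, and a plain "-A" on
# each run would stack duplicate rules. "-I" puts the rule at the top of
# INPUT, ahead of any final drop rule that an appended rule might never reach.
ensure_input_rule() {
    wan_if="$1"; port="$2"
    # shellcheck disable=SC2046  (word splitting of the rule spec is intended)
    if "$IPTABLES" -C $(rule_spec "$wan_if" "$port") 2>/dev/null; then
        RULE_ACTION="present"
        return 0
    fi
    "$IPTABLES" -I $(rule_spec "$wan_if" "$port")
    RULE_ACTION="inserted"
}

# Self-check usable from the router shell: is the rule already in INPUT?
# Returns 0 if present, 1 otherwise.
is_open() {
    "$IPTABLES" -C $(rule_spec "$1" "$2") 2>/dev/null
}

if [ -n "$1" ]; then
    ensure_input_rule "$1" "$NGINX_PORT"
fi
```

After a firewall restart, `iptables -S INPUT | head` on the router should show the ACCEPT rule near the top; the rule is separate from any port forward, which only matters for traffic destined to a LAN host rather than to the router itself.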