LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices


Reply
  Search this Thread
Old 03-19-2019, 05:02 PM   #1
iacchi
LQ Newbie
 
Registered: Oct 2011
Location: Uppsala, SE
Distribution: Debian testing
Posts: 14

Rep: Reputation: Disabled
SSL headache: not provided only within LAN. Help!


Hello,
I run a nas/webserver with OpenMediaVault. Until the end of February I was living in a different apartment, and my internet provider was X. On the machine I have installed nginx and I have a few websites running there, basically a main domain with subdomains (dns provided by cloudflare). A couple of subdomains don't go through the cloudflare "proxy", but directly to the server, so I have setup Let's Encrypt certs for those two subdomains, everything is working as intended.

On the first of March I moved to a new apartment and my internet provider is still X. I turn on the machine, I try to connect to one of the two subdomains that talk directly to my server and I obtain a nice "SSL_ERROR_RX_RECORD_TOO_LONG". Basically, no certificate is being sent to the browser. Keep in mind that I haven't changed anything on the machine, just switched it off and on again. I thought there was a problem with the certificate maybe, so I re-created it, but still no luck. I decide to have that subdomain go through the cloudflare proxy, and everything is working nicely again.
Another day I give it another try from work, I make the subdomain connect directly to my server again and I re-create the Let's Encrypt certificate. This time, I can see my website! I have no idea what was wrong before, but it's working and I'm fine with this. Except, when I reach home, I get that SSL error again. I have an illumination and I try to connect to my workplace's VPN and access the page again. This time, I can open the website.

So, basically, I can access my subdomain from everywhere in the world except when I'm at home, where the server resides. This is driving me crazy and I don't understand why. I mean, I'm not typing an IP address, I'm typing a domain name, so the request still needs to go through cloudfare's dns servers to be fulfilled (and even if it wasn't, what the heck), and it's not just managed within the lan, is it? Does anybody know what's going on? Also, it worked in the previous apartment!

If I run a traceroute to a subdomain that goes through the cloudflare proxy this is what I get:

Code:
 1  192.168.0.1 (192.168.0.1)  10.970 ms  9.065 ms  8.902 ms
 2  10.190.1.2 (10.190.1.2)  15.882 ms  17.315 ms  16.926 ms
 3  * * *
 4  mtc-peer-1-be2.net.comhem.se (213.200.162.34)  19.879 ms  20.748 ms
    nap-peer-1-be1.net.comhem.se (213.200.162.30)  20.401 ms
 5  * * *
 6  destination reached
If I run the same on the subdomain that is directly connected to the server I just get three * on all hops, I stopped the traceroute after 20 hops. As a final note, if I try to open the non-https version of the page (just plain http) it gets displayed correctly, so I can indeed reach the server also from within my apartment. It's just ssl that it's not working.

Last edited by iacchi; 03-19-2019 at 05:22 PM.
 
Old 03-20-2019, 03:13 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,536

Rep: Reputation: Disabled
Sounds like it could be a "hairpin NAT" issue.

When you connect to your domain from your local LAN, you're connecting to an external IP which is then presumably NATed by the router to the internal/private IP address of you web server, which presumably sits on the same (internal) subnet as the connecting client.

In order for such a setup to work properly, the router has to perform source NAT on packets originating from the local LAN, otherwise the return path will be incorrect (directly from the server to the client, rather than through the NATing router).

I assume you got a new router from your ISP when you moved to your new apartment? Could be your old router handled this scenario properly by default, while your new router doesn't.

Try creating an entry in the hosts file on the client, pointing the hostname to the internal (LAN) IP address rather than the external IP address of the router. If that works, you'll know for sure it's a NAT issue.

The solution would be either to edit the NAT rules in the router or set op a local DNS service on the LAN, directing local clients to the internal server IP rather than the external one. Alternatively, you could redesign your network and put the web server in a separate IP network, forcing all IP traffic through the router regardless of origin.
 
Old 03-20-2019, 03:27 AM   #3
iacchi
LQ Newbie
 
Registered: Oct 2011
Location: Uppsala, SE
Distribution: Debian testing
Posts: 14

Original Poster
Rep: Reputation: Disabled
Thank you for your reply. Indeed, it's a NAT loopback issue, as apparenty my new router does not support it (I managed to find the problem yesterday night, then I went straight to bed, I was going to update this thread in a minute). Editing the hosts file works, it's just weird that http doesn't have this issue, but only https does. This has been confirmed by others, however, so I guess it's just how the thing works. Unfortunately my router has very limited options, and I cannot swap it for another one (I could buy a new one and do double NAT, but I don't want to pat the price :P). For the moment I'll stick to editing the hosts file and I will look into this local DNS thing a bit more in detail, although my router also doesn't allow me to change default DNS servers, so I guess that would be a problem as well. Anyway, thank you for all the useful suggestions, I'll try to come up with something that works!
 
Old 03-20-2019, 04:14 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,536

Rep: Reputation: Disabled
Quote:
Originally Posted by iacchi View Post
it's just weird that http doesn't have this issue, but only https does.
This strongly suggests the router is transparently proxying (and potentially interfering with and/or spying on) all HTTP traffic.
Quote:
Originally Posted by iacchi View Post
I will look into this local DNS thing a bit more in detail, although my router also doesn't allow me to change default DNS servers, so I guess that would be a problem as well.
I'd get rid of that router altogether, if at all possible.

In some cases, an ISP will put their otherwise locked-down router in passthrough/bridge mode if you ask them nicely. You could then put another router behind it, and it would have your public IP directly on its WAN interface.

Last edited by Ser Olmy; 03-20-2019 at 04:15 AM.
 
Old 03-20-2019, 04:27 AM   #5
iacchi
LQ Newbie
 
Registered: Oct 2011
Location: Uppsala, SE
Distribution: Debian testing
Posts: 14

Original Poster
Rep: Reputation: Disabled
It's a cable modem, so hardly replaceable (in Sweden there are no laws that force ISPs to accept a different, retail router as in Germany and Italy), as I doubt my ISP will disclose all configuration parameters. Yes, bridging is an option, but to be honest I don't want to spend the money for a new router :P
I'll see what I can do with the ISP, or I will just keep things as they are. I just wished they wouldn't dumb down router firmwares this much...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Can only log into VSFTP from one IP on LAN (not others and not outside of LAN) DefiantPanda Linux - General 4 12-04-2018 10:20 PM
question: 'onclick' within 'onmouseover' within 'form' within 'table' - how is it possible? rblampain Programming 4 04-25-2017 08:49 PM
Can't see the image within selected Monitor (Picture provided of the problem) Nimai Linux - Software 0 12-07-2015 05:45 AM
Need HELP please-Ubuntu provided drivers vs. ATI official drivers smiley_lauf Ubuntu 2 02-12-2006 11:30 AM
Nedd HELP please-Ubuntu provided drivers vs. ATI official drivers smiley_lauf Ubuntu 1 02-11-2006 09:01 AM

LinuxQuestions.org > Forums > Non-*NIX Forums > General

All times are GMT -5. The time now is 05:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration