Can't access my reverse proxy services inside my local network

Nabukodonosor · 26. April 2024

OK, this will be my last attempt to fix this issue. After this I'm giving up.

So, I have some docker containers running also via reverse proxy and that works great. I'm using swag and duckdns. They work fine on my phone over mobile network. But as soon as I try them on my local network, on my PC, it doesn't work. My OMV is on 192.168.0.111. If I ping any of those services from my PC I get this:

Screenshot

Mit Lightshot geschossen

prnt.sc

This is my duckdns docker:

Code

services:
  duckdns:
    image: linuxserver/duckdns:latest
    container_name: duckdns
    networks:
      my-net:
    environment:
      - PUID=$PUID #optional
      - PGID=$PGID #optional
      - TZ=$TZ
      - SUBDOMAINS=$DOMAINS
      - TOKEN=$TOKEN
      - LOG_FILE=false #optional
    volumes:
      - CHANGE_TO_COMPOSE_DATA_PATH/duckdns:/config #optional
    restart: unless-stopped
networks:
  my-net:
    external: true

Alles anzeigen

My swag:

Code

services:
  swag:
    image: linuxserver/swag:latest
    container_name: swag
    networks:
      my-net:
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
      - URL=$URL
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      # - DNSPLUGIN=cloudflare #optional
      - DUCKDNSTOKEN=$TOKEN #optional
      - EMAIL=myemail@gmail.com #optional
      - ONLY_SUBDOMAINS=true #optional
      # - EXTRA_DOMAINS= `#optional`
      - STAGING=false #optional
    volumes:
      - CHANGE_TO_COMPOSE_DATA_PATH/swag:/config
      - CHANGE_TO_COMPOSE_DATA_PATH/vaultwarden/vw-data/log/vaultwarden.log:/config/log/vaultwarden/vaultwarden.log
    ports:
      - 450:443
      - 82:80 #optional
      - 81:81 # swag-dashboard
    restart: unless-stopped
networks:
  my-net:
    external: true

Alles anzeigen

And for example my vaultwarden:

Code

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    networks:
      my-net:
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=996
      - PGID=100
      - TZ=Europe/Belgrade
      - WEBSOCKET_ENABLED=true  # Enable WebSocket notifications.
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=hidden
      #- LOG_FILE=data/log/vaultwarden.log
      #- LOG_LEVEL=info
      - DOMAIN:https://vaultwarden.hidden.duckdns.org
    volumes:
      - CHANGE_TO_COMPOSE_DATA_PATH/vaultwarden/vw-data/:/data:rw
    ports:
      - 8445:80
    restart: always
networks:
  my-net:
    external: true

Alles anzeigen

my vaultwarden proxy-conf:

Code

## Version 2023/11/12
# make sure that your vaultwarden container is named vaultwarden
# make sure that your dns has a cname set for vaultwarden
# if you are using bitwarden (the official image), use the bitwarden conf
# if you are using vaultwarden (an unofficial implementation), use the vaultwarden conf
#
# vaultwarden defaults to port 80 and can be changed using the environment variable ROCKET_PORT on the vaultwarden container

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name vaultwarden.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 128M;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app vaultwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ ^(/vaultwarden)?/admin {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app vaultwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ (/vaultwarden)?/api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app vaultwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ (/vaultwarden)?/notifications/hub {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app vaultwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

Alles anzeigen

I have a modem from my ISP, it's address is 192.168.1.1 and and WiFi router on 192.168.0.1

Router:

Screenshot

Mit Lightshot geschossen

prnt.sc

Modem:

Screenshot

Mit Lightshot geschossen

prnt.sc

Any ideas what could be the issue here?

chente · 26. April 2024

Zitat von Nabukodonosor

They work fine on my phone over mobile network. But as soon as I try them on my local network, on my PC, it doesn't work.

"Hairpinning" could be the problem, depending on the features of your router. https://en.wikipedia.org/wiki/…anslation#NAT_hairpinning

In my case I solved it with a local DNS server. For example pihole could work.

Nabukodonosor · 26. April 2024

I tried finding that hairpining thing in my router, but no luck. My router is TP-Link WR1043ND. It should have NAT loopback by default.

gderf · 26. April 2024

Zitat von Nabukodonosor

I tried finding that hairpining thing in my router, but no luck. My router is TP-Link WR1043ND. It should have NAT loopback by default.

Hairpining is NAT loopback.

Nabukodonosor · 26. April 2024

I know. That's why I said my router should have it enabled by default.

chente · 26. April 2024

Zitat von Nabukodonosor

It should have NAT loopback by default.

I don't see anything here about NAT Loopback, but I could be wrong. https://www.tp-link.com/es/hom…-wr1043nd/#specifications

It seems that that router supports OpenWRT. https://openwrt.org/toh/tp-link/tl-wr1043nd

If you dare to install it, I would ask in the OpenWRT forum if that would solve your NAT Loopback problem.

Nabukodonosor · 26. April 2024

I really don't dare to do it, I don't want to mess up my network even more.

chente · 26. April 2024

Zitat von Nabukodonosor

I really don't dare to do it, I don't want to mess up my network even more.

In that case pihole (or any other DNS server) could be the solution.

Soma · 26. April 2024

Exposing port 8445 of vaultwarden and not changing the reverse-proxy doesn't help.

Nabukodonosor · 26. April 2024

What do you mean? If you mean that I didn't change port 80 to 8445 in the proxy-conf, that wouldn't help. For example sonarr, port in docker is 8989:8989, and in the proxy-conf 8989, and still doesn't work.

Nabukodonosor · 28. April 2024

Zitat von chente

In that case pihole (or any other DNS server) could be the solution.

OK, I've deployed Pi-Hole. My compose is below. How can I now setup that DNS thingy?

Code

---
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    hostname: pihole
    domainname: $URL
    labels:
      - com.centurylinklabs.watchtower.monitor-only=true
    networks:
      MyMacVlan:
        ipv4_address: 192.168.0.112
    dns:
      - 127.0.0.1
      - 1.1.1.1
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 8880:80/tcp
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
      - WEBPASSWORD:hidden
      - FTLCONF_LOCAL_IPV4=192.168.0.112
      - DNS1=1.1.1.1
      - DNS2=1.0.0.1
      - IPv6=false
      - VIRTUAL_HOST=pihole.$URL
    volumes:
      - CHANGE_TO_COMPOSE_DATA_PATH/pihole/etc-pihole:/etc/pihole
      - CHANGE_TO_COMPOSE_DATA_PATH/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
networks:
  MyMacVlan:
    external: true

Alles anzeigen

chente · 28. April 2024

Zitat von Nabukodonosor

I've deployed Pi-Hole. My compose is below. How can I now setup that DNS thingy?

No idea, I've never used pihole but I guess you'll have everything you need here. https://pi-hole.net/

Can't access my reverse proxy services inside my local network

Jetzt mitmachen!

Ähnliche Themen

NPM proxied hosts not accessible until I access the NPM management interface