Unable to use domains on my local network

natepichler

Dabbler
Joined
Feb 14, 2022
Messages
11
I have nginx reverse proxy running in a jail, as well as some other apps (nextcloud, home assistant, plex, etc.). The reverse proxy is set up with my domain and ssl. I have also made CNAME records for each of the apps under my domain.

My issue is that I can access plex.mydomain.net from outside my network, but not locally. I get a "connection has timed out" error from Firefox. This is the case for all of my apps.

On my local network, I can still use Plex at its local IP, 192.168.0.123:32400.

I figure this has something to do with how nginx is configured, but I'm getting stumped at this point.

Any ideas?


nginx.conf
Code:
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Redirect all HTTP traffic to HTTPS
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$host$request_uri;
    }
    include "active_subdomains.conf";
}

ssl-params.conf
Code:
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_ciphers #####-####-####
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

resolver 192.168.0.1;


proxy-params.conf
Code:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;


plex.mydomain.net.conf
Code:
server {
        listen 443 ssl;

        server_name plex.mydomain.net;
        access_log /var/log/nginx/plex.access.log;
        error_log /var/log/nginx/plex.error.log;

        include chunks/mydomain.net.cert.conf;
        include chunks/ssl-params.conf;

        location / {
                include chunks/proxy-params.conf;
                proxy_pass http://192.168.0.123:32400;
        }
}
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
What does plex.mydomain.net resolve to?

If it's a public IP address, which it should be, can you reach THAT IP address from Firefox? (answer is: probably not)

In this case, it seems like your NAT gateway (the device people mistakenly refer to as a "router" but isn't) is not handling hairpin NAT. This is an edge case many NAT devices fail to handle correctly.

If this is the case, you can stop looking at nginx and start looking at your "router" documentation to see if it's fixable, or if you need a better NAT gateway.
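The three questions in the reply above (what does the name resolve to, is that address reachable from inside, is the proxy reachable on its LAN address) can be turned into a small triage script. This is an added example, not code from the original post: it takes the hostname and the nginx jail's LAN address on the command line (the thread never states the jail's address, so 192.168.0.50 below is an assumption), resolves the name with the host's own resolver, and attempts a TCP handshake over both paths. A LAN-side success paired with a public-address timeout is the hairpin NAT signature; a LAN-side failure means nginx or the jail networking should be looked at first.

```python
"""Quick triage for "my own domain works from outside but times out on the
LAN": separates a hairpin-NAT failure from an nginx problem.

Added example, not code from the original post. Assumes the proxy's LAN
address and the hostname are passed on the command line; the name is
resolved with whatever resolver the host is configured to use.
"""
import ipaddress
import socket
import sys


def classify_address(ip: str) -> str:
    """Return 'loopback', 'private' or 'public' for an IPv4/IPv6 literal.

    A name that already resolves to a private address means some
    split-horizon override is in effect, so the hairpin question does
    not even arise.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout.

    A timeout here is the same symptom Firefox reports as
    'connection has timed out': SYN sent, nothing comes back.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(resolved_kind: str, public_ok: bool, lan_ok: bool) -> str:
    """Map the three observations onto the most likely cause."""
    if resolved_kind != "public":
        return ("name resolves to a non-public address: a DNS override is "
                "already in place, make sure it points at the proxy")
    if lan_ok and not public_ok:
        return ("hairpin NAT: the proxy answers on its LAN address but the "
                "public address is unreachable from inside, look at the "
                "NAT gateway, not nginx")
    if not lan_ok:
        return ("proxy is not reachable on its LAN address: check the jail's "
                "networking and that nginx listens on 443 before touching "
                "the router")
    return ("public address reachable from the LAN: hairpin NAT works, so "
            "check server_name, the certificate chunk and the jail firewall")


def run_checks(hostname: str, lan_proxy_ip: str, port: int = 443) -> dict:
    """Resolve the name, probe both paths and return the verdict."""
    resolved = socket.gethostbyname(hostname)
    kind = classify_address(resolved)
    public_ok = tcp_reachable(resolved, port) if kind == "public" else False
    lan_ok = tcp_reachable(lan_proxy_ip, port)
    return {
        "resolved": resolved,
        "kind": kind,
        "public_reachable": public_ok,
        "lan_reachable": lan_ok,
        "verdict": diagnose(kind, public_ok, lan_ok),
    }


if __name__ == "__main__":
    # Usage: python3 hairpin_check.py plex.mydomain.net 192.168.0.50
    # (192.168.0.50 is an assumed address for the nginx jail; the thread
    # never states it.)
    if len(sys.argv) != 3:
        sys.exit("usage: hairpin_check.py <hostname> <lan-proxy-ip>")
    for key, value in run_checks(sys.argv[1], sys.argv[2]).items():
        print(f"{key:18} {value}")
```

Run it from a LAN client, not from the TrueNAS host itself: a probe from the box that hosts the proxy can succeed over loopback paths that a desktop on the same subnet never takes.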
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Also sometimes called NAT reflection (for example in pfSense).

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> Also sometimes called NAT reflection (for example in pfSense).

Mmm.

Because we have this thing called hairpin routing in the IP world... ponders "reflection routing"... which is a dumb term because it would be confused with "route reflector", a BGP thing... so, well, yay for pfSense apparently inventing an idiotic term.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Just to potentially grinch you up a bit more, I see Unifi users also calling it something else... NAT Loopback
 

natepichler

Dabbler
Joined
Feb 14, 2022
Messages
11
Thanks all,

My modem/router is a Netgear C7000v2. As far as I can tell, it doesn't have any NAT settings that I can change from the web UI.

In looking up this issue with NAT, I found some information on port forwarding, say 32400, to the TrueNAS IP.

That said, I woke up this morning and I could access everything on my local network using my domain, despite having changed nothing since last night.

I'll see how long this lasts, but I have my doubts that this is actually fixed.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Make sure that your NAS is wired to a static IP address, and that the port forwarding target is that IP address. These are the things I suspect are most likely to go awry.
 

natepichler

Dabbler
Joined
Feb 14, 2022
Messages
11
> Make sure that your NAS is wired to a static IP address, and that the port forwarding target is that IP address. These are the things I suspect are most likely to go awry.
My NAS has a static IP. Would setting up port forwarding to the IP of my reverse proxy be any different?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
My opinion is that anything that is infrastructure, servers, etc., should have a static IP. This prevents things from mysteriously moving around and breaking.
 

Liquefier

Cadet
Joined
Apr 11, 2020
Messages
3
I got a similar issue when I wanted to access the internal server using a URL with TLS activated from inside the LAN. The reason is that it is resolved to the external IP and not to the local server IP.
I solved it with a pfSense DNS setting. On the DNS Resolver, set a "DNS Override" for the server name and domain. Then override it with the local IP of the server.
If you then open the browser and enter the URL from inside the LAN, the DNS override will point it directly to the local server.
If you make the certificate based on DNS, it is checked and validated by the local server and you get the green lock sign in the browser.
Remark: I did it also for the internal GUI of TrueNAS with a certificate from Let's Encrypt, even if the GUI is not accessible from outside. ACME from pfSense is doing the cert renewal with copy to TrueNAS while the DNS override is working from the LAN.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Another way of doing it would be to add a host override in your hosts file on the machine you're on that points to the IP address of the proxy server. Downside to that is it only works on the machine with the modified hosts file. I had to do this recently with my desktop here at home when my domains mysteriously stopped resolving because my ISP is run by a bunch of idiots.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> I solved it with pfSense DNS setting. On the DNS resolver set an "DNS Override" for the Server name and Domain. Then override it with the local IP of the Server.

I've never been able to get this to work in pfSense no matter what I've tried. The hosts file hack I posted above is what it took to get things working for me.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> I solved it with pfSense DNS setting. On the DNS resolver set an "DNS Override" for the Server name and Domain.
This really is the answer. And if your router is too dumb to have such a setting (I'm looking at you, Unifi), a small VM running Pi-Hole will do the job nicely.
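The override approach from the last three replies (a pfSense/Unbound host override, or a hosts-file entry on one machine) has one trap worth checking for: every app name must point at the reverse proxy, not at the app, because the proxy is where the TLS listener and the certificate live; an entry that sends plex.mydomain.net to Plex's own address produces the same timeout on port 443 as hairpin NAT did. The script below is an added example, not code from any of the posts. It assumes an nginx jail at 192.168.0.50 (the thread never gives that address) and a list of app subdomains, parses a constructed sample hosts file to find missing or wrongly targeted overrides, emits the same overrides as hosts(5) lines and as Unbound local-data entries (the form pfSense's DNS Resolver uses), and can verify that the certificate served over the LAN path validates for the public name, which is what gives the browser its lock icon.

```python
"""Plan and check LAN-side DNS overrides so clients inside the network reach
the reverse proxy directly instead of the public address.

Added example, not code from the posts. The proxy address 192.168.0.50 and
the subdomain list are assumptions; HOSTS_SAMPLE is constructed input, not
anyone's real file.
"""
import ipaddress
import socket
import ssl

PROXY_IP = "192.168.0.50"            # assumed LAN address of the nginx jail
DOMAIN = "mydomain.net"
APPS = ["plex", "nextcloud", "homeassistant"]

HOSTS_SAMPLE = """\
# constructed sample hosts(5) file
127.0.0.1      localhost
192.168.0.123  plex.mydomain.net    # stale: points at Plex itself, not the proxy
"""


def plan_overrides(subdomains, domain, proxy_ip):
    """Return {fqdn: ip} for every app, all pointing at the proxy.

    The proxy address must be private: an override to a public address
    would just recreate the hairpin problem the override is meant to avoid.
    """
    if not ipaddress.ip_address(proxy_ip).is_private:
        raise ValueError(f"{proxy_ip} is not a LAN address")
    return {f"{name}.{domain}": proxy_ip for name in subdomains}


def parse_hosts(text):
    """Parse hosts(5) text into {name: ip}.

    Resolvers use the first matching line, so the first entry wins here too.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def compare(hosts_map, plan):
    """Return (missing, conflicting): names absent from the file, and names
    present but pointing somewhere other than the proxy."""
    missing = [fqdn for fqdn in plan if fqdn not in hosts_map]
    conflicting = [(fqdn, hosts_map[fqdn]) for fqdn in plan
                   if fqdn in hosts_map and hosts_map[fqdn] != plan[fqdn]]
    return missing, conflicting


def hosts_lines(plan):
    """Lines to append to /etc/hosts (the per-machine fix)."""
    return [f"{ip}\t{fqdn}" for fqdn, ip in sorted(plan.items())]


def unbound_local_data(plan):
    """The same overrides as Unbound local-data entries (the network-wide fix)."""
    return [f'local-data: "{fqdn}. IN A {ip}"' for fqdn, ip in sorted(plan.items())]


def cert_valid_via_lan(fqdn, proxy_ip, port=443):
    """Connect to the proxy's LAN address with SNI set to the public name and
    let the default context verify chain and hostname. True means the
    override gives the browser the same lock icon as the public path."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((proxy_ip, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn):
                return True
    except OSError:          # ssl.SSLCertVerificationError is an OSError too
        return False


if __name__ == "__main__":
    plan = plan_overrides(APPS, DOMAIN, PROXY_IP)
    missing, conflicting = compare(parse_hosts(HOSTS_SAMPLE), plan)
    print("missing overrides:", missing)
    print("wrong target:     ", conflicting)
    print("\n".join(hosts_lines(plan)))
    print("\n".join(unbound_local_data(plan)))
```

The network-wide form is preferable to editing hosts files because the HSTS header in ssl-params.conf (two-year max-age) makes browsers refuse plain HTTP for these names once seen; a machine whose hosts file was never updated keeps timing out on 443 with no fallback.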
 