How to stop remote access

Ok I guess I’m going to need to do more research on this. I can’t find any settings except dynamic DNS which I believe just acts as a middleman between the router and ISP. I can’t find any information on the Orbi router having that capability either. I will need to see what other methods are available.

You could look into running a DNS server on the Pi itself.

Unbound or dnsmasq are the software packages you’ll probably be looking at for this purpose.

In this setup, you’d run the DNS resolver on the Pi, and you’d edit your router’s DHCP to issue the Pi’s local IP address as the first DNS resolver on the list (followed by itself, followed by a public resolver).

Once that’s done, your clients will check with the Pi’s resolver first. You can then set overrides in the Pi’s DNS resolver that produce LAN addresses for the internal site, at which point you should be smooth sailing.
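As an added illustration of the override described above (not config from the thread or from the dnsmasq project), this is what the Pi-side dnsmasq fragment would look like, assuming the Pi sits at 192.168.1.10, the public name is mydomain.duckdns.org, and the file path is your own choice:

```conf
# /etc/dnsmasq.d/lan-overrides.conf  (assumed path; any file in dnsmasq.d is read)

# Answer the public DuckDNS name with the Pi's LAN address instead of the
# ISP-facing address. An address= rule matches the name AND every subdomain
# under it, so app1.mydomain.duckdns.org etc. resolve to the Pi as well.
address=/mydomain.duckdns.org/192.168.1.10

# Only answer on loopback and the LAN interface address, never on anything
# the router might expose; bind-interfaces makes that explicit.
listen-address=127.0.0.1,192.168.1.10
bind-interfaces

# Ignore /etc/resolv.conf and forward everything else to explicit upstream
# public resolvers (addresses are examples; pick the ones you trust).
no-resolv
server=1.1.1.1
server=9.9.9.9

# Do not forward bare hostnames or reverse lookups for private ranges upstream.
domain-needed
bogus-priv
```

After restarting dnsmasq, `dig @192.168.1.10 app1.mydomain.duckdns.org` from a LAN client should return 192.168.1.10, while the same query against a public resolver still returns the ISP address.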

I’ll play with it tomorrow. dnsmasq fails to start at install. Seems like a common problem. I’ll need to figure out why and get it to work for me. I tried a manual restart and no luck. Once I get that figured out I’ll let you know the results of accessing Portainer internally.

Ok I think it’s working now. Took some serious learning about DNS and IP addresses but I believe I have it figured out. Here is my Caddyfile:

mydomain.duckdns.org {
  log
  @internal {
    remote_ip 192.168.0.0/16
  }
  handle @internal {
    reverse_proxy 127.0.0.1:9000
  }
  respond 403
}
app1.mydomain.duckdns.org {
  reverse_proxy 127.0.0.1:8096
}
app2.mydomain.duckdns.org {
  reverse_proxy 127.0.0.1:81
}

And here is my log:

2020/05/14 15:52:18.433 INFO http.log.access handled request {"request": {"method": "GET", "uri": "/web/components/serviceworker/notifications.js", "proto": "HTTP/2.0", "remote_addr": "192.168.1.18:56080", "host": "redacted.redacted.duckdns.org", "headers": {"Sec-Fetch-Mode": ["no-cors"], "Accept-Language": ["en-US,en;q=0.9"], "Sec-Fetch-Dest": ["script"], "Referer": ["https://redacted.redacted.duckdns.org/web/serviceworker.js"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"], "Accept-Encoding": ["gzip, deflate, br"], "If-Modified-Since": ["Sun, 26 Apr 2020 19:25:03 GMT"], "Accept": ["*/*"], "Sec-Fetch-Site": ["same-origin"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "redacted.redacted.duckdns.org"}}, "common_log": "192.168.1.18 - - [14/May/2020:11:52:18 -0400] \"GET /web/components/serviceworker/notifications.js HTTP/2.0\" 304 0", "duration": 0.003564847, "size": 0, "status": 304, "resp_headers": {"Content-Type": ["application/x-javascript"], "Cache-Control": ["public"], "Access-Control-Allow-Methods": ["GET, POST, PUT, DELETE, PATCH, OPTIONS"], "Access-Control-Allow-Origin": ["*"], "Content-Length": ["0"], "Access-Control-Allow-Headers": ["Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, X-MediaBrowser-Token, X-Emby-Authorization"], "Date": ["Thu, 14 May 2020 15:52:18 GMT"], "Server": ["Caddy", "Microsoft-NetCore/2.0, UPnP/1.0 DLNADOC/1.50"], "Last-Modified": ["Sun, 26 Apr 2020 19:25:03 GMT"], "Age": ["1542435"]}}

2020/05/14 15:52:26.233 INFO http.log.access handled request {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "192.168.1.18:56085", "host": "redacted.redacted.duckdns.org", "headers": {"Sec-Fetch-Site": ["none"], "Sec-Fetch-Mode": ["navigate"], "Sec-Fetch-User": ["?1"], "Sec-Fetch-Dest": ["document"], "Accept-Encoding": ["gzip, deflate, br"], "Accept-Language": ["en-US,en;q=0.9"], "Cookie": ["X-OPENMEDIAVAULT-SESSIONID=m49mekkl7uuvun0v5ii3v0pa21"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "redacted.redacted.duckdns.org"}}, "common_log": "192.168.1.18 - - [14/May/2020:11:52:26 -0400] \"GET / HTTP/2.0\" 200 1255", "duration": 0.095561712, "size": 1255, "status": 200, "resp_headers": {"Expires": ["Thu, 19 Nov 1981 08:52:00 GMT"], "Pragma": ["no-cache"], "Content-Security-Policy": ["default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"], "Content-Encoding": ["gzip"], "Cache-Control": ["no-store, no-cache, must-revalidate"], "X-Content-Type-Options": ["nosniff"], "X-Frame-Options": ["SAMEORIGIN"], "Date": ["Thu, 14 May 2020 15:52:26 GMT"], "X-Xss-Protection": ["1; mode=block"], "Server": ["Caddy", "nginx"], "Content-Type": ["text/html; charset=UTF-8"]}}

2020/05/14 16:01:51.059 INFO http.log.access handled request {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "174.226.13.128:10134", "host": "app2.mydomain.duckdns.org", "headers": {"Cookie": ["X-OPENMEDIAVAULT-SESSIONID=ug4st9issdo490u3u703g4vk85"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"], "User-Agent": ["Mozilla/5.0 (iPhone; CPU iPhone OS 13_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/71.0.3578.89 Mobile/15E148 Safari/605.1"], "Accept-Language": ["en-us"], "Accept-Encoding": ["gzip, deflate, br"]}, "tls": {"resumed": true, "version": 772, "ciphersuite": 4867, "proto": "h2", "proto_mutual": true, "server_name": "app2.mydomain.duckdns.org"}}, "common_log": "174.226.13.128 - - [14/May/2020:12:01:51 -0400] \"GET / HTTP/2.0\" 200 1255", "duration": 0.088420754, "size": 1255, "status": 200, "resp_headers": {"Server": ["Caddy", "nginx"], "Date": ["Thu, 14 May 2020 16:01:51 GMT"], "Content-Type": ["text/html; charset=UTF-8"], "Content-Encoding": ["gzip"], "X-Xss-Protection": ["1; mode=block"], "Cache-Control": ["no-store, no-cache, must-revalidate"], "Pragma": ["no-cache"], "Content-Security-Policy": ["default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"], "X-Frame-Options": ["SAMEORIGIN"], "Expires": ["Thu, 19 Nov 1981 08:52:00 GMT"], "X-Content-Type-Options": ["nosniff"]}}

So from the way the Caddyfile is set up I can access mydomain.duckdns.org (Portainer in my case) locally but I only get a blank screen on my iPhone when not connected to wifi. App1 (Jellyfin) and App2 (OMV) both load fine internally and externally.

Please let me know if there’s a better way to set up the Caddyfile. I was trying to use the wildcard feature but couldn’t figure out exactly how to. Either way this seems to be working fine now.

I swear this home network project has been sending me down one rabbit hole into the next. I’m pretty simpleminded when it comes to computers so I feel like I’m trying to remember the numbers in the Matrix as they flow down the screen.

One last thing. How do I put logs/codes and other command prompt stuff into one of those scrolling boxes on this forum so my post doesn’t go on forever?

Thanks again for all the help.

Cool, looks good!

What wildcard feature are you referring to, exactly?

Other than that, your Caddyfile looks quite efficient!

If you wanted to be super pedantic, you could reduce the line count by inverting the matcher logic. Because respond operates before reverse_proxy does (see: Caddyfile Directives — Caddy Documentation), you can rely on it to terminate the request before the proxy happens. The line count is reduced because you don’t need to open a handle block for the reverse proxy to “beat” the responder.

example.com {
  @external {
    not remote_ip 192.168.0.0/16
  }
  respond @external 403
  reverse_proxy 127.0.0.1:9000
}

But the downside there is where your current logic is more safe (it only allows access if it confirms an internal remote), the other is technically less safe (it only denies access if it confirms external remote). The same in practice, perhaps, but the difference is accessible-by-default vs. inaccessible-by-default. I’d probably just keep what you have.

Welcome to IT as a hobby! :joy:

Inline code like this is done by quoting with single backticks (`) either side of the text.

Entire scrolling blocks can be created with triple backticks (```) like so (the text part just disables any syntax highlighting, it’s not necessary):

[image]

Or you can select all the code/log/whatever text and hit this button on the editor:

[image]

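An added example (my code, not from the thread or from Caddy) that turns the point above into a check you can run against the Caddy JSON access log: the Portainer host must never answer a non-LAN client with anything but 403. The log lines are constructed, shortened copies of the entries posted above; the LAN range and the internal-only host list mirror the Caddyfile.

```python
import ipaddress
import json

# Constructed Caddy v2 access-log lines in the same shape as the thread's
# entries, trimmed to the fields the audit reads. The last line is a planted
# failure: the internal-only host answered an outside address with 200.
SAMPLE_LOG = """\
2020/05/14 15:52:26.233 INFO http.log.access handled request {"request": {"remote_addr": "192.168.1.18:56085", "host": "mydomain.duckdns.org", "uri": "/"}, "status": 200}
2020/05/14 16:01:51.059 INFO http.log.access handled request {"request": {"remote_addr": "174.226.13.128:10134", "host": "app2.mydomain.duckdns.org", "uri": "/"}, "status": 200}
2020/05/14 16:03:10.101 INFO http.log.access handled request {"request": {"remote_addr": "174.226.13.128:10140", "host": "mydomain.duckdns.org", "uri": "/"}, "status": 403}
2020/05/14 16:04:00.500 INFO http.log.access handled request {"request": {"remote_addr": "174.226.13.128:10141", "host": "mydomain.duckdns.org", "uri": "/api/"}, "status": 200}
"""

LAN = ipaddress.ip_network("192.168.0.0/16")   # same range as the remote_ip matcher
INTERNAL_ONLY = {"mydomain.duckdns.org"}        # Portainer: LAN clients only


def client_ip(remote_addr):
    """Strip the port from Caddy's remote_addr ("ip:port" or "[v6]:port")."""
    host, _, _ = remote_addr.rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))


def parse_caddy_log(text):
    """Yield (remote_addr, host, status) for each 'handled request' line."""
    marker = "handled request "
    for line in text.splitlines():
        if marker not in line:
            continue
        entry = json.loads(line.split(marker, 1)[1])
        req = entry["request"]
        yield req["remote_addr"], req["host"], entry["status"]


def find_leaks(text, internal_only=INTERNAL_ONLY, lan=LAN):
    """Return every (remote_addr, host, status) where an internal-only host
    served a client outside the LAN range with a status other than 403."""
    leaks = []
    for remote_addr, host, status in parse_caddy_log(text):
        if host not in internal_only or status == 403:
            continue
        if client_ip(remote_addr) not in lan:
            leaks.append((remote_addr, host, status))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print("internal-only host served outside the LAN:", leak)
```

An IPv6 LAN client (a ULA like fd00::/8) is outside 192.168.0.0/16 and so would be both blocked by the matcher and flagged here; extend LAN and the matcher together if that applies to your network.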

I’ll look into it. I do prefer safer though.

The one used for sub-subdomains. *.mydomain.duckdns.org. But also looking at what I have setup I don’t see why I would need it either. I found some Caddy v1 examples but they didn’t work for me.

Once I’m done with finishing up Caddy I plan on trying to get OpenVPN or WireGuard set up and I’m sure that’ll take up some of my quarantine time too.

For wildcard domains, you need DNS validation or On-Demand TLS. The former gets you a wildcard certificate. The latter negotiates individual certificates for hostnames as requests come in for them.

tls (Caddyfile directive) — Caddy Documentation

Once you’ve got one of those running, you’d then use matchers to check which host matched and route the visitor through a reverse proxy based on that result.

It’s a different beast to v1, for sure.


Awesome I’ll do some reading on that and see what’s better for me. Thanks again for all the help.
