Intranet Penetration and Reverse Proxy

Introduction

Recently, I finally figured out how to use nginx for reverse proxy, and I find that nginx is truly amazing!

In my previous post "Make a NAS with OrangePi Zero3", I deployed a private cloud drive (Cloudreve) and the cloud album (MT-Photos) on my NAS, and I used DDNS-GO so that I could access them using a "domain + port" combination. However, my NAS only has a public IPv6 address. And it is both inconvenience and unsafe to add an extra port when accessing it via a browser. To solve the first issue, I use "frp" for intranet penetration. To address the second issue, I use Nginx for "reverse proxy". (I'll explain what intranet penetration and reverse proxy is shortly)

1️⃣ frp^[1]

1.1 Intranet penetration

Intranet penetration (NAT traversal) is a technology used to enable devices within a local area network (LAN) to be accessed by external networks. It addresses the issue where devices in a LAN are typically not directly exposed to the public network and is commonly used for remote access, service deployment, or setting up test environments.

Frp is a powerful and easy-to-use tool for intranet penetration. We can download it on github releases. Then, run frpc on the client and run frps on the server (Yes, you need a server with public ip address of course).

1.2 Config of frps (server)

# frps.toml

bindPort = 7000 # listening port
vhostHTTPSPort = 8000 # https port
auth.method = "token" # use token for authentication
auth.token = "Set_To_Your_Token" # set to your token

1.3 Config of frpc (client)

# frpc.toml

serverAddr = "xx.xx.xx.xx" # set to the ip address of your server
serverPort = 7000 # same as bindPort in frps.toml
auth.method = "token"
auth.token = "Set_To_Your_Token" # same as bindPort in frps.toml

[[proxies]]
name = "name of your service"
type = "https"
localPort = 5212 # set to the port used by your service
customDomains = ["domain.com"] # set to your domain name

Under these configs, the local https service would be exposed to the public network. Then, we can access the services on the NAS from anywhere in the world!

However, we still need to add the port manually like https://domain.com:8000 (since the default port of https is 443). Then, let's learn to use nginx.

2️⃣ nginx^[2]

2.1 Forward Porxy & Reverse proxy^[3]

A forward proxy, often called a proxy, proxy server, or web proxy, is a server that sits in front of a group of client machines. When those computers make requests to sites and services on the Internet, the proxy server intercepts those requests and then communicates with web servers on behalf of those clients, like a middleman. An example is shown in the left figure. There are a few reasons one might want to use a forward proxy:

• To avoid state or institutional browsing restrictions
• To block access to certain content (like blocking ad.)
• To protect their identity online
• Some special reason for those in a mysterious Eastern coutry

A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to those web servers, ensuring that no client ever communicates directly with that origin server. An example is shown in the right figure. There are a few reasons one might want to use a reverse proxy:

• Load balancing
• Protection from attacks (like hiding port, in this case)
• Global server load balancing (GSLB)
• Caching
• SSL encryption

2.2 Config of nginx

Here is an example config file which works for me.

# /etc/nginx/conf.d/example.conf

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.com; # set to your domain name

    ssl_certificate /path/to/your/cert; # set to the path of ssl certificate
    ssl_certificate_key /path/to/your/key; # set to the path of ssl certificate key

    ssl_protocols TLSv1.2 TLSv1.3;
    
    # Important: Disable error and access log, so that no IPs get logged
    access_log off;
    error_log off;

    location / {
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_ssl_verify off;
        proxy_pass https://127.0.0.1:5212; # replace 5212 with the actual port of your service
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header cookie $http_cookie;
        proxy_set_header Proxy-Connection "";
	    client_max_body_size 100M; # default value is 1M
    }
}

Reference

1. https://github.com/fatedier/frp ↩︎
2. https://github.com/nginx/nginx ↩︎
3. https://www.cloudflare.com/learning/cdn/glossary/reverse-proxy ↩︎