Reverse Proxy
Hey there, opening another issue, this one for a feature request / maybe bug!
Right now I am attempting to use localproxy to forward a Bitwarden instance publicly. My current setup is as follows:
- Bitwarden (Docker) -> Reverse proxied w/ ssl (Nginx) -> password.x.tld (clearnet -> also has internal ip address 192.168.1.100:XXX)
- Bitwarden (Docker) -> Onionpipe (Docker - single hop non anonymous mode) -> XXXXXXX.onion:80 (tor)
- Android Phone (GrapheneOS) -> localrelay (see config below) -> InviziblePro (proxy mode, local tor proxy) -> Access 127.0.0.1:XXXXX
My localrelay generation command is as follows:
./localrelay new port -host 127.0.0.1:XXXXX -destination 192.168.1.100:XXXXX,XXXXXXX3wid.onion:80 -failover -ignore_proxy=0 -proxy socks5://127.0.0.1:9050
Just for simplicity's sake, I would love to be able to set my localrelay config to accept my password.x.tld domain. When I currently try, it errors out due to missing a port. If I add the following ports (Docker Container HostPort, 443, 80), here are the errors I get:
password.x.tld:DockerHostPort - [ERROR] [password] 01:31:58.888322 relayfailovertcp.go:125: DIAL FORWARD ADDR: dial tcp: lookup password.x.tld on [::1]:53: read udp [::1]:59397->[::1]:53: read:
Cheers!
Thank you for your contribution!
You should be able to use the domain, as this is exactly what I do on my phone using Termux and on my Windows and Linux machines. With Docker, NGINX, an onion, and a failover relay too, just like your setup, but with a domain name pointing to 127.0.0.1.
Looking at the error message below, your DNS server is inaccessible on localhost:53. Localrelay uses your system DNS resolver, but for some reason it thinks that it is localhost.
I have seen another Go project, Lego (for ACME Let's Encrypt), use the wrong resolver, and the way I got around that bug was forking it and specifying the resolver myself. I'm not sure if this is also what is happening here, but if so I will add a DNS server option.
Just to confirm, you are setting the domain as the remote destination, not the listen address?
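The resolver failure discussed above, worked through in an added Python example (not localrelay's code): read which server the Go-style error says was queried, flag it when it is a loopback address that nothing answers on, and resolve the name against an explicit DNS server, which is the workaround the maintainer describes. The error text is copied from the issue; the DNS response bytes and the resolver address are constructed.

```python
"""Diagnose 'lookup <name> on [::1]:53' and resolve via an explicit server.

Added example, not localrelay code. The A query/response handling is plain
RFC 1035 wire format; resolve_with() is the only function that touches the
network and it is not needed to run the offline checks.
"""
import ipaddress
import re
import socket
import struct

# Go's net package names the resolver it used: "lookup <name> on <server>:".
_LOOKUP_RE = re.compile(
    r"lookup (?P<name>\S+) on (?P<server>\[[^\]]+\]:\d+|[^:\s]+:\d+)")

# Copied from the issue's error line (constructed sample input for the parser).
SAMPLE_ERROR = ("dial tcp: lookup password.x.tld on [::1]:53: "
                "read udp [::1]:59397->[::1]:53: read:")


def resolver_from_error(msg):
    """Return (queried name, resolver host, resolver port) or None."""
    m = _LOOKUP_RE.search(msg)
    if not m:
        return None
    host, _, port = m.group("server").rpartition(":")
    return m.group("name"), host.strip("[]"), int(port)


def is_loopback_resolver(host):
    """True when the resolver is localhost: that only works if a local stub
    (systemd-resolved, dnsmasq, a Tor DNSPort, ...) is actually listening."""
    return ipaddress.ip_address(host).is_loopback


def build_query(name, txid=0x1234):
    """Minimal recursive A query: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, offset):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data, txid=0x1234):
    """Return the IPv4 answers; raise on a wrong transaction id or an RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs


def resolve_with(server, name, port=53, timeout=3.0):
    """Ask an explicit IPv4 DNS server instead of the system resolver (the
    workaround from the thread). Network call; not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        data, _ = s.recvfrom(512)
    return parse_a_records(data)


# Constructed reply: password.x.tld A 127.0.0.1 (the "domain points to
# localhost" record the maintainer recommends), answer name as a pointer to
# offset 12. Flags 0x8180 = response, RD, RA, RCODE 0.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x08password\x01x\x03tld\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([127, 0, 0, 1])
)
```

Running `resolver_from_error(SAMPLE_ERROR)` gives `("password.x.tld", "::1", 53)` and `is_loopback_resolver("::1")` is true, which is the situation in the issue: the lookup was sent to a resolver on localhost that is not running. `resolve_with("192.168.1.1", "password.x.tld")` would query a router or Pi-hole directly (the address is an assumption) and bypass whatever the system resolver file points at.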
Thanks for the response!
For clarification, I am hoping to be able to use the domain in both the listen and remote addresses.
I would love to have password.x.tld just be what I use in order to access my service locally or externally.
Right now, my command for local relay is as follows:
./localrelay new password -host 127.0.0.1:9335 -destination password.x.tld:443,XXXXX.onion:57 -failover -proxy_ignore=0 -proxy socks5://127.0.0.1:9050
To clarify what you are doing -
- You are setting up your localrelay instance to set the host of your password manager at 127.0.0.1:XX port (let's say 8525) with a failover at XXX.Onion
- You set up NGINX proxy manager with a redirect of password.x.tld -> 127.0.0.1:8525
- When you browse to password.x.tld it goes:
password.x.tld -> DNS Service -> Nginx -> Localrelay -> Service
The question that I have is how do you get password.x.tld to redirect to the onion address when outside of your network? Since DNS would typically have it point to your NGINX instance, unless you were running on your phone, it wouldn't proxy correctly?
I am assuming it's something similar to this (this is modified slightly as it is my proposed setup).
The question then would be as follows:
- Do you set a dns record for each subdomain you forward using localproxy?
- If not, and are using NGINX, where do you insert it into the flow? From my understanding, if I have the DNS service return the nginx proxy IP address, offsite browsing would not function properly.
Thanks again! Apologies for all the questions.
Thanks for the diagram, it really helps me understand the specifics of what you're asking. Yes, that is exactly how you would do it.
The only thing I would add is, the DNS can be written locally via the host file if you only want to use localrelay on one device.
Q1, You can, but I would recommend setting a wildcard, *.password.x.tld, if you have many services you want to host behind localrelay.
Q2, The domain you request should match the vhost inside your NGINX config, e.g. vault.password.x.tld being what you type into bitwarden or your browser, and is what is set in your nginx config.
No worries, I'm happy to answer them!
I am really not understanding this lol
Would you be able to make a diagram of how you have it set up? Because mine are just not working at all
OK I AM SUPER CLOSE! Here is where I am at for accessing my password manager from my phone
*.x.tld points to 127.0.0.1 via porkbun DNS
I have a localrelay config on my phone as follows:
./localrelay new pass -host 127.0.0.1:8356 -destination password.x.tld,x.onion -proxy_ignore=0 -proxy socks5://127.0.0.1:9050
*.x.tld on my local network has an override to send it directly to NGINX Proxy Manager, which then forwards password.x.tld to the service 192.168.1.100:987
When connected to my local network - password.x.tld correctly forwards to my domain with https due to the DNS override on the network
When connected to my mobile network, 127.0.0.1:8356 correctly forwards me to the TOR server BUT password.x.tld is not correctly forwarding me to 127.0.0.1:8356. It is instead giving me an unable to connect error.
This is where I am stuck, if this final portion is resolved, then I can just use my regular domains anywhere fine :3
As your domain A record changes based on your network, this may get cached by the system and cause issues, so I'd recommend setting this to only point to localrelay (localhost) to avoid that problem.
When on cellular, passwords.x.tld may still be cached as your internal server IP instead of localhost, resulting in a connection error.
So the only thing you should have to change is removing the local network DNS override and updating your relay to point to your 192.168.1.100 IP instead of a domain within the destination declaration, as your domain will point to localhost.
Hope that helps!
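The failover behaviour the maintainer relies on (LAN address dialled directly, the onion reached through the Tor SOCKS proxy when the LAN is unreachable) as an added Python example, not localrelay's own code. It assumes the destination semantics described in the thread (destinations tried in order, first one that accepts wins) and a SOCKS5 proxy such as Tor on 127.0.0.1:9050 for .onion names; every endpoint `demo()` uses is a local test double and the onion name is a constructed placeholder.

```python
"""Failover relay dial: LAN address first, then the onion service via SOCKS5.

Added example, not localrelay's code. Assumes destinations are tried in
order and that .onion names always go through the SOCKS5 proxy.
"""
import socket
import struct
import threading

SOCKS5_PROXY = ("127.0.0.1", 9050)  # Tor's default SocksPort (assumption)
DIAL_TIMEOUT = 3.0


def _recv_exact(s, n):
    """Read exactly n bytes or raise; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise OSError("peer closed connection")
        buf += chunk
    return buf


def socks5_connect(proxy, host, port, timeout=DIAL_TIMEOUT):
    """Connect to host:port through a SOCKS5 proxy (RFC 1928). The hostname is
    sent as ATYP=3 so the proxy resolves it: a .onion name never reaches the
    local DNS resolver."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(b"\x05\x01\x00")                     # version 5, one method: no auth
    if _recv_exact(s, 2) != b"\x05\x00":
        s.close()
        raise OSError("proxy refused the no-auth method")
    name = host.encode("idna")
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port))
    ver, rep, _, atyp = _recv_exact(s, 4)
    if ver != 5 or rep != 0:
        s.close()
        raise OSError("SOCKS5 CONNECT failed, REP=%d" % rep)
    if atyp == 1:                                  # drain BND.ADDR + BND.PORT
        _recv_exact(s, 4 + 2)
    elif atyp == 3:
        _recv_exact(s, _recv_exact(s, 1)[0] + 2)
    else:
        _recv_exact(s, 16 + 2)
    return s


def dial_with_failover(destinations, proxy=SOCKS5_PROXY):
    """Return (socket, destination) for the first "host:port" that accepts."""
    failures = []
    for dest in destinations:
        host, _, port = dest.rpartition(":")
        try:
            if host.endswith(".onion"):
                return socks5_connect(proxy, host, int(port)), dest
            return socket.create_connection((host, int(port)), timeout=DIAL_TIMEOUT), dest
        except OSError as exc:
            failures.append((dest, exc))
    raise OSError("all destinations failed: %r" % failures)


def _pump(src, dst):
    """Copy bytes src -> dst until EOF; one direction of the splice."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def serve(listen_addr, destinations, proxy=SOCKS5_PROXY):
    """Accept on listen_addr and splice each client to the first live destination.
    Bytes pass through unchanged, so TLS runs end to end from browser to nginx."""
    lst = socket.create_server(listen_addr)
    while True:
        client, _ = lst.accept()
        upstream, _ = dial_with_failover(destinations, proxy)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def fake_socks5_echo_server():
    """Test double for Tor: accepts one SOCKS5 CONNECT to a domain name,
    records it, then echoes whatever arrives. Returns (port, seen)."""
    seen = []
    lst = socket.create_server(("127.0.0.1", 0))

    def run():
        with lst, lst.accept()[0] as c:
            _recv_exact(c, 3)                      # greeting
            c.sendall(b"\x05\x00")
            _, _, _, atyp = _recv_exact(c, 4)      # CONNECT header
            assert atyp == 3, "expected a domain-name address"
            name = _recv_exact(c, _recv_exact(c, 1)[0]).decode("idna")
            seen.append((name, struct.unpack("!H", _recv_exact(c, 2))[0]))
            c.sendall(b"\x05\x00\x00\x01\x7f\x00\x00\x01\x00\x00")  # REP=0
            while chunk := c.recv(4096):
                c.sendall(chunk)

    threading.Thread(target=run, daemon=True).start()
    return lst.getsockname()[1], seen


def _refused_port():
    """Bind and release an ephemeral port so connecting is refused: stands in
    for the LAN address being unreachable from a cellular network."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """LAN destination refused, so the dial fails over to the onion through the
    fake proxy. Returns (chosen destination, names the proxy saw, echoed bytes)."""
    proxy_port, seen = fake_socks5_echo_server()
    onion = "xxxxxxxxxxxxxxxx.onion"              # constructed placeholder name
    dests = ["127.0.0.1:%d" % _refused_port(), onion + ":80"]
    sock, chosen = dial_with_failover(dests, proxy=("127.0.0.1", proxy_port))
    with sock:
        sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
        reply = _recv_exact(sock, 18)
    return chosen, seen, reply
```

Two points this makes concrete. The onion name is handed to the proxy inside the SOCKS5 CONNECT rather than resolved locally, which is why the .onion destination works even when the system resolver is broken, while the LAN destination is given as an IP so no DNS is needed for it either, as recommended above. And because the relay only splices bytes, the TLS handshake, including the SNI, is whatever the browser sends for the hostname typed in, so that hostname has to match the nginx vhost and certificate on the other end.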
Been banging my head against this all day - I will likely have to abandon this, as it's not suiting my needs unfortunately.
Here's where I've ended, unfortunately, I cannot get this working
I just simply want to type in https://test.x.tld and have it connect to either my local instance when connected to local network, or my tor instance when connected to a public network.
My setup is as follows:
Porkbun pointing test.x.tld -> 127.0.0.1
Porkbun pointing *.x.tld at 192.168.1.100 (necessary for nginx on docker)
Localrelay running the following command:
./localrelay new pass -host 127.0.0.1:8356 -destination 192.168.1.100:987,X.onion:57 -failover -proxy_ignore=0 -proxy socks5://127.0.0.1:9050
Nginx has an ssl cert for password.x.tld pointing to 192.168.1.100:987
If I connect to:
127.0.0.1:8356 -> I get a bitwarden instance I can log into when on mobile network
127.0.0.1:8356 -> I get a bitwarden instance I can log into when on home network
https://test.x.tld:8356 -> I get to my bitwarden instance but cannot login on home network due to no https
https://test.x.tld:8356 -> I get to my bitwarden instance but cannot login on mobile network due to no https
http://test.x.tld:8356 -> I get to my bitwarden instance but cannot login on home network due to no https
http://test.x.tld:8356 -> I get to my bitwarden instance but cannot login on mobile network due to no https
https://test.x.tld -> cannot connect on my home or mobile network
My two issues now are:
- I cannot get a domain to work with this. Everything is pointed properly, but nada
- Even if I could, it seems I still would have to attach a port to the end of the domain (e.g. test.x.tld:8356) as a plain domain on its own won't proxy correctly
I am sorry for the screambox here - but it's just been non-usable at this point
Looking at your breakdown of what works and what doesn't, visiting 127.0.0.1:8356 shouldn't work as the vhost in nginx should be the domain name, resulting in a 404 if navigating directly to the IP. Even if nginx routed you to it by default you'd have a certificate warning due to a host mismatch.
You're right in that you have to use the port number on the end, unless you want to listen on port 443, but doing this on android may require root.
Do you mind sending me your nginx config and localrelay config file and I'll see what the problem is, as I just think there is a slight mismatch in the configuration for you?
Your setup is practically identical to mine. A domain name + TLS, failover with Tor, on Android (as well as Windows and Linux [on these machines I listen to port 443]), nginx, docker, and bitwarden. So I know that this setup is 100% doable.