[HELP] Proxy Host not resolving without invalid cert warning via HTTPS despite valid SSL Cert
I'll start by saying I'm pretty new to networking/reverse proxies and the issue is most likely due to a gap in my understanding. Apologies in advance as this is most likely a general networking problem rather any specific to Zoraxy. I'm hoping that you might be able to point me in the right direction as I'm not sure what to look for next.
I've created a proxy rule to point to the proxy host (synology) and it cannot resolve via HTTPS despite valid SSL certificate and local DNS records.
I'm running Zoraxy in a docker container on a macvlan network. I have a pihole container on the same macvlan network. I have a "shim" macvlan network in bridge mode on the host with parent 'eth0' (promisc enabled) with an aux address reserved for communication between the macvlan docker network and the host. I've obtained a wildcard SSL cert for 'mydomain' from duckdns.
Zoraxy Build: v.3.1.6
Not using CloudFlare
docker-compose:
```yaml
services:
  zoraxy:
    image: zoraxydocker/zoraxy:latest
    container_name: zoraxy
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 8000:8000
    volumes:
      - ${DOCKERCONFDIR}/zoraxy:/config
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime
    environment:
      FASTGEOIP: "true"
    networks:
      macvlan:
        ipv4_address: 192.168.1.210
networks:
  macvlan:
    external: true
```
macvlan network:
```bash
docker network create -d macvlan \
  --subnet=192.168.1.0/24 --gateway=192.168.1.1 \
  --ip-range 192.168.1.192/27 \
  -o parent=eth0 \
  --aux-address="host=192.168.1.221" \
  macvlan
```
macvlan-shim network:
```bash
ip link add macvlan-shim link eth0 type macvlan mode bridge
ip addr add 192.168.1.221/27 dev macvlan-shim
ip link set macvlan-shim up
```
Proxy Rules:
- zoraxy.mydomain.duckdns.org -> 192.168.1.210:8000 ("proxy target requires TLS connection" not checked). This works.
- dsm.mydomain.duckdns.org -> 192.168.1.221:5001 (macvlan-shim ip/port of https on synology host, "proxy target requires TLS connection" is checked). This works but gives an invalid cert warning.

DNS Records:
- zoraxy.mydomain.duckdns.org -> 192.168.1.210
- dsm.mydomain.duckdns.org -> 192.168.1.221 (macvlan-shim ip)
Network is not exposed to the internet (yet)/no port forwarding on router. I wanted to ensure the reverse proxy is working locally first. This may be a possible issue given the network is behind a NAT router, but I thought that if DNS is resolved locally it didn't matter.

From the Zoraxy container I can successfully ping:
- pihole ip
- macvlan-shim auxiliary ip
- host @ dsm.mydomain.duckdns.org

From the host I can successfully ping:
- zoraxy container ip
- zoraxy container @ zoraxy.mydomain.duckdns.org
I can access the Synology DSM web interface on 192.168.1.221:5001, though I get an invalid cert warning (which is expected).
When I try to access the Synology DSM web interface on https://dsm.mydomain.duckdns.org, I still get an invalid cert warning and the browser adds the port (5001) to the address but can access the web interface.
Any idea what might be causing this?
> This works but gives an invalid cert warning
What do you mean by invalid cert warning? There are three possible invalid cert warnings:
1. You are served with the Zoraxy self-signed certificate, meaning the SNI cannot locate a certificate matching your requested hostname.
2. Your upstream (dsm) is serving an invalid certificate that the Zoraxy dpcore TLS roundtripper cannot resolve.
3. Your wildcard certificate is an intermediate certificate (or something more complex than the basic public / private key setup) that requires a manual conversion.

For 1, check if your certificate has the correct Common Name field in it.
For 2, try enabling the ignore TLS verification error option and see if it works.
For 3, try switching to another domain that you have full control of (like yourdomain.com instead of free domains like duckdns.org), or manually combine some of the public keys into one .key file before uploading to Zoraxy.
> When I try to access the Synology DSM web interface on https://dsm.mydomain.duckdns.org/, I still get an invalid cert warning and the browser adds the port (5001) to the address but can access the web interface.
This sounds like a Synology DSM issue to me. Zoraxy will not redirect you to another port unless you have specified it in the redirection rule. Consider consulting with Synology customer services for more information.
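A way to tell the three warning cases apart without guessing, for both the "invalid cert warning" reported on dsm.mydomain.duckdns.org in the question and the three possibilities listed in the reply. This is an added diagnostic, not Zoraxy code and not code from either poster. It assumes only Python's standard library; the hostnames, ports, script name and the two sample certificate dicts are constructed placeholders, and the case labels in the comments refer to the numbered list in the reply.

```python
"""Report which certificate a TLS endpoint presents for a given SNI name.

Added example for this thread (not Zoraxy code). Hostnames, ports and the
sample certificate dicts below are constructed placeholders.
"""
import socket
import ssl
import sys
import time


def hostname_matches(names, hostname):
    """RFC 6125-style DNS-ID match: exact match, or a wildcard covering only the
    left-most label. ``*.mydomain.duckdns.org`` covers ``dsm.mydomain.duckdns.org``
    but neither ``a.b.mydomain.duckdns.org`` nor the bare ``mydomain.duckdns.org``."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                                   # ".mydomain.duckdns.org"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


def classify(cert, hostname, now=None):
    """Map a ``ssl.SSLSocket.getpeercert()``-shaped dict to the cases in the reply.

    Returns a list of (tag, detail) pairs; an empty list means the certificate
    is acceptable for ``hostname``."""
    now = time.time() if now is None else now
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans or ([subject["commonName"]] if "commonName" in subject else [])
    findings = []
    if subject == issuer:
        # Both the proxy's fallback cert (case 1) and a NAS default cert (case 2) look like this.
        findings.append(("self-signed", "subject equals issuer"))
    if not hostname_matches(names, hostname):
        # Case 1: the SNI name is not covered, so the proxy could not select the wildcard cert.
        findings.append(("name-mismatch", f"{hostname} not covered by {names}"))
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append(("expired", cert["notAfter"]))
    return findings


def probe(host, port, sni=None, timeout=5.0):
    """Handshake against host:port presenting ``sni`` and report what came back.

    Chain verification uses the system trust store; the hostname check is left to
    ``classify`` so a mismatch is reported instead of aborting the handshake."""
    sni = sni or host
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                                  # done in classify() instead
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return classify(tls.getpeercert(), sni)
    except ssl.SSLCertVerificationError as exc:
        msg = (exc.verify_message or str(exc)).lower()
        if "self" in msg and "signed" in msg:
            return [("self-signed", exc.verify_message)]        # case 1 or case 2
        if "issuer" in msg:
            return [("chain-incomplete", exc.verify_message)]   # case 3: missing intermediate
        return [("verify-failed", exc.verify_message)]


# Constructed samples in getpeercert() shape, used for the offline checks.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "synology"),),),
    "issuer": ((("commonName", "synology"),),),
    "subjectAltName": (("DNS", "synology"),),
    "notAfter": "Dec 31 23:59:59 2098 GMT",
}
SAMPLE_WILDCARD = {
    "subject": ((("commonName", "*.mydomain.duckdns.org"),),),
    "issuer": ((("commonName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "*.mydomain.duckdns.org"), ("DNS", "mydomain.duckdns.org")),
    "notAfter": "Dec 31 23:59:59 2098 GMT",
}


if __name__ == "__main__":
    # python tlsprobe.py dsm.mydomain.duckdns.org 443            (what the browser sees)
    # python tlsprobe.py 192.168.1.221 5001 dsm.mydomain.duckdns.org  (what the proxy sees upstream)
    host, port = sys.argv[1], int(sys.argv[2])
    sni = sys.argv[3] if len(sys.argv) > 3 else host
    for tag, detail in probe(host, port, sni) or [("ok", f"certificate covers {sni}")]:
        print(f"{tag}: {detail}")
```

Running it against the proxy on 443 with the public hostname shows whether the browser is receiving the wildcard certificate or the proxy's fallback (case 1, reported as `self-signed` plus `name-mismatch`) or an incomplete chain (case 3, `chain-incomplete`); running it against the NAS on 5001 with the same SNI shows what the proxy's upstream roundtripper sees (case 2), which is what the "ignore TLS verification error" option would be skipping.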