antoncd
just joined
Topic Author
Posts: 17
Joined: Tue Jul 30, 2019 10:35 am

NAT redirection with domain name

Mon Jan 31, 2022 11:30 am

I have a network, a really basic setup:

The router connects to the ISP, and I have a NAT rule redirecting from a specific port —let's say 4321— to port 80 on an IP within my network. At this IP I have an Ubuntu server running a web app on Nginx on port 80. Everything works as expected: I can open the browser and give my domain with my port —example.com:4321—, and it will open my web app via HTTP.

Now, I want to set up SSL to connect via HTTPS on this web app. To do this I usually use Certbot; see an example with Nginx as well here: https://www.digitalocean.com/community/ ... untu-16-04.

The problem is that Certbot requires access to a domain name to set up SSL. But with my NAT rule I'm forwarding only the port, not the domain name, so when the server receives the request it only knows about port 80, and Certbot returns an error stating that it can't access the resource.

Is there any way to perform NAT redirections on RouterOS while maintaining the domain information of the request?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT redirection with domain name

Mon Jan 31, 2022 1:42 pm

LE requires a webserver on standard port 80 for HTTP validation, so you'd need to use that instead of your 4321. If that's not what you can or want to do, you can switch to DNS validation, to get a certificate without depending on the web server at all.
 
antoncd
just joined
Topic Author
Posts: 17
Joined: Tue Jul 30, 2019 10:35 am

Re: NAT redirection with domain name

Mon Jan 31, 2022 3:19 pm

Thanks for the reply.

I cannot use port 80, as I may want to have several web apps running on my Ubuntu server. To do this I need each web app running on a different port, and only one would be 80.

The idea of DNS validation sounds interesting. Do you have any resource about it that may be useful for redirections?
 
antoncd
just joined
Topic Author
Posts: 17
Joined: Tue Jul 30, 2019 10:35 am

Re: NAT redirection with domain name

Mon Jan 31, 2022 3:28 pm

Ah, DNS validation is a feature of Certbot, not MikroTik: https://www.digitalocean.com/community/ ... ntu-18-04
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT redirection with domain name

Mon Jan 31, 2022 8:09 pm

Yes. You need some API for your domain's DNS server, to be able to automate it. The other way is to keep HTTP validation and use port 80 for a reverse proxy, to provide access to challenges on other servers.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: NAT redirection with domain name

Mon Jan 31, 2022 8:41 pm

> Yes. You need some API for your domain's DNS server, to be able to automate it.
Actually, that is not completely true. I have my DNS hosted by an ISP that does not offer an acceptable API, but I have added an NS record for _acme-challenge in my domain that specifies my own host as the DNS server for that, and I run bind with only that zone, and the API for certbot.
In the firewall I have an accept rule for -p udp --dport 53 -m string --string '_acme-challenge' --to 256 --algo bm -j ACCEPT

This allows me to use DNS validation without having to run DNS for my entire domain.
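The difference between a byte-string match like the one in the rule quoted above and a check on the parsed query name, as an added example that is not part of the original post or of pe1chl's setup. It works on the UDP payload only (applying the 256-byte window to the payload is a simplification), the function names are hypothetical, and the queries are constructed samples.

```python
import struct

LABEL = b"_acme-challenge"

def build_query(name: str, qtype: int = 16) -> bytes:
    """Build a minimal DNS query payload (constructed sample input, TXT by default)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def qname_labels(payload: bytes) -> list:
    """Return the labels of the single question, or raise ValueError."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        if length == 0:
            return labels
        if length > 63:  # pointer or reserved label type: not expected in a query
            raise ValueError("unexpected label type")
        pos += 1
        if pos + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + length])
        pos += length

def string_match(payload: bytes, window: int = 256) -> bool:
    """Case-sensitive substring search over the first bytes of the payload."""
    return LABEL in payload[:window]

def label_match(payload: bytes) -> bool:
    """Accept only when the first QNAME label is _acme-challenge, in any case."""
    try:
        labels = qname_labels(payload)
    except ValueError:
        return False
    return bool(labels) and labels[0].lower() == LABEL
```

DNS names compare case-insensitively and some resolvers randomise the case of the query name, so a case-sensitive byte match can reject a legitimate validation query while still accepting packets that merely contain the string somewhere else.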
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: NAT redirection with domain name

Mon Jan 31, 2022 9:06 pm

OK, correction: API or some other kind of automated access to the server that serves LE challenges. I also use a similar thing.
