[ale] [OT] Inbound web access using pfSense

James Taylor James.Taylor at eastcobbgroup.com
Sun Jun 28 21:33:47 EDT 2020


I tend to recommend putting certs on nginx and tomcat and go straight
:443, then let nginx redirect to 8443 on tomcat.
Is there a technical reason for not doing that?
-jt
 
 

James Taylor
678-697-9420
james.taylor at eastcobbgroup.com



>>> Jeff Hubbs via Ale <ale at ale.org> 6/28/2020 3:12 PM >>> 
I already have nginx performing a redirect to the same machine's
Guacamole front end, which as you know is a Tomcat app. So the way I
have nginx configured now, when it is hit with
https://<nginx-guac_machine_ip_address>:80/wxyz nginx is converting
that to http://127.0.0.1:8080/guacamole-1.1.0. So I've got two
mechanisms in series here, in order pfSense and nginx, that do mangling
even without making use of internet DNS and I'm trying to get the
pfSense-nginx transition sorted such that pfSense will make the
intermediate connection between itself and nginx and do so without
breaking the https escalation.

On 6/28/20 7:20 AM, Jim Kinney wrote:
> I don't think pfsense will handle the /xyz->/abc layer. That's just
> for the nginx proxy.
>
>
> On June 28, 2020 1:00:54 AM EDT, Jeff Hubbs via Ale <ale at ale.org> wrote:
>
>     Now that I've got a static IP (just one) I'm starting to work on
>     hosting my own web servers and the first thing I'm trying to do is
>     make an nginx and Apache Guacamole rig export Windows Server Remote
>     Desktop sessions via HTML5 (that's the Guacamole part) out to
>     people who come in with a URL I give them. I do not yet have
>     internet DNS involved so the URL I plan to give to one person I
>     want to demonstrate the capability to will have the form
>     https://<internet_ip_address>/abcd.
>
>     I have all this set up behind a pfSense machine. From behind the
>     pfSense machine, I can point a browser to a URL in the form of
>     http://<nginx-guac_machine_ip_address>/wxyz, log in to Guacamole,
>     and I get an RDP session on the adjacent Windows server painted in
>     the browser window. In fact, I've got nginx where if I start the
>     URL with http: it will "auto-escalate" to https: using a
>     self-signed certificate. What I'm unclear about is what needs to
>     happen in pfSense such that 1) someone over the internet can come
>     in at .../abcd as described above and pfSense will change that to
>     .../wxyz and 2) the https escalation still gets handled.
>
>     I expect that I will be using the nginx-Guacamole server for other
>     internet-reachable services so I won't want to do anything that
>     will pave over that flexibility.
>
>     - Jeff
>
>
> -- 
> "no government by experts in which the masses do not have the chance
> to inform the experts as to their needs can be anything but an
> oligarchy managed in the interests of the few." - John Dewey
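
An nginx configuration for the layout discussed in this thread: TLS terminated on nginx at :443, a public path mapped onto the Guacamole context, and the inner hop to Tomcat re-encrypted on :8443. It is an added example, not any poster's configuration. The certificate paths, the `/abcd/` public path and the certificate name `localhost` are assumptions; the `guacamole-1.1.0` context name comes from the thread.

```nginx
# Constructed example; values marked "assumed" are placeholders.

# Plain HTTP: only sends clients to HTTPS (the "auto-escalate" step).
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name _;

    ssl_certificate     /etc/nginx/tls/server.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Public path (assumed: /abcd/) mapped onto the Guacamole webapp context.
    location /abcd/ {
        proxy_pass https://127.0.0.1:8443/guacamole-1.1.0/;

        # nginx does not verify the upstream certificate unless told to.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/tomcat-ca.crt;  # assumed path
        proxy_ssl_name                localhost;  # assumed name in Tomcat's cert

        # Guacamole tunnels over WebSocket and long-lived HTTP requests.
        proxy_buffering    off;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection $http_connection;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

        # Cookies are issued for the Tomcat context path; rewrite them so
        # the browser returns them under the public path.
        proxy_cookie_path /guacamole-1.1.0/ /abcd/;
    }

    # Paths that are not explicitly published get no response.
    location / {
        return 444;
    }
}
```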




