TerryE Posted December 29, 2017

This subject has many layers, like how can I use HTTPS inside my home network, but the one that I am facing at the moment is that I would like to open up some limited access to my home network:

- Public key, no password SSH to a non-standard port
- HTTPS to a small web hierarchy on one web-service provided by the same server.

The first part of this was easy for me. My ISP allows my home router to have a fixed IP and I have full control of my personal domain's DNS records, so I can (and have) set up one of my sub-domains to point to this IP. This gives me the SSH functionality and HTTP to a gateway server using my router's NAT configuration. Job done -- apart from the fact that I don't want to allow inbound HTTP, just HTTPS.

I also used certbot to validate a free Let's Encrypt certificate for this, so I thought that this would now just be connect the dots -- except that my test session barfed on Chrome and Firefox with a certification error (certificate is unsigned and not valid for the name ph.ellisons.org.uk). After lots of head scratching I also tried a wget and this was more specific: certificate common name 'ZyXELcert' doesn't match requested host name 'my.subdomain.org.uk'.

The ZyXELcert was the give-away as my ISP provided a ZyXEL VDSL router. My router is not just passing the HTTPS through; it is actually doing an inbound HTTPS proxy and substituting its own unsigned certificate. Uaaarrgg!! The certification check was throwing up a valid man-in-middle attack from my Chinese router!

Time for a new VDSL router, I think. Has anyone else had similar fun? Can anyone recommend a good specialist forum where I can research / bounce options? (My son-in-law says just to set up my own VPN service and have done with it.)
Jeremy Harris Posted December 29, 2017

What about an off-the-shelf solution, like setting up an Own Cloud server? https://owncloud.com/security/

Edited December 29, 2017 by JSHarris
TerryE (Author) Posted December 29, 2017

Well, I just realised the answer to my problem as I was posting this. My router can't be monitoring all ports for a putative HTTPS proxy. It must have been filtering the NAT tables for use of a 443 port on either side of the translation, so I've just switched to another port using the same non-standard port for inbound and outbound address translation: http://subdomain.ellisons.org.uk:4444/test.php. (This isn't a valid link BTW, as the port and subdomain name are changed to prevent a scraper finding a target). So all is working!!

9 minutes ago, JSHarris said:
> What about an off-the-shelf solution, like setting up an Own Cloud server?

Jeremy, the issue wasn't configuring a secure service on a webserver; it was stopping my bloody router snooping on the inbound HTTPS sessions.
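The wget message in the thread (a certificate common name that does not match the requested host) is exactly the symptom a device substituting its own certificate in the path produces. The script below is an added example, not code from either poster, for checking from outside the network what certificate a given port actually presents. `cert_matches_host` implements the usual name check (SAN dNSName entries first, subject CN only as a fallback, wildcard allowed only in the leftmost label) on `getpeercert()`-style dicts, and `probe` opens a normally verified TLS session and classifies the OpenSSL verify code when it fails, so a hostname mismatch such as the ZyXELcert case is distinguished from a self-signed or untrusted-issuer certificate. The host names and certificate dicts are constructed placeholders.

```python
"""Added example: check whether the certificate presented on host:port
belongs to that host, or to a device sitting in the path.

The hostname-matching rules follow the leftmost-label wildcard convention
of RFC 6125; the sample certificate dicts below are constructed to resemble
what ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl

# OpenSSL X509_V_ERR_* codes surfaced as ssl.SSLCertVerificationError.verify_code
HOSTNAME_MISMATCH = 62
DEPTH_ZERO_SELF_SIGNED = 18
SELF_SIGNED_IN_CHAIN = 19
NO_LOCAL_ISSUER = 20


def _label_matches(pattern, host):
    """Case-insensitive DNS name match; '*' may replace only the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Label counts must agree (no '*.example.org' for 'a.b.example.org'), and
    # the wildcard needs at least two fixed labels after it, so '*.uk' is rejected.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate is valid for: all dNSName SANs, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_matches_host(cert, host):
    """True if any name in the certificate matches the requested host."""
    return any(_label_matches(name, host) for name in cert_names(cert))


def probe(host, port, timeout=5.0):
    """Open a verified TLS session to host:port and report what the system
    trust store and the hostname check make of the certificate presented.
    Returns 'ok', 'hostname_mismatch', 'self_signed', 'untrusted_issuer'
    or 'verify_failed:<code>'."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # The context already checked the name; re-run our own check
                # on the parsed dict so the two code paths agree.
                return "ok" if cert_matches_host(tls.getpeercert(), host) else "hostname_mismatch"
    except ssl.SSLCertVerificationError as exc:
        code = getattr(exc, "verify_code", None)
        if code == HOSTNAME_MISMATCH:
            return "hostname_mismatch"
        if code in (DEPTH_ZERO_SELF_SIGNED, SELF_SIGNED_IN_CHAIN):
            return "self_signed"
        if code == NO_LOCAL_ISSUER:
            return "untrusted_issuer"
        return f"verify_failed:{code}"


# Constructed samples (placeholder domain): the router's substituted
# certificate versus the publicly trusted one expected for the subdomain.
ROUTER_CERT = {"subject": ((("commonName", "ZyXELcert"),),)}
EXPECTED_CERT = {
    "subject": ((("commonName", "home.example.org"),),),
    "subjectAltName": (("DNS", "home.example.org"),),
}

if __name__ == "__main__":
    import sys
    # usage: python probe_cert.py home.example.org 4444
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it from a machine outside the home network against each forwarded port: a result of `hostname_mismatch` on one port and `ok` on another, as in the thread, points at the device in the path rather than at the web server's own configuration.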