hm hm hm i have a networking problem
Mar. 30th, 2023 05:02 pm
I have a Problem
This may be very easy but I don’t know how it works and it’s the opposite of what you generally want to do, but:
I have a tiny webserver that I want to have living in a fixed location in our DHCP address space on the LAN side of our DHCP-serving router/LAN gateway. I want our primary webserver to be able to get to it.
Gateway has one real internet fixed IP, web server has another. Gateway does not run a web server and won’t be.
I mean, there are other options, I could hang the tiny webserver on an even tinier private LAN on the far side of the webserver, have it talk to the one (1) IP that would hang off of it. That would be a… decision… but it’d have to be a completely separate wifi network for that to work and we do not need that additional RF noise.
hm
it is a conundrum
possibly an easy one but not to meeeeeee
dammit
Posted via Solarbird{y|z|yz}, Collected.
no subject
Date: 2023-03-31 03:53 pm (UTC)
Sounds like a case for either SSH tunneling or port forwarding.
no subject
Date: 2023-03-31 10:35 pm (UTC)
I mean... okay. So if I set it to relay hits to port 80 to this thing, I guess that would work. I really, really don't want general hits to port 80 on door to go to this thing though. I guess also it should be able to filter it to just port hits from lodestone maybe?
I haven't done this so I'm like "... I guess so lol?" xD
no subject
Date: 2023-04-01 02:37 am (UTC)
I'm pretty sure you can set up firewall rules to do that. I think it's also possible with TLS (https) using a client cert.
no subject
Date: 2023-04-01 08:42 am (UTC)
Generate a passphrase-less SSH key on the "tiny webserver", then configure a relatively low-privileged account (ideally a "shell that cannot do anything" as a login shell) on the external web server that has that as an authorized key.
Then, on the "tiny webserver", have something that basically runs ssh -R 8080:127.0.0.1:80 in a loop (which is why I don't think the classic "nologin" shell is useful here).
This should not require any changes in the firewall, and not allow anything from the outside through the firewall, unless it manages to actually get a foothold on the external web server.
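The reverse-tunnel setup from the comment above, as an added example that is not part of the thread: a reconnect loop for the tiny webserver plus the restricted authorized_keys entry for the tunnel account on the external web server. The account name, host name and key path are hypothetical, and the `restrict` and `permitlisten` key options assume a reasonably recent OpenSSH on the external web server.

```shell
#!/bin/sh
# Added example, run on the tiny webserver. Hypothetical names: the account
# "relaytunnel", the host "webserver.example.net" and the key path.
REMOTE="${REMOTE:-relaytunnel@webserver.example.net}"
KEY="${KEY:-$HOME/.ssh/relay_ed25519}"
SSH_BIN="${SSH_BIN:-ssh}"
MAX_TRIES="${MAX_TRIES:-0}"   # 0 = retry forever
MAX_DELAY="${MAX_DELAY:-60}"  # cap on the reconnect delay, in seconds

# Print the authorized_keys entry to install for the tunnel account on the
# external web server. "restrict" disables pty, agent/X11 and all forwarding;
# "port-forwarding" re-enables forwarding and "permitlisten" confines -R to
# one listener. The -R bind address below is written out to match it.
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:8080" %s\n' "$1"
}

# One tunnel session. -N runs no remote command, so the account needs no
# usable shell. ExitOnForwardFailure makes ssh exit when port 8080 cannot be
# bound; the ServerAlive options make it exit when the link silently dies.
run_tunnel() {
    "$SSH_BIN" -N -T -i "$KEY" \
        -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R 127.0.0.1:8080:127.0.0.1:80 "$REMOTE"
}

# Double the retry delay, capped at MAX_DELAY.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt "$MAX_DELAY" ]; then d="$MAX_DELAY"; fi
    echo "$d"
}

# Keep the tunnel up: whenever ssh exits, wait and reconnect.
tunnel_loop() {
    delay=1; tries=0
    while :; do
        run_tunnel || echo "tunnel exited, reconnecting in ${delay}s" >&2
        tries=$(( tries + 1 ))
        if [ "$MAX_TRIES" -gt 0 ] && [ "$tries" -ge "$MAX_TRIES" ]; then return 0; fi
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

if [ "${1:-}" = "run" ]; then tunnel_loop; fi
```

Start it with the argument `run`. The primary webserver then reaches the tiny webserver at 127.0.0.1:8080, and nothing is opened on the gateway.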
no subject
Date: 2023-04-01 09:58 am (UTC)
All the tiny webserver does is listen for commands coming in as POSTs and GETs and toggle relays or report their status. It's barely even a computer xD
no subject
Date: 2023-04-01 11:09 am (UTC)