Hi there, my application works and is accessible normally in the local network and the internet network. But when I put it behind nginx (reverse proxy), it is no longer accessible from the internet. I have a 404 error, object not found! Does anyone know why? I use CentOS and I have authorized ports 8081 and 443 (firewalld). My application runs on my local PC. As an attachment, my nginx configuration file.
I don't really know what you are trying to do. Your config looks strange:

Code:

    location ~/home/(.*)$ {
        resolver 4.4.4.4;
        include /opt/nginx/conf/naxsi.rules;
        proxy_pass https://inter.apopzs.org/$1;
    }

says that when someone is accessing https://my.spacze.org/~/home/ on port 443 he will get the contents of https://inter.apopzs.org/. If someone is connecting via http on port 8081 he gets nothing.

Have a look at the documentation on how to make a proper nginx config.
https://docs.nginx.com/nginx/admin-guide/web-server/web-server/
https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/

Have a look at the examples (the part with "simple reverse-proxy"):
https://www.nginx.com/resources/wiki/start/topics/examples/full/
Hi, thank you for your interest in my concern. Without the nginx firewall, the application works correctly in the local network and from the internet. What I want to do is put the app behind the nginx firewall and be able to access it from the internet too. Except that it doesn't work:
- I first had a 502 bad gateway error that I resolved in the local network with the resolver command (I use the internet with the proxy); but from the internet still nothing;
- my config works well in the local network and if I change anything (by deleting the ~ for example) then it no longer works in the local network and elsewhere;
- normally when someone is accessing https://my.spacze.org/home/ on port 443 he will get the contents of https://inter.apopzs.org/.
My problem remains the same and I am stuck.
Code:

ssl_certificate_key /etc/private/keyy.key;
--------------------------------------------^

Is that a typo?
The certificate is OK, no problem with the certificate. I also consulted my error file (error.log); at first sight nothing special; the errors generated are in fact the failed intrusion attempts by my vulnerability scanner. Even in my network architecture, doing port forwarding, it doesn't work... I always have the error ((((Object not found! The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again. Error 404)))) I don't know if it's my network architecture that poses the problem; I am confused and stuck.
nginx is not a firewall. Are you sure you want a reverse proxy and not a simple port forwarding? I still do not understand your network topology, where which service runs and from where you want to access what ...
My network topology is as follows:
- the local network applications run on different servers and some are accessible from the internet;
- an nginx/naxsi server is in place to protect these applications. This nginx/naxsi server must be accessible from the internet.
A reverse proxy was set up by also protecting my applications behind the naxsi firewall. What remains for me to do is make this nginx/naxsi server accessible from the internet; I would like my protected applications behind naxsi to be accessible from the internet.
So, you have, let's say, 2 servers in your local network:
1) nginx/naxsi, accessible from the internet via https://my.spacze.org/ on port 443 (can you ping it from the internet?)
2) Web application that is accessible only in the LAN via inter.apopzs.org on port 443

So you have a local DNS that resolves inter.apopzs.org in your network (reverse proxy would be easier with IP addresses than domain names). But why are you using the external DNS via resolve command?
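The layout described in the post above (proxy on my.spacze.org, application reached by IP address rather than by name), as an added example that is not part of the original thread. The backend address 192.0.2.10 and the certificate path are placeholders; the other paths and host names are the ones quoted in the thread.

```nginx
# Added example, not a config posted in this thread.
# Placeholders: 192.0.2.10 (internal address of the application server)
# and the ssl_certificate path.
server {
    listen 443 ssl;
    server_name my.spacze.org;

    ssl_certificate     /etc/ssl/certs/my.spacze.org.crt;  # placeholder path
    ssl_certificate_key /etc/private/keyy.key;             # path quoted in the thread

    # Prefix location: a request for /home/foo is proxied as /foo,
    # because proxy_pass below ends with a URI ("/").
    location /home/ {
        include /opt/nginx/conf/naxsi.rules;

        # Literal address and no variables in proxy_pass:
        # no "resolver" directive is needed.
        proxy_pass https://192.0.2.10/;

        # Send the host name the application expects, both as the
        # HTTP Host header and as the TLS SNI name.
        proxy_set_header Host inter.apopzs.org;
        proxy_ssl_server_name on;
        proxy_ssl_name inter.apopzs.org;

        # Pass the original client details on to the application.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

When `proxy_pass` contains a variable such as `$1`, nginx looks the backend name up at request time through the `resolver` directive, which is why the config quoted earlier failed with 502 until a resolver was added. Check any change with `nginx -t` before reloading.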
1. From the internet, using ping.eu tools, I cannot ping https://my.spacze.org/. But I still access the inter.apopzs.org application (the application interface is displayed internally and externally);
2. The site must be accessible from the outside. I added the resolver command to resolve the 502 bad gateway error; otherwise nginx could not resolve the domain name. It is an internal DNS.
Do you think it's useful to be able to ping https://my.spacze.org/ from the internet and deactivate the resolver command? Use IP addresses instead of domain names?
1. From the internet, using ping.eu tools, I cannot ping https://my.spacze.org/. But I still access the inter.apopzs.org application (the application interface is displayed internally and externally); I realize that my.spacze.org and inter.apopzs.org have the same IP address (results of the ping.eu tool);
2. The site must be accessible from the outside. I added the resolver command to resolve the 502 bad gateway error; otherwise nginx could not resolve the domain name. It is an internal DNS.
Do you think it's useful to be able to ping https://my.spacze.org/ from the internet and deactivate the resolver command? Use IP addresses instead of domains? I realize that my.spacze.org and inter.apopzs.org have the same IP address (results of the ping.eu tool); is this a problem?
If nginx runs under https://my.spacze.org/ and this does not resolve from the internet, then you can't reach it?? Your reverse proxy should take care of that. If the site is directly accessible from the internet, why should you use the proxy? I still don't get it. For me it looks like you have no clue what you are doing and you do not even know what you want (and why). I have no idea how I could help you here...
Thanks for following along. Yes, without the proxy the application is accessible from the internet, but in its operation there is no real protection. This is why we have considered setting up an application firewall on another server, which should in principle also be accessible from the internet. Taking into account your explanations, I see that it is better to install the application firewall on the application server to avoid any IP address conflict. Once again, thank you for your follow-up.