Change the listening port of an app

Ns8
I wanted to know if it is possible to change the HTTP or HTTPS listening port of an app, e.g. Roundcube, WordPress (https://mywebserver.domain:4443), etc.

Thank you

Hum, short answer: no. But why do you want it?

Hi @stephdl, I have to do some tests with haproxy and pfsense. However, if it can’t be done … nothing …

Generally speaking, we want to do it to mask the service, but in the case of roundcubemail it could be protected by crowdsec, so there is no need to mask it.

Ok, but what I want to do is not security tests, just connection tests. Anyway, thank you as always.

And the long answer?

Hi Martin, what do you mean?

If I recall correctly, the port of Apache was static on NS7, but we could change it as we wanted in the virtualhost. In that case we run a container that probably uses TCP port 80 internally, and for sure we cannot open it like this without a conflict.

So if a developer wants to use TCP port 4434, for example, we need to:

  - Open port 4434 in the firewall
  - In the podman command, publish it with -p 4434:80 (not a good practice to open the container widely)
  - Handle the certificate ourselves; Traefik probably could not handle it
  - Watch whether any other container uses port 4434

Well, so roundcubemail has not been designed to do it.

Another way could be to create, in the set-route of Traefik, a custom port to listen for HTTPS requests, like 4434. It is quite simple and more integrated, but it requires patching Traefik.

I would not recommend it and I never tried, but you can manually open the application backend port to the public. This actually bypasses NS8 Traefik edge proxy.

  1. Look at Settings > HTTP routes page. Each HTTP application has one or more routes defined. The allocated TCP port number is reported in the route details, under the URL field (see screenshot).

  2. Refer to Firewall — NS8 documentation to open the port. If the application listens only on 127.0.0.1, opening the port is not enough. You can configure a port-forward, too. Relevant commands are described here: NS8 Change node SSH port 22 permanently - #15 by davidep. Refer to firewall-cmd documentation for more information.
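The two checks mentioned in this thread (whether anything else already uses a port such as 4434, and whether a backend listens only on 127.0.0.1) can be read from the socket table. This is an added example, not code from any poster or from NS8; the helper name `port_state`, the backend ports 20001 and 20002, and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NS8 code). port_state is a hypothetical helper name.
# Reads `ss -H -ltn` output on stdin and classifies one TCP port:
#   free     - nothing listens on it
#   loopback - bound to 127.0.0.0/8 or ::1 only; a firewall rule alone
#              will not expose it, a port-forward is needed as well
#   public   - bound to a non-loopback address; reachable as soon as
#              the firewall allows it, and a conflict for a new publish
port_state() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")      # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") {
                if (state == "") state = "loopback"
            } else {
                state = "public"           # any non-loopback listener wins
            }
        }
        END { print (state == "" ? "free" : state) }
    '
}

# Constructed sample of `ss -H -ltn` output (not captured from a real node).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:20001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 4096 [::1]:20002 [::]:*'

# Classify the custom port from the thread and two sample ports.
for p in 4434 20001 443; do
    printf '%s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_SS" | port_state "$p")"
done

# On a live node, feed the real socket table instead:
#   ss -H -ltn | port_state 4434
```

Running the same check from a second host after any firewall change confirms that only the intended port became reachable.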

Thanks Davide, but I solved it differently, that is, with pfsense and HAPROXY. I couldn’t do anything else as with HAPROXY I can manage NS8 certificates in a variety of ways. That is:

Every app needs a virtualhost, which can clearly handle LE, but with the variant that in my configuration (1 dynamic WAN IP with DMZ from the router to pfsense) I would be obliged to open several ports for each virtual host, and this is not possible in my reality. With haproxy being more flexible (my personal opinion), I create and manage the LE certificates and I can sort them automatically, in addition to many options to request LE also from different DNS providers (I am using duckdns). Of course it is more of a home flexibility … but it has its functionality. Sorry if I went beyond the discussion topic, but also proposing an improvement on NS8 for LE and certificate generation goes beyond. Thank you.