I have a couple of local services running (e.g. AdGuard Home, Wireguard, Unbound) and a small static website. The latter I plan to open up to the world wide web.
I’ve set it up with nginx, Certbot, and a custom domain.
One question I have is, if I only plan to serve it over https, should I only open port 443 or also 80 on my router?
A problem I encountered is that now that the nginx config of the site has been blessed by a Let’s Encrypt certificate, I can’t access the site locally anymore, meaning with the local IP address (e.g. 192.178.168.18) over port 80. I need to prefix it with https:// which is annoying!
Can I somehow allow the site to be accessed unencrypted from the home network?
You could enable redirecting http to https in nginx, which will work inside of your LAN, because nothing is blocking port 80 there. But when you try to reach the website from the internet, it’s only accessible via https, because redirecting won’t work with the blocked port 80.
The problem now is that https won’t work because you try to reach it via an IP and not a domain. You can set up a local DNS record for your domain, pointing to the LAN IP of your server. Whenever you now request the domain from inside your LAN, the request will never leave your LAN, so port 80 is not blocked and the redirecting of http works from inside the LAN but not from the internet.
I’m not familiar with nginx, so I can’t help you to config the redirect.
And I’m sure there is a feature in AdGuard to set up a local DNS record.
Yes, you need to open port 80 and 443 from the internet. Otherwise your certificate can’t be renewed if required, because certbot is going to verify your domain on port 80. There is a checkbox on the certbot GUI to force redirect from http to https. From inside the local network, it should be possible to access your web site using your DDNS record as well.
It only works with the domain and https, which is great. However, when I try reaching the website with the internal (192.168.178.18) or external, static IP address, I’m redirected to nginx 404 not found. The domain obviously points to the external IP address. But nginx and certbot are only set up for the domain.
I simply want the site to be accessible from the local network without https.
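An nginx layout that matches what is being discussed here, added as an example and not posted by anyone in this thread: a catch-all port 80 block that serves plain HTTP to the LAN only, a port 80 block for the domain that answers the certbot challenge and redirects, and the HTTPS site. The domain `example.com`, the web roots, and the `192.168.178.0/24` subnet (inferred from the 192.168.178.18 address mentioned above) are assumptions.

```nginx
# Assumed placeholders: example.com, /var/www/site, /var/www/certbot,
# LAN subnet 192.168.178.0/24. Adjust to the real setup.

# 1) Requests that arrive by IP address (or with an unknown Host header)
#    on port 80 match no server_name and land in the default server.
#    Without a block like this, they fall into whichever server is first
#    and can end in the 404 described above.
server {
    listen 80 default_server;
    server_name _;

    # Plain HTTP is served to the home network only.
    allow 192.168.178.0/24;
    allow 127.0.0.1;
    deny all;                      # everyone else gets 403

    root /var/www/site;
    index index.html;
}

# 2) Port 80 for the domain: answer the ACME HTTP-01 challenge used for
#    certificate renewal, redirect everything else to HTTPS.
server {
    listen 80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;     # certbot webroot (assumed path)
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# 3) The public site, HTTPS only, selected by the domain name.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/site;
    index index.html;
}
```

The `allow`/`deny` rules rely on nginx seeing the real client address, so check in the access log that requests forwarded by the router show public source addresses and not the router's LAN address. `nginx -t` validates the configuration before a reload.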
If the DDNS is working from internal as well as from external, why still use the IP address?
But getting an HTTP error 404 means page not found. This would indicate that you are reaching the web server but somehow the requested page could not be displayed. Did you set up any configuration in addition?
Personally I would keep it as is and access the web site using the IP address. It’s some kind of security feature to ensure access to your web site on a valid domain only and not via someone who doesn’t know the domain but is trying to access just by scanning IP addresses on an open port 80. Or is there a strict need to access the site using the IP?
You’re most certainly right, however I don’t like that people will get a 404 page, when they go to the local IP of the server.
But people are unable to connect via the local IP, when they connect from the internet via your domain.
I’m not an nginx expert and I don’t know if the following is a good solution, but if you like to redirect all traffic from http to https, no matter where it is coming from, you could try replacing the server block