Community Health Toolkit

Firewall setup when using nginx-local-ip

When using the nginx-local-ip setup, I can connect fine from a virtualized Android device I have running locally (via AVD) but only if my firewall is disabled. (Pretty sure I am just running UFW under the Linux Mint UI skin…) I tried allowing all traffic through on 443/80 but that did not seem to help. With the firewall enabled, I just get 504 errors trying to connect. Does anyone have advice on how to properly configure your firewall?

Does it work when you use Chrome/Firefox to navigate to https://192-168-0-3.my.local-ip.co/? I also believe there is a request out to .my.local-ip.co. I forget exactly how that is achieved.

No, it behaves the same way. 504 when the firewall is enabled, but works just fine otherwise.

What about forwarding port 5988, assuming you are using grunt or node?

I think opening 5988 is the answer.

I am running the app using grunt and then node server.js from api dir.

I enabled my ufw firewall in Ubuntu. I cannot access it going to 443 or 80. After opening 5988 it worked.

As for running the other way, with Docker: you’ll need to forward whatever ports you’ve exposed in Docker. They can be found by looking at the ports listed in docker ps.


Indeed, only opening ports 80 and 443 wasn’t enough (I followed this guide):

$ sudo ufw allow proto tcp from any to any port 80,443

But adding 5988 did work:

$ sudo ufw allow proto tcp from any to any port 5988

This shouldn’t be like that; I guess the app is trying to perform some Ajax query and has the URL hardcoded.

@mrsarm I think this is likely because you’re hitting the external IP address instead of 127 or localhost.

So it’s going from external on 443, into nginx, which proxy_passes it back out to your IP address on 192.168.0.3, which means that port needs to be open.

Good point @Nick, trying to access the app locally from a browser on the same computer also doesn’t work because of what you said.

So, finally, digging a bit more into ufw, I think the most restrictive rule set to only allow local and LAN connections is:

$ sudo ufw allow proto tcp from 192.168.0.0/24 to any port 80,443,5988
$ sudo ufw allow proto tcp from any to 192.168.0.0/24 port 80,443,5988

Also just executing the following works:

$ sudo ufw allow proto tcp from any to any port 80,443,5988

But connections from outside the LAN can be made if the LAN is not protected.

@jkuester if you confirm this works for you as well, we can later add a section about it to the nginx-local-ip readme.

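To make the difference between the two rule sets above concrete, here is an added Python model (example code, not from the thread or the CHT project) that evaluates constructed connection attempts against the "from any to any" rule and the two LAN-scoped rules; it assumes ufw's default deny-inbound policy and ignores interface, loopback and connection-state matching. It also shows that the "from any to 192.168.0.0/24" rule admits any source address as long as the destination is a LAN address, so keeping outside traffic out still depends on the router not forwarding those ports.

```python
# Added example (not from the thread): model ufw as default-deny inbound with
# 'allow' rules matching on source net, destination net and TCP port. Interface,
# loopback and connection state are ignored; non-LAN addresses are constructed.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.0.0/24")  # LAN used in the thread
APP_PORTS = (80, 443, 5988)                   # nginx plus the CHT API port


@dataclass(frozen=True)
class Rule:
    """One 'ufw allow proto tcp from SRC to DST port PORTS' line."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and port in self.ports)


# sudo ufw allow proto tcp from any to any port 80,443,5988
OPEN_TO_ALL = [Rule(ANY, ANY, APP_PORTS)]

# sudo ufw allow proto tcp from 192.168.0.0/24 to any port 80,443,5988
# sudo ufw allow proto tcp from any to 192.168.0.0/24 port 80,443,5988
LAN_SCOPED = [Rule(LAN, ANY, APP_PORTS), Rule(ANY, LAN, APP_PORTS)]


def allowed(rules, src_ip, dst_ip, port):
    """Default-deny: the connection is admitted only if some allow rule matches."""
    return any(r.matches(src_ip, dst_ip, port) for r in rules)


# Constructed attempts: a LAN peer hitting the API port; an outside host reaching
# the LAN address (e.g. through a router port-forward); an outside host reaching
# a non-LAN address on the box; a LAN peer trying a port nobody opened.
SAMPLE_ATTEMPTS = [
    ("192.168.0.10", "192.168.0.3", 5988),
    ("203.0.113.5", "192.168.0.3", 5988),
    ("203.0.113.5", "198.51.100.7", 443),
    ("192.168.0.10", "192.168.0.3", 22),
]

if __name__ == "__main__":
    for name, rules in (("open to all", OPEN_TO_ALL), ("LAN scoped", LAN_SCOPED)):
        print(name, [allowed(rules, *a) for a in SAMPLE_ATTEMPTS])
```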

Boom! Thanks a bunch guys!

@mrsarm I can confirm that

$ sudo ufw allow proto tcp from 192.168.0.0/24 to any port 80,443,5988
$ sudo ufw allow proto tcp from any to 192.168.0.0/24 port 80,443,5988

works for me!

I will open a PR to update the doc for nginx-local-ip.