[Norcino]

I have a router Linksys WRT1900ACv2
Firmware Version DD-WRT v3.0-r33679 std (11/04/17)
Kernel VersionLinux 4.9.60 #68 SMP Sat Nov 4 06:18:00 CET 2017 armv7l.

I am trying to understand how to install and configure a reverse proxy but I'm totally lost.
I found many articles saying that I can use pound, but I don't have it in my rom, so I found that to install it you need OTRW2 (Optware), but I found only old guides referring to Broadcom routers, and apparently it is not supported anymore.
After that I found entware-ng, but I douldn't find a way to safely install it.
In other places, I read that I can use ngix or a blog saying you can use Apache.

How can I install any of those reverse proxy?
I have jffs activated but it says that is not mounted, so if I need to mount it, please tell me how I can do it.

[ian5142]

You want to use Entware 3X (ARM v7): https://github.com/Entware-for-kernel-3x/Entware-ng-3x/wiki/General-installation-notes

The installation from Entware ng can be helpful, just use the links from Entware 3X: https://github.com/Entware-ng/Entware-ng/wiki/Install-on-DD-WRT

[Norcino]

Hey ian5142 thank you for the reply, I have been busy so I couldn't add a step by step guide as I wanted to, so here I am.

First, connect to your router using ssh or putty.

1 ) Make sure you can write inside opt folder
To try it, move into /opt/ and type:
mkdir test
If the command is successful delete the folder (rmdir test) and go to the point 2)
If the command failed you need to mount jffs to opt executing the following command:
mount --bind /jffs/ /opt/

2 ) Install entware (Note that there are versions for every architecture so in aware and choose the one for your device if you don't have a WRT1900AC).
To do so execute the following command from the /opt folder:
wget -O - http://pkg.entware.net/binaries/armv7/installer/entware_install.sh | sh

3 ) If the procedure completed successfully you will be able to use opkg command. Use it to install nginx as shown below:
opkg install nginx

4 ) Locate the nginx.conf configuration file, where you need to configure the reverse proxy.
Run the command:
find / -name 'nginx.conf'

5 ) Add the configuration to the nginx.conf file, that normally is located in /jffs/etc/nginx/nginx.conf.
To edit the file type vi /jffs/etc/nginx/nginx.conf
Type in your keyboard SHIFT+i to start editing.
When you have finished, press ESC to stop editing.
Then type :wq to save and exit vi.

7 ) Change the web interface default port from 80 to 81 (or any other one) and disable the https if you want to reverse proxy also https urls. To do that run:
nvram set http_lanport=81
nvram commit

8 ) In the UI now navigate to Administration > Commands and add the following scripts to run at startup:
--bind /jffs/ /opt/
nginx
Remember to click the button Save Startup, because you need the file system to be mount at every reboot and you want to run automatically nginx as well.

9 ) Restart the router and everything should be setup.


For examples of reverse proxy configuration please refer: https://www.nginx.com/resources/admin-guide/reverse-proxy/

[ian5142]

I have added it to the wiki here: https://www.dd-wrt.com/wiki/index.php/Reverse_Proxy_using_Entware

I don't know that much about reverse proxies. Can you write a short introduction on what they are used for?

[Norcino]

Sure, let me know if it is ok.
I'm not sure I can add/edit the wiki so I will post it here.



Often we need to access various http and https services lying behind the router from the Internet.
A common solution to this problem is to use port forwarding and assign to each of those services a different port.

Example, pretend we have the following services running in the LAN.
- nas: storage device used to keep files accessible through http web requests
- ‎home automation: web interface to control your home devices, lights and heating
- ‎dev service: imagine you are a developer working on an api and you want it to be accessible from the Internet

By default all of those services are listening on port 80 (let's simplify and ignore for now TSL https connections).
In a standard router with port forwarding you would need to:

a) change the default port of home automation and dev with this configuration
- nas:80
- ‎homeautomation:81
- ‎dev:82
b) from the router assign the forwarding to the relative IPS
c) say you have mydomain.cloud and you mapped it to your public IP address, to access the various services you would need to use the following URLs:
- nas: http://mydomain.cloud:80
- ‎homeautomation: http://mydomain.cloud:81
- ‎dev: http://mydomain.cloud:82

Now this clearly this is not ideal and reverse proxy is here to help.

First, we need to edit the DNS configuration of our domain name adding CNAMES, if you use a Dynamic DNS service, to always point to your (non static) IP address, replace DESTINATION with your DynDNS URL.
If you instead have a static IP address, just replace DESTINATION with mydomain.cloud.

To do so add the following CNAMES.

+ nas - DESTINATION
+ homeautomation - DESTINATION
+ dev - DESTINATION

Once saved, and after waiting few minutes to allow the DNS update to propagate, you will be able to use the following addresses, in an indistinct way connect to your public address:
- http://nas.mydomain.cloud
- ‎http://homeautomation.mydomain.cloud
- http://dev.mydomain.cloud

Now without a reverse proxy those URLs would always point you to the service listening on port 80, in this example, the NAS.

The reverse proxy allow us to specify, based on the original URL, where this should be forwarded to.
So in our case we want http://nas.mydomain.cloud to point maybe the lan hostname nas.home or maybe an IP address 192.168.0.100.
Then we have to say http://dev.mydomain.cloud to point desktop.home or another IP and so on.

At each request, the reverse proxy running in your router will forward those to the right target machine within your LAN.

Notes:
1) I strongly recommend not to use IP addresses, to do so in the DHCP reservation table in the router's web ui, add the MAC address of nas, desktop and homeautomation reserving an IP. This will make the IP static but will also give you an automatic hostname resolution so nas.home will be always resolved with your nas IP, even if you change it. (I use home as internal domain name)
2) ‎If you don't have a domain name, you can buy it for a very little amount of money nowadays. I bought mine from services like https://hosting.aruba.it/en/home.aspx
3) If you need a Dynamic DNS service, you can use for free https://www.noip.com/ (you need to confirm the setup every month for the free plan) or https://www.duckdns.org/

[ian5142]

I had to ask for wiki access. It is only open to those that ask. You are free to ask for it if you want. I would suggest that if you find an article that needs updating, PM me and I will either try and update it myself or you can write a draft and I will update that way.

I have added your introduction to the wiki page I created previously.

[ddwr-linksys-E4200]

Hi everybody,

I try to install ngix for a reverse proxy, everything was alright but it's impossible to strat Nginx. Here is the steps that I did :

Hardware : Linksys E4200
Firmware: DD-WRT v3.0-r30880 mega (11/14/16)

1°) Enable USB storage access (Disk Mount Point /opt)

2°) Try to create a directory on /opt, remove everything on it : rm -rf /opt/*

3°) Install entware opkg (https://github.com/Entware-ng/Entware-ng/wiki/Install-on-DD-WRT) : wget -O - http://pkg.entware.net/binaries/mipsel/installer/installer.sh | sh

4°) Install nginx : opkg install nginx

5°) Find nginx.conf : find / -name 'nginx.conf'

6°) Edit nginx configuration file to customise it : vi /opt/etc/nginx/nginx.conf

7°) Try to reload nginx : sh -x /opt/etc/init.d/S80nginx reload ===> + PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ nginx -s reload
/opt/etc/init.d/S80nginx: line 27: nginx: not found


AS you can see I got a strange feedback on the nginx reload, I got the same if i do a restart or whatever.

Can someone help me on this ?

Thanks !

[zyxmon]

[ddwr-linksys-E4200]

Hi zyxmom,

Here is my PATH :
echo $PATH
/bin:/usr/bin:/sbin:/usr/sbin:/jffs/sbin:/jffs/bin:/jffs/usr/sbin:/jffs/usr/bin:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin

I try another time to install opkg and I'm sure that I forgot something on the steps that I described. See below what I did to reinstall step by step :

First here is what I enabled on USB service on the dd-wrt GUI (see atachment).

1°) Remove everything on /opt directory : rm -rf /opt/*

2°) Install entware opkg (https://github.com/Entware-ng/Entware-ng/wiki/Install-on-DD-WRT) : wget -O - http://pkg.entware.net/binaries/mipsel/installer/installer.sh | sh
Here is what I get from the install :

[Norcino]

Hi
originally I didn't use an external usb drive to install entware and so I just installed it after mounting jffs.

Here are few notes I took the first time I did it, but the guide in the wiki should be more complete.

cacert = "/tmp/root/cacert.pem"

Mount jssf
(Info: https://teledom.gr/tech/dd-wrt/dd-wrt-linksys-wrt1900acs-v2-entware/)mount --bind /jffs/ /opt/
in opt run
wget -O - http://pkg.entware.net/binaries/armv7/installer/entware_install.sh | sh

in Administration > Commands add the command mount --bind /jffs/ /opt/ and Save Startup

To start nginx, I just type the name, if I remember correctly from anywhere but in general I go to /opt/etc/ were I have nginx.config, and I start, stop or reload it from there. (eg. nginx -s reload)

Is there anything I can do on my router to help you out?

[ddwr-linksys-E4200]

Hi Norcino,

thanks for your reply but nothing on your notes helps me. The problem is all the errors message on entware installation, i think that these errors makes something works wrong on the install :
extract_archive: Cannot create symlink from ./opt/lib/ld-uClibc.so.0 to 'ld-uClibc.so.1': Operation not permitted.

Thanks

[Norcino]

If you can, I would consider to flash your router with the latest firmware and try to install it in the local file system without mounting the usb. I did this way, I mounted the USB after I installed entware.

EDIT: I think your router doesn't have enough free space, you can check and try. I still think tough that I nice update and reset might help, it could be the way the usb drive has been mounted.

[Richie79]

Hi, I'm a Nginx noobie trying to setup basic reverse proxy server for the first time to harden my home security IP camera with HTTPS which doesn't support it natively. Camera is behind my pfSense firewall and DD-WRT router in it's own bridged subnet and I'm able to access it fine from outside and inside. I've installed Nginx successfully in my DD-WRT router, but I haven't managed to make it work.

I tried the following instructions found here:
https://security.stackexchange.com/questions/56779/securing-remotely-accessible-ip-cameras-that-do-not-support-https

My Nginx conf file is in the following path:
/opt/etc/nginx/nginx.conf

For testing purpose only I try to direct all HTTP traffic from 192.168.6.66:666 to 192.168.6.66:8080. I've set the router to start Nginx after reboot. Nginx is able to save all the configurations successfully after router reboot. I've also configured port forwarding on my router and my firewall to ports mentioned above. I still can't access the camera from port 8080 (inside or outside). I wish to move on to HTTPS when HTTP works.

Any idea what am I doing wrong?
Find attached screenshot of my Nginx configuration.
Are the configurations in wrong place? I wrote them in the beginning of configuration file.

[Richie79]