Intranet penetration, chapter 3 (and the difference between intranet penetration and a reverse proxy): a step-by-step tutorial on safe intranet penetration, using an nginx reverse proxy to enforce two-way SSL authentication for intranet devices and stop certificate-less users from brute-forcing the NAS

Author: Geek plaything. Foreword: do you have this problem? After setting up intranet penetration, other devices on the home intranet such as the NAS keep getting login attempts from unknown IPs trying to brute-force their way in. A strong password keeps them out, but the attacks never stop. I am about to deploy an intranet penetration environment again, to complement the virtual-network (overlay) tools I currently use.

This is for the convenience of family members who do not use the virtual-network tools: they should be able to open the service directly in a browser without any extra steps. A solution like nps, however, exposes the service directly to the public internet. Anyone who knows the domain name can reach my home intranet, and a domain name is not exactly a secret.

Being hammered by unknown IPs every day is an unpleasant experience. Is there a way to avoid it? We know that HTTPS lets the client verify the server's identity through a certificate; this is SSL one-way authentication. Where there is one-way authentication there is also two-way authentication: in SSL two-way (mutual) authentication the server also demands a certificate from the client. If the client's certificate validates against the CA the server trusts, the handshake completes and communication proceeds; if it does not, the server rejects the connection before a single HTTP request is served.

So we can configure SSL two-way authentication so that only permitted users can reach the NAS and the other HTTP-based intranet services, while everyone else cannot even complete a connection. Since a certificate-less client never sees the login page, there is nothing left for it to brute-force, which protects the intranet devices to a fair degree.

What you need:

1. A domain name whose DNS provider supports wildcard records.
2. A public IP, or a public cloud server, or some other intranet penetration method.
3. An intranet device that can run Docker: a Synology NAS, OpenWrt or Unraid all work.
4. An SSL certificate, either self-signed or issued by a CA.

The tutorial

1. nginxWebUI container deployment

nginxWebUI is a graphical front end for nginx written by Chen Yimeng (cym1102). nginx is configured through a web management interface, which makes it easy for beginners to get started, and its automatic application and renewal of SSL certificates is a big convenience for us intranet-penetration players. This tutorial uses the Docker version of nginxWebUI. So that it can have ports 80 and 443 to itself,

nginxWebUI runs with its own IP address on a macvlan network. First check whether Docker already has a macvlan network. Run docker network ls; the output looks like this:

root@Tower:~# docker network ls
NETWORK ID     NAME     DRIVER    SCOPE
c9b49d7dffff   br0      macvlan   local
0464aacdffff   bridge   bridge    local
07c5c1d0ffff   host     host      local
a059f37effff   none     null      local
root@Tower:~#

You can see there is a macvlan network named br0.

If there is no macvlan network, create one. First find the name of the network card in use: run ifconfig and look for the interface that carries your management-interface IP. For example, my management IP (omitted in the original) sits on the interface br0, so I note down br0.

bond0: flags=5443  mtu 1500
        inet6 fe80::2f1:ffff:fef0:5aba  prefixlen 64  scopeid 0x20
        ether 00:ff:ff:ff:ff:ff  txqueuelen 1000  (Ethernet)
        RX packets 15361454  bytes 5485436605 (5.1 GiB)
        RX errors 0  dropped 773911  overruns 0  frame 0
        TX packets 14499561  bytes 9878246997 (9.1 GiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

br0: flags=4163  mtu 1500
        inet (address omitted in the original)  netmask (omitted)  broadcast (omitted)
        inet6 fe80::2f1:ffff:fef0:5aba  prefixlen 64  scopeid 0x20
        inet6 123f:fff:fff:acc0:2f1:ffff:fef0:5aba  prefixlen 64  scopeid 0x0

Next put the network card into promiscuous mode, which macvlan needs. My card is br0; if yours has a different name, replace br0 in the command with your card's name:

ip link set br0 promisc on

Then have Docker create a macvlan network named vlan1. Replace the parent interface, the subnet and the gateway with your own (my card is br0; my subnet and gateway are omitted in the original):

docker network create -d macvlan --subnet=<your subnet> --gateway=<your gateway> -o parent=br0 vlan1

Pull the nginxWebUI image:

docker pull cym1102/nginxwebui:latest

Start the container. --net names the vlan1 macvlan network created in the previous step and --ip fixes the container's address; adjust the values to your own environment rather than copying the command verbatim:

docker run -itd -v /home/nginxWebUI:/home/nginxWebUI -e BOOT_OPTIONS="--server.port=8080" --privileged=true --net=vlan1 --ip=<container ip> cym1102/nginxwebui:latest

Note that --privileged=true hands the container nearly full control of the host, so the nginxWebUI management port 8080 must stay on the LAN: never forward it to the public internet.

Once the container is running, open http://<container ip>:8080 in a browser to reach the nginxWebUI management interface.

Don't rush into setting up nginxWebUI yet; there is still some preparatory work that makes it more useful.

2. Configure the container network so the nginxWebUI container can talk to the host

This is a property of macvlan itself, not a Docker policy: the parent interface cannot exchange traffic with the macvlan sub-interfaces hanging off it, so a container on a macvlan network cannot reach the host's own IP address.

Many all-in-one users run other functional containers, such as the Emby media server, in the usual host port-forwarding mode on the host's IP address, and nginx on macvlan would then be unable to reach them. A lonely kind of breakthrough. This section solves reaching the host through the macvlan network.

The host and a macvlan container cannot communicate even when they are on the same subnet, although macvlan containers can talk to one another. So we add a macvlan virtual interface to the host itself and route traffic between the host and the containers through it. My host's network card is br0, its IP is (omitted in the original), and the container's IP is (omitted in the original).

On the host, create a virtual interface named macvlan2 attached to br0:

ip link add macvlan2 link br0 type macvlan mode bridge

Assign the virtual interface an address:

ip addr add <host macvlan2 ip> dev macvlan2

Bring it up:

ip link set macvlan2 up

Add routing rules through this virtual interface, one for each container that needs to communicate with the host (adjust the target IP to your actual situation):

ip route add <container ip> dev macvlan2

Now the host reaches the container through the container's IP, and the container reaches the host through the host's macvlan2 address. None of these ip commands survive a reboot, so put them in whatever your NAS runs at startup.
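The macvlan shim above as a script that can be rerun safely (for example at boot, since the ip commands do not persist). This is an added example, not from the original post; the interface names and addresses are assumptions, and DRY_RUN=1 prints the commands instead of applying them so it can be checked without root.

```shell
#!/bin/sh
# Added example, not taken from the post: the host-side macvlan shim from the
# section above as a rerunnable script. Interface names and addresses are
# assumptions; pass your own. Set DRY_RUN=1 to print instead of apply.
set -eu

# Runs a command, or just prints it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# macvlan_shim <parent-iface> <shim-name> <host-ip/prefix> <container-ip>...
# Creates the shim only if it is missing and uses "replace" for the address
# and the routes, so running it a second time does not fail with "File exists".
macvlan_shim() {
    parent=$1; shim=$2; hostip=$3; shift 3
    case "$hostip" in
        */*) ;;
        *) echo "host ip must carry a prefix length, e.g. 192.168.1.250/32" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-0}" = "1" ] || ! ip link show "$shim" >/dev/null 2>&1; then
        run ip link add "$shim" link "$parent" type macvlan mode bridge
    fi
    run ip addr replace "$hostip" dev "$shim"
    run ip link set "$shim" up
    # one host route per container that must be able to reach the host
    for c in "$@"; do
        run ip route replace "$c" dev "$shim"
    done
}

# usage with assumed addresses:
#   macvlan_shim br0 macvlan2 192.168.1.250/32 192.168.1.20 192.168.1.21
if [ $# -ge 4 ]; then
    macvlan_shim "$@"
fi
```

Run it once with DRY_RUN=1 to see exactly which commands will be issued, then without it as root. Because it uses "replace", it is also the thing to call from the NAS boot script.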

To check, ping the host from the container: ping <host macvlan2 ip>.

3. Configure nginxWebUI and the OpenSSL self-signed SSL certificates

1. OpenSSL self-signed certificates and applying for a free SSL certificate

Two certificates are needed here. One is the server's SSL certificate: it can be obtained from a certificate issuer such as Alibaba Cloud, or self-signed with OpenSSL. The other is the client certificate, which must be issued by your own OpenSSL CA, because nginx will only accept clients whose certificates chain to the CA you hand it. First the server certificate (CA-issued, then the OpenSSL self-signed variant), then the client certificate.

(1) CA-issued, using Alibaba Cloud as the example

First create an Alibaba Cloud RAM user that nginxWebUI will use to apply for and automatically renew SSL certificates. Open the Alibaba Cloud console, hover over the avatar at the top right, and click AccessKey management in the menu that appears. It will prompt you to create a RAM sub-user.

Then open the RAM user management page, click Create User, set a user name and tick the OpenAPI access option; the sub-user is created and its AccessKey ID and AccessKey Secret are displayed. They cannot be used yet: the sub-user still needs the corresponding permissions.

Grant the sub-user three permissions: "Manage Yundun certificate service", "Manage Cloud DNS", and "Manage domain name service". That completes the RAM sub-user.

Enter the sub-user's AccessKey ID and Secret in nginxWebUI's certificate management, and certificates are applied for and renewed automatically in one step. Treat that key pair as equivalent to control of your DNS zone: anyone who extracts it from the nginxWebUI container can point your domain anywhere, so it belongs in that container's configuration and nowhere else.

(2) OpenSSL self-signed certificate. nginxWebUI ships with the openssl tool, so we self-sign directly inside the container. First open a terminal in the nginxWebUI container. On Unraid, choose Console in the container's management menu. On Synology and OpenWrt you need a container-management tool; space is limited, so here is the short version of deploying Portainer (Chinese-language build):

docker pull 6053537/portainer-ce   # pull the Chinese-language Portainer image
docker run -p 9000:9000 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /portainer_data:/data -d 6053537/portainer-ce   # run Portainer, reachable on port 9000

Log in at http://<ip>:9000 to reach the Portainer backend. Portainer is handed the Docker socket, which amounts to root on the host, so give it a strong password and never expose port 9000 through the proxy.

A self-signed server certificate is a nuisance to use (every device has to trust your CA first), so I don't recommend it; the process is only sketched here. Open /home/nginxWebUI (this directory is mapped to /home/nginxWebUI on the host), create a new folder openssl and enter it:

cd /home/nginxWebUI
mkdir openssl
cd openssl

Generate the CA private key and the CA root certificate:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Creating the CA certificate prompts for some information:
Country Name: the two-letter country code
State or Province Name
Locality Name: the city
Organization Name
Organizational Unit Name
Common Name: anything you like for the CA
Email Address: anything you like

The CA certificate is created. Now create the server's private key and certificate request:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr

The prompts are the same as for the CA root, except Common Name, which cannot be filled in casually: it must be the server's domain name or IP, and for a wildcard domain write *.yourdomain. After the email prompt you are asked for "A challenge password". It is an attribute of the request, not a password for the CA: leave it empty and press Enter. Then sign the server certificate with the CA:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650

The server certificate is now signed. Upload the server certificate and private key to nginxWebUI, and install the self-signed CA root certificate on every device that will connect.

(3) Client certificate. This differs from the self-signed server certificate above: this time the CA private key and CA root certificate from the previous step are used to sign the client certificate. If you used a CA-issued server certificate and skipped the self-signed server step, refer to that step to produce the CA private key and root certificate first.

openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr

The prompts are the same as for the root certificate. After the email, "A challenge password" is requested; leave it empty and press Enter. Then sign the client certificate:

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650

Package the client certificate and private key into PKCS#12 (p12/pfx) format; the command asks you to set a password for the p12 file:

openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx
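The whole certificate procedure above (CA, server certificate, client certificate, p12 export) as one non-interactive script. It is an added example, not from the original post or from nginxWebUI, and the domain, the "Home CA" name and the client name are assumptions. It adds three things the manual steps lack: a subjectAltName on the server certificate (modern browsers ignore the Common Name), an extendedKeyUsage on each leaf so a client certificate cannot be reused as a server certificate, and a final openssl verify that fails loudly if a leaf does not chain to ca.crt, the file nginx is later given as ssl_client_certificate.

```shell
#!/bin/sh
# Added example, not part of the post: the openssl steps from the sections
# above as one script. Domain, CA name and client name are assumptions.
set -eu
KEYBITS=${KEYBITS:-4096}   # the post uses 4096; lower it only for quick tests

# gen_pki <outdir> <domain> <client-name> <p12-password>
gen_pki() {
    d=$1; domain=$2; client=$3; p12pass=$4
    mkdir -p "$d"

    # Minimal req config: subjects come from -subj (no prompts) and the CA
    # extensions are explicit rather than inherited from the distro openssl.cnf.
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. CA key and self-signed root (ca.key / ca.crt in the post)
    openssl genrsa -out "$d/ca.key" "$KEYBITS" 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$d/ca.key" -out "$d/ca.crt" \
        -config "$d/req.cnf" -extensions ca_ext -subj "/CN=Home CA"

    # 2. Server key, CSR and CA-signed cert for the wildcard domain; the SAN
    #    carries the wildcard because browsers no longer read the CN
    openssl genrsa -out "$d/server.key" "$KEYBITS" 2>/dev/null
    openssl req -new -key "$d/server.key" -out "$d/server.csr" \
        -config "$d/req.cnf" -subj "/CN=*.$domain"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.%s,DNS:%s\n' \
        "$domain" "$domain" > "$d/server.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 3650 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null

    # 3. Client key, CSR and CA-signed cert for one device, client-auth only
    openssl genrsa -out "$d/client.key" "$KEYBITS" 2>/dev/null
    openssl req -new -key "$d/client.key" -out "$d/client.csr" \
        -config "$d/req.cnf" -subj "/CN=$client"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 3650 -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null

    # 4. PKCS#12 bundle for the phone/browser import (client.pfx in the post);
    #    on OpenSSL 3 add -legacy if an older device refuses the file
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
        -certfile "$d/ca.crt" -out "$d/client.pfx" -passout "pass:$p12pass"

    # 5. Both leaves must chain to ca.crt for their intended purpose
    openssl verify -CAfile "$d/ca.crt" -purpose sslserver "$d/server.crt"
    check_client_cert "$d/ca.crt" "$d/client.crt"
}

# check_client_cert <ca.crt> <cert>: the same decision nginx makes with
# ssl_verify_client on; exit status 0 means the certificate would be accepted.
check_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# usage: gen_pki /home/nginxWebUI/openssl home.example.com family-phone 'p12 password'
if [ $# -eq 4 ]; then
    gen_pki "$1" "$2" "$3" "$4"
fi
```

Run gen_pki once per client device (one output directory per device, reusing the same ca.key and ca.crt), or extend step 3 into a loop. Keep ca.key off the nginx host once the certificates are issued: whoever holds it can mint client certificates that the proxy will accept.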

All the generated files are in /home/nginxWebUI on the host.

2. Configure the nginxWebUI reverse proxy and SSL two-way authentication

On first login there is an account and password setup screen; once that is done, log in to the nginxWebUI management interface. Step one, select "HTTP parameter configuration"; step two, select the "simple configuration wizard"; the configuration screen opens, and the default configuration is fine.



Sometimes a whole level of a domain needs to resolve to one IP. This is wildcard resolution, written "*.b.a" for one level, and "*.f.b.a" for the level below that. In Alibaba Cloud DNS, put "*" in the host record field of the resolution record, and "c.b.a", "d.b.a" ... "z.b.a" all resolve to the same IP.

Put "*.home" in the host record field, and "a.home.b.a", "b.home.b.a" ... "z.home.b.a" all resolve to the same IP. Because nginx's HTTP reverse proxy picks its target by the requested host name, we need a wildcard record that points a whole subdomain level at nginx.




For example, my OpenWrt's IP is (omitted in the original) and its port is the default 80, so the target address is (omitted in the original). A domain's proxy target can be given several entries, but that is not recommended here: best have one domain per proxy ip:port, for example Synology management on one domain, Seafile on another and OpenWrt on a third, so nothing resolves to the wrong place.



For example, what I insert here is the Synology reverse proxy configuration. Each reverse-proxied domain must be configured separately, with the lines inserted in the corresponding place. In "ssl_client_certificate /home/nginxWebUI/openssl2/ca.crt;", the path /home/nginxWebUI/openssl2/ca.crt is the self-signed CA certificate generated with openssl above (my directory happened to be openssl2; use whatever yours is). The two lines to add to each server block are:

ssl_client_certificate /home/nginxWebUI/openssl2/ca.crt;
ssl_verify_client on;

Note that the directive points at the CA certificate, not at client.crt: nginx accepts any client certificate that chains to this CA. After adding the lines, repeat the "check file" and "stop nginx" steps from the previous section and start nginx again; SSL two-way authentication is now configured.
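A complete server block of the kind nginxWebUI's wizard generates, with the two lines above in place, for the reverse-proxy targets discussed in the previous section. This is an added example, not the post's own configuration and not generated by nginxWebUI; the host name, the backend address and the certificate paths are assumptions.

```nginx
# Added example, not taken from the post or from nginxWebUI. Names, addresses
# and paths are assumptions; change them to match your environment.

# Requests for a host name that has no server block of its own (including
# scanners hitting the bare IP) are dropped without a response, so they never
# reach a backend. nginx still needs a certificate here to finish the TLS
# handshake before it can decide to drop the connection.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /home/nginxWebUI/openssl/server.crt;
    ssl_certificate_key /home/nginxWebUI/openssl/server.key;
    return 444;
}

# Plain HTTP only redirects; nothing is proxied over it.
server {
    listen 80;
    server_name nas.home.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name nas.home.example.com;

    # Server identity: CA-issued or self-signed server certificate.
    ssl_certificate     /home/nginxWebUI/openssl/server.crt;
    ssl_certificate_key /home/nginxWebUI/openssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Client identity: the handshake fails unless the browser presents a
    # certificate that chains to THIS CA (point at ca.crt, never client.crt).
    # A client without one gets "400 No required SSL certificate was sent"
    # and never sees the NAS login page.
    ssl_client_certificate /home/nginxWebUI/openssl/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_pass http://192.168.1.10:5000;   # Synology DSM, assumed address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Tell the backend which client certificate was used, for its logs.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        # Pass websocket upgrades through so apps that use them keep working.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Two checks once it is live: curl -k https://nas.home.example.com/ must return the 400 page, and curl --cacert ca.crt --cert client.crt --key client.key https://nas.home.example.com/ must return the DSM login page. Two caveats: ssl_verify_client on is all-or-nothing per server block, so a block you forget to add the lines to is still open to the whole internet; and a client certificate issued for ten years keeps working after the phone is lost, so keep ca.key offline and revoke with a CRL (the ssl_crl directive) or by reissuing the CA.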





4. iOS also needs the OpenSSL self-signed CA certificate installed first. Installing a CA certificate and a p12 certificate on iOS is a bit fiddly. My workaround is to upload the CA certificate and the p12 client certificate to the Synology or Unraid box and use it as a simple HTTP download server: in the built-in Safari on iOS, log in to the Synology, select the certificate in File Station, long-press to open the menu and choose Download, and the profile can be installed.

Then install the p12 certificate and enter its password. After it installs, you also have to go to Settings, General, Profiles & Device Management and verify the p12 client certificate you just installed. iOS has a limitation: only the built-in Safari browser can use SSL two-way authentication. When you open a page that requires two-way SSL, the browser pops up a client certificate chooser; select the matching certificate and the page loads, without the nginx 400 error.


我的科技记录 (My Tech Record)