Reverse proxy problems on local network with FiOS G3100

My situation is a tad complex. I'm on FiOS, a G3100 router. (Other than the TVs) the only thing connected to the G3100 is a Google puck system (which the G3100 sees as 192.168.1.151). Everything, including a Synology DiskStation, is on the Google WiFi network, which is 192.168.86.*. I'm trying to securely access applications on a Ubuntu box at 192.168.86.99, at various ports.

On the G3100 I've forwarded HTTP and HTTPS to the Google router. On the Google router I've forwarded those ports to the Synology. I've used the Synology reverse proxy capabilities to forward various subdomains (e.g., https://fake.meneelys.com) to the appropriate ports on the Ubuntu box (e.g., 192.168.86.99:8123). The Synology app takes care of getting Let's Encrypt certificates issued; I've done those on a per-app basis.

From outside my local network it all works perfectly.

Inside the local network, it worked perfectly for many months, but now I started getting certificate errors (Certificate does not match the URL). When I examine the certificate, it tells me it was issued to myfiosgateway.com, when it should have been issued to fake.meneelys.com.

In short, connections inside the network are being given a different SSL certificate than those outside the network.

I know enough to be dangerous.

Help, please?

Thanks,
Tim

Most of these questions don't apply:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: meneelys.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Verizon FiOS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Synology Reverse Proxy and Security apps.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Love it!

It sounds like the FiOS system was updated and is now listening to TLS (port 443) or is doing a MITM IPS/Web filtering type service for you.
Do you reach the correct destination/content when you ignore the cert warning and continue?

No, I can't connect even ignoring the cert warning; Chrome gives me an HSTS error and says it can't connect to the site. When I examine the certificate I'm told the CN is myfiosgateway.com.

I agree it seems as if FiOS is doing a man-in-the-middle. But I don't know what to do about it.

Thanks,
Tim

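A diagnostic for the symptom described in this exchange (a certificate for the wrong name showing up only from inside the LAN), added here as an example and not code from the thread: it resolves the name from the current vantage point, connects with SNI but with verification switched off so the leaf certificate that actually answers can be inspected, and checks the names on it against the hostname. Running it once from inside and once from outside the network shows which address and which certificate each side sees. The `cryptography` package for DER parsing is an assumption; the hostname is the thread's own subdomain.

```python
"""Report which IP a name resolves to and which certificate answers there."""
import socket
import ssl


def hostname_matches(hostname: str, names: list[str]) -> bool:
    """RFC 6125 style: exact match, or one wildcard covering a single label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names):
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            label, _, rest = host.partition(".")
            if label and rest == name[2:]:
                return True
    return False


def names_from_der(der: bytes) -> list[str]:
    """DNS SANs from the leaf certificate; fall back to the subject CN."""
    from cryptography import x509  # assumption: cryptography is installed
    from cryptography.x509.oid import NameOID
    cert = x509.load_der_x509_certificate(der)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    if not names:
        names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    return names


def presented_cert_names(hostname: str, port: int = 443) -> tuple[str, list[str]]:
    """Resolve hostname, connect with SNI, return (ip, names on the leaf cert).

    Verification is deliberately off: the goal is to see whatever certificate
    answers, including one the browser would reject (e.g. a gateway's own).
    """
    ip = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    return ip, names_from_der(der)


def diagnose(hostname: str, port: int = 443) -> str:
    ip, names = presented_cert_names(hostname, port)
    verdict = "matches" if hostname_matches(hostname, names) else "DOES NOT match"
    return f"{hostname} -> {ip}:{port} presents {names}; name {verdict}"


if __name__ == "__main__":
    print(diagnose("fake.meneelys.com"))
```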

Login to the FiOS gateway router and see what it does.
Call the provider if you can't find what you're looking for.

I've been all through the router's menus without finding anything that seems relevant.

I guess calling Verizon is indeed the next step.

Thanks,
Tim

