I have installed rocketchat on a pi3 b via snaps.
Handed the pi back to the owner where the server will be homed on their home network, which we want to give internet access for others to join.
Now I am quite confused about what ports have to be opened if using reverse proxying. I am planning to go with nginx for the reverse proxy because when I tried with snap and caddy some errors came up which I looked on github seem to be a bug. Don’t have the errors as it was days ago but besides I have more familiarity with nginx since I used it successfully about a year ago for another rocketchat server.
I have received very conflicting replies so for when asking on general networking/self hosting based forums about what ports have to be forwarded to the pi for this to work correctly.
Some say you should forward only port 3000 from public-ip of the network to the pi’s ip. Others say you should never expose any port as it is a security hole. Others still say you should port forward 3000 as well as 443 for ssl and 80 for the redirect to ssl. Others again say you should not port forward anything at all as the reverse proxy will handle it all without exposing any ports.
So yea I really don’t know what is correct right now. Can anyone please clear this up for me?
What makes it more cumbersome is that I am doing this remotely for a network that isn’t mine and the owner only has small windows of about an hour at a time a couple of times a week to make changes to the router settings. So I have to ask questions and then gather info beforehand to relay to him to make the changes.
Where we are up to so far is that yesterday I told him to forward port 3000 of public-ip to internal port 3000 of the pi. While I was unable to access the chat server remotely before, I was, after this change, then able to access the pi on their public-ip:3000 in browser. Now, given the above conflicting advice, I am unsure whether this should be closed to ensure security or left open now that we want to setup the reverse proxy.
I am still not clear if this is a no-no or not in terms of security? Since I was not sure I told him to switch off the pi soon after until I got more information on the matter. Also to note, we were not able to forward either 443 or 80 to the pi’s IP as the router would say these ports are in use. He has confirmed to me he hasn’t set anything up on the router himself but I have since read this could be an issue with the ISP/router itself, given a forum thread I found for the ISP on the error message, which prevents forwarding of those specific ports. As mentioned above, I have no idea if these ports have to be forwarded to the pi or not for reverse proxying to work? I would really hope not since the router is not allowing us to forward them!
I have already set an A name for the tld pointing to the public-ip of their network but no further reverse proxying setup as yet. That is correct right? It should be just the IP with no port in the A name?
So I am just wanting to know what are the final steps we have to take now to setup ssl with reverse proxying so it can be accessed via the tld and what ports if any have to be forwarded to achieve this.