Not sure what I forgot with the firewall - unable to access nginx [solved]

Hello, NixOS newbie here. My install is almost done: I set up miniflux + navidrome, then nginx reverse proxies, and I really appreciated the automatic ACME handling.

I still need to configure the firewall: I enabled ports 80 + 443. Also, navidrome automatically allows 4533. But if I enable the firewall, then only local access works, and I get messages in journalctl about refused connections. SSH still works with the firewall enabled; this is the only external access which works.

I thought enabling 443 was the only thing needed and I am not sure what else to open. The server uses wifi to access the box, so I even wonder if the interface may be the issue. But apart from this I see nothing specific in my setup.

A refused connection message:
Mar 24 10:41:50 nixos kernel: refused connection: IN=wlp0s26u1u5 OUT= MAC=XXX SRC=192.168.1.1 DST=192.168.1.62 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23069 DF PROTO=TCP SPT=58238 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

Hi,

I think you want to expose navidrome behind nginx; you can set up a virtual host (I never hosted navidrome, so it may need tuning):

virtualHosts."navidrome.example.com" = {
  enableACME = true;
  forceSSL = true;
  locations."/" = {
    proxyPass = "http://127.0.0.1:${toString config.services.navidrome.settings.Port}";
  };
};

Yes, exactly. This is what I have:

services.nginx = {
  enable = true;
  virtualHosts = {
    "****.online" = {
      forceSSL = true;
      enableACME = true;
      root = "/var/www/*****.online";
    };
    "navidrome.*****.online" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://127.0.0.1:4533";
    };
  };
};

It works perfectly, until I start the firewall… When the firewall is on, I can only ping ****.online, but I cannot access it with https.

I replicated your configuration and it seems to be working fine for me.

I would look again at the logs and maybe share your network config.

Is ****.online accessible in https?

1 Like

Please provide your config for networking.firewall on the machine running nginx:

  • Are you only using the firewall rules provided by NixOS?
    • That is, you do not specify any firewall rules via networking.extra*
  • Is your firewall based on iptables or nftables?

If you have not set networking.nftables.enable = true (which means you use iptables, the default), please provide the output of the following command:

$ sudo iptables -nvL

If you are using nftables, please provide the output of the following command:

$ sudo nft list ruleset

That will show the full firewall configuration running on your system.

BTW, please format the output in a code block.

1 Like
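For readers landing here with the same symptom, here is the set of options that have to agree for nginx to be reachable once the NixOS firewall is on. This is an added example, not the poster's or any reply's configuration: the hostnames and e-mail address are placeholders, and the wrong-port entry shown in a comment is a hypothetical typo chosen to reproduce the "refused connection ... DPT=443" log line quoted above. The port numbers (80/443 for nginx, 4533 for navidrome) follow the thread.

```nix
{ config, ... }:

{
  networking.firewall = {
    enable = true;

    # Ports listed here are opened on every interface, wifi included, so the
    # interface is not normally the problem. A single wrong digit, e.g.
    #   allowedTCPPorts = [ 80 4433 ];   # hypothetical typo
    # silently opens an unused port and leaves 443 closed: the only symptom is
    # the kernel "refused connection: ... DPT=443" line in the journal.
    allowedTCPPorts = [ 80 443 ];

    # Optional: restrict 443 to one interface instead of opening it globally.
    # interfaces."wlp0s26u1u5".allowedTCPPorts = [ 443 ];

    # Default is true; this is what produces the "refused connection" lines.
    logRefusedConnections = true;
  };

  services.navidrome = {
    enable = true;
    # Bind to loopback only: clients reach navidrome through nginx, so there
    # is no reason to expose 4533 on the network interface.
    settings = {
      Address = "127.0.0.1";
      Port = 4533;
    };
    openFirewall = false;
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.com";  # placeholder
  };

  services.nginx = {
    enable = true;
    virtualHosts."navidrome.example.com" = {   # placeholder hostname
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass =
        "http://127.0.0.1:${toString config.services.navidrome.settings.Port}";
    };
  };
}
```

After `nixos-rebuild switch`, `sudo iptables -S nixos-fw` (or `sudo nft list ruleset` with nftables) should show an accept rule for `--dport 443`; if it shows some other number, the typo is in allowedTCPPorts, not in nginx.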

I am so sorry. There was a typo in the firewall rule. Thanks for your help Matthieu & AzurCrystal; I noticed the typo and it works now.

1 Like