Listen

At the beginning of the installation there are standard ports that listen for a connection.

The ports specified here come from the web interface and are used by nginx inside the Docker container.

| Port | Description |
| --- | --- |
| 80 (TCP) | HTTP Protocol |
| 443 (TCP) | HTTPS/SSH/SSL Protocols* |
| 53 (TCP/UDP) | DNS Protocol |

Within nginx, these ports are of type "Stream". A port overview is also available under port forwarding.

If you only use the standard ports for your services, you do not need to enter any additional ports here.

Add/Edit Listen

When you add a listen, a dialog opens; the same dialog appears when editing.

  1. Name: Name your listen, so you always recognize it in the UI.

  2. Type: The type of nginx listener, Stream or HTTP/HTTPS. The difference is how the connection is handled.

  3. Protocol: The protocol to use. For a stream, UDP can be used in addition to TCP.

  4. Port: The port the listener listens on.

  5. Description: Here you can describe in more detail what the listener is used for.

  6. IP6 enable: Additionally enables listening on an IPv6 address (not yet tested, but it is enabled in the nginx config).

  7. IP access: Enables checking of the IP address against a list (blacklist/whitelist).

  8. Access type: Which list to use for the IP check. The lists can be maintained under IP Access.

  9. Proxy protocol enable: Activates the use of the proxy protocol. From now on all packets are provided with the proxy protocol header. This setting is important for internal HTTP/HTTPS processing: only in this way does the route get the correct IP of the requesting client for further checks or logging.

  10. Proxy protocol incoming enable: Expects incoming packets to carry a proxy header. Use this when FlyingFish sits behind another proxy server that uses the proxy protocol.

  11. Disable this listen: Disables the listen. Its settings are skipped during the nginx config build, and all dependent routes are skipped as well.

After the initial installation, you can view the automatically installed listeners. You will find that ports 80 and 443 work with the proxy protocol. There is a good reason for this: the stream points to the internal HTTP/HTTPS servers (listens), which in turn expect the proxy protocol so that they process the correct IP from the request and not the IP 127.0.0.1.

Think of the types as two zones: the Stream is the external zone (orange) and HTTP/HTTPS is the internal zone (green).

The internal zone can only be accessed from the external Stream zone.

Save causes an immediate reload of nginx. Existing connections are kept as if running the command: nginx -s reload

Listen flow

The following graphic should help to understand the listen process:

Ports 5333, 80 and 443 listen on the network of the host (as a bridge, with port forwarding to the Docker container).

There, nginx first uses "IP access" to check whether the IPs have access rights. The streams (TCP/UDP) are then split by protocol (SSL/HTTP/etc.) and by domain, and forwarded to a destination. If no external destination is specified, the internal ports of the HTTP (10080) and HTTPS (10443) servers are used by default. These servers act as a reverse proxy and pass the request along a route to an internal or external HTTP/HTTPS server.

The internal ports are only accessible in the Docker network and are securely shielded from the public network. A request must pass through the stream ports 5333, 80 or 443 to reach them.
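
The listen flow above, written out by hand as an nginx configuration sketch. This is an added example, not the configuration FlyingFish generates; the domain names, addresses, IP range and certificate paths are assumptions.

```nginx
events {}

stream {
    # Split by domain: the SNI name is read from the TLS ClientHello
    # without decrypting the connection.
    map $ssl_preread_server_name $destination {
        # Example external destination (assumed). It must also expect the
        # PROXY header, because proxy_protocol applies to the whole server.
        ext.example.test   10.0.0.20:443;
        # No external destination: use the internal HTTPS listen.
        default            127.0.0.1:10443;
    }

    server {
        listen 443;                      # external zone (Stream)
        # listen 443 proxy_protocol;     # "Proxy protocol incoming enable"

        # "IP access": checked before anything is forwarded (example range).
        deny  198.51.100.0/24;
        allow all;

        ssl_preread    on;
        proxy_pass     $destination;
        proxy_protocol on;               # "Proxy protocol enable"
    }
}

http {
    server {
        # Internal zone: bound to loopback, expects the PROXY header.
        listen 127.0.0.1:10443 ssl proxy_protocol;
        server_name app.example.test;

        ssl_certificate     /path/to/placeholder/fullchain.pem;
        ssl_certificate_key /path/to/placeholder/privkey.pem;

        # Take the client address from the PROXY header, but only when the
        # connection comes from the local stream server.
        set_real_ip_from 127.0.0.1;
        real_ip_header   proxy_protocol;

        location / {
            proxy_set_header X-Real-IP $remote_addr;  # real client IP, not 127.0.0.1
            proxy_pass http://10.0.0.10:8080;         # route destination (assumed)
        }
    }
}
```

With the incoming variant enabled, nginx takes the client address from whatever PROXY header arrives on that port, so the port should only be reachable from the upstream proxy that adds the header.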
