Nathan, yes. You have the general idea.
A reverse proxy is basically a fake webserver front-end for your webserver. Instead of directly exposing the "real server" to the outside world, you put a separate webserver up that does nothing but accept the incoming commands, optionally filtering them for nefariousness, and then forwards the commands along to the "internal-only real server" (and then does the reverse back to the client with responses). Reverse proxy servers are used very commonly for servers on the Internet for security and load balancing (you can have one reverse proxy "front end" that handles incoming requests and forwards to a load-balanced "pool" of actual web servers behind the scenes). Probably nearly every single website you go to regularly is behind at least one reverse proxy of some kind.
In this way, you can abstract and hide the workings of the "real server" from the Internet. And, of course, because the proxy is a full-fledged webserver, it can apply TLS and do HTTPS.
So, in my case, my firewall, which is a Sophos UTM (which I love), has a built-in reverse proxy feature (called Web Application Firewall in their terminology, but I bet it is just squid under the covers). I was able to set it up like so:
* Virtual Proxy Server: MCWS Encrypted (External) - Running on TCP port 53199 bound to External Interface on my Router.
> TLS enabled using my LetsEncrypt cert
> Mine can also do hardening (looking for "bad traffic", known attacks, etc.). I don't have this on yet, but am going to test it and enable that.
> Real Server it uses: MC running in NON-encrypted mode, when I'm done, I'll have NO port forwarding enabled for it anymore at all.
Then, to make it work inside my network without having to make a special "external-only" Library for MC on my laptop...
* Virtual Proxy Server: MCWS Encrypted (Internal) - Running on TCP port 53199 bound to the INTERNAL interface on my Router.
> Identical settings as the external version (except I won't bother with the hardening stuff probably).
And, lastly, to make it still available both internally and externally as non-encrypted, I'm going to (I haven't done this yet) make two more Virtual Servers set to HTTP (no encryption) mode, exactly the same except they'll actually run on 52199. I haven't done this because I'll need to switch the port MC uses on the "real" server and I don't want to break all my clients until I can get it all tested/set up. Really the only reason I even need these is because of JRemote (which doesn't support HTTPS connections yet). Panel and MC itself all work fine through the encrypted connection to the proxy server.
Then, the last part, to make it so I can just set my laptops and mobile devices up with my FQDN:Port setup as I have them now (without resorting to using the JRiver Media Network key system) was to set up a Full-NAT rule on my router. This rule looks for traffic coming from any device on the Internal network on TCP Port 53199 going to my WAN address (because looking up my FQDN via DNS will result in my WAN address, so the device will "try" to connect there) and then changes it so that:
* Destination: Internal Virtual Proxy Server (in my case, on the Router itself, so the Router's internal IP address)
* Source: WAN Address
That way, when I enter lan.mynetwork.net:port as the setup in MC, it works whether I'm inside the network or outside the network. Inside, the Full-NAT rule triggers and all traffic going to WAN from inside my network on port 53199 gets automatically re-routed to the proxy server. Outside, the rule doesn't trigger at all, and traffic just comes in to the External version of the Proxy server.
So, I know a bit about Ubiquiti routers. The UDM Pro cannot act as a Reverse Proxy itself. So, to do this (at least without replacing the UDM), you'd need to set up a separate reverse proxy machine/VM inside your network yourself.
Squid is a very popular Linux GPL application designed for this purpose (that justsomeguy mentioned and is apparently available as a plugin for pfsense). But NGINX and Apache can both be set up in reverse proxy mode too, and there are a wide variety of other options (for Linux and Windows of course):
* https://dannyda.com/2020/01/03/list-of-open-source-free-proxy-forward-proxy-reverse-proxy-cache-server-software/
* https://github.com/dariubs/awesome-proxy
I'm not sure if your UDM can do full-NAT rules (which are like SNAT and DNAT combined, and can modify BOTH the source and the destination addresses, instead of just one way like a typical Port Forwarding setup). If so, you could totally set one up like I did, only on a separate box or VM from your Router inside your network (and then you'd just need a couple extra port-forwarding rules to allow the external access to get through to the proxy server, just like you have now for MC directly, only pointed at the proxy server instead).
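As an added example that is not part of the original post (and not the poster's Sophos configuration): the same layout expressed as an nginx reverse proxy running on a separate box or VM, which is the setup the last paragraph suggests for a UDM Pro owner. It terminates TLS on 53199 with a Let's Encrypt certificate and forwards plain HTTP to MC, and keeps a plain-HTTP listener on 52199 for clients such as JRemote that cannot use HTTPS yet. The hostname `media.example.net`, the MC server address `192.168.1.10`, and the certificate paths are assumptions for illustration.

```nginx
# Added example (not from the original post): an nginx reverse proxy standing in
# for the "Virtual Proxy Server" on a standalone box/VM inside the LAN.
# Assumptions: MC's real server is 192.168.1.10, running NON-encrypted on 52199;
# this host answers to media.example.net; certificate paths are placeholders.

# The "real server". Only the proxy should be able to reach this address:port;
# with no port-forward pointed at it, it is never exposed to the Internet.
upstream mcws_backend {
    server 192.168.1.10:52199;
}

# Encrypted front-end on 53199: TLS is terminated here, plain HTTP goes to MC.
server {
    listen 53199 ssl;
    server_name media.example.net;

    ssl_certificate     /etc/letsencrypt/live/media.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/media.example.net/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://mcws_backend;
        # Pass the original hostname and client address through to MC so its
        # logs show the real client rather than the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain-HTTP front-end on the old port 52199, kept only for clients that cannot
# speak HTTPS yet (JRemote in the post). Same backend, no TLS.
server {
    listen 52199;
    server_name media.example.net;

    location / {
        proxy_pass http://mcws_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }
}
```

On the router, the only port-forwards needed are WAN:53199 (and WAN:52199 if the plain listener is wanted from outside) to the proxy host, nothing to the MC machine itself; on the MC machine, a host firewall rule allowing 52199 only from the proxy's address keeps the non-encrypted real server reachable solely through the proxy. The hairpin (full-NAT) piece of the post is router-side and is not covered by this configuration; if the router cannot do it, pointing the internal DNS name at the proxy's LAN address achieves the same "one FQDN inside and outside" result.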