On Mac OS X Leopard, how can I set up a web server (nginx) without being blocked by the Firewall?

StackOverflow https://stackoverflow.com/questions/8702282

  •  12-04-2021

Question

I'm struggling to get my nginx server reachable from outside with the OS X (Mac OS X Snow Leopard) firewall turned on. I'm stuck; I don't know what else to tweak.

I'm able to access my page through 127.0.0.1 with the firewall on, and from another computer with the firewall off. I can't access it from outside with the firewall on. I've tried to put an exception on the firewall for the nginx app and it's there, "allowing connections from outside", but it's not working. I've also tried to enable Web Sharing, which in truth just starts an internal Apache, but it didn't help with the nginx server.

Also, I'm able to access this bundled Apache from outside by turning off nginx! But I'm not able to access MY custom web server.

I've seen in some forums that the OS X firewall works by allowing signed apps, and adding exceptions by signing an app... something like that. The problem is that adding nginx as an exception to the firewall is not working.

Any help?


Solution

I had the same problem and found no fix, but I was able to implement a workaround through ipfw:

First you have to make nginx listen on another port. I added 10080 and 10443 as additional ports:

server {
    listen       80 default_server;
    listen       10080 default_server;
    listen       443 default_server ssl;
    listen       10443 default_server ssl;

    ...
}

I left the default ports (80 and 443) for access from the local machine (localhost).

After that I added 2 forwarding rules through ipfw:

fwd 127.0.0.1,10080 tcp from any to me dst-port 80
fwd 127.0.0.1,10443 tcp from any to me dst-port 443

The easiest way to do this is through WaterRoof. Additionally you have to enable ip-forwarding in the kernel:

sudo sysctl -w net.inet.ip.forwarding=1

To make this permanent, you can add the following to /etc/sysctl.conf:

net.inet.ip.forwarding=1

Now all traffic from the outside gets forwarded to the new ports nginx is listening on, and you should be able to access it from other machines.
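
A consistency check for the setup described in the answer above, as an added example that is not part of the original answer: it parses the nginx `listen` directives and the ipfw `fwd` rules and reports any forward whose target port has no nginx listener, or that pairs an `ssl` port with a non-`ssl` one. The function names and the embedded sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs mirroring the configuration in the answer.
NGINX_CONF = """
server {
    listen       80 default_server;
    listen       10080 default_server;
    listen       443 default_server ssl;
    listen       10443 default_server ssl;
}
"""
IPFW_RULES = """
fwd 127.0.0.1,10080 tcp from any to me dst-port 80
fwd 127.0.0.1,10443 tcp from any to me dst-port 443
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.M)
FWD_RE = re.compile(
    r"fwd\s+([\d.]+),(\d+)\s+tcp\s+from\s+any\s+to\s+me\s+dst-port\s+(\d+)")

def nginx_listen_ports(conf):
    """Return {port: uses_ssl} for each `listen` directive that names a port."""
    ports = {}
    for args in LISTEN_RE.findall(conf):
        tokens = args.split()
        if tokens[0].startswith("unix:"):
            continue                      # UNIX sockets have no TCP port
        port = tokens[0].rsplit(":", 1)[-1]   # "80", "127.0.0.1:80", "[::]:80"
        if port.isdigit():
            ports[int(port)] = "ssl" in tokens[1:]
    return ports

def check_forwards(conf, rules):
    """Return a list of problems; an empty list means every fwd rule is consistent."""
    listeners = nginx_listen_ports(conf)
    problems = []
    for ip, target, dst in FWD_RE.findall(rules):
        target, dst = int(target), int(dst)
        if target not in listeners:
            problems.append(f"{dst} -> {ip}:{target}: nginx has no listener on {target}")
        elif dst in listeners and listeners[dst] != listeners[target]:
            problems.append(f"{dst} -> {ip}:{target}: ssl setting differs between listeners")
    return problems

if __name__ == "__main__":
    for line in check_forwards(NGINX_CONF, IPFW_RULES) or ["all fwd rules match a listener"]:
        print(line)
```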

Licensed under: CC-BY-SA with attribution