Port forwarding only for one specific URL



  • Hi,

    I was wondering how it is possible to have a port forwarding work only for one or more hostnames?

    I want to host a virtual server that is residing on my LAN. On normal routers I would need to forward port 80 from the public interface and forward it to the server_IP_address:80

    But if I do that, then everybody that connects to my public port 80 will be able to access my private server (which isn't secured enough).
    Therefore I would like the forward rule only to forward when it is destined for my www.example.com and second.example.com FQDNs.

    What would be the best approach for doing this? reverse proxy in combination with virtual server config?



  • If your server isn't secure enough, you have no business opening it to the Internet at all. It's not magically going to become more secure if you only allow a specific hostname through to it.



  • Wow that had really helped me a lot…. NOT!
    Why do you even bother posting?
    Your post was just useless to the world...

    There is no way to protect 100% a server, that's why I said "not completely secure", but by my question it would filter out most of the requests that shouldn't come in at all.

    I prefer constructive answers that actually help me and future people with the same problem to have a workable secure implementation.



  • Wow that had really helped me a lot…. NOT!
    Why do you even bother posting?
    Your post was just useless to the world...

    When you receive advice that you do not like, you are allowed to ignore it without making a big scene about it.  Pro-tip: shitting all over the project founder when he gives you some reasonable advice is probably not your smartest move.

    What would be the best approach for doing this? reverse proxy in combination with virtual server config?

    Is there a reason why you can't just specify a Source in your NAT rule instead of Any??



  • Kom,

    It is certainly not meant as "shitting on.."; au contraire, my post was meant exactly to avoid a trolling post.
    I don't care who a certain poster was; even the biggest and brightest minds can go on the wrong path. Luckily those people can handle healthy criticism.
    I do believe that it is not up to the poster to ignore a non-contributing post, otherwise all posts could quickly end up getting filled with useless comments, therefore devaluing a whole forum.
    However, like I said in the beginning, it was not meant as "shitting on…"; if it was taken like that, I apologise.

    Now back on the subject:

    Your idea about a NAT source : What do you mean?
    With a NAT source I can only control from which IP addresses my public IP address could be reached, but in my case I don't want to restrict my clients based on their IP addresses; I just want to filter traffic arriving on port 80 of my public IP address, so that only HTTP traffic for example.com and otherexample.com is being forwarded.

    I think this is getting close to what I need:
    http://serverfault.com/questions/542416/having-two-subdomains-on-one-public-ip-addres-behind-pfsense-router

    Except that I don't know what it will do with UNKNOWN FQDNs or direct IP connections (both should be blocked for security).



  • It is certainly not meant as "shitting on.."; au contraire, my post was meant exactly to avoid a trolling post.

    Riiiiiiiight.  Whatever you say.

    Your idea about a NAT source : What do you mean?

    Never mind, I misunderstood you.  I thought you only wanted to accept connections coming from a specific domain.  Reverse proxy is likely your solution as you had suspected.



  • Not useless, sage advice. Others obviously recognize same.

    Yes you can use a reverse proxy to do that. But the point remains - you'll get no actual security benefit from doing so if the back-end server has security issues.
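
The reverse-proxy approach discussed in this thread, as an added example that is not from any of the posters: it shows how unknown FQDNs and direct-IP requests (the open question above) are handled, with the weak form next to the corrected one. It assumes nginx as the proxy listening on the public port 80; the backend address 192.168.1.10 is a constructed placeholder.

```nginx
# Added example. Assumes nginx is the reverse proxy on the public side;
# 192.168.1.10 is a constructed LAN address for the private server.

# WEAK: if this is the only server block on port 80, nginx uses it as the
# implicit default server. Requests with an unknown Host header, a bare IP
# address in Host, or no Host header at all are then STILL proxied.
#
# server {
#     listen 80;
#     server_name www.example.com second.example.com;
#     location / { proxy_pass http://192.168.1.10:80; }
# }

# CORRECTED, part 1: explicit catch-all. Anything that does not match a
# server_name in another block lands here and is never forwarded.
server {
    listen 80 default_server;
    server_name _;          # placeholder name that matches no real host
    return 444;             # nginx-specific: close the connection, no reply
}

# CORRECTED, part 2: only these two hostnames reach the LAN server.
server {
    listen 80;
    server_name www.example.com second.example.com;

    location / {
        proxy_pass http://192.168.1.10:80;
        # Pass the requested hostname on so the backend's own
        # virtual-host configuration still selects the right site.
        proxy_set_header Host $host;
        # Record the real client address for the backend's logs.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The Host header is chosen by the client, so this drops scans that arrive by IP address or under other names but does not authenticate anyone; a request that names www.example.com still reaches the back-end with whatever weaknesses it has.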

