1 Public IP, 2 webservers: how to route traffic



  • Hi everybody,

    I just switched from IPCop to pfSense (2.3.3). I got it running with all the basic settings (port forwarding etc.).
    There is 1 thing I want to do, but I have no idea if it's even possible.

    Here goes: I have 1 public IP address (1.2.3.4), on the LAN I have 2 webservers (which I can't merge into one) with IP addresses 192.168.1.100 and 192.168.1.101.
    We have 2 FQDNs, ws1.domain.com and ws2.domain.com; both hostnames resolve to IP address 1.2.3.4.

    Can somebody tell me if it's possible to route traffic based on the hostname, so that traffic for ws1.domain.com is routed to 192.168.1.100 and traffic for ws2.domain.com is routed to 192.168.1.101?

    I've read something about HAProxy and I installed it, but I'm at a loss on what to do next.
    Hopefully somebody can help me out or maybe point me to a tutorial on how to accomplish it.

    Thank you for reading this

    Kind regards,
    Cor van den Berghe



  • Hi there,

    Unfortunately not a response to your question, however I have the exact same query. I'm setting up a lab for an O365 hybrid migration, as such I have both Exchange and ADFS behind my public IP and need to NAT sts.domain and mail.domain through to the respective webservers. At the moment I just cannot see how to do this, since I need to NAT any source through to two different destination IPs on the same destination port (TCP/443). I'm sure this must be a fairly common scenario, especially in lab environments.

    Has anyone else managed to achieve this setup?

    Kind Regards
    Chris



  • Hello Again,

    A bit of research suggests this is all possible through the use of the Squid reverse proxy within pfSense, for HTTP/HTTPS endpoints only of course. More detail here should help you:

    https://blogs.technet.microsoft.com/nexthop/2014/04/07/configuring-pfsense-as-a-reverse-proxy-for-lync-web-services/

    A bit MS-specific, but the principles will be the same regardless of the back-end HTTP/HTTPS endpoint.

    HTH

    Cheers
    Chris



  • You need to have a DNS server installed.

    And from the DNS server you say which IP belongs to which domain/sub-domain.

    Or use this solution
    https://forum.pfsense.org/index.php?topic=52861.msg296986#msg296986



  • DNS cannot be a solution here. The problem is that he wants to make multiple webservers accessible via a single public IP, as Johnpoz illustrated in his first example behind your link.

    The packets for both webservers have the same destination address and port on the internet. The only difference is in the host name, which isn't known at layer 3. So the webserver the packets should be forwarded to can only be decided at the application layer.
    So a proxy will be needed for that, as chrisdoofer already figured out.
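
To make the layer-3 versus layer-7 point above concrete, here is an added example (not from the thread, pfSense or HAProxy) that extracts the only two places where ws1 and ws2 differ on the wire: the HTTP Host header for plaintext requests, and the TLS server_name (SNI) extension of the ClientHello for HTTPS, which a proxy can read before any decryption. This is the same information a reverse proxy keys its routing on. The HTTP request and the ClientHello bytes are constructed inline; the hostname-to-backend map reuses the addresses from the first post.

```python
"""Routing on the name a client asked for, not on the packet's destination.

Every request for ws1.domain.com or ws2.domain.com reaches 1.2.3.4 on the
same port, so a NAT rule cannot tell them apart.  The name survives only in
the application payload: the HTTP Host header, or, for HTTPS, the SNI
extension of the TLS ClientHello.
"""
import struct
from typing import Optional

# Hostname -> backend, taken from the first post in the thread.
BACKENDS = {
    "ws1.domain.com": "192.168.1.100",
    "ws2.domain.com": "192.168.1.101",
}


def host_from_http(request: bytes) -> Optional[str]:
    """Return the lower-cased Host header (port stripped) of a plaintext request."""
    head, _sep, _body = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            return host.split(":")[0].lower()
    return None


def sni_from_client_hello(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None.

    Layout (RFC 5246 / RFC 8446): record header (5) -> handshake header (4)
    -> legacy_version (2), random (32), session_id, cipher_suites,
    compression_methods, extensions.  Extension type 0 is server_name.
    """
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake record
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # 0x01 = ClientHello
        return None
    try:
        p = 4 + 2 + 32                            # skip header, version, random
        p += 1 + body[p]                          # session_id
        (cs_len,) = struct.unpack("!H", body[p:p + 2]); p += 2 + cs_len
        p += 1 + body[p]                          # compression_methods
        (ext_len,) = struct.unpack("!H", body[p:p + 2]); p += 2
        end = min(p + ext_len, len(body))
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
            data = body[p:p + elen]; p += elen
            if etype != 0:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q, q_end = 2, min(2 + list_len, len(data))
            while q + 3 <= q_end:
                ntype = data[q]
                (nlen,) = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                if ntype == 0:                    # host_name
                    return data[q:q + nlen].decode("ascii", "replace").lower()
                q += nlen
    except (IndexError, struct.error):
        return None                               # truncated or malformed hello
    return None


def route(hostname: Optional[str]) -> Optional[str]:
    """Pick the backend for a hostname; unknown names get nothing (fail closed)."""
    return BACKENDS.get(hostname) if hostname else None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, zero random) with SNI."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # type host_name
    sni_ext = struct.pack("!HH", 0, 2 + len(entry)) + struct.pack("!H", len(entry)) + entry
    hello = (
        b"\x03\x03" + bytes(32)                   # legacy_version, random
        + b"\x00"                                 # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"      # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    http_req = b"GET / HTTP/1.1\r\nHost: WS1.domain.com\r\nConnection: close\r\n\r\n"
    print("HTTP  ->", route(host_from_http(http_req)))
    print("HTTPS ->", route(sni_from_client_hello(build_client_hello("ws2.domain.com"))))
    print("other ->", route(sni_from_client_hello(build_client_hello("evil.example"))))
```

Two practical points follow from this. First, SNI is sent in the clear, so a proxy can route HTTPS without holding the webservers' private keys (HAProxy's TCP mode does exactly this); a client using Encrypted Client Hello would hide the name and break that approach, and only TLS termination on the proxy would still work. Second, a name that matches neither backend should be refused rather than sent to a default server, otherwise anyone hitting 1.2.3.4 with an arbitrary Host or SNI lands on one of your internal servers.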



  • Just a quick search for reverse proxy shows among dozens of other hits:
    https://forum.pfsense.org/index.php?topic=122869.0
    https://forum.pfsense.org/index.php?topic=126531.0
    https://forum.pfsense.org/index.php?topic=118419.0

    and:
    https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki
    PiBa's here on the forum and maintains the haproxy package. What else do you need? …



  • One possibility would be to have one use HTTPS.  That way, you'd have different port numbers coming in, which can then be forwarded.  Of course, this means you'd have to specify HTTPS in the URL for the server on port 443.  The other server would be on the usual port 80.



  • Can confirm, squid reverse proxy would be the way to host multiple websites behind a single IP.

    The way it works is by checking the HTTP GET requests for the hostname. So you will need a hostname for each website.

    host1.example.com and host2.example.com will suffice. Of course you can change your hostnames to whatever you like.

    If you need more horsepower, you can check out HAProxy. It can do the same and more.



  • Sorry for my late reply, I've been free for a couple of days.
    I'll get to work with your suggestions and will report back when I have more news.

    Thank you all very much for the help so far!

    Kind regards,
    Cor van den Berghe



  • It can be done with Squid as a reverse proxy (I did it).
    It can be done with HA-Proxy (I'm doing it ;) )

    In HA-Proxy you will need two backends.
    One for each server you want to forward traffic to. (You can specify them by IP address, no need for DNS for that.)

    You will need one HA-Proxy frontend listening on your WAN address, port 443.
    On that frontend I would configure two ACLs:
    one that says that if the hostname is ws1.domain.com, send it to backend 1;
    the other one would handle the ws2.domain.com hostname and send that to backend 2.
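
Written out as a plain haproxy.cfg rather than through the pfSense package's GUI, here is an added example (not from the thread or from the haproxy package documentation) of the setup just described: one frontend on the WAN address, two backends addressed by IP, and ACLs on the requested hostname. The pfSense GUI generates the equivalent, so this is what that generated file boils down to. Hostnames and server IPs come from the first post, and 1.2.3.4 is that post's example WAN address. The 443 frontend runs in TCP mode and routes on SNI so the webservers keep their own certificates (the Exchange/ADFS case); port 80 routes on the Host header.

```haproxy
# Added example: hand-written equivalent of the frontend/backend/ACL setup
# described in the post above.  Addresses are the thread's example values.

frontend http_in
    mode http
    bind 1.2.3.4:80
    # Route on the HTTP Host header (browsers omit the port for 80).
    use_backend ws1_http if { hdr(host) -i ws1.domain.com }
    use_backend ws2_http if { hdr(host) -i ws2.domain.com }
    # Deliberately no default_backend: a request for any other name gets a
    # 503 instead of silently landing on one of the internal servers.

frontend https_in
    mode tcp
    bind 1.2.3.4:443
    # Hold the connection (at most 5s) until the ClientHello has arrived so
    # the SNI is available to the ACLs.  TLS is terminated on the webservers,
    # so HAProxy never needs their private keys.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend ws1_tls if { req.ssl_sni -i ws1.domain.com }
    use_backend ws2_tls if { req.ssl_sni -i ws2.domain.com }
    # Again no default: unknown or missing SNI -> connection closed.

backend ws1_http
    mode http
    server ws1 192.168.1.100:80 check

backend ws2_http
    mode http
    server ws2 192.168.1.101:80 check

backend ws1_tls
    mode tcp
    server ws1 192.168.1.100:443 check

backend ws2_tls
    mode tcp
    server ws2 192.168.1.101:443 check
```

Two caveats a practitioner will run into: in TCP mode the webservers see the firewall's LAN address as the client, so their own access logs lose the real source IP unless you enable the PROXY protocol on both ends or use transparent proxying; and the SNI-based split only works while the client sends the name in the clear, which Encrypted Client Hello removes. If either matters, terminate TLS on the frontend (bind ... ssl crt ...) and route on hdr(host) as the port-80 frontend does.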

