Netgate Discussion Forum
    IIS, Tomcat, multiple domains, and reverse proxy

    vonfrank:

      Hi there

      Some time ago, I asked a question regarding DNS servers. I was told to have a look at a reverse proxy instead, as this would solve my problem as well. So I did. First, allow me to summarize what I want to achieve:

      Let's say my one public IP is 1.2.3.4

      Behind 1.2.3.4 I have 2 servers besides my pfSense box.

      https://www.domainA.com -> server 1
      https://www.subdomainA.domainA.com -> server 2

      https://www.domainB.com -> server 2

      So, on IP 10.0.0.xx1 I have a Windows Server 2016, running IIS with webpage 1 and 2.
      On IP 10.0.0.xx2 I have a CentOS 7 server, running Tomcat 7 with service 1.

      I have tried both Squid3 and HAProxy, which both gave me some results, but not completely right. I am pretty sure I am just doing something wrong.

      Squid3:
      I am able to set up all my services and have each FQDN directed to the right service. Everything is good until I want to have HTTPS running, as I have to put in a certificate bound to ONE FQDN. This means that every time I try to access webpage 2, I get a warning, because the "root" certificate is bound to the base webpage.

      HAProxy:
      I am able to bind to my embedded Tomcat services, but I can only make it work with my IIS server if I don't enter any host name for the webpage.

      Generating HTTPS certificates is a nightmare on my CentOS machines. I am only able to receive a certificate if I port forward directly to the server running certbot, which then makes it impossible to reach the proxy, and so not possible to reach each service.

      In HAProxy, I have a shared frontend, which is attached to both port 80 and 443. I then have a frontend consuming this shared frontend, with an ACL listening for, let's say, the webpage deployed in IIS. This is directed to a backend, which is attached to port 80 and 443 on the IIS server. This doesn't work..

      I have been scratching my head for the last couple of days, and it is starting to look impossible.

      How would YOU deploy multiple HTTPS services on different technologies (Tomcat, IIS, Apache etc.)?

      Thank you so much!

      oki:

        Hi vonfrank,
        I'm using the pfSense packages haproxy and acme on my pfSense for this similar situation.

        pfSense WebUI reconfigured to listen on port 8443.
        pfSense WebUI redirect from port 80 disabled.

        I have two frontends defined in haproxy:

        • WAN:80 (for ACME redirection and SSL cert signing)

        • WAN:443 (for SSL offloading, with all certificates for my websites)

          • one ACL for each certificate, configured as a "Host matches:" expression; the value is the CN of the SSL certificate.

          • one action for each ACL to switch to the corresponding backend.

          • SSL certificates configured as "Additional certificates" in the configuration area "SSL Offloading".

          • checkbox "Add ACL for certificate CommonName. (host header matches the "CN" of the certificate)" checked.

        Backends in haproxy:

        • one backend for the ACME challenge (I'm using the pfSense internal webserver for that).

        • several other backends, one for every site, with some ACLs for URL rewriting.

        Here is my backend config for ACME, directing to pfSense's WebUI (listening on port 8443):

        backend BE_ACME-Server_http_ipvANY
        	mode		http
        	log		global
        	errorfile	403 /var/etc/haproxy/errorfile_BE_ACME-Server_http_ipvANY_403_http_503
        	timeout connect	30000
        	timeout server	30000
        	retries		3
        	# true only for requests under the HTTP-01 challenge path
        	acl		acme_not_in_path	path_beg -i /.well-known/acme-challenge
        	# everything else is denied, so only challenge requests reach the WebUI
        	http-request deny if !acme_not_in_path
        	# the WebUI on 8443 serves its own certificate; "verify none" skips validating it
        	server		pfsenseAdminWebpage 127.0.0.1:8443 ssl check inter 1000 verify none

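The layout oki describes, one port-80 frontend that only lets ACME HTTP-01 challenges through and redirects everything else, and one port-443 frontend that terminates TLS for every site and picks the backend from the Host header, written out as a complete haproxy.cfg using vonfrank's host names and server roles. This is an added example, not configuration posted by either participant or generated by the pfSense package; the backend addresses 10.0.0.11 (IIS) and 10.0.0.12 (Tomcat), the backend ports, the certificate directory /etc/haproxy/certs/ and a local ACME responder on 127.0.0.1:8080 are assumptions.

```haproxy
# Added example configuration (not from the thread). Assumed addresses,
# ports and paths are marked below.
global
    log /dev/log local0
    # refuse legacy TLS on the public listener
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: only the ACME challenge path is served in clear text; every
# other request is bounced to HTTPS, so no site content is ever served
# unencrypted and certbot/acme never needs a port forward to the server.
frontend fe_http
    bind *:80
    acl is_acme path_beg -i /.well-known/acme-challenge/
    use_backend be_acme if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Port 443: one listener, one certificate per site. With "crt" pointing at
# a directory HAProxy loads every PEM in it and chooses by SNI, which is
# what removes the "certificate bound to ONE FQDN" warning from the question.
frontend fe_https
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1   # assumed path
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=31536000"

    # Route on the Host header, exactly as the package's "Host matches" ACLs do.
    acl host_iis    req.hdr(host) -i www.domainA.com
    acl host_tomcat req.hdr(host) -i www.subdomainA.domainA.com www.domainB.com
    use_backend be_iis    if host_iis
    use_backend be_tomcat if host_tomcat
    # Unknown or missing Host: answer 421 instead of leaking a default site.
    default_backend be_deny

backend be_acme
    # assumed: acme client's standalone/webroot responder on the firewall
    server acme 127.0.0.1:8080

backend be_iis
    # The Host header is forwarded unchanged, so an IIS binding that names
    # www.domainA.com will match; only a Host rewrite here would break it.
    server iis 10.0.0.11:80 check        # assumed address

backend be_tomcat
    server tomcat 10.0.0.12:8080 check   # assumed address and connector port

backend be_deny
    http-request deny deny_status 421
```

Two practitioner notes on this shape: the IIS symptom in the question (only works without a host name in the binding) is what you see when the request that reaches IIS carries a Host header that does not match the binding; HAProxy passes the client's Host through as-is, so a host-header binding on IIS and a `Host matches` ACL on HAProxy use the same string and agree, but any `http-request set-header Host ...` on the backend must then set exactly that name. And because TLS ends on the proxy, the Tomcat connector only sees plain HTTP; if the application builds absolute URLs it should read `X-Forwarded-Proto` (Tomcat's RemoteIpValve does this) rather than assuming `http`.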
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.