IIS, Tomcat, multiple domains, and reverse proxy
-
Hi there
Some time ago, I asked a question regarding DNS servers. I was told to have a look at reverse proxy instead, as this would solve my problem as well. So I did. First, allow me to summarize what I want to achieve:
Let's say my one public IP is 1.2.3.4
Inside 1.2.3.4 I have 2 servers beside my pfSense box.
https://www.domainA.com -> server 1
https://www.subdomainA.domainA.com -> server 2
https://www.domainB.com -> server 2
So, I have on IP 10.0.0.xx1 a Windows Server 2016, running IIS with webpage 1 and 2.
On IP 10.0.0.xx2 I have a CentOS 7 server, running Tomcat 7 with service 1.
I have tried both Squid3 and HAProxy, which both provided me with some results, but not completely right. I am pretty sure I am just doing something wrong.
Squid3:
I am able to set up all my services, have each FQDN directed to the right services and stuff. Everything is good, until I want to have HTTPS running, as I have to put a certificate, bound to ONE FQDN. This means, every time I try to access webpage 2, I get a warning, because the "root" certificate is bound to webpage 1 (base webpage).
HAProxy:
I am able to bind to my embedded Tomcat services, but I can only make it work with my IIS server if I don't enter any host name for the webpage.
Generating HTTPS certificates is a nightmare on my CentOS machines. I am only able to receive a certificate if I port forward directly to the server running certbot, which then makes it impossible to reach the proxy, and not possible to reach each service.
In HAProxy, I have a shared frontend, which is attached to both port 80 and 443. I then have a frontend, consuming this shared frontend, with an ACL, listening for, let's say, the webpage deployed in IIS. This is directed to a backend, which is attached to port 80 and 443 on the IIS server. This doesn't work..
I have been scratching my head the last couple of days, and it starts to look impossible.
How would YOU deploy multiple HTTPS services on different technologies (Tomcat, IIS, Apache etc.)?
Thank you so much!
-
Hi vonfrank,
I'm using the pfSense packages haproxy and acme on my pfSense for this similar situation. The pfSense WebUI is reconfigured to listen on port 8443.
The pfSense WebUI redirect from port 80 is disabled. I've two frontends defined in haproxy:
- WAN:80 (for acme redirection and ssl cert sign)
- WAN:443 (for ssloffloading with all certificates for my websites)
- one acl for each certificate. configured as "Host matches:"-Expression. value is the CN of ssl-Certificate.
- one action for each acl to switch to every backend.
- SSL Certificates configured as "Additional certificates", in configuration area "SSL Offloading"
- checkbox "Add ACL for certificate CommonName. (host header matches the "CN" of the certificate)" checked
- backends in haproxy:
  - one Backend for acme challenge. (I'm using the pfsense internal webserver for that)
  - several other Backends. one for every site. some acl's for URL rewriting
here my Backend config for acme to direct to pfsense's WebUI (listening on Port 8443):
    backend BE_ACME-Server_http_ipvANY
        mode http
        log global
        errorfile 403 /var/etc/haproxy/errorfile_BE_ACME-Server_http_ipvANY_403_http_503
        timeout connect 30000
        timeout server 30000
        retries 3
        acl acme_not_in_path path_beg -i /.well-known/acme-challenge
        http-request deny if !acme_not_in_path
        server pfsenseAdminWebpage 127.0.0.1:8443 ssl check inter 1000 verify none
-
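As an added example (not the reply's pfSense-generated config and not from the thread), here is a hand-written haproxy.cfg for the questioner's three hosts using the same pattern the reply describes: port 80 only answers the ACME challenge and redirects the rest, port 443 terminates TLS with one certificate per host chosen by SNI, and each site is routed on its Host header. It assumes HAProxy 2.x, PEM certificates in /etc/haproxy/certs/, the constructed addresses 10.0.0.11 and 10.0.0.12 standing in for 10.0.0.xx1 and 10.0.0.xx2, and a local ACME responder on 127.0.0.1:8443.

```haproxy
# Added example, not the poster's config. All addresses, paths and
# hostnames are assumed placeholders for the thread's setup.
defaults
    mode http
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: only the ACME HTTP-01 challenge is served in clear text;
# every other request is redirected, so no site is reachable without TLS.
frontend fe_http
    bind :80
    acl is_acme path_beg -i /.well-known/acme-challenge/
    use_backend be_acme if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Port 443: TLS ends here. With a directory in "crt", HAProxy picks the
# certificate matching the client's SNI, so three hosts share one IP
# without the single-certificate warning the questioner saw with Squid.
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # Route on the Host header, like the "Host matches: <CN>" ACLs in the reply.
    acl host_a    req.hdr(host) -i www.domainA.com
    acl host_suba req.hdr(host) -i www.subdomainA.domainA.com
    acl host_b    req.hdr(host) -i www.domainB.com
    use_backend be_iis     if host_a
    use_backend be_tomcat  if host_suba or host_b
    default_backend be_deny

# ACME challenge responder (assumed to listen with TLS on 127.0.0.1:8443,
# as the pfSense WebUI does in the reply).
backend be_acme
    server acme 127.0.0.1:8443 ssl verify none

# IIS (stand-in for 10.0.0.xx1). HAProxy forwards the Host header unchanged,
# so the IIS site binding for www.domainA.com keeps matching; no need to
# leave the host name empty in IIS.
backend be_iis
    server iis1 10.0.0.11:80 check

# Tomcat (stand-in for 10.0.0.xx2) serves both remaining hosts on plain
# HTTP inside the LAN; TLS is only on the proxy.
backend be_tomcat
    server tomcat1 10.0.0.12:8080 check

# Requests for a host not listed above get a 403 instead of a random site.
backend be_deny
    http-request deny
```

Validate with `haproxy -c -f haproxy.cfg` before reloading, and keep the ACME client's webroot or standalone listener behind be_acme so certificates renew through the proxy rather than by port-forwarding around it.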