Netgate Discussion Forum
    Help: Point subdomains to multiple services/hosts behind single public IP

    DHCP and DNS
    • p4-k4

      I'm wanting to point specific subdomains to a particular service on multiple internal hosts behind 1 public IP. For example...

      sub1.domain.com --> PUBLIC IP (the one and only public IP) --> INTERNAL HOST 1
      sub2.domain.com --> PUBLIC IP (the one and only public IP) --> INTERNAL HOST 2

      I have A records pointing the sub1.domain.com and sub2.domain.com to the same public IP address.

      From there I've taken a stab in the dark and tried to use the DNS resolver to interpret the requests and resolve them to the internal hosts' IP addresses as below.
      Screenshot from 2020-07-26 23-05-10.png

      No luck or perhaps this is the totally wrong approach?

      Also setup port forwards for each host. Each host is running web services on ports 80 and 443 however when accessing sub1.domain.com or sub2.domain.com, the browser gives me what host 1 is serving on both domains.

      I know the easiest way would be to run these services within a domain on a web hosting panel but basically I need each service running on their own host machines (VMs).

      This is the 3rd attempt I've made at setting this up over the past 2 years so I'm certainly banging my head against the wall. Would be super grateful if someone could point me in the right direction! Thanks in advance.

      • johnpoz (LAYER 8 Global Moderator)

        If you want say sub1 to go to 192.168.1.100 and sub2 to go to .101

        You would use a reverse proxy for that. The HAproxy package.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • p4-k4

          Cheers thanks for confirming this.

          I believe I've set up the front and backends correctly in the HAProxy package; however, there are two factors which I believe might not be giving me the desired result.

          I have Cloudflare for DNS hosting, which then points my A records for these subdomains to the same public IP address.
          Am I to disable SSL encryption with Cloudflare?

          Second thing is, is there some certificate setup required within pfSense in order for the front and backends to work as intended?

          I think I'm stuck and not sure what to do when it comes to secure connections.

          Thanks

          • johnpoz (LAYER 8 Global Moderator)

            So the http traffic is working?

            Who hosts your DNS has nothing to do with it: somefqdn points to 1.2.3.4 and otherfqdn also points to 1.2.3.4. It matters not who resolves that on the public internet to 1.2.3.4.

            You're using Cloudflare as just DNS, and not proxy?

            I have DNS in Cloudflare as well.. which is behind HAProxy and works fine. Yes, if you want SSL offloading to work, you would have to set up the cert on HAProxy... If you're just passing the traffic through then your end device would be doing the SSL, and yeah, that would have to be set up correctly for it to work.

            Does the traffic get there or not? Just sniff or what error do you get when you try and go to https vs http?

            • p4-k4

              Yeah so I've enabled DNS only on Cloudflare's side of things.

              It seems I can't even hit the backends on port 80. I've got NGINX up on both backends.

              Here's what my HAProxy setup looks like. Obviously substituted some info for privacy reasons.

              Screenshot from 2020-07-29 12-34-42.png
              Screenshot from 2020-07-29 12-35-06.png
              Screenshot from 2020-07-29 12-33-28.png

              As for the firewall rule, I've just set up a pass on port 80 specifically for this HAProxy setup. I've also tried destination as "This firewall" with no luck.

              Screenshot from 2020-07-29 12-38-40.png

              This is doing my head in!

              • johnpoz (LAYER 8 Global Moderator)

                Not sure what you're trying to do there with your firewall rule? The dest would be your WAN address to allow traffic to your WAN IP, so HAProxy can see the traffic and then send it to your backends.

                • p4-k4

                  Thanks for your help, it seems that there were two things holding me up (if anyone else is in the same boat).

                  HTTP health checks were enabled and not configured, so it seems pfSense was detecting my backends as offline and therefore not pointing anything through. The second thing was my firewall rule for this was completely wrong and should be as @johnpoz has indicated.

                  Now that I am able to point frontend to back for HTTP traffic, what is the ideal method for setting this up for multiple custom ports?
                  The scenario would be as follows:

                  sub1.domain.com --> 10.0.0.1 (ports 20, 30)
                  sub1.domain.com --> 10.0.0.2 (ports 20, 31) *note this has a service running on port 31

                  I set up some port aliases for each, however it seems that the HAProxy package won't acknowledge the input of aliases.
                  My thinking in doing so was that in some cases, multiple hosts might have the same services running on the same ports, but different hosts.

                  So then, I assume there would be some manual setup for each host, is that correct?

                  If so, is it as simple as adding these additional ports to each backend?

                  Thanks for your help @johnpoz, much appreciated.

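As an added example (not from this thread, and not the pfSense package's own generated output), here is a plain haproxy.cfg equivalent of what the package builds from its GUI for the setup discussed above: one public IP, Host-header routing of sub1/sub2 to two internal hosts, SSL offloading on the firewall as johnpoz describes, and an HTTP health check per backend of the kind that, when left unconfigured, marks a backend DOWN and silently drops it from routing. The hostnames, the backend addresses 192.168.1.100/.101, the certificate path and the check URL are all assumptions; the commented SSL-passthrough frontend at the end goes slightly beyond the thread by showing the SNI-based alternative johnpoz only mentions.

```haproxy
# Added example, not from the thread: haproxy.cfg for two subdomains behind one
# public IP. Hostnames, backend addresses, cert path and check URL are assumed.

global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    option forwardfor        # pass the real client IP to the backends
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP on the WAN address: pick the backend from the Host header.
# The WAN firewall rule must pass TCP/80 and TCP/443 to the WAN address
# itself (not a port forward to a backend), or HAProxy never sees this.
frontend http_in
    bind *:80
    acl host_sub1 req.hdr(host),field(1,:) -i sub1.domain.com
    acl host_sub2 req.hdr(host),field(1,:) -i sub2.domain.com
    use_backend be_sub1 if host_sub1
    use_backend be_sub2 if host_sub2
    default_backend be_sub1

# HTTPS with SSL offloading: the certificate (key + chain in one PEM) lives
# on the firewall and the backends receive plain HTTP.  Path is assumed.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/domain.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    acl host_sub1 req.hdr(host),field(1,:) -i sub1.domain.com
    acl host_sub2 req.hdr(host),field(1,:) -i sub2.domain.com
    use_backend be_sub1 if host_sub1
    use_backend be_sub2 if host_sub2
    default_backend be_sub1

# One backend per internal host.  With "check" HAProxy probes the server;
# the probe must hit a URL the server really answers with 200, otherwise the
# server is marked DOWN and requests for it get a 503 instead of reaching it.
backend be_sub1
    option httpchk GET /
    http-check expect status 200
    server host1 192.168.1.100:80 check inter 5s fall 3 rise 2

backend be_sub2
    option httpchk GET /
    http-check expect status 200
    server host2 192.168.1.101:80 check inter 5s fall 3 rise 2

# Alternative to https_in when the backends terminate TLS themselves
# (SSL passthrough).  There is no readable Host header, so routing uses the
# SNI name from the ClientHello; the backends then need port 443 and their
# own certificates.  Enable one of https_in / https_passthrough, not both.
# frontend https_passthrough
#     mode tcp
#     bind *:443
#     tcp-request inspect-delay 5s
#     tcp-request content accept if { req.ssl_hello_type 1 }
#     use_backend be_sub1_tls if { req.ssl_sni -i sub1.domain.com }
#     use_backend be_sub2_tls if { req.ssl_sni -i sub2.domain.com }
#
# backend be_sub1_tls
#     mode tcp
#     server host1 192.168.1.100:443 check
#
# backend be_sub2_tls
#     mode tcp
#     server host2 192.168.1.101:443 check
```

Two points worth checking against this before assuming the proxy is at fault: HAProxy's stats page (or `haproxy -c -f haproxy.cfg` for syntax) shows each server's UP/DOWN state, so a failing health check is visible immediately rather than appearing as "nothing gets through"; and the routing here works only because HTTP and TLS carry a name (Host header or SNI). A raw TCP service on a custom port carries no hostname, so two hosts behind one IP cannot share the same custom port by subdomain; each such service needs its own distinct listening port in a `mode tcp` frontend.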
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.