Help: Point subdomains to multiple services/hosts behind single public IP

p4-k4 · Jul 26, 2020, 11:14 AM

I'm wanting to point specific subdomains to a paticular service on multiple internal hosts behind 1 public IP. For example...

sub1.domain.com --> PUBLIC IP (the one and only public IP)** -->** INTERNAL HOST 1
sub2.domain.com --> PUBLIC IP (the one and only public IP) --> INTERNAL HOST 2

I have A records pointing the sub1.domain.com and sub2.domain.com to the same public IP address.

From there I've taken a stab in the dark an tried to use the DNS resolver to interpret the requests and resolve them to the internal hosts IP addresses as below.

No luck or perhaps this is the totally wrong approach?

Also setup port forwards for each host. Each host is running web services on ports 80 and 443 however when accessing sub1.domain.com or sub2.domain.com, the browser gives me what host 1 is serving on both domains.

I know the easiest way would be to run these services within a domain on web hosting panel but basically I need each service running on their own host machines (VM's).

This is the 3rd attempt I've made at setting this up over the past 2 years so certainly banging my head against the wall. Would be super greatful if someone could point me in the righ direction! Thanks in advance.

johnpoz · Jul 26, 2020, 11:42 AM

If you want say sub1 to go to 192.168.1.100 and sub2 to got .101

You would use a reverse proxy for that. The HAproxy package.

p4-k4 · Jul 27, 2020, 1:24 AM

Cheers thanks for confirming this.

I believe I've setup the front and backends correctly in the HAProxy package however, there are two factors which I believe might not be giving me the desired result.

I have Cloudflare for DNS hosting which then point my A records for these subdomains to the same public IP address.
Am I to disable SSL encryption with Cloudflare?

Second thing is, is there some certificate setup required within pfSense in order for the front and backends to work as intended?

I think I'm stuck and not sure what to do when it comes to secure connections.

Thanks

johnpoz · Jul 27, 2020, 11:52 AM

So the http traffic is working?

Who host your dns has nothing to do with it somefqdn points to 1.2.3.4 and otherfqdn also points to 1.2.3.4 - matters not who resolves that on the public internet to 1.2.3.4

Your using cloudflare as just dns, and not proxy?

I have dns in cloudflare as well.. which is behind haproxy and works fine. Yes if you want ssl offloading to work, you would have to setup the cert on haproxy... If your just passing the traffic through then your end device would be doing the ssl, and yeah that would have to be setup correctly for it to work.

Does the traffic get there or not? Just sniff or what error do you get when you try and go to https vs http?

p4-k4 · Jul 29, 2020, 12:41 AM

Yeah so I've enabled DNS only on Cloudflares side of things.

It seems I can't even hit the backends on port 80. I've got NGINX up on both backends.

Here's what my HAProxy setup looks like. Obviously substituted some info fo provacy reasons.

![alt text](image url)

As for the firewall rule, I've just setup a pass on port 80 specifically for this HAProxy setup. I've also tried destination as "This firewall" with no luck.

This is doing my head in!

johnpoz · Jul 29, 2020, 12:48 AM

Not sure what your trying to do there with your firewall rule? The dest would be your wan address to allow traffic to your wan IP, so the ha proxy can see the traffic and then send it to your backends.

p4-k4 · Jul 29, 2020, 5:40 AM

Thanks for your help, it seems that there were two things holding me up (if anyone else is in the same boat).

HTTP health checks were enabled and not configured so it seems pfSense was detecting my backends as offline therefore not pointing anything through. Second thing was my firewall rule for this was completely wrong and should be as @johnpoz has indicated.

Now that I am able to point frontend to back for HTTP traffic, what is the ideal method for setting this up for multiple custom ports?
The schenario would be as follows:

sub1.domain.com-> 10.0.0.1 (ports 20, 30)
sub1.domain.com-> 10.0.0.2 (ports 20, 31) *note this has a service running on port 31

I setup some port alias's for each, however it seems that the HAProxy package won't acknowledge the input of alias's.
My thinking in doing so was that in some cases, multiple hosts might have the same services running on the same ports, but different hosts.

So then, I assume there would be some manual setup for each host, is that correct?

If so, is it as simple as adding these additional ports to each backends?

Thanks for your help @johnpoz much appeciated.