How to NAT port 80 based on http header



  • I am trying to forward port 80 from my external IP to my internal web servers, but I do not know how to do it. I have 1 external IP and 3 internal web servers, with different domains. External IP must be always on port 80.

    Can you please advise me how to solve this problem?



  • I think that you could try to search Varnish or Squid reverse


  • Rebel Alliance Developer Netgate

    You would need some sort of system like Varnish sitting there to decide where to forward the traffic based on hostname.

    If you only want to forward port 80 in, you can only have one target IP. You can't forward the same port in to more than one host. So a program like Varnish would make the decision using extra information (like the Host: header) on where to send the connection.

    Alternate solutions:

    • Use multiple external IPs if you can get them from your ISP. You can forward port 80 from additional public IPs in to additional servers. Have three servers? You need three external IPs.
    • Use different ports - forward x.x.x.x:80 to server1, x.x.x.x:81 to server2, x.x.x.x:82 to server3, and so on.

  • Banned

    No you don't… you can use L7 to do that in ISA Server 2006. pfSense is lagging behind in that specific scenario.

    Built-in L7 should do that by default.



  • @Supermule:

    No you don't… you can use L7 to do that in ISA Server 2006. pfSense is lagging behind in that specific scenario.

    Built-in L7 should do that by default.

    What do you mean? What about the Varnish package?



  • @Supermule:

    No you don't… you can use L7 to do that in ISA Server 2006. pfSense is lagging behind in that specific scenario.

    Built-in L7 should do that by default.

    Without cache maybe, but if you want to reduce server load and increase speed, pfSense + Varnish for sure is the answer.


  • Banned

    In ISA2006 the reverse proxy acts as cache and you decide how big and for how long it is caching requests.



  • @Supermule:

    In ISA2006 the reverse proxy acts as cache and you decide how big and for how long it is caching requests.

    Take a look at Varnish, you will not believe how fast it is.  ;)

    https://www.varnish-cache.org/


  • Banned

    I know… but the thing about L7 in ISA is that it acts as a firewall at the same time. It inspects the packets at L7 of the OSI model.

    That is lacking in pfSense and it needs that capability to really make it into the big league.


  • Banned

    You can then block or allow traffic depending on application, and it makes it damn easy to block Facebook and torrents ASF.


  • Rebel Alliance Developer Netgate

    It's doing exactly what Varnish does. There is nothing special about "L7" in that context. It has to proxy the connection; it can't do that on the fly with packet-level inspection.

    The Host: header doesn't come in until a connection is established. Where does the TCP SYN go if it's doing purely L7 inspection? You can't do that. It doesn't work that way.

    So adding Varnish into the picture is the solution; it doesn't need to be done in any other special way (short of maybe bringing Varnish into the base system, but there really isn't a compelling reason to do so!)
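    To make the two points above concrete (the decision has to be made from the Host: header, and that header only exists after the TCP handshake), here is a minimal Host-based dispatcher. It is an added example, not code from this thread, pfSense or Varnish; the hostnames and backend addresses are made up, and unlike Varnish it does no caching and re-checks Host only for the first request on a connection.

```python
import socket
import threading
BACKENDS = {"www.example1.com": ("192.168.1.11", 80),  # constructed map, addresses are assumptions
            "www.example2.com": ("192.168.1.12", 80),
            "www.example3.com": ("192.168.1.13", 80)}

def parse_host(head: bytes):
    """Host header value, lowercased with any :port removed (IPv6 literals not handled), or None."""
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("latin-1").lower().split(":", 1)[0]
    return None

def read_head(conn):
    """Read until the end of the request headers; None if the client hangs up or sends too much."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk or len(buf) + len(chunk) > 16384:
            return None
        buf += chunk
    return buf

def pump(src, dst):  # copy bytes one way until EOF, then half-close the destination
    try:
        while data := src.recv(65536):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle_client(client):
    head = read_head(client)  # the TCP handshake is long done; only now is the Host header visible
    backend_addr = BACKENDS.get(parse_host(head)) if head else None
    if backend_addr is None:  # unknown Host is rejected, never sent to a "default" server
        client.sendall(b"HTTP/1.1 421 Misdirected Request\r\nConnection: close\r\n\r\n")
        client.close()
        return
    backend = socket.create_connection(backend_addr)
    backend.sendall(head)  # replay what was read, then relay both ways (a keep-alive stays pinned)
    threading.Thread(target=pump, args=(backend, client), daemon=True).start()
    pump(client, backend)

def serve(listen=("0.0.0.0", 80)):  # the one public port; binding 80 needs privileges
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()
```

    Call serve() to run it; the point to notice is that accept() completes (the SYN has already been answered) before anything about the hostname can be known.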


  • Rebel Alliance Developer Netgate

    @Supermule:

    You can then block or allow traffic depending on application, and it makes it damn easy to block Facebook and torrents ASF.

    That is a completely different scenario, nothing to do with NAT which is what this thread is - and you can do that if you make your own L7 filter to match it. You can upload L7 patterns of your own making. Again, little need to add that to the base system (though we could use a page to list user-supplied patterns…) and interesting as that topic is, it isn't relevant to this one.



  • @rafkos:

    I am trying to forward port 80 from my external IP to my internal web servers, but I do not know how to do it. I have 1 external IP and 3 internal web servers, with different domains. External IP must be always on port 80.

    Can you please advise me how to solve this problem?

    If your web servers run under Apache you could also consider using virtual hosts and run all the domains on the same machine: http://httpd.apache.org/docs/2.0/vhosts/

    Really depends on your situation though.



  • I agree with chpalmer,
    I use virtual hosts on my web server and it runs great, and is easy to set up :)

