So I have a machine running Proxmox with two Debian containers. The first container is running Pterodactyl panel. The second container is running the Apache default site. The problem is that both containers are under the same public IP, and when I open the subdomain for the Apache website I get redirected to the Pterodactyl website; even if I open the domain without any subdomains I get redirected to the Pterodactyl one. I saw people talking about SNI. Can someone help me resolve this issue?
Where does Openwrt come into the picture?
I want to know if it's possible in any way to use SNI on OpenWRT and if it's possible somehow to make it not redirect to one domain. Also I found out that it redirects to the domain of the machine which is port forwarded first in OpenWRT.
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html would be one way of doing it.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
OpenWrt is forwarding traffic to the respective machine regardless of its actual content. The only qualifying criteria are the port number and the protocol of the connection (TCP/UDP), beyond that OpenWrt is blissfully unaware of its content.
In theory yes, the SNI part is intentionally unencrypted and therefore sniffable. This would be adjacent to deep packet inspection (DPI) and I believe some enterprise-grade/UTM router software is able to do that ("SNI routing"). But for OpenWrt this remains purely theoretical, I'm not aware of any attempt to actually implement this on OpenWrt (someone CMIIW).
Just as well it should not be necessary in your case. You don't actually want to route requests for different FQDNs to different machines. Your requests go to the same machine in your network, this host should then implement SNI. That's the original intention of SNI, to enable a single host on a single port to distinguish between requests made to different (sub)domains. I would recommend looking into a potentially documented solution on the host rather than an obscure workaround on the upstream router.
Or in short, the keyword to search for would be a vhost configuration for your apache2, to make it serve different content based on the requested hostname (but same IP).
Using different ports would obviously also work, as @takimata already pointed out.
You could use HAProxy on your OpenWRT router to handle the incoming connections and proxy them to the corresponding backend VM inside your local network.
Heavily depends on the OpenWrt router; the weakest will max out plain forwarding connections to a HAProxy or nginx or varnish reverse proxy cache container, or you need filogic or x86 to do any SSL SNI.
Maybe I could make a proxmox container running HAproxy to route the traffic to the right machine?
Maybe provide the requested system info; it's wildly irrelevant what commercial virtualisation you can afford.
That's not entirely correct.
I've successfully run HAProxy, with 3 sites, all using LetsEncrypt certificates, on a variety of devices up to and including a Dynalink WRX36 (current router of choice).
It all depends on the use case. For something like (say) a home automation server, or internal monitoring, or exposing cameras - that's fine. Using a low powered router to provide commercial hosting obviously won't fly.
That would likely be your best bet. If you've got the hardware, let the router do the routing and let other things do the other things.
If you see what I mean!
Does HAProxy work with protocols other than http/https? I want to entirely route the traffic to a specific machine. If not, what should I use?
That was NOT your initial question. Make a new thread if the firewall wiki pages cannot help you.
It is imperative for further discussion to describe your setup so far.
I concur. Unless we know the system and, crucially, the wireless configuration we cannot possibly continue to talk about protocols, proxy and network architecture.
It is about scale. A weak router can barely forward; a strong router / PC miniserver can accelerate crypto.
What in the blazes are you talking about? When did the OP come even close to talking about crypto, let alone accelerating it?
UX will be different for SNI vhosts on a PC or filogic vs ath79 using apache. nginx can pre-read SNI without running crypto on load balancer (socket proxy as opposed to typical http proxy), or specify accelerated ssl engines, a better fit for all scales.
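The two points made above, that the SNI field is readable without any decryption and that nginx can pre-read it at the TCP level to choose a backend, can be shown in code. This is an added example, not code from this thread, nginx or HAProxy: a small Python parser that pulls the host_name out of a TLS ClientHello and maps it to a backend. The hostnames and backend addresses are made-up placeholders, and the ClientHello is constructed in the script rather than captured.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample input: minimal TLS 1.2 ClientHello with only a server_name extension."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name            # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)                            # version + random
            + b"\x00"                                          # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
            + b"\x01\x00"                                      # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host_name from a ClientHello record, or None; reads plaintext only, no keys."""
    try:
        if record[0] != 0x16:                                   # must be a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                       # must be a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # skip version and random
        pos += 1 + body[pos]                                    # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
        pos += 1 + body[pos]                                    # compression methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == 0 and data[2] == 0:                     # server_name, host_name entry
                nlen = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + nlen].decode("ascii")
            pos += 4 + elen
    except (IndexError, struct.error):
        pass                                                    # truncated, malformed or not TLS
    return None

# Placeholder SNI -> backend table (made-up names and addresses).
BACKENDS = {"panel.example.com": "10.0.0.10:443", "www.example.com": "10.0.0.11:443"}

def choose_backend(record: bytes, default="10.0.0.10:443") -> str:
    # Unknown or missing SNI falls back to the default, like the "first forwarded host" effect.
    return BACKENDS.get(extract_sni(record), default)
```

This is what a passthrough proxy does before any TLS is terminated; the certificate and private key stay on the container that serves the site.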