Can't access two local ips through port 443 from outside

Hello everybody,

I'm really sorry if my question has an easy answer and I couldn't find it, but I really did look around the internet, wikis and blogs to try to understand my problem and find the solution.
I'm a new user of OpenWrt and very much a beginner in everything linked to networking.

I bought a https://openwrt.org/toh/bt/homehub_v5a with OpenWrt 18.06 installed.

I have connected it to ADSL and I have a good internet connection.

I have set up Active DHCP Leases and Active DHCPv6 Leases for all my machines that connect regularly to my Home Hub 5.

I have opened ports 80, 443, 22, 25, 587 and 993 in my firewall for one yunohost server (192.168.1.xx1) that hosts [https://]mydomain1[.net] (it has a Let's Encrypt certificate).
I have a second yunohost server connected (192.168.1.xx2) that needs access only to ports 80 and 443 and hosts both [https://]mydomain2[.net] and [https://]mydomain3[.net] (both have Let's Encrypt certificates).
mydomain1[.net] is accessible both from the local network and from outside.
mydomain2[.net] and mydomain3[.net] are accessible in the local network but can't be accessed from outside, even though I also opened ports 80 and 443 in the firewall.
Actually, if I put the rules for the second server (192.168.1.xx2) before the first one (192.168.1.xx1) by clicking "up" in LuCI, then mydomain2[.net] and mydomain3[.net] become accessible from outside (that's how I managed to get the Let's Encrypt certificates), but mydomain1[.net] stops being reachable.

How can I have all three domains, mydomain1[.net] hosted by 192.168.1.xx1 and mydomain2[.net]/mydomain3[.net] hosted by 192.168.1.xx2, accessible from outside through ports 80 and 443?

I thank you in advance for your replies. I'm sure it's a small parameter I don't know about and didn't understand that I should set up...

Oh, I forgot to say that I also set up hostnames for the three domain names linked to their IPs: mydomain1[.net] linked to 192.168.1.xx1 and mydomain2[.net]/mydomain3[.net] linked to 192.168.1.xx2.

Thanks again,

Thatoo

You cannot port forward the same ports (80 and 443) to multiple inside hosts.
What you can do is forward slightly different ones, e.g. 8080 and 4443, to the second server. Not sure if this will cover your needs though with the Let's Encrypt certificate.

really?
That makes sense, but how can we host different websites on different servers behind the same router/modem then?

If I redirect 80 from outside to 8080 inside and 443 from outside to 4443 inside, will that work?
Maybe I should tell 192.168.1.xx2 that it's not 443 but 4443? Would that work? How can I do that?

Usually with virtual servers.

1 Like

I don't understand?
https works through 443 right and http through 80?
So when someone enters the URL https://mydomain2[.net], it looks for 443 at my router, right? How do I tell them that it's not 443 but 4443?
I'm lost.

Should I mention port 4443 in the DNS record at my registrar? How?

HTTPS cannot be virtually hosted because the client must know the certificate in use first.

Use different ports.

Not if you want both servers to use 80 or 443 on the Public IP.

Yes, I want both servers to use 80 and 443 on my public IP.
How can I do that?

:man_facepalming:

You were just told.

One option is:

This is done on the web server with URLs.

1 Like

To host multiple domains on a single IP address, you need to implement virtual servers. A production-grade server such as nginx can do this. If you are using HTTP-S then you will additionally need either a wildcard certificate, or a certificate that supports each of the hostnames and use a browser that supports SNI (most current browsers do).

2 Likes

:disappointed_relieved:
I don't understand. I'm sorry.
And now I get scared...
I don't understand why my router can't tell the difference between mydomain1 and mydomain2 when the request comes from outside but can tell the difference when it comes from inside...
I feel now how difficult and obscure all that is, and I feel I have lost so much time and money trying to do it by myself, but I have reached my limit now...
Tonight I feel desperate and lonely.
I need fresh air.
Thank you all

A router routes IP packets, transport layer. It looks only at the IP addresses and ports involved. The information about which URL is being requested is in the content of the stream (application layer). Routers don't look at this information. In the case that the information is encrypted, such as with HTTP-S, any device can't look at this information at all, except if it is one end of the encrypted channel or the other.

You need a webserver or reverse proxy to route HTTP requests, which are at the application layer. When the connection is encrypted, the URL is, for most practical purposes, only present in the encrypted channel. Since TLS requires the end point to convincingly confirm that it is the desired end point and not an imposter, certificates are used. For a browser to be convinced that it is securely connecting to, say downloads.example.com, the server needs to send a signed or otherwise trusted certificate that includes downloads.example.com, either explicitly, or with a wildcard like *.example.com. Only after the trust is established does the TLS channel get set up. Only after the TLS channel is up, does "GET https://downloads.example.com" get sent to the server.

Setting up multiple hosts ("server blocks" under nginx) is straightforward, but not trivial. I'd take some careful steps on the path, such as:

  • Install nginx with TLS support as a package or set of packages
  • Set up a single server block with nginx, no TLS
  • Get your certificates from Let's Encrypt, or wherever you choose
  • Add TLS to that single server
  • Add a second server block, no TLS
  • Extend your certificates to cover an additional host name
  • Add TLS to the second server block

Now you can "lather, rinse, and repeat" for additional server blocks since you know the pattern works.

2 Likes
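As an added example (not from this thread and not OpenWrt's or nginx's own documentation), here is the shape of an nginx front end that does what the two posts above describe: one public IP, ports 80 and 443 only, with the request routed to the right backend by name. It assumes nginx built with the `stream` and `ssl_preread` modules, running on a host that receives the router's port 80/443 forwards (or on the router itself, in which case the forwards are not needed), and it keeps the thread's placeholder addresses 192.168.1.xx1 / 192.168.1.xx2, which must be replaced with the real ones. For 443 it does not terminate TLS at all: it reads the SNI name from the ClientHello, which the browser sends in clear before encryption starts, and hands the unmodified TCP stream to the backend, so each yunohost server keeps its own Let's Encrypt certificate exactly as set up in the original post. For port 80 there is no SNI, so the name comes from the HTTP Host header and the `http` block proxies by `server_name`, which also lets the ACME HTTP-01 challenge reach each backend.

```nginx
# Added example, not the thread's or the project's own config.
# Assumes nginx with the stream + ssl_preread modules (1.11.5 or later);
# 192.168.1.xx1 / 192.168.1.xx2 are the thread's placeholders, not real IPs.

events { }

stream {
    # Pick the backend from the SNI name in the TLS ClientHello.
    # Nothing is decrypted here; the backend still presents its own certificate.
    map $ssl_preread_server_name $tls_backend {
        mydomain1.net   192.168.1.xx1:443;
        mydomain2.net   192.168.1.xx2:443;
        mydomain3.net   192.168.1.xx2:443;
        default         192.168.1.xx1:443;   # unknown or missing SNI: choose deliberately
    }

    server {
        listen 443;
        ssl_preread on;          # parse the ClientHello, then pass the bytes through
        proxy_pass $tls_backend;
    }
}

http {
    # Plain HTTP: the name is in the Host header, so route by server_name.
    # Forwarding everything (including /.well-known/acme-challenge/) keeps
    # Let's Encrypt renewals on the backends working.
    server {
        listen 80;
        server_name mydomain1.net;
        location / {
            proxy_pass http://192.168.1.xx1;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }

    server {
        listen 80;
        server_name mydomain2.net mydomain3.net;
        location / {
            proxy_pass http://192.168.1.xx2;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
```

Two caveats worth checking after deploying this. On 443 the backends see the proxy's address as the client source, because the TCP connection is re-originated; if a backend relies on client IPs (rate limiting, fail2ban style banning), it will need the PROXY protocol or a TLS-terminating setup instead. And a ClientHello with no SNI, or an unknown name, still has to go somewhere: the `default` line above sends it to the first server, and a stricter choice is to point it at a port nothing listens on so that unexpected names are simply refused.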

Thank you all for your answers. I'm sorry for my behaviour last time.
It's just that I have worked very hard, studied all aspects of how to self-host services, and I was so close to succeeding that, having missed that small but very important piece of information and thus seeing all my work fail, I was very desperate...
Anyway, I have learned now that one IP, one port, one server...
I'll find a solution.
Thank you again for all your amazing work to all of you.

1 Like