I wonder if anyone can help with a question I have regarding IPTABLES?
I have all traffic incoming on port 443, which is cool. However some needs to go to one place on my internal, and some to another. I have a couple of domain names pointed at my IP, and I'd like to point traffic using port forward to the right server, depending on the domain name requested?
So, for example bbc.co.uk might point to 1.1.1.1:443. However news.bbc.co.uk needs to point to 1.1.1.1:443 but internally shift to 1.1.1.5:80. I need a trick to detect the requested domain name and point it at the right server internally and route back via 443.
If you are owning the bbc.co.uk and new.bbc.co.uk domains in the exemple then you can use a reverse proxy to direct the traffic to the servers. The reverse proxy needs to be configured with the server certificates, which won't be possible for a domain you don't own unless you configure the clients with your own CA.
If you're referring to inbound traffic to multiple HTTP servers behind your one NATed public IP, you'll have to run some kind of HTTP proxy to go to get to the proper LAN virtual servers.
I don't own those domains! I think they are owned in the UK
I was using an an example. So can I route requests for streams.bbc.co.uk:443 to an internal of 192.168.1.5:446 and requests for radio.bbc.co.uk:443 to an internal of 192.168.1.47:63 ?
Handling multiple incoming “domains” works well with nginx configured as a reverse proxy and a multi-domain cert. I run a Let’s Encrypt cert this way on a single, public IPv4 address. IPv6 can either be handled the same way (easier, in my opinion) or by going direct to the backing servers.
Edit:
Assuming this is what you are after, here are some hints from the config I'm running
In the http block, you may need (in addition to all the usual and TLS-related boilerplate):
proxy_http_version 1.1; # I "downgrade" the internal connection for "dumb" backing servers
resolver <your resolver's IP>;
For each server (domain)
(Note that it is my choice to use "plain" HTTP to the backing servers as they are on a protected VLAN)
server {
listen [::]:80;
server_name server.example.com;
ssl off;
include local/acme-challenge;
location / {
return 307 https://$server_name$request_uri;
# Once everything is running, you can uncomment:
# add_header Strict-Transport-Security
# "max-age=86400; includeSubDomains"
# always;
# add_header Strict-Transport-Security
# "max-age=31536000; includeSubDomains"
# always;
}
}
server {
listen [::]:443 ssl http2;
server_name server.example.com;
include local/acme-challenge;
location / {
include local/proxy_set_header;
# Once everything is running, you can uncomment:
# add_header Strict-Transport-Security
# "max-age=31536000; includeSubDomains"
# always;
proxy_pass http://backing.server.internal.example.com/;
}
}
local/acme-challenge
(Since the certs are going to be installed on this machine, don't proxy it to the backing server)
# Don't proxy /.well-known/acme-challenge/
location /.well-known/acme-challenge/ {
index off;
alias /usr/local/www/.well-known/acme-challenge/;
}
local/proxy_set_header
(So that the backing server's logs reflect the original client, not the reverse proxy's)
# in /etc/config/dhcp
config domain
option ip '192.168.1.5'
option name ' radio.bbc.co.uk'
config domain
option ip '192.168.1.47'
option name ' streams.bbc.co.uk'
The problem is how to redirect the ports:
# in /etc/config/firewall
config redirect
option name 'radio_Redirect'
option src 'wan'
option dest_ip '192.168.1.5'
option src_dport '443'
option dest_port '446'
option target 'DNAT'
option proto 'udp'
option dest 'lan'
config redirect
option name 'streams_Redirect'
option src 'wan'
option dest_ip '192.168.1.47'
option src_dport '443'
option dest_port '63'
option target 'DNAT'
option proto 'udp'
option dest 'lan'
Please note, this won't work for LAN to LAN, it must cross the firewall!!!
If you need to do this internally/locally, you need to place the servers in their own VLAN, so the traffic traverses the router/firewall
Just to confirm, I'm not hijacking the BBC! I have one static IP on my VDSL at home, and a lot comes in to 443. However I need to route the requests based on the domain name they are coming from. I have different virtual box instances handling the different jobs.
For example, home brew Alexa requests are coming in and handled by one system, and a streaming server is handled by Icecast2 on another system. All needs to be on port 443, so I need to route incoming by domain name to correct servers.
I doubt this will work.
The rules are identical and every time the first rule will have precedence and translate the address to 192.168.1.5.
You need something like what @jeff proposed.
If you need inside hosts to be able to access https://my.service.example.com/ it gets tricky if you're only using "public" DNS. I found the most reliable way to handle it is with split-horizon DNS, where my "inside" hosts get an IP for my.service.example.com as an internal address, on which the reverse proxy is also listening.
