Multiple servers behind one public IP [duplicate]

This is a canonical question about hostname-awareness and proxying.

I know that some protocols are hostname-aware; that is, when I connect to the HTTP server at www.example.com it knows I want www.example.com's HTTP service, not www.example.net's, even though they are on the same IP address. How can I do this for protocol foo?

(Temporary note: this question appears pursuant to this meta discussion.)


Solution 1:

To understand what's going on, you need to know a little about DNS.

When a client wants to connect to a service on a given host, it looks up the hostname through its local DNS infrastructure, and receives an IP address in response. It then connects to that IP address, and requests the service in the manner prescribed by the protocol it's built to implement.

In some cases, part of that protocol involves a second sending of the hostname originally looked up, which in this case is sent to the server rather than the DNS infrastructure. In the case of HTTP, this was added as part of HTTP/1.1, in RFC 2616; in the case of HTTPS, this was implemented as Server Name Indication (SNI) in RFC 4366; and in the case of FTP, this was added by the HOST command, in RFC 7151 (but see later caveat). If such a second sending does not occur, the server has no way to know what hostname the client fed to its local DNS in order to get the server's IP address.

Note that in all cases a change to the protocol was required to do this second sending, and thus make the client-server interaction hostname-aware. After the protocol was changed, server code had to be updated to implement it. And finally, clients had to be updated to talk the new protocol to the servers. That last step can be particularly slow; in the case of SNI, Internet Explorer on Windows XP never implemented it, so the protocol could not be relied on while there was still any significant number of IE-on-XP users around, and it's taken about ten years for enough of them to die off and/or get upgrades that SNI is reliably deployable.

So that's what it takes to make a non-hostname-aware protocol hostname-aware. It is not a simple flag setting or configuration change. We have some protocol-specific answers that deal with the state of affairs, and possible mitigation measures, for that protocol in particular: for SSH (and thus also SFTP) and for FTP (which points out that HOST support for FTP is currently in the patchy-support phase, and so cannot yet be relied on).

The short answer is that if your protocol does not currently implement hostname-awareness, with good support amongst both clients and servers, forget it: it's not something you can do.
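As an added example (not part of the original answer), here is the "second sending" seen from the server side: a small Python parser that pulls the hostname out of a TLS ClientHello's SNI extension or an HTTP/1.1 Host header, so a front end on one IP can choose a back end, and that returns None for a first message that carries no hostname at all, as an SSH banner does. The backend map, the sample ClientHello builder and the hostnames are constructed for the demo.

```python
import struct
from typing import Optional

def sni_from_client_hello(data: bytes) -> Optional[str]:
    """Pull server_name out of a TLS ClientHello (SNI); None if absent or not a ClientHello."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:          # TLS handshake record, ClientHello
            return None
        pos = 43  # record hdr(5) + handshake hdr(4) + version(2) + random(32)
        pos += 1 + data[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + data[pos]                                    # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:   # server_name: list len(2), name_type(1), name len(2), name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                    # truncated or malformed input
    return None

def host_from_http_request(data: bytes) -> Optional[str]:
    """Return the Host header of an HTTP/1.1 request, or None if there is none."""
    head, _, _ = data.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:                       # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii")
    return None

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample ClientHello carrying only an SNI extension (demo input)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"             # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"               # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def pick_backend(first_bytes: bytes, backends: dict) -> Optional[str]:
    """Route on whatever hostname the client's first message carries; None if it carries none."""
    host = sni_from_client_hello(first_bytes) or host_from_http_request(first_bytes)
    return backends.get(host) if host else None
```

With nothing to read, a front end can only fall back to per-IP or per-port separation, which is the answer's point.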