2 servers, 1 public IP - Redirect subdomain internally

ip subdomain

I have 2 SSL web servers and 1 public IP address.

I own a TLD (example.com), what I'd like to do is redirect server1.example.com to internal server A and server2.example.com to internal server B.

How would I go about doing this? The webservers are not IIS or Apache, but they are management web applications using ports 443.


You should use a reverse proxy (e.g. HAProxy, nginx, squid...) in front of those two servers. Bind public IP address to the proxy frontend and then use SSL SNI extension to route the traffic by the domain name to the backend servers.

HAProxy example (https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/):

# Adjust the timeout to your needs
defaults
  timeout client 30s
  timeout server 30s
  timeout connect 5s

# Single VIP 
frontend ft_ssl_vip
  bind 10.0.0.10:443
  mode tcp

  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  default_backend bk_ssl_default

# Using SNI to take routing decision
backend bk_ssl_default
  mode tcp

  acl application_1 req_ssl_sni -i application1.domain.com
  acl application_2 req_ssl_sni -i application2.domain.com

  use-server server1 if application_1
  use-server server2 if application_2
  use-server server3 if !application_1 !application_2

  option ssl-hello-chk
  server server1 10.0.0.11:443 check
  server server2 10.0.0.12:443 check
  server server3 10.0.0.13:443 check

As was stated by user373333, you'd need to use something to listen on the edge and proxy into the network.

They used haproxy, I prefer nginx because you can serve SSL individually, control certs a little better, and there's less chaos because you can configure sites individually. That, and I have much more familiarity with nginx than haproxy for this - we had to have such a deployment on a specific piece of software we deployed where we had one ingress IP address for web traffic, and that was it, but we had eight or nine web administration pages on internal IP addressed servers.

Depending on your OS on what I would call a dedicated external-facing system, you'd install nginx.

Add the following stanzas to the end of your nginx.conf's http section, which theoretically should be in /etc/nginx; update these accordingly for your domains:

# First Server
server {
    listen 443 ssl;

    server_name server1.example.com;

    ssl_certificate /path/to/SSL/cert;
    ssl_certificate_key /path/to/SSL/cert/privkey;

    # Secure SSL configs
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM

    location / {
        add_header X-Forwarded-For $remote_ip
        add_header X-Forwarded-Proto https;
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        proxy_pass https://internal.ip.address.1:443/;
    }
}

# Second Server
server {
    listen 443 ssl;

    server_name server2.example.com;

    ssl_certificate /path/to/SSL/cert;
    ssl_certificate_key /path/to/SSL/cert/privkey;

    # Secure SSL configs
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM

    location / {
        add_header X-Forwarded-For $remote_ip
        add_header X-Forwarded-Proto https;
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        proxy_pass https://internal.ip.address.2:443/;
    }
}

# Catch all for all other responses, return 410 GONE message.
server {
    listen 80 default_server;
    listen 443 default_server;

    server_name server1.example.com;

    ssl_certificate /path/to/a/bogus/self-signed/SSL/cert;
    ssl_certificate_key /path/to/a/bogus/self-signed/SSL/cert/privkey;

    # Secure SSL configs
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM

    return 410;
}

You'll need to run openssl dhparam -out /etc/ssl/dhparam.2048.pem 2048 either as superuser or with sudo, depending on your system, but once you've done this and have the dhparam.2048.pem file created, you can then restart the NGINX process on your system, and test your sites. Make sure that all the port 80 and 443 traffic is forwarded to this system, so it can properly hand off to internal systems.

Related

Is it possible to stop computers which aren't Bitlocker encrypted logging in?
Best way to build home NAS with redundancy [closed]
What does booting in to Windows in safe mode do?
Securing Active Directory domains on a potentially hostile network
Should I ever DELETE (SQL and DB) anything?
Moving Active Directory computer to another OU - What are the affects?
Can't unmount a loop backed file but there's no open files?
ZFS and non Sun OS's
Is Hyper-V Server 2008 working on Intel's Atom platform
How to turn off airplane mode?
How to enable sudo password?
Failed to connect socket to '/var/run/libvirt/libvirt-sock'