2 servers, 1 public IP - Redirect subdomain internally
I have 2 SSL web servers and 1 public IP address.
I own a TLD (example.com), what I'd like to do is redirect server1.example.com to internal server A and server2.example.com to internal server B.
How would I go about doing this? The webservers are not IIS or Apache, but they are management web applications using ports 443.
You should use a reverse proxy (e.g. HAProxy, nginx, squid...) in front of those two servers. Bind public IP address to the proxy frontend and then use SSL SNI extension to route the traffic by the domain name to the backend servers.
HAProxy example (https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/):
# Adjust the timeout to your needs
defaults
timeout client 30s
timeout server 30s
timeout connect 5s
# Single VIP
frontend ft_ssl_vip
bind 10.0.0.10:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend bk_ssl_default
# Using SNI to take routing decision
backend bk_ssl_default
mode tcp
acl application_1 req_ssl_sni -i application1.domain.com
acl application_2 req_ssl_sni -i application2.domain.com
use-server server1 if application_1
use-server server2 if application_2
use-server server3 if !application_1 !application_2
option ssl-hello-chk
server server1 10.0.0.11:443 check
server server2 10.0.0.12:443 check
server server3 10.0.0.13:443 check
As was stated by user373333, you'd need to use something to listen on the edge and proxy into the network.
They used haproxy
, I prefer nginx
because you can serve SSL individually, control certs a little better, and there's less chaos because you can configure sites individually. That, and I have much more familiarity with nginx
than haproxy
for this - we had to have such a deployment on a specific piece of software we deployed where we had one ingress IP address for web traffic, and that was it, but we had eight or nine web administration pages on internal IP addressed servers.
Depending on your OS on what I would call a dedicated external-facing system, you'd install nginx
.
Add the following stanzas to the end of your nginx.conf
's http
section, which theoretically should be in /etc/nginx
; update these accordingly for your domains:
# First Server
server {
listen 443 ssl;
server_name server1.example.com;
ssl_certificate /path/to/SSL/cert;
ssl_certificate_key /path/to/SSL/cert/privkey;
# Secure SSL configs
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM
location / {
add_header X-Forwarded-For $remote_ip
add_header X-Forwarded-Proto https;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
proxy_pass https://internal.ip.address.1:443/;
}
}
# Second Server
server {
listen 443 ssl;
server_name server2.example.com;
ssl_certificate /path/to/SSL/cert;
ssl_certificate_key /path/to/SSL/cert/privkey;
# Secure SSL configs
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM
location / {
add_header X-Forwarded-For $remote_ip
add_header X-Forwarded-Proto https;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
proxy_pass https://internal.ip.address.2:443/;
}
}
# Catch all for all other responses, return 410 GONE message.
server {
listen 80 default_server;
listen 443 default_server;
server_name server1.example.com;
ssl_certificate /path/to/a/bogus/self-signed/SSL/cert;
ssl_certificate_key /path/to/a/bogus/self-signed/SSL/cert/privkey;
# Secure SSL configs
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_dhparam /etc/ssl/dhparam.2048.pem; # To protect against LOGJAM
return 410;
}
You'll need to run openssl dhparam -out /etc/ssl/dhparam.2048.pem 2048
either as superuser or with sudo
, depending on your system, but once you've done this and have the dhparam.2048.pem
file created, you can then restart the NGINX process on your system, and test your sites. Make sure that all the port 80 and 443 traffic is forwarded to this system, so it can properly hand off to internal systems.