Geekzone: technology news, blogs, forums


Paul1977

3425 posts

Uber Geek


#196534 3-Jun-2016 12:18

We will soon be deploying an on premises web server, but ports 80 and 443 are already forwarded to Exchange for ActiveSync.

 

Obviously I will have a separate external A record for each server, but since they will both be resolving back to a single public IP I'm not sure how to redirect the traffic internally based on the requested URL.

 

How do you clever people deal with this kind of thing?





Andib
1122 posts

Uber Geek

Trusted

  #1564978 3-Jun-2016 12:21

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

 

I use nginx on my home to do this (4 separate VMs each having multiple services using port 80 / 443)


Paul1977

3425 posts

Uber Geek


  #1565008 3-Jun-2016 12:48

Andib:

 

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

 

I use nginx on my home to do this (4 separate VMs each having multiple services using port 80 / 443)

 

 

I was reading about reverse proxies. Our firewall vendor tells us that it can't be configured as a reverse proxy (although various Googles seem to contradict that).

 

So reverse proxy is the only way of achieving this?


 
 
 
 


CB_24
309 posts

Ultimate Geek


  #1565015 3-Jun-2016 12:59

Citrix NetScaler Unified Gateway, single IP in front of multiple different backend systems.


jnimmo
1040 posts

Uber Geek

Subscriber

  #1565017 3-Jun-2016 13:02

Microsoft Web Application Proxy (Role on Server 2012 R2)


mikespook
12 posts

Geek


  #1565019 3-Jun-2016 13:04

Paul1977:

 

Andib:

 

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

 

I use nginx on my home to do this (4 separate VMs each having multiple services using port 80 / 443)

 

 

I was reading about reverse proxies. Our firewall vendor tells us that it can't be configured as a reverse proxy (although various Googles seem to contradict that).

 

So reverse proxy is the only way of achieving this?

 

 

The reverse proxy uses `Host` to separate different services.

 

http://nginx.org/en/docs/http/server_names.html

 

http://nginx.org/en/docs/http/request_processing.html

 

All these processes can be deployed on the same hardware. Thus no need to worry about the firewall.

 

                          |------------- Your home side -------------|
                          |             => Web service 1
Internet ==> Firewall ==> Reverse proxy => Web service 2
                          |             => Web service 3
                          |------------------------------------------|


darylblake
1028 posts

Uber Geek

Trusted

  #1565023 3-Jun-2016 13:09

There are 2 reasons why you would want to do this.

 

1) One server is not enough or 

 

2) You want to utilize a web server you already have, by running more hosts on it.

If it's #1, you should look at making the IP address work as a load balancer and serve proxy the traffic off other hosts.

If it's #2, use virtual hosts, where the incoming request determines which vhost the request would be routed to.

 

Or you could use a mixture of both. 

 

 

 

Personally I would use NGINX to achieve this. The product is perfect for serving static content, and can passthrough so much stuff to servers behind the public address. 

 

You can hand off Node.js via PM2  or PHP via PHP-FPM processing to other machines. 

 

The other option is you could buy more IPs.

 

I can help you with an Apache or NGINX config if you want... I really need to know a bit more about what you are trying to do. 


Paul1977

3425 posts

Uber Geek


  #1565028 3-Jun-2016 13:14

jnimmo:

 

Microsoft Web Application Proxy (Role on Server 2012 R2)

 

 

The idea is to have a separate webserver in a DMZ for client access, and our Exchange on the main LAN.

 

If we deployed the webserver on a 2012 R2 could that function as both the proxy and a webserver? E.g:

 

Firewall points inbound web traffic to 2012 R2 server; if request is for mail.company.com it forwards the traffic to Exchange server, if request is for portal.company.com it forwards it on to itself?


 
 
 
 


Paul1977

3425 posts

Uber Geek


  #1565035 3-Jun-2016 13:22

darylblake:

 

There are 2 reasons why you would want to do this.

 

1) One server is not enough or 

 

2) You want to utilize a web server you already have, by running more hosts on it.

If it's #1, you should look at making the IP address work as a load balancer and serve proxy the traffic off other hosts.

If it's #2, use virtual hosts, where the incoming request determines which vhost the request would be routed to.

 

Or you could use a mixture of both. 

 

 

 

Personally I would use NGINX to achieve this. The product is perfect for serving static content, and can passthrough so much stuff to servers behind the public address. 

 

You can hand off Node.js via PM2  or PHP via PHP-FPM processing to other machines. 

 

The other option is you could buy more IPs.

 

I can help you with an Apache or NGINX config if you want... I really need to know a bit more about what you are trying to do. 

 

 

Thanks Daryl,

 

Basically just want to have a separate webserver in a DMZ for a customer portal, while keeping Exchange in our main subnet - but both behind the same public IP.

 

New webserver will be deployed on a new Windows server.


timmmay
16521 posts

Uber Geek

Trusted
Subscriber

  #1565042 3-Jun-2016 13:36

You can't offer two services on the same public IP / port combination. So you need to change your current setup or add a new domain. Suggest you create a subdomain (ie a new A record) (eg customerportal.example.com) and run nginx as a proxy server to these web servers. Nginx is pretty easy.


deadlyllama
1018 posts

Uber Geek


  #1565044 3-Jun-2016 13:39

I use haproxy for this.

 

If you want https servers behind the proxy, haproxy has a neat feature where it can sniff the hostname from an SNI handshake and direct traffic to the correct internal server accordingly.  It can also, if you run it on the router/gateway the webservers are using, fake the source IP of the TCP connections it makes to your webserver, so that they appear to come from the original source IP, not the IP of the haproxy box.


Paul1977

3425 posts

Uber Geek


  #1569162 10-Jun-2016 09:34

darylblake: The other option is you could buy more IPs.

 

This seemed like a good idea, but Spark have come back and said "We can only assign one Static IP to each broadband connection I am afraid. This is a system issue, not a business rule."

 

I tend to take what Spark first level support tell me with a grain of salt, as I have been given incorrect info in the past.

 

Can anyone confirm if the above is definitely the case? @cbrpilot do you have any knowledge about this?

 

Thanks


timmmay
16521 posts

Uber Geek

Trusted
Subscriber

  #1569164 10-Jun-2016 09:36

You may be ok with one IP. Does ActiveSync address the server by domain name or by IP?


Paul1977

3425 posts

Uber Geek


  #1569188 10-Jun-2016 09:56

timmmay:

 

You may be ok with one IP. Does ActiveSync address the server by domain name or by IP?

 

 

By domain name, but I'd still need a reverse proxy for this to work wouldn't I since ports 80 and 443 need to be forwarded to different internal servers depending on the requested URL?

 

I was hoping it might be possible to avoid needing a reverse proxy by having multiple public IPs.


Dynamic
2891 posts

Uber Geek

Trusted
Lifetime subscriber

  #1569198 10-Jun-2016 10:11

You have the option of moving ISPs if for some reason this solution is simpler for you.  We use Snap.net.nz (now 2Degrees) and have multiple static public IPs on our VDSL connection.

 

Or just add a second broadband connection to the building if the expense can be justified.

 

Does the workload REALLY have to be on site?

 

Or is it time to consider moving email to Office 365 or similar which would free up Port 443?





"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

cbrpilot
744 posts

Ultimate Geek

Trusted
Spark NZ

  #1569202 10-Jun-2016 10:15

Paul1977:

 

darylblake: The other option is you could buy more IPs.

 

This seemed like a good idea, but Spark have come back and said "We can only assign one Static IP to each broadband connection I am afraid. This is a system issue, not a business rule."

 

I tend to take what Spark first level support tell me with a grain of salt, as I have been given incorrect info in the past.

 

Can anyone confirm if the above is definitely the case? @cbrpilot do you have any knowledge about this?

 

Thanks

 

 

 

 

Yes this is correct.  We only support a single IP address per Broadband connection.





My views are my own, and may not necessarily represent those of my employer.

