Geekzone: technology news, blogs, forums


2317 posts

Uber Geek
+1 received by user: 655


Topic # 196534 3-Jun-2016 12:18

We will soon be deploying an on-premises web server, but ports 80 and 443 are already forwarded to Exchange for ActiveSync.

Obviously I will have a separate external A record for each server, but since they will both be resolving back to a single public IP I'm not sure how to redirect the traffic internally based on the requested URL.

How do you clever people deal with this kind of thing?







908 posts

Ultimate Geek
+1 received by user: 595

Trusted

  Reply # 1564978 3-Jun-2016 12:21
3 people support this post

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

I use nginx at home to do this (4 separate VMs, each having multiple services using port 80/443).




2317 posts

Uber Geek
+1 received by user: 655


  Reply # 1565008 3-Jun-2016 12:48

Andib:

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

I use nginx at home to do this (4 separate VMs, each having multiple services using port 80/443).

I was reading about reverse proxies. Our firewall vendor tells us that it can't be configured as a reverse proxy (although various Googles seem to contradict that).

So is a reverse proxy the only way of achieving this?


259 posts

Ultimate Geek
+1 received by user: 13


  Reply # 1565015 3-Jun-2016 12:59

Citrix NetScaler Unified Gateway, single IP in front of multiple different backend systems.


966 posts

Ultimate Geek
+1 received by user: 200

Subscriber

  Reply # 1565017 3-Jun-2016 13:02

Microsoft Web Application Proxy (Role on Server 2012 R2)


12 posts

Geek
+1 received by user: 4


  Reply # 1565019 3-Jun-2016 13:04

Paul1977:

Andib:

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

I use nginx at home to do this (4 separate VMs, each having multiple services using port 80/443).

I was reading about reverse proxies. Our firewall vendor tells us that it can't be configured as a reverse proxy (although various Googles seem to contradict that).

So is a reverse proxy the only way of achieving this?

The reverse proxy uses `Host` to separate different services.

http://nginx.org/en/docs/http/server_names.html

http://nginx.org/en/docs/http/request_processing.html

All these processes can be deployed on the same hardware, so there is no need to worry about the firewall.

                                  |------------------Your home side -------|
                                  |                           => Web service 1
Internet ==> Firewall ==> Reverse proxy => Web service 2
                                  |                           => Web service 3
                                  |------------------------------------------|


911 posts

Ultimate Geek
+1 received by user: 276

Trusted

  Reply # 1565023 3-Jun-2016 13:09
One person supports this post

There are 2 reasons why you would want to do this.

1) One server is not enough, or

2) You want to utilize a web server you already have by running more hosts on it.

If it's #1, you should look at making the IP address work as a load balancer and proxy the traffic off to other hosts.

If it's #2, use virtual hosts, where the incoming request determines which vhost the request would be routed to.

Or you could use a mixture of both.

Personally I would use NGINX to achieve this. The product is perfect for serving static content, and can pass through so much stuff to servers behind the public address.

You can hand off Node.js via PM2 or PHP via PHP-FPM processing to other machines.

The other option is you could buy more IPs.

I can help you with an Apache or NGINX config if you want... I really need to know a bit more about what you are trying to do.








2317 posts

Uber Geek
+1 received by user: 655


  Reply # 1565028 3-Jun-2016 13:14

jnimmo:

Microsoft Web Application Proxy (Role on Server 2012 R2)

The idea is to have a separate webserver in a DMZ for client access, and our Exchange on the main LAN.

If we deployed the webserver on a 2012 R2 server, could that function as both the proxy and a webserver? E.g.:

Firewall points inbound web traffic to the 2012 R2 server; if the request is for mail.company.com it forwards the traffic to the Exchange server, and if the request is for portal.company.com it forwards it on to itself?




2317 posts

Uber Geek
+1 received by user: 655


  Reply # 1565035 3-Jun-2016 13:22

darylblake:

There are 2 reasons why you would want to do this.

1) One server is not enough, or

2) You want to utilize a web server you already have by running more hosts on it.

If it's #1, you should look at making the IP address work as a load balancer and proxy the traffic off to other hosts.

If it's #2, use virtual hosts, where the incoming request determines which vhost the request would be routed to.

Or you could use a mixture of both.

Personally I would use NGINX to achieve this. The product is perfect for serving static content, and can pass through so much stuff to servers behind the public address.

You can hand off Node.js via PM2 or PHP via PHP-FPM processing to other machines.

The other option is you could buy more IPs.

I can help you with an Apache or NGINX config if you want... I really need to know a bit more about what you are trying to do.

Thanks Daryl,

Basically I just want to have a separate webserver in a DMZ for a customer portal, while keeping Exchange in our main subnet, but both behind the same public IP.

The new webserver will be deployed on a new Windows server.


14109 posts

Uber Geek
+1 received by user: 2527

Trusted
Subscriber

  Reply # 1565042 3-Jun-2016 13:36

You can't offer two services on the same public IP / port combination. So you need to change your current setup or add a new domain. I suggest you create a subdomain (i.e. a new A record, e.g. customerportal.example.com) and run nginx as a proxy server to these web servers. Nginx is pretty easy.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


895 posts

Ultimate Geek
+1 received by user: 285


  Reply # 1565044 3-Jun-2016 13:39

I use haproxy for this.

If you want https servers behind the proxy, haproxy has a neat feature where it can sniff the hostname from an SNI handshake and direct traffic to the correct internal server accordingly. It can also, if you run it on the router/gateway the webservers are using, fake the source IP of the TCP connections it makes to your webserver, so that they appear to come from the original source IP, not the IP of the haproxy box.
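Added illustration, not code from this thread or from nginx/haproxy: the two signals a reverse proxy keys on to split one public IP between Exchange and the portal are the HTTP `Host` header for plaintext (what the nginx server_name docs linked above match) and the SNI server_name inside the TLS ClientHello (what the haproxy feature above reads). Hostnames and addresses below are constructed placeholders; both names are client-supplied and unencrypted, so an unknown name is refused rather than sent to a default backend.

```python
import struct
BACKENDS = {  # constructed placeholders, not the poster's real hostnames or addresses
    "mail.example.com": ("10.0.1.10", 443),    # Exchange on the LAN (ActiveSync/OWA)
    "portal.example.com": ("10.0.2.20", 443),  # new customer-portal web server in the DMZ
}

def http_host(data: bytes):
    """Host header of a plaintext HTTP request (what nginx's server_name matches), else None."""
    head = data.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "replace").lower()
    return None

def tls_sni(data: bytes):
    """server_name from a TLS ClientHello (what haproxy's SNI sniffing reads), else None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:             # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                                # record/handshake hdrs, version, random
        pos += 1 + data[pos]                                # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher suites
        pos += 1 + data[pos]                                # compression methods
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            if etype == 0:  # SNI: list len(2), name type(1), name len(2), name
                nlen = struct.unpack("!H", data[pos + 7:pos + 9])[0]
                return data[pos + 9:pos + 9 + nlen].decode("ascii").lower()
            pos += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                # truncated or malformed hello
    return None

def choose_backend(first_bytes: bytes):
    """Route on the client's first bytes; unknown or missing name -> None (refuse, never default)."""
    name = tls_sni(first_bytes) if first_bytes[:1] == b"\x16" else http_host(first_bytes)
    return BACKENDS.get(name)

def make_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with a single SNI extension (test input)."""
    host = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A real proxy would then open a connection to the chosen backend and relay bytes; with SNI routing the TLS session is not terminated at the proxy, so the Exchange and portal certificates stay on their own servers.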




2317 posts

Uber Geek
+1 received by user: 655


  Reply # 1569162 10-Jun-2016 09:34

darylblake: The other option is you could buy more IPs.

This seemed like a good idea, but Spark have come back and said "We can only assign one Static IP to each broadband connection I am afraid. This is a system issue, not a business rule."

I tend to take what Spark first level support tell me with a grain of salt, as I have been given incorrect info in the past.

Can anyone confirm if the above is definitely the case? @cbrpilot do you have any knowledge about this?

Thanks


14109 posts

Uber Geek
+1 received by user: 2527

Trusted
Subscriber

  Reply # 1569164 10-Jun-2016 09:36

You may be ok with one IP. Does ActiveSync address the server by domain name or by IP?









2317 posts

Uber Geek
+1 received by user: 655


  Reply # 1569188 10-Jun-2016 09:56

timmmay:

You may be ok with one IP. Does ActiveSync address the server by domain name or by IP?

By domain name, but I'd still need a reverse proxy for this to work, wouldn't I, since ports 80 and 443 need to be forwarded to different internal servers depending on the requested URL?

I was hoping it might be possible to avoid needing a reverse proxy by having multiple public IPs.


2437 posts

Uber Geek
+1 received by user: 717

Trusted
Lifetime subscriber

  Reply # 1569198 10-Jun-2016 10:11

You have the option of moving ISPs if for some reason this solution is simpler for you. We use Snap.net.nz (now 2Degrees) and have multiple static public IPs on our VDSL connection.

Or just add a second broadband connection to the building if the expense can be justified.

Does the workload REALLY have to be on site?

Or is it time to consider moving email to Office 365 or similar, which would free up port 443?





"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

676 posts

Ultimate Geek
+1 received by user: 222

Trusted
Spark NZ

  Reply # 1569202 10-Jun-2016 10:15

Paul1977:

darylblake: The other option is you could buy more IPs.

This seemed like a good idea, but Spark have come back and said "We can only assign one Static IP to each broadband connection I am afraid. This is a system issue, not a business rule."

I tend to take what Spark first level support tell me with a grain of salt, as I have been given incorrect info in the past.

Can anyone confirm if the above is definitely the case? @cbrpilot do you have any knowledge about this?

Thanks

Yes, this is correct. We only support a single IP address per broadband connection.





My views are my own, and may not necessarily represent those of my employer.
