Geekzone: technology news, blogs, forums


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


#196534 3-Jun-2016 12:18

We will soon be deploying an on-premises web server, but ports 80 and 443 are already forwarded to Exchange for ActiveSync.

Obviously I will have a separate external A record for each server, but since they will both be resolving back to a single public IP I'm not sure how to redirect the traffic internally based on the requested URL.

How do you clever people deal with this kind of thing?





Andib
1395 posts

Uber Geek
+1 received by user: 974

ID Verified
Trusted

  #1564978 3-Jun-2016 12:21

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

I use nginx at home to do this (4 separate VMs each having multiple services using port 80 / 443).





<# 
       .DISCLAIMER
       Anything I post is my own and not the views of my past/present/future employer.
#>




Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #1565008 3-Jun-2016 12:48

Andib:

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

I use nginx at home to do this (4 separate VMs each having multiple services using port 80 / 443).

I was reading about reverse proxies. Our firewall vendor tells us that it can't be configured as a reverse proxy (although various Googles seem to contradict that).

So is a reverse proxy the only way of achieving this?


CB_24
371 posts

Ultimate Geek
+1 received by user: 33


  #1565015 3-Jun-2016 12:59

Citrix NetScaler Unified Gateway, single IP in front of multiple different backend systems.




jnimmo
1098 posts

Uber Geek
+1 received by user: 255


  #1565017 3-Jun-2016 13:02

Microsoft Web Application Proxy (Role on Server 2012 R2)


mikespook
12 posts

Geek
+1 received by user: 4


  #1565019 3-Jun-2016 13:04

Paul1977:

Andib:

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

I use nginx at home to do this (4 separate VMs each having multiple services using port 80 / 443).

I was reading about reverse proxies. Our firewall vendor tells us that it can't be configured as a reverse proxy (although various Googles seem to contradict that).

So is a reverse proxy the only way of achieving this?

The reverse proxy uses `Host` to separate different services.

http://nginx.org/en/docs/http/server_names.html

http://nginx.org/en/docs/http/request_processing.html

All these processes can be deployed on the same hardware, so there is no need to worry about the firewall.

                                  |------------------ Your home side -------|
                                  |                            => Web service 1
Internet ==> Firewall ==> Reverse proxy => Web service 2
                                  |                            => Web service 3
                                  |------------------------------------------|


darylblake
1172 posts

Uber Geek
+1 received by user: 410

Trusted

  #1565023 3-Jun-2016 13:09

There are 2 reasons why you would want to do this.

1) One server is not enough, or

2) You want to utilize a web server you already have, by running more hosts on it.

If it's #1, you should look at making the IP address work as a load balancer and serve/proxy the traffic off other hosts.

If it's #2, use virtual hosts, where the incoming request determines which vhost the request would be routed to.

Or you could use a mixture of both.

Personally I would use NGINX to achieve this. The product is perfect for serving static content, and can pass through so much stuff to servers behind the public address.

You can hand off Node.js via PM2 or PHP via PHP-FPM processing to other machines.

The other option is you could buy more IPs.

I can help you with an Apache or NGINX config if you want... I really need to know a bit more about what you are trying to do.


 
 
 

Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #1565028 3-Jun-2016 13:14

jnimmo:

Microsoft Web Application Proxy (Role on Server 2012 R2)

The idea is to have a separate webserver in a DMZ for client access, and our Exchange on the main LAN.

If we deployed the webserver on a 2012 R2 could that function as both the proxy and a webserver? E.g.:

Firewall points inbound web traffic to the 2012 R2 server; if the request is for mail.company.com it forwards the traffic to the Exchange server, and if the request is for portal.company.com it forwards it on to itself?
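Here is what mikespook's Host-based split and Paul1977's mail.company.com / portal.company.com scenario look like as an nginx configuration. This is an added example, not config posted by anyone in the thread; the certificate paths and the internal addresses 10.0.1.10 (Exchange) and 10.0.2.20:8080 (the DMZ web server) are assumptions, and if nginx shares the Windows box with the portal the second proxy_pass just points at the local IIS port.

```nginx
# Catch-all for anything that is not one of our names: refuse the TLS handshake
# (nginx 1.19.4+) and drop plain-HTTP connections, so scans of the bare IP never reach Exchange.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_reject_handshake on;
    return 444;
}
# Exchange (ActiveSync, OWA, Autodiscover) on the main LAN, re-encrypted to the backend
server {
    listen 443 ssl;
    server_name mail.company.com;
    ssl_certificate     /etc/nginx/certs/mail.company.com.pem;     # assumed path
    ssl_certificate_key /etc/nginx/certs/mail.company.com.key;
    client_max_body_size 50m;           # attachments synced by ActiveSync
    proxy_read_timeout   1800s;         # ActiveSync Ping long-polls hold the connection open
    proxy_http_version   1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    location / {
        proxy_pass https://10.0.1.10;   # assumed Exchange address
        proxy_ssl_server_name on;       # present SNI to Exchange
        proxy_ssl_name mail.company.com;
        proxy_ssl_verify on;            # do not re-encrypt blindly: check Exchange's certificate
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.pem;   # assumed CA file
    }
}
# Customer portal in the DMZ
server {
    listen 443 ssl;
    server_name portal.company.com;
    ssl_certificate     /etc/nginx/certs/portal.company.com.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/portal.company.com.key;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    location / {
        proxy_pass http://10.0.2.20:8080;   # assumed DMZ web server
    }
}
# Port 80 for the two real names only redirects to HTTPS
server {
    listen 80;
    server_name mail.company.com portal.company.com;
    return 301 https://$host$request_uri;
}
```

Outlook Anywhere (NTLM) is known not to work through open-source nginx, which lacks the connection affinity the nginx Plus `ntlm` upstream directive provides, while ActiveSync with Basic authentication over TLS is fine. Every request for either name now passes this box, so its access log is the one place to watch for probing of both services.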


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #1565035 3-Jun-2016 13:22

darylblake:

There are 2 reasons why you would want to do this.

1) One server is not enough, or

2) You want to utilize a web server you already have, by running more hosts on it.

If it's #1, you should look at making the IP address work as a load balancer and serve/proxy the traffic off other hosts.

If it's #2, use virtual hosts, where the incoming request determines which vhost the request would be routed to.

Or you could use a mixture of both.

Personally I would use NGINX to achieve this. The product is perfect for serving static content, and can pass through so much stuff to servers behind the public address.

You can hand off Node.js via PM2 or PHP via PHP-FPM processing to other machines.

The other option is you could buy more IPs.

I can help you with an Apache or NGINX config if you want... I really need to know a bit more about what you are trying to do.

Thanks Daryl,

Basically I just want to have a separate webserver in a DMZ for a customer portal, while keeping Exchange in our main subnet, but both behind the same public IP.

The new webserver will be deployed on a new Windows server.


timmmay
20857 posts

Uber Geek
+1 received by user: 5349

Trusted
Lifetime subscriber

  #1565042 3-Jun-2016 13:36

You can't offer two services on the same public IP / port combination. So you need to change your current setup or add a new domain. Suggest you create a subdomain (ie a new A record) (eg customerportal.example.com) and run nginx as a proxy server to these web servers. Nginx is pretty easy.


deadlyllama
1283 posts

Uber Geek
+1 received by user: 476

Trusted

  #1565044 3-Jun-2016 13:39

I use haproxy for this.

If you want https servers behind the proxy, haproxy has a neat feature where it can sniff the hostname from an SNI handshake and direct traffic to the correct internal server accordingly. It can also, if you run it on the router/gateway the webservers are using, fake the source IP of the TCP connections it makes to your webserver, so that they appear to come from the original source IP, not the IP of the haproxy box.
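The SNI-based routing deadlyllama describes for haproxy can be done in nginx as well, through the stream module's ssl_preread; this is an added example, not haproxy's configuration or anything posted in the thread, and the backend addresses are assumptions.

```nginx
# TLS is NOT terminated here: the proxy reads the server name from the ClientHello and
# forwards the raw TCP stream, so each backend keeps its own certificate and private key.
stream {
    # Route on the SNI name; unknown or absent names go to a sink port where nothing listens,
    # so the connection simply fails instead of landing on Exchange by default.
    map $ssl_preread_server_name $backend {
        mail.company.com    10.0.1.10:443;     # assumed Exchange address
        portal.company.com  10.0.2.20:443;     # assumed DMZ web server
        default             127.0.0.1:9;       # sink
    }
    # Per-connection record of client -> requested name -> chosen backend
    log_format sni '$remote_addr -> $ssl_preread_server_name -> $backend';
    access_log /var/log/nginx/sni.log sni;
    server {
        listen 443;
        ssl_preread on;                        # parse the ClientHello without decrypting
        proxy_pass $backend;
        proxy_connect_timeout 5s;
        # Optional, the equivalent of haproxy's transparent mode: connect to the backend from
        # the client's own address. Needs CAP_NET_RAW (or root) and the backends' default route
        # pointing back through this box, otherwise the replies bypass the proxy.
        # proxy_bind $remote_addr transparent;
    }
}
```

Because the bytes are passed through untouched, the proxy cannot add X-Forwarded-For, so without the transparent binding every backend logs the proxy's IP; sni.log is then the only record that ties a client address to a backend.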


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #1569162 10-Jun-2016 09:34

darylblake: The other option is you could buy more IPs.

This seemed like a good idea, but Spark have come back and said "We can only assign one Static IP to each broadband connection I am afraid. This is a system issue, not a business rule."

I tend to take what Spark first level support tell me with a grain of salt, as I have been given incorrect info in the past.

Can anyone confirm if the above is definitely the case? @cbrpilot do you have any knowledge about this?

Thanks


 
 
 

timmmay
20857 posts

Uber Geek
+1 received by user: 5349

Trusted
Lifetime subscriber

  #1569164 10-Jun-2016 09:36

You may be ok with one IP. Does ActiveSync address the server by domain name or by IP?


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #1569188 10-Jun-2016 09:56

timmmay:

You may be ok with one IP. Does ActiveSync address the server by domain name or by IP?

By domain name, but I'd still need a reverse proxy for this to work, wouldn't I, since ports 80 and 443 need to be forwarded to different internal servers depending on the requested URL?

I was hoping it might be possible to avoid needing a reverse proxy by having multiple public IPs.


Dynamic
4015 posts

Uber Geek
+1 received by user: 1850

ID Verified
Trusted
Lifetime subscriber

  #1569198 10-Jun-2016 10:11

You have the option of moving ISPs if for some reason this solution is simpler for you. We use Snap.net.nz (now 2Degrees) and have multiple static public IPs on our VDSL connection.

Or just add a second broadband connection to the building if the expense can be justified.

Does the workload REALLY have to be on site?

Or is it time to consider moving email to Office 365 or similar, which would free up port 443?





“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams


cbrpilot
964 posts

Ultimate Geek
+1 received by user: 555

Trusted
Spark NZ

  #1569202 10-Jun-2016 10:15

Paul1977:

darylblake: The other option is you could buy more IPs.

This seemed like a good idea, but Spark have come back and said "We can only assign one Static IP to each broadband connection I am afraid. This is a system issue, not a business rule."

I tend to take what Spark first level support tell me with a grain of salt, as I have been given incorrect info in the past.

Can anyone confirm if the above is definitely the case? @cbrpilot do you have any knowledge about this?

Thanks

Yes this is correct. We only support a single IP address per Broadband connection.





My views are my own, and may not necessarily represent those of my employer.

