I'm trying to access an internally hosted application on my QNAP at my externally hosted domain, http://mydomiain.com, instead of http://mydomiain.com:12345
I can get the reverse proxy to work when I enter a local IP address of my network, for example the IP address of my QNAP; however, I can't seem to figure out why it won't work from an external domain name. As far as I can tell, the traffic flow is there, I just don't understand why it won't connect.
Is this whole thing even possible or is this not how reverse proxies work?
Current setup:
[External] - Domain DNS:
A Record: Points to home IP address.
[Internal] - Home Router:
Port forwards port 12345 to the IP address of the local server.
[Internal] - Home Server:
Has a reverse proxy setup on the QNAP that is configured as such:
    <VirtualHost *:80>
        ServerName mydomiain.com
        ProxyRequests Off
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        <Location />
            Order allow,deny
            Allow from all
        </Location>
        ProxyPreserveHost On
        ProxyPass / http://localhost:12345/
        ProxyPassReverse / http://localhost:12345/
        ProxyStatus On
    </VirtualHost>
Ok, so it seems that my issue was on my home router. I was port forwarding the application port, where I needed to port forward port 80 to allow the web traffic.
I set up a local guacamole server for people in my work to access several VMs that we have running in the server. In order to access guacamole they have to type http://ip:port/guacamole or, after the host override I did in my pfsense DNS resolver, http://guac.loc:port/guacamole. The problem is that even that is sometimes problematic for some of them, so I want to do something like http://guac.loc so they can remember it easily. I did it for some with the hosts file but I can't different functionalities for some of them. So can anyone help on how to do that? Can I do it somehow from the web server? Or do I need to set up a DNS server?
If I understand correctly, you want to have a "simpler" URL, without the port and the "guacamole" path.
Guacamole by default runs under Tomcat on port 8080. However, you can put Apache in front of Tomcat and proxy requests to Guacamole. Apache can proxy and forward all requests to Guacamole on the given port and path.
Something like the example below should work and will also redirect all http requests to https. It is not mandatory to have SSL enabled; you can proxy http as well.
    <VirtualHost *:80>
        ServerName guac.loc
        Redirect permanent / https://guac.loc/
    </VirtualHost>
    <VirtualHost *:443>
        ServerName guac.loc
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/guac-loc.cer
        SSLCertificateKeyFile /etc/ssl/private/guac-loc.key
        SSLCACertificateFile /etc/ssl/certs/guac-loc-ca.crt
        <Location /guacamole/>
            ProxyPass http://localhost:8080/guacamole/ flushpackets=on
            ProxyPassReverse http://localhost:8080/guacamole/
            Order allow,deny
            Allow from all
        </Location>
    </VirtualHost>
I would like to block any traffic that does not come for the websites hosted on my VPC.
My Server's IP address is 1.2.3.4 which hosts 3 websites.
Following requests should be allowed:
http://example1.com or https://www.example1.com
http://example2.com/ or https://www.example2.com
http://example3.com/ or https://www.example3.com
Following requests should be blocked (including server's IP address):
http://1.2.3.4/ or https://1.2.3.4/
http://anyotherdomain.com/ or https://anyotherdomain.com/
List of allowed Host names could be read from a text file which I could update as and when required.
Is this feasible? If yes, what are the pros and cons. If not, thank you for the information.
Cheers
You can't do that in iptables as you would like to.
What you have aren't 3 real different hosts, but 3 virtual hosts: the main difference, as you already know, is that they share the same IP address.
As they share the same IP, kernel's netfilter just can't distinguish different requests from its layer: it's your web server application itself that "routes" the different requests to its proper website by looking at the "Host:" header inside the incoming HTTP packet and by determining which virtualhost should reply to it.
A good compromise (denying instead of dropping) for what you want to do would be to set up a configuration in your web server to make it catch and deny any connection that doesn't belong to your virtual hosts. Also there's no need to make a different list in this way, as your web server could dynamically determine if the requested host exists or not.
Here's an example, assuming you're running Apache, adding the catchall sentence to the top will make your server respond with a 403 message to any connection that won't be overridden by your examples.com websites:
    <VirtualHost *:80>
        ServerName catchall
        <Location />
            Order allow,deny
            Deny from all
        </Location>
    </VirtualHost>
    <VirtualHost *:80>
        ServerName example1.com
        DocumentRoot /var/www/example1
        <Directory /var/www/example1>
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>
...
VirtualHost for example2.com (allowing all as above)
VirtualHost for example3.com (allowing all as above)
That's not the same as dropping right from the kernel of course, but it stops any further interaction with your server as well.
I have a problem with setting up an apache reverse proxy server and hope you can help.
I have 3 ubuntu web servers, available on https://service1.domain.com, https://service2.domain.com:4433 and so on...
Now, I will access these servers without typing the port in the address bar.
So my idea is to use a reverse proxy server, that I can type in service2.domain.com and it redirects to service2 (https).
I installed an ubuntu server with apache and enabled the modules:
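An added example, not part of the answer above: the same catch-all written in Apache 2.4 syntax (`Require all denied` replaces the 2.2 `Order`/`Deny` pair) and extended to port 443, which the question also asked about. The `catchall.invalid` name and the certificate paths are placeholders, and it assumes this file is loaded before the site files, because Apache uses the first virtual host defined for an address:port as the default for unmatched Host headers.

```apache
# Default virtual host for plain HTTP. Requests for http://1.2.3.4/ or
# for any domain without a matching ServerName/ServerAlias land here.
<VirtualHost *:80>
    ServerName catchall.invalid
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# Default virtual host for HTTPS. Without it, an unmatched Host on
# port 443 would be served by whichever site was defined first.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    # Placeholder paths. A self-signed certificate is enough here,
    # since no legitimate client is expected to reach this host.
    SSLCertificateFile    /etc/ssl/certs/catchall-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/catchall-selfsigned.key
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# One of the real sites, repeated for example2.com and example3.com.
<VirtualHost *:80>
    ServerName example1.com
    ServerAlias www.example1.com
    DocumentRoot /var/www/example1
    <Directory /var/www/example1>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```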
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
Then I set up the 000-default.conf on the proxy with the following content:
    <VirtualHost service1.domain.com:80>
        ProxyPreserveHost On
        ProxyPass / https://service1.domain.com/
        ProxyPassReverse / https://service1.domain.com/
    </VirtualHost>
    <VirtualHost service2.domain.com:80>
        ProxyPreserveHost On
        ProxyPass / https://service2.domain.com/
        ProxyPassReverse / https://service2.domain.com/
    </VirtualHost>
The ports 80 and 443 on the router are forwarded to the proxy server.
On the service(1-3) servers, SSL is enabled with certificates from Let's Encrypt.
Now, if I try to open site service1.domain.com, I get an error (cert_name).
The sites now should not be accessible directly, because there is no port forwarding anymore.
My question is now, what is the right config for reverse proxies? Do I need to enable a certificate for each service also on the proxy server?
Thank you for your help!
Not exactly sure what your end goal is. The certificate is for the client facing server. If you want people to hit the site without having to set the port, you can use the Redirect statement in the virtual host config.
    <VirtualHost *:80>
        ServerName example.com
        ServerAlias www.example.com
        Redirect permanent / https://www.example.com/
    </VirtualHost>
Which would forward any non ssl traffic to use the ssl virtual host.
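An added example, not part of the question or answer above: a TLS-terminating reverse proxy for service2, where the proxy holds the client-facing certificate and verifies the backend's certificate. It assumes `mod_ssl` is enabled on the proxy (`a2enmod ssl`), that the proxy resolves service2.domain.com to the backend's internal address (for example through /etc/hosts), and that the certificate paths follow the usual certbot and Ubuntu layouts; adjust them to the real files.

```apache
# Port 80 only redirects; nothing is proxied over plain HTTP.
<VirtualHost *:80>
    ServerName service2.domain.com
    Redirect permanent / https://service2.domain.com/
</VirtualHost>

# The browser's TLS session ends on the proxy, so the proxy needs its
# own certificate that is valid for service2.domain.com.
<VirtualHost *:443>
    ServerName service2.domain.com
    SSLEngine on
    # Assumed certbot layout on the proxy host
    SSLCertificateFile    /etc/letsencrypt/live/service2.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/service2.domain.com/privkey.pem

    # Needed for https:// backends: mod_ssl acts as the TLS client.
    SSLProxyEngine on
    # Verify the backend certificate instead of accepting any peer.
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    # Assumed Ubuntu system CA bundle
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / https://service2.domain.com:4433/
    ProxyPassReverse / https://service2.domain.com:4433/
</VirtualHost>
```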
I am running one node application on port 7777 on an ec2 Instance.
I can access that application with ec2 instance's IP address like this -
52.77.122.38:7777 (Not the real IP address)
Now I created one A entry in route53 for abc.mydomain.com and put IP address of my ec2 instance there,
Now loading abc.mydomain.com gives me apache server homepage.
To open this node app on this subdomain,
I removed all the virtualhost entries in apache2.conf file and added this -
    <VirtualHost *:80>
        ServerName abc.mydomain.com
        ServerAlias www.abc.mydomain.com
        # Off: reverse proxy only. "On" would also enable forward proxying
        # for every client allowed by the <Proxy *> block below.
        ProxyRequests Off
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        <Location />
            ProxyPass http://localhost:7777/
            ProxyPassReverse http://localhost:7777/
        </Location>
    </VirtualHost>
but loading abc.mydomain.com gives me 'this site can't be reached'. While I can still access my app at <ec2's Ip address>:7777
How do I get it running on abc.mydomain.com?
My question is probably trivial and a duplicate, but either I cannot formulate it or it's not been answered on SO yet.
I have two webservers on a Digital Ocean droplet. One is listening on port 80 and can be accessed via example.com (DNS are on route 53), and the other is on port 8080: how can I make it accessible from example-2.com?
I suppose the software I'm looking for would intercept the HTTP requests, check the referrer, and route those coming from example.com to port 80 and those coming from example-2.com to port 8080. What is it?
This can not be done using only DNS. By default web browsers attempt to connect to port 80 when the url starts with "http" without specifying a port. The user would have to know to connect to port 8080 and explicitly access the URL as
http://example-2.com:8080
I am assuming you are running both web server instances on the same OS environment/IP address, though this would also work for separate hosting environments. What you probably want is a reverse web proxy which can inspect the requested domain name and route to an appropriate server instance. You would run the reverse web proxy on port 80, and probably move the server you are currently running on port 80 to another port (say, 8081).
Apache with mod_proxy and the virtual hosting settings is a possible solution. Assuming example.com and example-2.com point to the Apache instance, configure it something like this:
    <VirtualHost *:80>
        ServerName example.com
        ServerAdmin webmaster@example.com
        ProxyRequests off
        ProxyPreserveHost on
        ProxyPass / http://localhost:8081/
        ProxyPassReverse / http://localhost:8081/
        <Proxy *>
            Order allow,deny
            Allow from all
        </Proxy>
    </VirtualHost>
    <VirtualHost *:80>
        ServerName example-2.com
        ServerAdmin webmaster@example-2.com
        ProxyRequests off
        ProxyPreserveHost on
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        <Proxy *>
            Order allow,deny
            Allow from all
        </Proxy>
    </VirtualHost>