Reverse proxy(?) for different services

Networking and anything else
marcih
Chief of Unicorn Division
Posts: 118
Joined: Fri Feb 12, 2021 12:54 pm
Location: I have no idea what location is or does, sorry.

Reverse proxy(?) for different services

Post by marcih »

With you lot being Linux vets, I thought you might be able to help me with a conundrum I've been having. The gist of it is that I can't afford a VPS so I'm running things on an RPi 3, and I want to be able to run different services with different subdomains.

Example would be a WWW server only responding to requests on 'www.marcih.com', FTP on 'ftp.marcih.com' etc. The issue is that, on Apache 2, when the only defined site is 'www' and I try a GET request to 'ftp', I still get a 200 and the document back. And no, I'm not crazy, that's intended behaviour.

So then my next thought was to stick something that would be listening on all ports and passing requests to the appropriate server given a set of rules (e.g. only pass the request to the WWW server if destination port in the TCP header is 80/443 and host in the HTTP request is www.marcih.com). I thought that's what a reverse proxy is supposed to do but I haven't been able to figure out how to configure one for my purpose; all the articles online talk about proxying for different web apps...

Any help on this topic is appreciated.
Bones McCracker wrote: It wouldn't be so bad, if it didn't suck.
Ralphred
Creator of Opportunities
Posts: 223
Joined: Tue May 11, 2021 4:22 pm

Re: Reverse proxy(?) for different services

Post by Ralphred »

This is a timeless question that often rears its head. The main thing to be aware of is that an HTTP (re: web-address) request includes the full FQDN and PATH as part of the request, hence you can differentiate between http://git.somedomain.com/somepath.html and http://www.somedomain.com/somepath.html at the server.
But without that HTTP header, your server is in the dark, just accepting incoming connections on a specific IP at a specific port. DNS doesn't allow you to specify that ftp://ftp1.somedomain.com points to the same IP as domain ftp://ftp2.somedomain.com, but at a different port, as only the HTTP request includes the original FQDN. << This is why your proxy "instructions" are all for web based apps, because your ftp, ntp, [every other protocol AFAIK] doesn't contain the information needed to perform a suitable redirect; the FQDN is just "looked up in the directory" and resolved to an IP.

So the TL;DR reads: buy more public static IPs, do some port based redirection, or pray for the ubiquitous implementation of IPv6 (read: get more public IP addresses).

Just for the self own lols:
marcih wrote: So then my next thought was to stick something that would be listening on all ports and passing requests to the appropriate server
You mean a firewall, yeah; these things are pretty cool.
Were Dante alive today, he would agree that the tenth circle of hell is reserved for people who have non-ASCII characters in online usernames.
Spent
Creator of Opportunities
Posts: 311
Joined: Thu Dec 17, 2020 11:47 pm
Location: Balmer MD

Re: Reverse proxy(?) for different services

Post by Spent »

The best way to do it is with a router. I have HAProxy and ACME certificates running on my pfSense router. I have all my local services accessible with a subdomain.domain with Let's Encrypt SSL certificates.

I followed this guide for pfSense.



The key part of the guide is using virtual IPs. I have multiple services running on one Raspberry Pi, all running on different ports. Portainer is at 192.168.1.31:9000. I assign that IP:port to 192.168.1.93. I use the DNS resolver in pfSense to assign that IP to portainer.domain.com. Vaultwarden is at the same IP but on port 8010, which I have assigned to 192.168.1.99 at vaultwarden.domain.com.

You could install the Unbound DNS server on the Raspberry Pi to resolve IP:port combinations to domain names. Can't give you any help using it since I do everything in pfSense... almost forgot... you can probably use Pi-hole as a DNS server.
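The thread makes three points that are easiest to see side by side in code: marcih's observation that a lone Apache vhost answers any Host, Ralphred's point that only HTTP (and, for TLS, the SNI extension) carries the requested name while FTP and friends carry nothing, and Spent's virtual-IP approach where the destination address itself identifies the service. The following is an added example written for this post, not code from any poster or from HAProxy/pfSense. It models the decision a front end can make from what is actually visible on a new connection. The `HOST_RULES` backends, the hostnames under marcih.com, the hypothetical ftp.domain.com entry and all ports are assumptions; the 192.168.1.x addresses come from Spent's post.

```python
import struct
from typing import Optional, Tuple

# Name-based rules: usable only where the client sends a name (HTTP Host, TLS SNI).
# Backend addresses are assumed for this example.
HOST_RULES = {
    "www.marcih.com": ("127.0.0.1", 8080),
    "git.marcih.com": ("127.0.0.1", 3000),
}

# Virtual-IP rules, the approach in Spent's post: each service gets its own listening
# IP, so the destination address alone identifies it. This is the only option for
# FTP, SSH and other protocols that never send a hostname. Ports here are assumed.
VIP_RULES = {
    ("192.168.1.93", 443): ("192.168.1.31", 9000),   # portainer.domain.com
    ("192.168.1.99", 443): ("192.168.1.31", 8010),   # vaultwarden.domain.com
    ("192.168.1.21", 21):  ("192.168.1.31", 2121),   # hypothetical ftp.domain.com
}


def extract_sni(data: bytes) -> Optional[str]:
    """Return server_name from a TLS ClientHello; None if not TLS, absent, or malformed."""
    try:
        if len(data) < 5 or data[0] != 0x16:            # record type 0x16 = handshake
            return None
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(body) < 4 or body[0] != 0x01:            # handshake type 1 = ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        ch = body[4:4 + hs_len]
        if len(ch) < hs_len:
            return None                                 # truncated record: refuse to guess
        pos = 2 + 32                                    # client_version + random
        pos += 1 + ch[pos]                              # session_id
        pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + ch[pos]                              # compression_methods
        if pos + 2 > len(ch):
            return None                                 # no extensions block at all
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4])
            ext = ch[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0:                           # server_name: list_len(2) type(1) len(2) name
                if len(ext) < 5 or ext[2] != 0:
                    return None
                name_len = struct.unpack("!H", ext[3:5])[0]
                return ext[5:5 + name_len].decode("ascii", "replace").lower()
        return None
    except (IndexError, struct.error):
        return None                                     # malformed ClientHello


def extract_host(data: bytes) -> Optional[str]:
    """Return the Host of a complete plaintext HTTP/1.x request head, or None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None                                     # head incomplete, or not HTTP at all
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        return None
    hosts = [l.split(b":", 1)[1].strip() for l in lines[1:] if l.lower().startswith(b"host:")]
    if len(hosts) != 1:
        return None                                     # missing or duplicated Host: refuse
    host = hosts[0].decode("ascii", "replace").lower()
    if ":" in host and not host.endswith("]"):          # drop :port, keep IPv6 literals intact
        host = host.rsplit(":", 1)[0]
    return host


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello carrying only an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32                  # version, random (zeros: sample only)
            + b"\x00"                                   # empty session_id
            + b"\x00\x02\x13\x01"                       # one cipher suite
            + b"\x01\x00"                               # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def dispatch(dst_ip: str, dst_port: int, first_bytes: bytes) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Pick a backend from what is visible on the wire: (reason, backend or None)."""
    if (dst_ip, dst_port) in VIP_RULES:                  # 1. dedicated IP: address decides
        return "vip", VIP_RULES[(dst_ip, dst_port)]
    name = extract_sni(first_bytes) or extract_host(first_bytes)   # 2. shared IP: need a name
    if name is None:
        return "reject:no-name", None                    # FTP, SSH, ...: nothing to route on
    backend = HOST_RULES.get(name)
    if backend is None:
        return "reject:unknown-name", None               # a catch-all vhost would answer here
    return "name", backend


if __name__ == "__main__":
    print(dispatch("203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: www.marcih.com\r\n\r\n"))
    print(dispatch("203.0.113.10", 443, build_client_hello("git.marcih.com")))
    print(dispatch("203.0.113.10", 21, b"USER anonymous\r\n"))   # no name anywhere
    print(dispatch("192.168.1.21", 21, b""))                       # FTP client sends nothing first
```

Two details matter for a front end that sits on a public address. An unknown or missing name is rejected rather than handed to whichever backend happens to be first, which is the behaviour marcih saw from Apache's implicit default vhost; and a Host header that is duplicated or a ClientHello that is truncated is treated as "no name" instead of being parsed optimistically. The FTP case in the last line also shows why virtual IPs are needed there: an FTP client says nothing until the server's banner arrives, so even peeking at the first bytes gives the proxy nothing to route on.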
awillserver
Oxford Comma Destroyer
Posts: 57
Joined: Mon Jan 11, 2021 5:55 am

Re: Reverse proxy(?) for different services

Post by awillserver »

There are a few proprietary firewalls that filter based on HTTP referers, like Invicti. Couldn't think of or find anything off the top of my head that is FOSS though.
marcih
Chief of Unicorn Division
Posts: 118
Joined: Fri Feb 12, 2021 12:54 pm
Location: I have no idea what location is or does, sorry.

Re: Reverse proxy(?) for different services

Post by marcih »

Ralphred wrote: Tue Sep 20, 2022 8:30 pm The main thing to be aware of is that an HTTP (re: web-address) request includes the full FQDN and PATH as part of the request, hence you can differentiate between http://git.somedomain.com/somepath.html and http://www.somedomain.com/somepath.html at the server.
But without that HTTP header, your server is in the dark, just accepting incoming connections on a specific IP at a specific port. DNS doesn't allow you to specify that ftp://ftp1.somedomain.com points to the same IP as domain ftp://ftp2.somedomain.com, but at a different port, as only the HTTP request includes the original FQDN. << This is why your proxy "instructions" are all for web based apps, because your ftp, ntp, [every other protocol AFAIK] doesn't contain the information needed to perform a suitable redirect; the FQDN is just "looked up in the directory" and resolved to an IP.
Right, somehow it didn't occur to me that neither the IP nor the L4 (TCP, UDP, QUIC, AppleTalk, pigeons) header contains the destination domain name that was requested (and subsequently resolved): the former only contains the destination IP address resolved by DNS, and the latter the destination port.
Ralphred wrote: Tue Sep 20, 2022 8:30 pm Just for the self own lols:
You mean a firewall, yeah; these things are pretty cool.
Very funny. :lol: The issue with a firewall is that it, like you said, operates on L4 at most (as far as I'm aware with simple ones like iptables; maybe things have changed). Both DNS and HTTP are L7, and the firewall would have no way of knowing the destination host anyway besides HTTP requests, because other application layer protocols don't necessarily have the target hostname in their headers.
Spent wrote: Tue Sep 20, 2022 11:55 pm The best way to do it is with a router. I have HAProxy and ACME certificates running on my pfSense router. I have all my local services accessible with a subdomain.domain with Let's Encrypt SSL certificates.

I followed this guide for pfSense.

youtube/FWodNSZXcXs [so that it doesn't embed again]

The key part of the guide is using virtual IPs. I have multiple services running on one Raspberry Pi, all running on different ports. Portainer is at 192.168.1.31:9000. I assign that IP:port to 192.168.1.93. I use the DNS resolver in pfSense to assign that IP to portainer.domain.com. Vaultwarden is at the same IP but on port 8010, which I have assigned to 192.168.1.99 at vaultwarden.domain.com.

You could install the Unbound DNS server on the Raspberry Pi to resolve IP:port combinations to domain names. Can't give you any help using it since I do everything in pfSense... almost forgot... you can probably use Pi-hole as a DNS server.
This vaguely resembles what I'm looking for, thank you! I'll have a look, hopefully I can get it working the way I want. If not, I'll just bite the bullet and take Ralphred's advice:
Ralphred wrote: Tue Sep 20, 2022 8:30 pm Buy more public static IPs