How to build a "track switch" for many web frontends?

Here is the environment:
FQDN: firma.de
ipfire/green: 192.168.1.1
Web server: web.firma.de at 192.168.1.12 with an A record pointing to web.firma.de
Mail server: mail.firma.de at 10.2.2.99 (orange) with an A record pointing to sogo.firma.de

At the moment we do this with firewall rules :)
port 7443 from red >> 192.168.1.12:443
port 443 from red >> 10.2.2.99 (sogo)

But in future there will be 2 new web frontends, and the users of firma.de are unhappy with long link addresses … and IP numbers.
It’s a source of many mistakes and trouble!
Is there another way to make a “track switch”? HAProxy and new A records?

Hi,

if I got your requirement correctly, you are dealing with HTTP(S) traffic.

In this case, HAProxy should fit the bill (it is available as an add-on in IPFire), but I think it might be a bit of an overkill. Any modern web server capable of TLS SNI, virtual sites and proxying requests to a backend server should suffice.

IPFire already comes with Apache for its web interface. In theory, you could manually extend its configuration to reflect the situation described, but at the moment, I am not sure whether using a dedicated add-on would be a better idea in terms of security.

Thanks, and best regards,
Peter Müller

Hello again,
sorry, but we already have the same problem … but now there is one more web server listening on ports 443 + 80

I tried to solve with HAProxy, but I’m too old for that …

                                          / orange > email.firma.de:443 (+80 Let’s Encrypt)
                                         /
internet 111.222.333.444 --> red > IPFire --- green > | ----> web2.firma.de:443
                                         |             | ----> web3.firma.de:443,80
                                         |
                                         \ blue (WLAN)

It is not very practicable to use many port forward rules like “from red port 7443 > green 192.168.1.2 port 443”.
I thought it was possible with HAProxy, but the documentation is longer than the Old Testament and the examples are not very easy to understand …
Or is there another way to solve this?
The goal is to achieve 3 web servers behind the firewall. There is one static public IP for all 3 servers.

Browser input      >> ipfire >> destination
https://a.firma.de >>>>>>>>>>>> 192.168.1.100
https://b.firma.de >>>>>>>>>>>> 192.168.1.101
https://c.firma.de >>>>>>>>>>>> 192.168.1.102:80

Is there any idea?

Not an expert. Would try a reverse proxy with Nginx; there is lots of documentation on the web.

I have tried both HAProxy and Nginx, but with no success.
But now there are 6 web server applications … it’s the new trend …
The documentation for both is very big … I need a practicable example.

It’s definitely possible with nginx, I’m running a reverse proxy exactly like this. I set up an independent nginx VM for security reasons, but that doesn’t really matter here.

This is a good starting point: NGINX Reverse Proxy | NGINX Plus

Generally speaking, you need to set up a server block for each subdomain. Each “server” then proxies the request to the respective backend server.
IPFire only forwards ports 80 and 443 to the SSL proxy; there is no direct access to the backend servers from the outside world.
Finally, I used include files to add common configuration directives (i.e. SSL, security headers, HTTPS redirect) to all the server blocks.
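To make the layout just described concrete, here is an added example (not the poster's own configuration) of one server block per subdomain plus a shared include file, using the hostnames and backend addresses from the thread; the include-file name, certificate paths and the ACME webroot are assumptions.

```nginx
# Added example (not from the thread). Hostnames/IPs are from the thread;
# include-file names and certificate paths are assumptions.
# ---- /etc/nginx/snippets/common.conf : included by every HTTPS server block ----
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate     /etc/nginx/ssl/firma.de-fullchain.pem;  # assumed; must cover a/b/c.firma.de
ssl_certificate_key /etc/nginx/ssl/firma.de-privkey.pem;    # assumed
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options SAMEORIGIN always;
proxy_set_header Host              $host;   # backend sees the original hostname
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# ---- /etc/nginx/conf.d/proxy.conf ----
# Catch-all: requests for unknown hostnames get the connection closed (444)
# instead of being routed to whichever server block nginx picks first.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    server_name _;
    include snippets/common.conf;
    return 444;
}
# Plain HTTP only redirects to HTTPS; keep the ACME path open if certs are renewed here.
server {
    listen 80;
    server_name a.firma.de b.firma.de c.firma.de;
    location /.well-known/acme-challenge/ { root /var/www/acme; }  # assumed webroot
    location / { return 301 https://$host$request_uri; }
}
# One server block per subdomain; TLS SNI / Host header selects the block.
server {
    listen 443 ssl;
    server_name a.firma.de;
    include snippets/common.conf;
    location / { proxy_pass https://192.168.1.100; }
}
server {
    listen 443 ssl;
    server_name b.firma.de;
    include snippets/common.conf;
    location / { proxy_pass https://192.168.1.101; }
}
server {
    listen 443 ssl;
    server_name c.firma.de;
    include snippets/common.conf;
    location / { proxy_pass http://192.168.1.102:80; }  # this backend speaks plain HTTP
}
```

Check the result with `nginx -t` before reloading; the catch-all block matters because without it nginx serves the first server block it finds to any hostname pointed at the public IP.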