You need a reverse proxy (RP) to get the incoming traffic and redistribute it to the right server according to the domain name.
You can run the RP inside your green network; then you need to set up a port forward on the firewall to deliver the traffic from IPFire to the RP machine, and from there, according to the rules of the RP, to the final destination. Or you install an RP directly on IPFire, but then you need to allow access to the firewall from the red interface.
On IPFire, you can use either nginx or HAProxy as RPs.
In summary, traffic arrives from the WAN at IPFire based on the DNS entry, and IPFire either does a DNAT (at the router layer) and forwards the packets to a green-zone RP server, which then routes them to their final destination, or forwards them directly to the final destination at the application layer using an RP configured for this task (nginx or HAProxy).
At least, this is how I understand the issue. I have yet to set up a project to experiment with the steps involved. This is my low-resolution map of the tasks involved at this point in time.
EDIT: I am still thinking about which solution would be best. On the one hand, an RP on IPFire means no port forward and only one hop to the destination, which is a simpler system. On the other hand, I am terrified to allow access to the firewall from the red interface, therefore I think I will try to have a DNAT to an internal RP server.
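As an added illustration (not part of the post above, and not IPFire's or HAProxy's own documentation), this is what the green-zone RP in the DNAT variant needs in order to dispatch by domain name once IPFire forwards TCP 80 and 443 to it. The hostnames wiki.example.org and cloud.example.org, the backend addresses 192.168.1.21 and 192.168.1.22, and the proxy host itself are placeholders. Plain HTTP is routed on the Host header; HTTPS is routed on the TLS SNI without terminating TLS, so the proxy holds no private keys and each backend keeps its own certificate. Requests that name no known virtual host are refused rather than handed to a default backend.

```haproxy
# Added example (not from the thread): /etc/haproxy/haproxy.cfg on a green-zone
# reverse-proxy host that receives TCP 80 and 443 via an IPFire port forward.
# Hostnames and backend addresses are placeholders for illustration.
global
    log /dev/log local0
    maxconn 2000
    user  haproxy
    group haproxy

defaults
    log     global
    option  dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: dispatch on the Host header.
frontend http_in
    bind *:80
    mode http
    option forwardfor                      # add X-Forwarded-For with the real client IP
    acl host_wiki  req.hdr(host) -i wiki.example.org
    acl host_cloud req.hdr(host) -i cloud.example.org
    # Requests that do not name a known vhost (bare-IP scans from the red side,
    # for instance) get a 403 instead of falling through to a default backend.
    http-request deny deny_status 403 unless host_wiki or host_cloud
    use_backend wiki_http  if host_wiki
    use_backend cloud_http if host_cloud

# HTTPS: dispatch on the SNI in the ClientHello without terminating TLS.
frontend https_in
    bind *:443
    mode tcp
    acl sni_wiki  req.ssl_sni -i wiki.example.org
    acl sni_cloud req.ssl_sni -i cloud.example.org
    tcp-request inspect-delay 5s           # wait up to 5s for the ClientHello
    tcp-request content accept if sni_wiki or sni_cloud
    tcp-request content reject             # unknown SNI or no ClientHello: drop
    use_backend wiki_tls  if sni_wiki
    use_backend cloud_tls if sni_cloud

backend wiki_http
    mode http
    server wiki 192.168.1.21:80 check

backend cloud_http
    mode http
    server cloud 192.168.1.22:80 check

backend wiki_tls
    mode tcp
    server wiki 192.168.1.21:443 check

backend cloud_tls
    mode tcp
    server cloud 192.168.1.22:443 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. On the IPFire side the only thing needed is a port-forward (DNAT) rule for TCP 80 and 443 arriving on red to the proxy host; the firewall itself exposes nothing. Two caveats of the passthrough design: the backends see the proxy's address as the client unless they speak the PROXY protocol (add `send-proxy` to the `server` line only if the backend is configured to accept it), and the proxy cannot inspect or rewrite HTTPS requests. If you need that, terminate TLS on the proxy (`bind *:443 ssl crt /path/to/certs/`) and route on the Host header as the http frontend does, at the cost of the proxy holding the private keys.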
I don't want to spin up extra hardware to provide an RP, so installing it on IPFire is an option for me…
I DO think that firewall rules should be implemented with great care, so this is something to keep in mind.
I'm not a Linux guy, so this is something I need to outsource.
I'm just hoping that there is a ‘clickable’ interface to configure HAProxy.