docker + nginx = https full proxy on RouterOS? finally possible?

Since IPv4 prices have risen a lot lately, I have started looking for a way to forward traffic according to the destination hostname in the header, to be able to host multiple web servers behind one MikroTik.
Unfortunately TLS host filter does not work on NAT!

I know that nginx server is capable of doing that… so…

What if we used an nginx Docker container on RouterOS to forward traffic to the correct IP?

Can anyone think of a reason why this would not work or a good reason why it would work?

I haven’t tried it yet but it could be a good topic to discuss beforehand.

PS. I know IPv6 exists but… that is a different discussion :)

The reason why it doesn’t is that NAT firewall rules only handle the initial packet of each connection; the rest of the packets of that connection inherit the same NAT treatment by means of connection tracking. In the case of HTTPS connections, the initial packet is the TCP SYN, which bears no payload at all, so there is no point in matching on the payload contents. And once a TCP session gets established, you cannot redirect it to a new server just like that, as the new server would be missing the SYN/SYN+ACK/ACK initial exchange, so it would ignore the packets.

So you indeed need an application layer proxy that acts as a “back-to-back TCP agent”, i.e. it talks to the client, and once it receives enough information in the payload to choose the actual server, it opens a separate TCP session towards the chosen server and keeps forwarding the payload data between the “client session” and the “server session” until one of them terminates the connection.
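As an added illustration of that back-to-back agent (not from the thread, and not a MikroTik-provided config): an nginx `stream` block that reads the SNI hostname from the TLS ClientHello with `ssl_preread` and opens a fresh TCP session to the matching backend, without terminating TLS itself. The hostnames and backend addresses below are assumed examples; the container IP on the RouterOS side is whatever your container's veth gets, and a `dst-nat` rule for TCP/443 pointing at it would still be needed on the router.

```nginx
# Assumed layout: nginx runs in a container on RouterOS and receives all
# TCP/443 traffic via dst-nat. Each backend is a separate web server on the LAN.
stream {
    # Pick the backend from the SNI hostname in the ClientHello.
    # Example hostnames and addresses are constructed for this illustration.
    map $ssl_preread_server_name $backend {
        hostnames;                       # allow wildcard entries like .example.net
        app1.example.net   10.0.0.11:443;
        app2.example.net   10.0.0.12:443;
        .example.org       10.0.0.13:443;
        default            127.0.0.1:9;  # unknown/absent SNI: closed port, fails fast
    }

    server {
        listen 443;
        ssl_preread on;                  # peek at ClientHello only; TLS stays end-to-end
        proxy_pass $backend;
        proxy_connect_timeout 5s;        # do not hold client sockets open on a dead backend
        proxy_timeout 10m;               # idle timeout for the paired sessions
    }
}
```

Because TLS is passed through untouched, each backend must hold the certificate for its own name, and clients that send no SNI (or a name not in the map) hit the default entry rather than a wrong server.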