Hostname forwarding

Hi All, still quite new to Mikrotik and hoping someone can answer this for me.

I used to have 6 public IP addresses, so it was easy to host different 443 web pages on different servers. My new ISP only supplies 1 IP, but I still need to redirect 443 traffic to different servers.

Is there any way of getting the MikroTik to forward to the relevant IP based on the hostname coming in?

Thanks

The hostname only brings the remote user to your router.
The rest you can do internally by port redirect.
Is the port static or dynamic? Normally one only needs a DynDNS host name if the IP changes.

For example.

hostname: port 2000
hostname: port 3000
hostname: port 4000

/ip firewall nat
# In RouterOS the chain is "dstnat" and the action is "dst-nat" (the posted
# rules had the two swapped). Each public port is translated to port 443 on a
# different internal server; replace Server1-ip etc. with the real LAN addresses.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=1000 to-addresses=Server1-ip to-ports=443
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=2000 to-addresses=Server2-ip to-ports=443
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=3000 to-addresses=Server3-ip to-ports=443

If you have a complicated multi-WAN setup then we will need to see the complete config, minus any private or public IP information.

Thanks

So there is not a way of having them all arrive on port 443 and then get redirected, i.e. with a NAT rule, to the correct server using the hostname? I.e.

https://mail.mydomain.co.uk
https://www.mydomain.co.uk
https://subdomain.mydomain.co.uk

Nope.
Sounds like you have a non-ideal situation.

1 - How do your users get your information (aka which port to use for the application)?
2 - Do you even know your users?
a. Security-wise it's best to limit users to their known public IP addresses: either they have a static IP to give you, or they have their own DynDNS name for their public IP, and there are no excuses because there are plenty of free ones out there.
b. With a firewall address list you will limit who gets behind your router AND, by using a source-address match in the destination-NAT rule, the port will not appear on scans; otherwise the ports appear on scans with status closed.

The issue is that the router can only NAT one incoming port to one destination,
so you can only have one 443 coming in...

So you can have
443 ----> 443 Server1
1000 ----> 443 Server2
2000 ----> 443 Server3
etc...

But not
443 ----> 443 IP server1
443 ----> 443 IP server2

And not
443 ----> 443 IP server1
443 ----> 1000 IP server2
443 ----> 2000 IP server3

Thanks anav

Shame, as the people who will use the URLs are not the brightest LOL. Would be a nice feature to have with a single static IP.

Glenn

RouterOS does not include a full-featured reverse proxy, which is what is needed in this case. The only realistic solution is to install one of the full-featured reverse proxies[*] on a DMZ/LAN server and fan out connections to the different backend servers from that frontend. Then you perform DST-NAT for port 443 (and 80; if nothing else, it is needed for Let's Encrypt certificate handling) towards that single DMZ/LAN destination.

[*] There are numerous possibilities, ranging from specialized RP solutions such as (my personal favourite) HAProxy to RP support in normal web servers such as Apache or nginx. If you run Docker containers, the RP job is often handled by Traefik running in its own container.
The frontend server will have to handle all SSL/TLS, which requires much more CPU than unencrypted HTTP does. The upside is that you only need one capable server as the frontend; some backend servers can be really lightweight if they only serve static content.
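The mechanism the reverse proxy relies on, as an added example that is not part of the thread and not code from HAProxy, nginx or Traefik: the hostname the client wants is carried in the Server Name Indication (SNI) extension of the TLS ClientHello, which is sent in cleartext before any key exchange. A frontend that receives everything the router DST-NATs to it can therefore read the SNI from the first bytes of each connection and pick a backend per hostname, either before terminating TLS (SNI passthrough) or after terminating it (then routing on the HTTP Host header). The hostnames, backend addresses and the minimal ClientHello builder below are assumptions constructed for the demonstration.

```python
"""Demonstrate SNI-based fan-out behind a single public :443.

Added example, not from the forum thread or any proxy project. The backend
map and the hand-built ClientHello are constructed test data.
"""
import struct
from typing import Optional, Tuple

# Assumed mapping: requested hostname -> (internal address, port).
BACKENDS = {
    "mail.mydomain.co.uk": ("192.168.10.11", 443),
    "www.mydomain.co.uk": ("192.168.10.12", 443),
    "subdomain.mydomain.co.uk": ("192.168.10.13", 443),
}


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying only an SNI extension.

    Constructed input for the demo; a real client sends many more cipher
    suites and extensions, but the layout parsed below is the same.
    """
    host = sni.encode("idna")
    # ServerNameList: one entry of name_type host_name(0) + 16-bit length + name
    server_name_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extension = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    extensions = struct.pack("!H", len(extension)) + extension
    hello_body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (zeros are fine for a parsing demo)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: one suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"            # compression_methods: null only
        + extensions
    )
    # Handshake header: msg_type ClientHello(1) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(hello_body))[1:] + hello_body
    # Record header: content_type handshake(22), legacy version, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name from the first TLS record, or None.

    None also covers a non-TLS first byte, a non-ClientHello handshake, a
    client without SNI, and a record that has not fully arrived yet (a real
    proxy would keep reading before deciding, HAProxy's inspect-delay).
    """
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None  # truncated ClientHello
        pos = 2 + 32                                   # skip version + random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None  # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return ext[p:p + name_len].decode("idna")
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def choose_backend(first_bytes: bytes) -> Optional[Tuple[str, int]]:
    """Pick the backend for a connection from its first bytes; None = reject."""
    sni = extract_sni(first_bytes)
    if sni is None:
        return None
    return BACKENDS.get(sni.lower())


if __name__ == "__main__":
    for name in ("mail.mydomain.co.uk", "www.mydomain.co.uk", "nope.example"):
        print(name, "->", choose_backend(build_client_hello(name)))
```

In HAProxy the same decision is a `mode tcp` frontend with `tcp-request inspect-delay` and `use_backend ... if { req.ssl_sni -i mail.mydomain.co.uk }`, which is why it can fan out without holding every certificate itself. Two caveats worth knowing: the SNI is readable by anyone on the path (which is also why the router could in principle see it but has no matcher for it), and a client that omits SNI, or one using Encrypted ClientHello, gives the frontend nothing to route on and should be sent to a default backend or dropped, as `choose_backend` does.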

If I won the US Powerball, currently over 1 billion dollars, I might be persuaded to 'inform' MT about a change I would like to see.
It would not be a full reverse proxy; it would be to fix VRF and firewall rules, include an automated and sophisticated WireGuard reset for the cases when the WireGuard server goes down, and finally to be able to include firewall address list entries in route rules etc...

Fully agree. IMO it's stupid to overload one box with a gazillion functions if one has to use other boxes which are a much better fit for providing some of those functions. One of those functions is reverse proxy ... not really needed in a SOHO environment, but needed in corporate environments where a larger amount of HW is used anyway. Borderline uses (a home user playing with multiple services) should be handled using lots of common sense (or, if the hobbyist deems the service he's providing of such tremendous importance, by some investment ... e.g. in a few RPi devices).