Multiple HTTPS Web Servers

idemidov · April 6, 2018, 9:47am

Good day!

I have to web servers and one ip from ISP. I want forward port 443 for url site1.domain.com to one server and port 443 for url site2.domain.com to anather. Help me please! How can i do that?

I create rule for nat action=dst-nat chain=dstnat. I try to use L7 in advanced tab but it is not work. I try to mark connection, but it is no work too.

blingblouw · April 6, 2018, 11:31am

Put the URL in an address list. It will automatically resolve the IP to a DNS name.

Then in your NAT rule, put the address list in the dst-address-list field.

Do it for both domains

idemidov · April 6, 2018, 11:56am

Not work. May be i dont understand what you want to say? In firewall adress list there is no field named url. In DNS and site1 and site have one ip adress. I dont undestand how it must work.

Sob · April 6, 2018, 2:31pm

What you want is not possible, not in a way you want it. In short, you can’t do it on IP level, because to forward tcp port, you must forward the very first packet of connection, but it’s just SYN packet and it doesn’t contain hostname. It only comes later, but then it’s too late for port forwarding.

The way to solve it is by using reverse proxy. Unfortunately, current RouterOS can’t help you with that (there’s only ugly hack for http, but nothing to be done for https). So you need another machine, forward port to that, and do the redirection there. You can use e.g. nginx: http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

Steveocee · April 8, 2018, 8:42am

This ^^^^

Why can’t you have 1 web server hosting 2 sites?
In general you can only forward 1 port to 1 host.

Sob · April 8, 2018, 3:27pm

There isn’t always the choice. It might not be just regular websites, but different machines that you can’t merge. Or they might not be under control of the same unlucky admin who was told to make it work. The right way is to have multiple public addresses, but they don’t come for free, so people try to find all kind of workarounds (instead of adopting IPv6 with practically unlimited supply of addresses ten years ago, but that’s different story).

BartoszP · April 8, 2018, 3:49pm

Or …

Forward all traffic to one server (site1 url) and then do come http/https rewriting on site1 to forward site2 url to the second server.