Community discussions

MikroTik App
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 6:44 pm

Hello.
The Mikrotik web proxy features confuse me a bit, I want to configure it as a reverse proxy, so that when accessing host1.mysite.com and host2.mysite.com , it would show data from different local computers (e.g 192.168.0.2:81, 192.168.0:3:81, etc), (without being obvious to the visitor), so visitor remains on:
http://host1.mysite.com
http://host2.mysite.com
Can the web proxy do that ? What options should I look at ? Is it "web proxy direct" ?
I know Nginx can do that.
I use a HapAc2 for this case, I know performance might not be great, but I wanted to experiment with it a bit.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 7:37 pm

Forget that funcion.

Simply change on the DNS the A record on host1.mysite.com and host2.mysite.com on two public IP address on your device.

Or same host like host1.mysite.com can redirect inside the webserver on another host host2.mysite.com if http header HTTP_HOST is host2.mysite.com.
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 8:12 pm

First part would not work for me because I have 4-8 hosts and not that many public IPs.
I didn't understand what you meant in second part, maybe you can tell me differently.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 8:18 pm

The 2nd part: install a proper reverse proxy on one of internal servers (e.g. haproxy, nginx or apache) and configure it to forward requests to the rest of servers.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 8:19 pm

First part would not work for me because I have 4-8 hosts and not that many public IPs.
I didn't understand what you meant in second part, maybe you can tell me differently.
supposing host1.mysite.com is external 2.3.4.5:80 , internal 192.168.0.51:81

and host2.mysite.com do not have external with 80 directly, but external is 2.3.4.5:82 and internal is 192.168.0.52:82

on DNS
host1.mysite.com A 2.3.4.5
host2.mysite.com A 2.3.4.5

Use a function near all webserver have,
host1.mysite.com read HTTP header and if the site wanted from browser (readed on HTTP_HOST header) is host2.mysite.com,

then instruct the browser to redirect the connection to host2.mysite.com:82 and the address on address-bar is changed to host2.mysite.com:82
_OR_
act as proxy for host2.mysite.com, but the address on address-bar is still host1.mysite.com

I'm not english and I cant write better one example, sorry.
Last edited by rextended on Tue May 25, 2021 8:26 pm, edited 1 time in total.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 8:26 pm

instruct the browser to redirect the connection to 2.3.4.5:82.
That's against OP's requirement that it should be hidden from clients. Additionally using non-standard ports may break things for some clients (some corporate firewalls are quite restrictive when it comes to uncommon/nonstandard ports).

Additionally, anything else than what I proposed doesn't work for encrypted connections (i.e. for https).
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 8:28 pm

useless
Last edited by rextended on Tue May 25, 2021 10:35 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 8:32 pm

Additionally, anything else than what I proposed doesn't work for encrypted connections (i.e. for https).
But wat I have proposed work.

If host1.mysite.com have valid ceritificate, can redirect without problems to any other site, like

https://google.com/ with auto-redirect to https://www.google.com/

https://host1.mysite.com -> https://host2.mysite.com:444


Addittionally one https webserver with latest technology can handle more https sites with various names, than one a time, using internal pipes to show websites located on another machine.

But that's not the point, and it has nothing to do with mikrotik.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 10:30 pm

Redirecting stuff is complicating things and it is visible to user. For example: if server1 replies to both https://host1.example.com/ and https://host2.example.com/, it needs installed certificate which works for both FQDNs. Then if sole function of server1 for requests for https://host2.example.com/ is to serve redirect to e.g. https://host2.example.com:444/, then server2 needs certificate covering host2.example.com as well (doesn't need to be the same certificate as on server1 though). But then all the softwares I mentioned are fully capable of performing reverse proxy, which means they will terminate TLS/SSL (using one or multiple certificates), forward requests to appropriate back end servers (using plain http or https, whatever more appropriate) and will pass replies back to original clients. All of that without exposing any backend topology details to clients. haproxy can even perform load sharing and/or high availability between backend servers serving same FQDN.

The point in exercise is this: if one runs multiple actual backend web servers, then using router to perform reverse proxy is ... I'll be blunt: stupid. You already have multiple machines capable of doing job properly, why bother making router do it (poorly)?
Do you tinker with your lawn mover to make it walk your dog? I don't.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 10:57 pm

Do you tinker with your lawn mover to make it walk your dog? I don't.
No I put a stake in the middle of the lawn and attach a goat by rope to the stake and watch it move around in ever decreasing circles cutting/eating the lawn, whilst I sit back in my lawn chair pounding down some Valmiermuiža ale and reading Mikrotik Switching with LABS by Maher Haddad! :-)
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 11:01 pm

The 2nd part: install a proper reverse proxy on one of internal servers (e.g. haproxy, nginx or apache) and configure it to forward requests to the rest of servers.
Yes, I know how to do that part, I was hoping the Mikrotik web proxy function has a feature to use different local computers based on host in the request.
So Mikrotik doesn't have this ?
That is how Nginx does it, and also can use different data sources based on the path requested (/images /downloads), etc, it is also a nice way to spread the load on server(s).
 
User avatar
adrianTNT
Member Candidate
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet
Contact:

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Tue May 25, 2021 11:08 pm

I put a stake in the middle of the lawn and attach a goat by rope to the stake and watch it move around in ever decreasing circles cutting/eating the lawn, whilst I sit back in my lawn chair pounding down some Valmiermuiža ale and reading Mikrotik Switching with LABS by Maher Haddad! :-)
:)
blue-screen.png
You do not have the required permissions to view the files attached to this post.
 
graealex
just joined
Posts: 14
Joined: Fri Feb 03, 2017 7:39 pm

Re: Can web [reverse] proxy redirect to different local computers based on host header ?

Sun Jan 02, 2022 3:30 pm

Unfortunately, ROS can't do it, although I feel it would be a useful feature, especially in front of a DMZ. It wouldn't need to be a full-fledged HTTPS application proxy, just SNI-based firewall-routing would be enough to pipe the traffic to the right internal host (although you can't use directory-based routing then). The funny part is that ROS already contains an option for SNI-based filtering, but the SNI information isn't available in the first SYN/ACK-handshake, and that's why that feature is only useful for blocking, but not for routing.

IPv6 might make the whole issue obsolete, though, as we are mainly just talking about ways on how to share a single public IP to multiple internal ones. If you have multiple public IPs for your servers, it suddenly turns into a non-issue.

Who is online

Users browsing this forum: Bing [Bot], cmmike, holvoetn, svh79, Vyizis and 45 guests