
how to publish a lot of web servers

Posted: Fri Jun 02, 2006 4:41 pm
by ahlai
There are a lot of web servers, they have different IP addresses, and I have only one public IP.
for example
123.com @192.168.0.2
abc.com @192.168.0.3
456.com @192.168.0.4
/ip dns static add name=123.com address=192.168.0.2
/ip dns static add name=abc.com address=192.168.0.3
/ip dns static add name=456.com address=192.168.0.4
/ip firewall nat add chain=dstnat dst-address=219.158.100.133 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.0.2 to-ports=80
/ip firewall nat add chain=dstnat dst-address=219.158.100.133 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.0.3 to-ports=80
/ip firewall nat add chain=dstnat dst-address=219.158.100.133 protocol=tcp dst-port=80 action=dst-nat to-address=192.168.0.4 to-ports=80
But they don't work, why?
I feel gloomy, help me please.
Thanks a lot.

Posted: Fri Jun 02, 2006 9:56 pm
by andrewluck
Look at this from the router's point of view:

A packet arrives for port 80 at 219.158.100.133. How does it determine which server to forward the packet to?

Regards

Andrew

Posted: Sat Jun 03, 2006 12:35 am
by jp
As andrew was alluding to, this is a dns/httpd configuration, not a router configuration.

Posted: Sat Jun 03, 2006 1:49 am
by djape
You should use some Virtual Domain software so you can build 100's of sites behind only one public IP.

You can check http://www.swsoft.com for Plesk ;)

Cheers...

Posted: Sat Jun 03, 2006 4:43 am
by GotNet
Yes, much easier to do, apache etc. I kinda figured he had different client machines trying to put behind one IP.

Mike

Posted: Sat Jun 03, 2006 5:36 am
by ahlai
Thanks,
you mean I must use another computer to do this?
All of my web servers' OS are Server 2003.
How should I do it?

Posted: Sat Jun 03, 2006 6:19 am
by wildbill442
Look into Plesk. You can run multiple domains on a single IP address. Currently I have 123.com, abc.com, anotherdomain.com, and thisdomain.com running on the same public ip address 10.0.0.1.

The server opens up the packet header and examines what domain was being requested and then replies with the appropriate website. This is all done by the HTTP server and I believe is defined in the HTTP protocol.

Works beautifully, and you don't need a static IP address for each domain. The only time this might present a problem is with secure websites used for e-commerce, which might require their own IP address and certificates.

http://www.swsoft.com/

Usually you don't NAT servers that were meant to be publicly accessible.

Posted: Sun Jun 04, 2006 2:32 pm
by ahlai
You mean I must install swsoft?
Thanks.

Posted: Sun Jun 04, 2006 5:10 pm
by Hammy
Well, a hosting controller of some type, or get a little smarter with whatever web server you have (whether it's IIS, Apache, etc.). I prefer InterWorx over Plesk, but Plesk may be one of the only if not the only one that supports Windows.

Posted: Sun Jun 04, 2006 9:28 pm
by GJS
You can also do this 'virtual domains' with Apache. It will not work with some very old browsers but I think that most of the world's web servers run in this configuration. You can have virtually unlimited domains on one server.

Posted: Mon Jun 05, 2006 8:22 am
by joeri91942
Ahlai

This is a typical example of someone that hasn't even tried to figure out what is wrong and instead decided to blame their mal-config on some other part of the system and request help with that.... normally I wouldn't even try to respond to this kind of question but since I am feeling charitable today I will give you a few pointers ;-)

Hint, your problem lies in your basic design.... not in the MT config

#1, If you have only ONE external IP then you should normally only have ONE physical webserver, this is since all HTTP traffic goes on port 80 and you can only have one machine receiving an address/port pair!

And before someone starts to correct me by saying that you can configure the router to examine packets and redirect to different places depending on the payload... please read the lines above, even that config still has only ONE machine listening to an IP/port pair... the router itself!

It's also a bitch to configure/maintain! Been there, done that when I was forced to FILTER/ROUTE pure NetBios (no IP) on a Token Ring network! A real bad design that I inherited when the designer got kicked out of the company... he had decided that he could bridge 5 offices running NetBios over 64Kb/s lines :-(


#2, If you can consolidate your websites onto one server, do so! Windows 2003 CAN handle multiple web-requests (123.com, abc.com etc etc) and direct them to the correct website, just LOOK at the settings and READ the manual. RTFM-GTFW :-)

#3, If you can NOT consolidate your websites onto one server you will have to configure an intermediate redirector AND set each server to listen to a different port...

Step 1: All HTTP traffic goes to the redirector which looks at the host header and identifies the requested host header URL. Depending on the host header it redirects the user web browser to a different port, example
http://www.abc.com -> http://www.abc.com:81
http://www.123.com -> http://www.123.com:82
http://www.jkl.com -> http://www.jkl.com:83
This can easily be done using ASP code on a W2K3 server

Step 2: Set the respective web server to listen to the correct port
- Web server for http://www.abc.com listens to port 81
- Web server for http://www.123.com listens to port 82
- Web server for http://www.jkl.com listens to port 83

Step 3: Configure your front end router to redirect traffic to the correct server, some small changes to your previous code
/ip firewall nat 
add chain=dstnat dst-address=219.158.100.133 protocol=tcp dst-port=81 action=dst-nat to-address=192.168.0.2 to-ports=81 
add chain=dstnat dst-address=219.158.100.133 protocol=tcp dst-port=82 action=dst-nat to-address=192.168.0.3 to-ports=82 
add chain=dstnat dst-address=219.158.100.133 protocol=tcp dst-port=83 action=dst-nat to-address=192.168.0.4 to-ports=83 
ALSO PLEASE THINK BEFORE DOING ANYTHING ABOUT HTTPS!
That is a beast completely on its own.... it is not a trivial thing to configure multiple HTTPS sites on one IP since you normally do NOT have access to the host headers in a request until it has been properly processed by the correct site

Best regards

/Jörgen
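
The Step 1 redirector from the post above, as an added example written in Python rather than the ASP the poster mentions (it is not code from the thread). The host-to-port table is taken from the post; the function names and the 404 answer for unknown hosts are assumptions. The redirect URL is built from a fixed table, never from the raw Host header, so a forged header cannot steer visitors elsewhere.

```python
# Added example: Host-header redirector with a fixed allowlist.
from http.server import BaseHTTPRequestHandler, HTTPServer

# Published site -> external port the router dst-nats to that site's server
# (values from the post above).
SITE_PORTS = {"www.abc.com": 81, "www.123.com": 82, "www.jkl.com": 83}


def normalize_host(header):
    """Return the lower-case host name from a Host header, or None if unusable."""
    if not header:
        return None
    host = header.strip().lower()
    if host.startswith("["):          # IPv6 literal: no site is published that way
        return None
    # Drop an explicit port ("www.abc.com:80") and a trailing root dot.
    return host.split(":", 1)[0].rstrip(".") or None


def redirect_target(host_header, path):
    """Map a request to its redirect URL, or None when the host is not published."""
    host = normalize_host(host_header)
    port = SITE_PORTS.get(host)
    if port is None:
        return None
    # Keep only a rooted path; CR/LF must never reach the Location header.
    if not path.startswith("/") or "\r" in path or "\n" in path:
        path = "/"
    # host is an allowlist key at this point, not attacker-controlled text.
    return "http://%s:%d%s" % (host, port, path)


class Redirector(BaseHTTPRequestHandler):
    def do_GET(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        if target is None:
            # Unknown or missing Host: refuse instead of guessing a backend.
            self.send_error(404, "Unknown site")
            return
        self.send_response(302)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), Redirector).serve_forever()
```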

use web proxy (for http only)

Posted: Wed Jun 21, 2006 8:57 am
by tinus
It only works for HTTP connections, not HTTPS connections.

1. First Configure your web proxy
/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=8080 hostname="your.proxy" \
transparent-proxy=yes parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system \
max-cache-size=unlimited max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
add dst-port=80 action=allow comment="Enable Http Connection" disabled=no

2. Configure Static DNS of domains to resolve to internal ip
/ip dns static add name=123.com address=192.168.0.2
/ip dns static add name=abc.com address=192.168.0.3
/ip dns static add name=456.com address=192.168.0.4
/ip dns static add name=www.123.com address=192.168.0.2
/ip dns static add name=www.abc.com address=192.168.0.3
/ip dns static add name=www.456.com address=192.168.0.4

3. Configure NAT to redirect traffic to webproxy
(i.e. your public ip address is xxx.xxx.xxx.xxx)

/ip firewall nat
add chain=dstnat in-interface=outside dst-address=xxx.xxx.xxx.xxx protocol=tcp \
dst-port=80 action=redirect to-ports=8080 comment="" disabled=no



The traffic for 123.com will be like this
The web proxy will redirect traffic to the 123.com internal ip address which is 192.168.0.2

Internet --> xxx.xxx.xxx.xxx:80 ---> xxx.xxx.xxx.xxx:8080 --> 192.168.0.2:80

I hope this would be helpful

Posted: Wed Jun 21, 2006 10:19 am
by uldis
Maybe you would like to add an article about this in the MikroTik Wiki page:
http://wiki.mikrotik.com/

Posted: Wed Jun 21, 2006 6:33 pm
by csickles
I think I saw that this is an exchange 2003 server?
If so, use "HOST HEADERS"

You can publish an infinite number of websites/domains on one IP and one port..

But keep in mind two things...

1) A valid DNS record MUST exist
2) Sites can only be called via name NOT IP

I think it works for http and https..

IE http://server.com
HTTPS://server2.com

should be able to reside on the same box at the same IP
(Ports will change as we all know..)

This should work out of the box..

I use it here and host multiple intranets on one server with one IP address.

Craig

no https connection

Posted: Wed Jun 21, 2006 9:39 pm
by tinus
The transparent web proxy does not support HTTPS connections; it only works with HTTP connections.

Re: use web proxy (for http only)

Posted: Thu Jun 22, 2006 3:20 am
by ahlai
It's a good idea!
Thanks a lot.