jatnikonnm
just joined
Topic Author
Posts: 1
Joined: Mon Aug 13, 2018 5:55 am

One IP Public Multiple Webserver

Mon Aug 13, 2018 7:58 am

Hi, I'm new to MikroTik routers. How do I configure it if I only have one public IP, but users can access different/multiple domains from the internet, given that I have multiple web servers behind the router, as shown below? Thanks for the help.

Image
 
BartoszP
Forum Guru
Posts: 1544
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: One IP Public Multiple Webserver

Mon Aug 13, 2018 8:20 am

It is not a problem of MikroTik configuration.

You should configure virtual hosts on your WWW server to manage the different domains.
On the MikroTik device you should pass all HTTP traffic to this server.
Real admins use real keyboards.
 
Jotne
Member
Posts: 326
Joined: Sat Dec 24, 2016 11:17 am

Re: One IP Public Multiple Webserver

Mon Aug 13, 2018 10:50 am

We cannot see your photo. Edit your post and use Attachments at the bottom of the post to upload it to the forum.

If all web servers are on the same Windows server, you can deal with it on the Windows server.

But if you have multiple web servers on multiple boxes, or even different ports, you can use HAProxy on a Linux server.
It's free and not too difficult to set up.

Here all servers will answer on one IP on port 80, with different DNS names

Example haproxy.cfg

www.home.com #Primary web server 192.168.1.30:80
cam.home.com #Surveillance camera 192.168.1.50:8080
ups.home.com #Your UPS 192.168.1.20:80
webmin.home.com #Admin of linux server 192.168.1.15:10000

Then you set all DNS records to point to your public IP
Install HAProxy on server 192.168.1.35
Make a NAT forward on port 80 to your HAProxy server

Then on HAProxy set up pointers for your web servers, something like this:

global
        log /dev/log    local0
        log /dev/log    local1 notice
#        log 127.0.0.1   local0
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3


defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option  httpclose
        option  forwardfor
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

# input redirect
frontend http-in
        bind *:80

# Define a rule to use based on domain name
        acl is_www hdr_end(host) -i www.home.com
        acl is_cam hdr_end(host) -i cam.home.com
        acl is_ups hdr_end(host) -i ups.home.com
        acl is_webmin hdr_end(host) -i webmin.home.com

# Redirect to correct server based on rule to use
        use_backend srv_www if is_www
        use_backend srv_cam if is_cam
        use_backend srv_ups if is_ups
        use_backend srv_webmin if is_webmin
        default_backend default

# List of servers to use based on redirect

backend srv_www
        server Local 192.168.1.30:80

backend srv_cam
        server Local 192.168.1.50:8080

backend srv_ups
        server Local 192.168.1.20:80

backend srv_webmin
        server Local 192.168.1.15:10000

backend default
        server Local 192.168.1.30:80

This should be a working config.
PS: I would not recommend having webmin open to the internet.

You could also add basic authentication (username/password) to servers that do not support it.
It also does load balancing +++++++
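
Added example, not part of the original post: a Python check that every `use_backend`/`default_backend` name in a haproxy.cfg has exactly one matching `backend` section, since a misspelled or repeated section name is an easy slip in a config of this shape. The embedded config is a constructed sample and `lint_backends` is a hypothetical helper name.

```python
from collections import Counter

# Constructed sample: a trimmed haproxy.cfg with two typical slips,
# a misspelled backend name and a backend section declared twice.
SAMPLE_CFG = """\
frontend http-in
        bind *:80
        acl is_www hdr_end(host) -i www.home.com
        acl is_ups hdr_end(host) -i ups.home.com
        acl is_webmin hdr_end(host) -i webmin.home.com
        use_backend srv_www if is_www
        use_backend srv_ups if is_ups
        use_backend srv_webmin if is_webmin
        default_backend default

backend srv_web
        server Local 192.168.1.30:80
backend srv_ups
        server Local 192.168.1.20:80
backend srv_ups
        server Local 192.168.1.15:10000
backend default
        server Local 192.168.1.30:80
"""

def lint_backends(cfg_text):
    """Return (undefined, duplicated, unused) backend names, each sorted."""
    defined = Counter()     # backend name -> number of sections declaring it
    referenced = set()      # names used by use_backend / default_backend
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and indentation
        if len(words) < 2:
            continue
        # Assumption: only `backend` sections are targets (no `listen` blocks).
        if words[0] == "backend":
            defined[words[1]] += 1
        elif words[0] in ("use_backend", "default_backend"):
            referenced.add(words[1])
    undefined = sorted(referenced - set(defined))
    duplicated = sorted(n for n, c in defined.items() if c > 1)
    unused = sorted(set(defined) - referenced)
    return undefined, duplicated, unused

if __name__ == "__main__":
    undefined, duplicated, unused = lint_backends(SAMPLE_CFG)
    print("referenced but not defined:", undefined)
    print("defined more than once:   ", duplicated)
    print("defined but never used:   ", unused)
```

HAProxy's own `haproxy -c -f <file>` validates a configuration file before a reload; this sketch only covers the backend-name cross-check.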
 
AminYounessi
Trainer
Posts: 20
Joined: Wed Nov 23, 2016 7:39 am

Re: One IP Public Multiple Webserver

Wed Aug 15, 2018 12:12 pm

Hi,
You just need to write destination NAT rules for those servers with different port numbers and specify the DNS records in your ip/dns/static for those two servers; then you can open them from outside with one public IP address. (You just need to know about destination NAT and the PAT (port address translation) concept.)

Best regards,
 
Cha0s
Forum Veteran
Posts: 785
Joined: Tue Oct 11, 2005 4:53 pm

Re: One IP Public Multiple Webserver

Wed Aug 15, 2018 4:36 pm

> Hi,
> You just need to write destination NAT rules for those servers with different port numbers and specify the DNS records in your ip/dns/static for those two servers; then you can open them from outside with one public IP address. (You just need to know about destination NAT and the PAT (port address translation) concept.)
>
> Best regards,

How will RouterOS differentiate between domains in order to know where to forward the packets?
We are talking only port 80/443 incoming. Listening to other ports is not a solution IMO.

As already stated, this cannot be done in RouterOS alone. Some type of reverse proxy (i.e. HAProxy) is needed, one that can talk HTTP to be able to read the Host header of each request and route it to the correct backend web server.

jatnikonnm, depending on how much traffic you expect, you could even use a Raspberry Pi (or something equivalent with a better CPU) to run HAProxy, thus keeping your power consumption and physical space requirements low.
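
Added example, not part of the original posts: a Python sketch of the Host-header routing decision a reverse proxy makes, using the hostnames and backend addresses from the thread as a constructed routing table. It compares suffix matching in the style of `hdr_end(host)` with an exact match; the function names are hypothetical.

```python
# Constructed routing table using the hostnames and backends from the thread.
ROUTES = {
    "www.home.com": "192.168.1.30:80",
    "cam.home.com": "192.168.1.50:8080",
    "ups.home.com": "192.168.1.20:80",
    "webmin.home.com": "192.168.1.15:10000",
}
DEFAULT = "192.168.1.30:80"

def host_header(raw_request):
    """Return the Host header value of a raw HTTP/1.x request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None

def route_suffix(host):
    """Mimic `hdr_end(host) -i name`: the header only has to END with name."""
    for name, backend in ROUTES.items():
        if host and host.lower().endswith(name):
            return backend
    return DEFAULT

def route_exact(host):
    """Stricter: drop an optional :port, then require the whole name to match."""
    if not host:
        return DEFAULT
    name = host.lower().partition(":")[0].rstrip(".")
    return ROUTES.get(name, DEFAULT)

def make_request(host):
    """Build a constructed sample request; only the Host header varies."""
    return ("GET / HTTP/1.1\r\nHost: %s\r\n\r\n" % host).encode("latin-1")

if __name__ == "__main__":
    # After the port-80 dst-nat every request has the same destination
    # address and port, so the Host header is the only distinguishing field.
    for h in ("cam.home.com", "cam.home.com:80", "notcam.home.com"):
        host = host_header(make_request(h))
        print("%-18s suffix=%-18s exact=%s"
              % (host, route_suffix(host), route_exact(host)))
```

Suffix matching misses a Host value that carries an explicit port and accepts any name that merely ends in a configured hostname, so the exact form is the safer default when backends such as an admin panel sit behind the proxy.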
