
How do I route traffic from different subdomains to different internal IP addresses?

I have set up a Debian router that has one public IP and a domain name pointed to that IP. I would like different subdomains to reach different internal machines.

I'm talking about HTTP, SSH and FTP traffic here, and I have Shorewall and dnsmasq installed on the router.

For instance, I would like the URL ftp.example.com to point to one machine with the internal IP 192.168.1.10, and dev.example.com to reach another internal IP, say 192.168.1.200.

It would be good if I could specify which protocols are allowed on which sub domains and explicitly route each protocol and port to the internal machines.

random
Joelbitar
  • I think you need DNAT, but I'm pretty sure it won't work the way you want it to (with subdomains). All the subdomains will end up with the same public IP (dev/ftp/...), so it won't matter if you type ftp or dev. The only thing you can do is perform NAT on the ports, telling your router that traffic on port 80 should go to server X and traffic on 20, 21 & some passive ports to server Y. – Bart De Vos Sep 23 '11 at 11:10

2 Answers


For some protocols this simply isn't possible with just port forwarding unless you run them on non-standard ports (so the router itself is on port 22 for SSH, internal machine 1 appears on port 23 on the public IP, internal machine 2 on port 24, and so forth) or have more than one public address.

HTTP - this can be done by using a reverse proxy. Have something like nginx running and have that take all traffic coming in on port 80 initially, and use the proxying feature to farm requests out to the relevant machine according to the (sub)domain requested. Other web servers have similar proxy features too (i.e. Apache, though running something smaller like nginx is more efficient if all you need is the proxy feature).

HTTPS - If all the connecting clients support SNI then you can use the same method as mentioned for HTTP above. Unfortunately no version of Internet Explorer running under Windows XP supports SNI, so depending on your client base this could be an issue. Affected browsers will present their users with certificate errors. Another workaround, rather than relying on SNI, is to get one certificate that is valid for all the names you need (i.e. a multi-name cert if they are very different names, or a wildcard cert if they are all subdomains of a single one), but these are generally more expensive than single-name certificates.

SSH - not directly possible. Though you can just SSH into the router and then SSH further into the network from there. Even port forwarding and such works through multiple hops like this if you get the incantations right. If you get SSH working then remember that SFTP or SCP over that are viable alternatives to FTP in many cases and confer benefits FTP does not.

FTP - I've not run an FTP server for quite some time so I'm no expert here. There might be reverse proxy options, but I doubt it from my knowledge of how the protocol operates. An option here would be to have one FTP service and let it access different machines on the network via network shares (this may not be practical depending on your authentication requirements, but for a lot of things should be sufficient). You could also consider using SCP or SFTP (via SSH), either of which is both more efficient and more secure than FTP.

David Spillett
  • I could for sure just change to some obscure port for SSH, not a problem. Nginx sounds like the way to go for the HTTP traffic! – Joelbitar Sep 26 '11 at 07:33
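The reverse-proxy approach from the answer above, written out as an nginx configuration for the router in the question. This is an added example, not code from the original answer or from the asker: it assumes nginx runs on the Debian router itself (so Shorewall only needs to accept 80/443 to the firewall, with no DNAT to internal hosts), that the internal machines serve plain HTTP on port 80, and that the names and addresses are the ones from the question; the certificate paths are placeholders.

```nginx
# Added example: nginx on the router, routing by the requested host name.
# Assumed: internal hosts 192.168.1.10 (ftp.example.com) and 192.168.1.200
# (dev.example.com) both listen on plain HTTP port 80. Certificate paths are
# placeholders.

upstream ftp_host { server 192.168.1.10:80; }
upstream dev_host { server 192.168.1.200:80; }

# Catch-all for any Host header that is not one of ours. 444 is nginx's
# "close the connection without a response" code, so a scanner hitting the
# bare public IP, or a stray DNS alias, never reaches an internal machine.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name ftp.example.com;

    location / {
        proxy_pass http://ftp_host;
        # Hand the original request details to the backend so its logs and
        # any redirects it generates use the public name and client address.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name dev.example.com;

    location / {
        proxy_pass http://dev_host;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTPS is the same pattern on 443; nginx picks the server block from the
# SNI name the client sends. A client without SNI gets whichever block is
# the default for 443 and therefore a certificate name mismatch, which is
# the caveat the answer raises. One block per name, each with its own cert
# (or the same wildcard/multi-name cert in every block).
server {
    listen 443 ssl;
    server_name dev.example.com;
    ssl_certificate     /etc/ssl/private/dev.example.com.crt;  # placeholder
    ssl_certificate_key /etc/ssl/private/dev.example.com.key;  # placeholder

    location / {
        proxy_pass http://dev_host;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the file with `nginx -t` before reloading, then test from outside with `curl -H 'Host: dev.example.com' http://PUBLIC_IP/` and again with a made-up host name; the second request should get the connection closed rather than a page from either backend. Two things to keep in mind: the backends now see the router as the TCP peer, so anything on them that rate-limits or logs by client address has to read X-Forwarded-For instead, and it should only trust that header when the request arrived from the router's internal address. And since nginx listens on the router itself, the Shorewall side is an ordinary ACCEPT from the net zone to the firewall on tcp 80 and 443; no DNAT rule for those ports is needed, and the internal web servers can stay unreachable from the net zone except through the proxy.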

You want to use a reverse proxy for this. Apache's mod_proxy should do the trick.

MDMarra