Application requires IP address, need it to go to domain

15

2

We use a (poorly-designed) application that requires the IP address of our corporate office which has a static public IP address. However, when our failover internet kicks in, it obviously has a different static public IP address and then remote connections fail.

If the application would accept a domain name, I would use that with dynamic DNS, but it doesn't accept a domain name.

Is there any way to input an IP address but get to our domain name? I had two thoughts that I haven't tried yet.

  1. Set up a local IP address that redirects to our domain name (e.g. 10.0.1.99 goes to local.ourdomain.com). However, I'm not quite sure how I would do this. Set up a Raspberry Pi with a web server maybe.

  2. Purchase web hosting with a dedicated IP address and have it redirect to our domain which then could get updated as needed.

Any thoughts on how to achieve this?

MrPeanut

Posted 2017-12-04T02:42:47.507

Reputation: 301

1What kind of application? You mean something hosted internally? Like some kind of Ruby or Java or even JavaScript framework? – JakeGould – 2017-12-04T02:54:58.277

1Reverse proxy. Stick it at a fixed address and have it forward packets to the appropriate address. – Ignacio Vazquez-Abrams – 2017-12-04T02:55:27.107

Just a Windows program that a vendor has provided to us which sends and retrieves data from our corporate office. – MrPeanut – 2017-12-04T02:56:05.717

@IgnacioVazquez-Abrams Something like a Raspberry Pi running Nginx as a reverse proxy? – MrPeanut – 2017-12-04T03:07:29.927

Nginx, netfilter, ebtables, whatever you need. – Ignacio Vazquez-Abrams – 2017-12-04T03:08:32.433

Ok, thanks. I've never configured Nginx but there seem to be plenty of tutorials on setting it up as a reverse proxy and a RPi is easy enough. I'll look into this more. – MrPeanut – 2017-12-04T03:14:17.453

2You’re going to have to host a reverse proxy somewhere with an IP address that never changes. That will cost money. Have you considered just moving the service to the cloud where redundancy is built in anyways? The cost is probably similar. The other suggestion of using a VPN makes a lot of sense. I don’t see how a reverse proxy is a good solution to this at all. – Appleoddity – 2017-12-04T05:51:41.687

Are you using Reverse DNS and referring to PTR records? I'm guessing probably not (that's a bit more advanced). That is how "IP address that redirects to our domain name (e.g. 10.0.1.99 goes to local.ourdomain.com)." I find it much more likely that you have an A record, so local.example.com goes to 10.0.1.99. Being able to keep that straight may be essential to being able to craft a working solution. If your software app communicates through a firewall, NAT might be useful. – TOOGAM – 2017-12-04T06:09:23.530

@Appleoddity The cost of "host a reverse proxy somewhere with an IP address that never changes" is "buy a raspberry pi and configure it". The device after all needs nothing but a static IP address in the local network (and if that one fails no solution will work). Moving to the cloud is a repeated cost every month, just as a VPN is. – Voo – 2017-12-04T12:47:58.910

@Voo either I’m misunderstanding the question or you are. The problem here that I see is that there are external clients trying to connect to a server on-premise. If the company’s public IP changes due to a failover event, the external clients can’t connect. So you tell me how a reverse proxy hosted on premise is going to solve that? – Appleoddity – 2017-12-04T13:17:11.950

1@Appleoddity The reverse proxy is simply the implementation of bullet point 1 of the OP. You don't have the raspberry in the corporate office but in the local network where the application is being run. Since that's feasible in the given scenario according to the OP, it's probably the simplest and cheapest solution. – Voo – 2017-12-04T13:49:01.020

Answers

37

A reverse proxy is a good idea, but may be limited by protocol.

I'd solve this problem by setting up a VPN (which provides security - if the app is that badly written it does not do a DNS lookup it's probably not using decent crypto either). Using a VPN means your addresses can all be RFC 1918 (i.e. private ones), and the app won't even care when the external addresses change.

davidgo

Posted 2017-12-04T02:42:47.507

Reputation: 49 152

0

A VPN is sort of expensive when you could get a Raspberry Pi or Pi Zero and run Debian on it, and set up iptables on it to masquerade the way you want.

Details would depend on how your local network was set up, but the general idea would be to give the Pi two fixed local addresses.

One address would be reserved for administering the Raspberry Pi. That's how you'd ssh in and alter things if needed.

The other would act as proxy for the remote primary (or backup).

Packets sent to THAT address could get forwarded using iptables as a masquerade to the primary or to the fallback depending on conditions. NAT would alter the packet's source and destination addresses as needed before re-transmission.

Packets returning get NATed back to the requester.

This should work fine as long as there are no IP addresses embedded deeper in the packets, or cases like classic FTP that establish parallel connections.

Bonus points if you can make the Pi notice that the primary site has vanished and automagically switch to the backup.

infixed

Posted 2017-12-04T02:42:47.507

Reputation: 759

I run a VPN for free, I don't see why he couldn't. He isn't hiding his traffic from his ISP. OpenVPN – FreeSoftwareServers – 2017-12-05T09:50:21.907
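The iptables approach from infixed's answer above, including the automatic switch to the backup, as an added example that is not part of the original thread. The two public addresses and the port are constructed placeholders, `10.0.1.99` is the example local address from the question, and the `probe` check and `vendor-proxy` log tag are assumptions.

```sh
#!/bin/sh
# Added example. All addresses and the port are constructed placeholders.
PROXY_IP=10.0.1.99        # second local address on the Pi; the app is pointed here
PRIMARY=203.0.113.10      # placeholder: office primary public IP
FALLBACK=198.51.100.20    # placeholder: office failover public IP
PORT=8443                 # placeholder: the vendor application's TCP port

# Reachability test for the primary; swap in whatever check suits the service.
probe() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# Accept only dotted-quad literals so nothing else can reach the ruleset.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
}

pick_upstream() {
    if probe "$PRIMARY" "$PORT"; then echo "$PRIMARY"; else echo "$FALLBACK"; fi
}

# Emit an iptables-restore ruleset: DNAT only the app's port, then masquerade
# so replies come back through the Pi. Loading it replaces the whole nat table.
render_rules() {
    is_ipv4 "$1" || { echo "refusing upstream: $1" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $PROXY_IP/32 -p tcp --dport $PORT -j DNAT --to-destination $1:$PORT
-A POSTROUTING -d $1/32 -p tcp --dport $PORT -j MASQUERADE
COMMIT
EOF
}

# Run as root with APPLY=1 and net.ipv4.ip_forward=1; reloads only on change.
if [ "${APPLY:-0}" = 1 ]; then
    current=""
    while :; do
        target=$(pick_upstream)
        if [ "$target" != "$current" ] && render_rules "$target" | iptables-restore; then
            current=$target
            logger -t vendor-proxy "forwarding $PROXY_IP:$PORT to $target"
        fi
        sleep 30
    done
fi
```

Forwarding a single TCP port keeps the Pi from becoming a general relay to the office; as the answer notes, protocols that embed addresses or open parallel connections will not survive this NAT.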

-4

Use Route53 (Amazon) or any other DNS which has a fallback routing. If you use health checks, you can assign a secondary DNS entry IP when your health check fails on the primary IP.

Ramon Fincken

Posted 2017-12-04T02:42:47.507

Reputation: 1

7How does this help if the application won't resolve a DNS record? – ydaetskcoR – 2017-12-04T11:14:12.667

You will check the primary internet IP, so NOT the device IP. The primary internet IP has to resolve. When it does not, this means you need a failover. – Ramon Fincken – 2017-12-04T12:01:37.907

@Ramon Considering that the application never uses the DNS record, how exactly would adapting the DNS record help? – Voo – 2017-12-04T12:45:40.000

4 IPs: A primary internet IP, B fallback internet IP, C the device IP, D the device fallback IP. You will health check IP A and return IP C for the device. If A goes down, return IP D. – Ramon Fincken – 2017-12-04T14:01:19.693

1@Ramon The application has hardcoded in some configuration "connect to IP A.B.C.D", the exact problem is that it is not asking which IP it should use. Or is the idea that they should run the application multiple times for each server IP and then switch applications? That could work assuming there's no licensing problems and it's possible to configure the applications to share stored state and there's no problem with running multiple applications with the same storage at the same time (this seems very unlikely for the vast majority of applications). – Voo – 2017-12-04T15:42:23.910

I see. In that case you need a proxy (nginx, haproxy, even iptables) which proxies all requests to that Route 53 (or equivalent) (sub-)domain, which points to the device IP. – Ramon Fincken – 2017-12-05T07:40:26.453

Or just full nginx with health checks, varnish will even suffice as well. – Ramon Fincken – 2017-12-05T07:41:25.493