Hello all you lovely people!

I’m trying to figure out if I can port forward to different servers based on the destination domain.

I have a domain with a wildcard cert and I’d like to be able to route all traffic headed towards “1.domain.com” to a server I’m calling “1”. I’d still like traffic headed to domain.com to go to where it’s currently going, we can call this server “0”, and to be able to have a 2.domain.com or 3 or 4 in the future.

I thought that having a port forward rule with: interface: WAN; protocol: any; source: any; destination: a URL alias including 1.domain.com; redirect target IP: local IP would work, but it doesn’t seem to. Any tips?

  • greco@lemmy.world
    9 months ago

    This won’t work. At the level you are looking to route the packets, there is no concept of which domain the request was intended for. You need a service that knows how to look at that packet, and forward it appropriately.

    What you need to look into is a Reverse Proxy such as haproxy, caddy, or nginx (no specific order). I use haproxy to do something similar, but only on my internal network (with wireguard to access those when I am elsewhere).

    Whichever reverse proxy you pick will be responsible for looking at those packets coming into it, and can determine the intended domain to route them appropriately, either through SNI, or more likely by unwrapping the TLS on the packet.

    I’d be careful with doing this, as you are letting whatever outside traffic into your network, so it’s up to you to assess the risk for your use case and make the appropriate mitigations.

    • doctorzeromd@lemmy.worldOP
      9 months ago

      I’m familiar with reverse proxies, but that won’t do ALL traffic, right? Just http or https?

      Like if I want to ssh into the different servers, it won’t handle that, will it? (Not saying ssh is my goal, I recognize how risky that would be)

      • greco@lemmy.world
        9 months ago

        It will accept all traffic sent to it via the ports it is listening on, just like any other service. It doesn’t have to forward everything though, and what it does with that is up to its configuration options and what you do with those.

        Since you mentioned the wildcard cert, I assumed you were talking about services that speak http/s, and that they’d probably be on port 443. Those were a lot of assumptions by me.

        If it’s not an http/s type service, what kind of services are we talking about?

        • doctorzeromd@lemmy.worldOP
          9 months ago

          I’d like to self host matrix, and it seems like there are a bunch of not HTTP/s ports that need to be accessible

          • greco@lemmy.world
            9 months ago

            Can you maybe share some more information? Do you have a list of services, how you want them mapped, etc.?

  • knF@lemmy.world
    9 months ago

    I think you can achieve it with a reverse-proxy. Let’s say that domain.com points at server 0, you’ll have to put a reverse proxy that answers all calls. In the config of the reverse proxy you’ll have to redirect the services based on the domain. I’m using Caddy and this example should work:

    0.domain.com {
        reverse_proxy http://X.X.X.X:8080
    }
    1.domain.com {
        reverse_proxy http://Y.Y.Y.Y:8123
    }
    

    And so on.

    EDIT: Looks like I was late to the party! +1 to @greco’s reply as it’s more complete and clear (especially on the risks of this approach)

  • Brownian Motion@lemmy.world
    8 months ago

    You can do this with HAProxy already in opnsense. And yes you can route more than just HTTP. (When you are making the Backend rules, switch from Layer 7 to Layer 4.) Only thing is that it will do TCP, but not UDP.

    As you have posted, port forward cannot tell what the domain even is. (and the url alias is not used the way you are thinking).

  • bready2die@lemmy.blahaj.zone
    9 months ago

    what you’re looking for is a reverse proxy. there’s plenty of guides online for setting one up in OPNsense with HAProxy - this one looks pretty solid
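
Added example, not part of the thread or of any poster's setup: a Python sketch of what a Layer 4 (TCP mode) proxy does to route by SNI, as the replies above describe. It reads the hostname from the TLS ClientHello, which is where the domain first appears on the wire, and refuses anything without a known name. The backend map, the constructed ClientHello and the sample SSH banner are assumptions made up for illustration.

```python
import struct

# Hypothetical backend map for this sketch; hostnames are the thread's placeholders.
BACKENDS = {"domain.com": "server 0", "1.domain.com": "server 1"}

def build_client_hello(hostname=None):
    """Construct a minimal TLS ClientHello record (sample input, built here)."""
    ext = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        ext = struct.pack("!HH", 0, len(sni)) + sni              # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type 22 = handshake

def extract_sni(data):
    """Return the SNI hostname from the first bytes of a TCP stream, or None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                   # not a TLS ClientHello
            return None
        pos = 5 + 4 + 2 + 32                                     # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                                     # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]        # cipher suites
        pos += 1 + data[pos]                                     # compression methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]   # end of extensions block
        pos += 2
        while pos + 4 <= min(end, len(data)):
            etype, elen = struct.unpack_from("!HH", data, pos)
            if etype == 0:                                       # server_name extension
                nlen = struct.unpack_from("!H", data, pos + 7)[0]
                name = data[pos + 9:pos + 9 + nlen]
                return name.decode("ascii").lower() if len(name) == nlen else None
            pos += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                     # truncated or malformed hello
    return None

def pick_backend(first_bytes):
    """Layer 4 decision: known SNI -> backend; anything else is refused, not forwarded."""
    return BACKENDS.get(extract_sni(first_bytes) or "", "reject")

if __name__ == "__main__":
    for sample in (build_client_hello("1.domain.com"), b"SSH-2.0-OpenSSH_9.6\r\n"):
        print(pick_backend(sample))
```

The constructed SSH banner carries no server name, so it falls through to the reject default instead of being forwarded to a backend.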