Two Web Servers thru One Public IP

Started by spetrillo, June 12, 2024, 12:41:21 AM

Hello all,

I have two servers that host websites, one being Prod and the other being Test. I would like to be able to use one public IP. Each server has its own Apache and Nginx (reverse proxy) install. Right now it looks like everything gets pushed to the prod server, since that was the first server done. How can I get both servers to peacefully coexist thru one IP?

Thanks,
Steve

With a reverse proxy on OPNsense. There are at least three plugins that can do that: HAProxy, Nginx and Caddy. Pick what you are most comfortable with.

You must access the webservers via two different FQDNs for that to work.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

All of my websites have their own FQDNs, so that's not the issue.

As mentioned, each web server has its own Nginx implementation, so I was hoping I could just reconfigure for the test server. My initial thought was to use https://FQDN:<different port> and set up OPNsense firewall/NAT rules to take that and translate it to my test web server. The problem I have is one public IP, and Let's Encrypt does not like multiple internal IPs thru one public IP.

So now I am thinking about assigning a separate public IP for the test web server. I have 2 extra public IPs and can use one to do this, but I'm not sure how OPNsense would be configured. Would I just add another WAN port for this public IP and then get my firewall/NAT rules in place for it?

As you mentioned, I could move the reverse proxy capabilities up to the firewall, but this is now production and I cannot monkey around with it now. As soon as I enable Nginx I need to be ready for all.

If you want

- single IP (v4) address
- single (standard) port
- letsencrypt

There is no way around moving the reverse proxy and SSL termination to that single IP address and port. Which product to use for that remains your choice.

Which product would you recommend based on my needs? I have Nginx already implemented, so I am thinking this might be the path of least resistance?

If you use Nginx you need to integrate the acme-client somehow. The os-caddy plugin is essentially fire and forget and will do Let's Encrypt automatically. Just enable TLS, it will take care of everything.


Does os-caddy support TLS 1.3 and HTTP/3?

TLS 1.3 - of course.

HTTP/3 - also yes for Caddy itself, although I do not know the state of the plugin in that regard.

Should some option be missing from the plugin, @monviech has been really accepting to feature and merge requests.

https://caddyserver.com/features

June 12, 2024, 08:58:52 PM #9 Last Edit: June 12, 2024, 09:01:16 PM by Monviech
Caddy supports HTTP/3 reverse proxying in the upcoming version 2.8.4 that will be in the plugin version 1.5.7.

https://github.com/caddyserver/caddy/commit/5f6758dab5fc02f74233a92c53ba3b654e476dc0

But the feature is marked experimental, so I didn't give it a GUI option yet.


// EXPERIMENTAL: "3" enables HTTP/3, but it must be the only
// version specified if enabled. Additionally, HTTPS must be
// enabled to the upstream as HTTP/3 requires TLS. Subject
// to change or removal while experimental.

Hardware:
DEC740

Quote from: Monviech on June 12, 2024, 08:58:52 PM
Caddy supports HTTP/3 reverse proxying in the upcoming version 2.8.4 that will be in the plugin version 1.5.7. [...]


It definitely looks like a simpler implementation than HAProxy. Do you support both DNS-01 and HTTP-01? Is there a guide I should be looking to use, as I get this setup?


Thank you...it does not look too onerous!

One last question...I would assume that once I deploy Caddy I must turn off Nginx on my web servers.

Quote from: spetrillo on June 13, 2024, 08:48:56 PM
One last question...I would assume that once I deploy Caddy I must turn off Nginx on my web servers.
No. Caddy will receive and answer all requests from any client on the Internet to your public IP address, then relay these to your internal web hosts based on the respective FQDN. You can leave your internal hosts just as they are.

If the Nginx on your web servers implements TLS, you need to decide if you want OPNsense/Caddy to trust these certificates or simply enable the "don't care about the cert" button in the Caddy config.

Or have your Nginx servers use plain HTTP only and Caddy relay to that. This is what I do for most of my applications. I do not consider unencrypted traffic across a private switched network a security risk.
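
An added example (not from the thread, and not the Caddyfile the os-caddy plugin generates from its GUI) of what the two answers above describe: Caddy on the single public IP terminates TLS on port 443, picks the backend by the FQDN the client asks for, and relays to one backend over plain HTTP and to the other over TLS. The hostnames prod.example.com / test.example.com, the internal addresses 10.0.0.10 / 10.0.0.20, the e-mail address and the CA file path are assumptions for illustration only.

```caddyfile
# Added example, hand-written equivalent of the setup discussed in the thread.
# Assumed: prod.example.com -> 10.0.0.10, test.example.com -> 10.0.0.20,
# and an internal CA file at /usr/local/etc/caddy/internal-ca.pem.

{
	# Contact address for Let's Encrypt. Certificates for every site block
	# below are obtained and renewed automatically (HTTP-01 / TLS-ALPN-01),
	# so port 80 and 443 on the public IP must reach Caddy.
	email admin@example.com
}

# Production: Caddy terminates TLS on the public IP and relays plain HTTP
# to the internal Nginx, which keeps its existing vhost configuration.
prod.example.com {
	reverse_proxy 10.0.0.10:80
}

# Test: same public IP and the same port 443. The backend is selected only
# by the name in the TLS SNI / Host header, not by a different port.
# This backend still speaks TLS itself, so Caddy must decide whether to
# trust the certificate it presents.
test.example.com {
	reverse_proxy https://10.0.0.20:443 {
		transport http {
			# Option 1 (preferred): trust the CA that issued the backend cert.
			tls_trusted_ca_certs /usr/local/etc/caddy/internal-ca.pem
			# The upstream is addressed by IP, so state which name Caddy
			# should expect in the backend certificate.
			tls_server_name test.example.com

			# Option 2, the "don't care about the cert" choice: accept any
			# certificate from the upstream. Defensible only on a private
			# segment you control; it makes the hop MITM-able.
			# tls_insecure_skip_verify

			# Upstream HTTP/3 (Caddy 2.8.4, experimental, no GUI option yet):
			# "3" must be the only version listed and the upstream must be
			# https://, as the quoted source comment says.
			# versions 3
		}
	}
}
```

Before loading a hand-written file, `caddy validate --config Caddyfile --adapter caddyfile` catches syntax errors such as an unknown transport option. The point worth taking from the example is that both sites share one `:443` listener: nothing in the firewall/NAT layer distinguishes prod from test, only the name the client sends, which is why the earlier answer insists on two different FQDNs.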

Ahh, so I could consolidate SSL and certs with Caddy, and from Caddy to Nginx/Apache would be unencrypted port 80 access?