Implementation of domain-name-based layer-7 forwarding (NAT + reverse proxy), a kind of layer-7 NAT
In the company's actual office network there is only one outbound IP address, so port mapping is required to provide external services. If several services are to be exposed, they can only be distinguished by mapping different ports, which is very painful in actual use (hard to remember, the one-to-one correspondence follows no rule, and the port has to be typed when accessing). The pain is illustrated in a table:
| Public IP | Public Port Number | Internal IP | Internal Port Number | Note |
|---|---|---|---|---|
| 1.1.1.1 | 80 | 192.168.1.10 | 80 | Service A |
| 1.1.1.1 | 81 | 192.168.1.11 | 80 | Service B |
| 1.1.1.1 | 8080 | 192.168.1.25 | 80 | Service C |
| 1.1.1.1 | 443 | 192.168.1.26 | 443 | Service D |
| 1.1.1.1 | 444 | 192.168.1.35 | 443 | Service E |
When many services need to be opened to the outside world, the NAT method, awkward and hard to remember as it is, can at least meet the need (fewer than 65535 ports are available). However, if services A, B and C all want (or must) use the default ports 80 and 443, a single public IP address cannot satisfy them. If the following mapping could be implemented instead, it would be perfect:
| Domain Name | Public IP | Public Port Number | Internal IP | Internal Port Number | Note |
|---|---|---|---|---|---|
| A.example.com | 1.1.1.1 | 80 | 192.168.1.10 | 80 | Service A |
| B.example.com | 1.1.1.1 | 80 | 192.168.1.11 | 80 | Service B |
| C.example.com | 1.1.1.1 | 80 | 192.168.1.25 | 80 | Service C |
| D.example.com | 1.1.1.1 | 443 | 192.168.1.26 | 443 | Service D |
| E.example.com | 1.1.1.1 | 443 | 192.168.1.35 | 443 | Service E |
First, the analysis. Traditional NAT cannot do this, because NAT maps Layer 3 IP addresses and Layer 4 ports, while the domain name (for example in the HTTP Host header) lives entirely at layer 7. To implement it we can only use a tool that parses the layer-7 HTTP protocol. After some research, we found that a reverse proxy can do it. That's great. There are plenty of reverse proxy tools: squid, apache, nginx, haproxy, mysql proxy, etc. This article only describes the implementation for http and https.
With the tool chosen, consider how to deploy it:
(1) Resolve the domain name to the public IP address of the router --> install squid on the router (pfSense) --> configure the reverse proxy (enable http and https reverse proxy, host mapping, forwarding by domain-name regular-expression match) --> done (requires router support);
(2) Resolve the domain name to the public IP address of the router --> do traditional NAT on the router, forwarding ports 80 and 443 to the reverse proxy server --> configure the reverse proxy server --> done (the common method);
With the first method I have implemented the http reverse proxy. For https, however, squid does not support SNI (Server Name Indication) and can only serve one https site; in addition, the squid software may not be installable on the routers many companies use, so I introduce the general method below: install nginx on Linux to build a reverse proxy that supports layer-7 domain-name-based forwarding.
Download the openssl library:

```sh
wget http://www.openssl.org/source/openssl-1.0.1h.tar.gz
tar xzvf openssl-1.0.1h.tar.gz
# nginx is pointed at this source tree below with --with-openssl
mv openssl-1.0.1h /usr/local/openssl-1.0.1h/
```
Download nginx and add SNI support when compiling:

```sh
yum install pcre-devel
yum install zlib-devel
wget http://nginx.org/download/nginx-1.6.0.tar.gz
tar xzvf nginx-1.6.0.tar.gz
cd nginx-1.6.0
# build OpenSSL from the tree above with TLS extensions (SNI) enabled
./configure \
  --user=nginx \
  --group=nginx \
  --with-http_ssl_module \
  --with-openssl="/usr/local/openssl-1.0.1h/" \
  --with-openssl-opt="enable-tlsext" \
  --with-http_stub_status_module
make
make install
```
Check the nginx installation (the key line is "TLS SNI support enabled"):

```
[root@svn ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.6.0
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-54)
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --with-http_ssl_module --with-openssl=/usr/local/openssl-1.0.1h/ --with-openssl-opt=enable-tlsext --with-http_stub_status_module
```
Configure the reverse proxy server:

```
[root@svn ~]# more /usr/local/nginx/conf/nginx.conf
```

```nginx
# server blocks below live inside the http { } block of nginx.conf
########### https server reverse proxy
# the server_name matched against the client's SNI decides which certificate is presented
server {
    listen 10010 ssl;
    server_name app.wei.com;
    # set up your cert paths
    ssl_certificate_key /usr/local/nginx/conf/ssl/app_wei.key;
    ssl_certificate     /usr/local/nginx/conf/ssl/app_wei.crt;
    location / {
        proxy_pass https://192.168.100.123;
    }
}
server {
    listen 10010 ssl;
    server_name secure.wei.com;
    # set up your cert paths
    ssl_certificate_key /usr/local/nginx/conf/ssl/mars-server.key;
    ssl_certificate     /usr/local/nginx/conf/ssl/mars-server.crt;
    location / {
        proxy_pass https://192.168.100.177:443;
    }
}
########### http server reverse proxy
# plain http is routed on the Host header
server {
    listen 10086;
    server_name secure.wei.com;
    location / {
        proxy_pass http://192.168.100.177;
    }
}
server {
    listen 10086;
    server_name dobby.wei.com;
    location / {
        proxy_pass http://192.168.100.148;
    }
}
```
Router NAT mapping: 1.1.1.1:80 --> port 10086 of the reverse proxy; 1.1.1.1:443 --> port 10010 of the reverse proxy.
Restart nginx and it is ready to use. The effect is completely transparent to the client:
```
$ curl -I https://app.wei.com
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 26 Jul 2014 01:48:14 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.8
```
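To make the layer 3/4 versus layer 7 distinction concrete, here is an added example (Python, not the article's code) that extracts the two routing keys a reverse proxy sees and plain NAT does not: the HTTP Host header and the TLS server_name (SNI) extension of the ClientHello, then looks up the backend using the server_name/proxy_pass pairs from the nginx.conf above. The ClientHello builder and the sample request are constructed inputs; only the backend addresses come from the article.

```python
import struct
# Backend table copied from the article's nginx.conf; the code is an added example, not the article's.
BACKENDS = {(10086, "secure.wei.com"): "192.168.100.177:80", (10086, "dobby.wei.com"): "192.168.100.148:80",
            (10010, "app.wei.com"): "192.168.100.123:443", (10010, "secure.wei.com"): "192.168.100.177:443"}

def http_host(request: bytes):
    """Layer-7 routing key for plain HTTP: the Host header value (port stripped, lower-cased)."""
    for line in request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return None

def tls_sni(record: bytes):
    """Layer-7 routing key for HTTPS: server_name (RFC 6066) from a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:              # 0x16 = handshake record
        return None
    hs = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    if len(hs) < 4 or hs[0] != 0x01:                      # 0x01 = ClientHello
        return None
    p = 4 + 2 + 32                                        # handshake header, client_version, random
    p += 1 + hs[p]                                        # session_id
    p += 2 + struct.unpack_from("!H", hs, p)[0]           # cipher_suites
    p += 1 + hs[p]                                        # compression_methods
    if p + 2 > len(hs):
        return None                                       # legacy client without any extensions
    end, p = p + 2 + struct.unpack_from("!H", hs, p)[0], p + 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hs, p)
        p += 4
        if etype == 0:                                    # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack_from("!H", hs, p + 3)[0]
            return hs[p + 5:p + 5 + name_len].decode("ascii").lower()
        p += elen
    return None                                           # no SNI: nginx would use its default server block

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def route(listen_port: int, payload: bytes):
    """Choose the backend as the article's nginx does: Host header on 10086, SNI on 10010."""
    name = http_host(payload) if listen_port == 10086 else tls_sni(payload)
    return BACKENDS.get((listen_port, name))
```

A client that sends no SNI yields None; nginx then answers with the certificate of the first server block on that port and the browser reports a name mismatch, which is why the "TLS SNI support enabled" line is checked above.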
References:
Using the Nginx Web Server as a Reverse Proxy: Multiple SSL Sites with a Single IP Address
http://www.informit.com/articles/article.aspx?p=1994795
[squid-users] Reverse proxy with multiple SSL sites
http://www.squid-cache.org/mail-archive/squid-users/201406/0102.html
SNI: SSL/TLS authentication for multi-domain virtual hosts
http://www.ttlsa.com/web/sni-multi-domain-virtual-host-ssl-tls-authentication/
http://www.ttlsa.com/web/multiple-https-host-nginx-with-a-ip-configuration/
Nginx reverse proxy for multiple independent web servers
If there are multiple domain names, use one server block per domain name and proxy_pass each to its own web server or upstream.
Could a reverse proxy be implemented without any reverse proxy software, by setting redirection directly in the routing table?
For example, the "Forwarding Rules" - "Virtual Server" page of a TP-Link household router describes it as follows:
The Virtual Server defines the mapping between the WAN service port and the LAN network server. All accesses to the WAN service port will be redirected to the LAN network server specified by the IP address.
You can set the port, the IP address, and the transport-layer protocol (TCP/UDP).
NAT ......
But if there is no filtering or buffering, I don't know whether it can be regarded as a proxy ......