If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...

 

Domain-based External Access to Local Network

Started by allricjohnson, May 31, 2023, 12:18 AM

Previous topic - Next topic

allricjohnsonTopic starter

Is there a way to organize external access to the local network based on domains?
I  have a local network comprising of two servers, a router, one IP, and two domains.
The current setup involves Nginx running on one server which is reverse proxied to the second server while port forwarding is done on the router to the first server creating a configuration like so - Router <---> Server 1 <---> Server 2.
However, this approach seems like a temporary solution. Is there a more permanent and efficient way of achieving the same result?
  •  

levimurphynh

The domain name system has multiple record types, including the A record which holds the server's IP address. This IP will be the same for both domains. Assuming you require HTTP access, port 80 should be used along with the same IP for both domains. This means that requests will be sent to the IP address on port 80 and the router will have to direct them to the correct server by parsing the Host header in the HTTP protocol through a firewall or other solutions like nginx or lighthttp. The type of router you have will play a crucial role in determining what solution will work. If you require SSH access, it's possible to spread it across different server ports.

For HTTPS (port 443), both servers can be accessed if the visitor's browser supports the TLS SNI extension. The router won't be natively able to parse headers. SRV DNS records exist, but their use depends on the SSH client and whether it works with XMPP, SIP, and Poch. When an SSH client searches for SRV records in DNS, it then needs to locate them.
  •  

gazetkabiedronka

Moving the nginx external port to the router would be ideal, as it allows for resolving one port based on the requested domain name through either nginx or haproxy rules.
This makes it easier to access the desired internal IP address. An SSH tunnel via Putty is another option for administration, as it allows for connecting to multiple servers and their services on a remote network at once. By binding all necessary tunnels to 127.0.0.1, software can be configured to work through this port. Simply starting Putty when needed makes connecting hassle-free.

Do you have any experience with configuring network servers?
  •  

Secureemailservice

By setting up port forwarding, you have the ability to run multiple servers on different ports. Once the router has been configured with the appropriate settings, everything should work smoothly. However, one drawback of this method is that when connecting, the specific port must be specified.

When attempting to avoid proxying from one server to another, port forwarding is the only solution. Otherwise, you would need a dedicated "DNS type" server to redirect traffic.

Overall, port forwarding can be a helpful tool for those who need to run multiple servers with ease but may require additional setup and configuration to function properly.
  •  

lincon

Yes, there are several ways to organize external access to your local network based on domains. One common approach is to use a reverse proxy server, such as Nginx, as you mentioned. This allows you to route incoming requests based on the domain name specified in the request's header.

To make this setup more permanent and efficient, you might consider the following steps:

1. Set up a dedicated reverse proxy server: Instead of running Nginx on one of the servers in your local network, you can set up a separate machine solely responsible for reverse proxying.

2. Use a DNS provider: Register your domain names with a DNS provider and configure DNS records to point to the public IP address of your router. This way, the incoming requests for your domains will be directed to your router's public IP.

3. Configure port forwarding: Set up port forwarding on your router to forward incoming requests on specific ports to the internal IP address of your new reverse proxy server. This ensures that the requests are forwarded to the correct server within your local network.

4. Set up Nginx as a reverse proxy: Configure Nginx on the reverse proxy server to listen for incoming requests on the forwarded ports and reverse proxy them to the appropriate server within your local network based on the domain name specified in the request.

additional considerations to make your setup even more robust and secure:

1. Enable HTTPS: To secure the communication between external clients and your local network, consider enabling HTTPS on your reverse proxy server. You can obtain an SSL/TLS certificate for your domains and configure Nginx to handle encrypted connections.

2. Implement authentication: If you want to restrict access to certain resources or add an extra layer of security, you can implement authentication on your reverse proxy server. Nginx supports various authentication methods, such as basic authentication or integrating with third-party authentication providers.

3. Use a load balancer: If you anticipate high traffic or want to distribute requests across multiple servers for scalability and redundancy, you can introduce a load balancer between the reverse proxy server and your backend servers. This ensures that incoming requests are evenly distributed among the servers.

4. Set up firewall rules: Configure firewall rules on your router and reverse proxy server to only allow incoming traffic on the necessary ports and from trusted sources. This helps prevent unauthorized access to your network.

5. Regularly update and patch software: Keep your router, reverse proxy server, and backend servers up to date with the latest security patches and updates to protect against potential vulnerabilities.

advanced options to consider for organizing external access to your local network based on domains:

1. Consider using a dedicated firewall: Instead of relying solely on router firewall rules, you can use a dedicated firewall appliance or software to provide advanced security features like intrusion detection and prevention, deep packet inspection, and network segmentation.

2. Set up a Virtual Private Network (VPN): If you want to allow secure remote access to your local network, you can set up a VPN server. This enables users to securely connect to your network from anywhere and access your resources as if they were directly connected to the local network.

3. Utilize containerization or virtualization: Instead of running your services directly on the servers, you can utilize containerization platforms like Docker or virtualization technologies like VMware or VirtualBox. This allows you to isolate services within their own containers or virtual machines, making it easier to manage and scale your infrastructure.

4. Implement serverless architecture: In a serverless architecture, you can leverage cloud-based services like AWS Lambda or Google Cloud Functions to host individual functions or microservices. This eliminates the need for maintaining traditional servers while providing scalability and cost efficiency.

5. Use a content delivery network (CDN): If your websites or applications experience high traffic or have a global audience, consider using a CDN to cache and serve static content from edge servers located geographically closer to your users. This can improve performance and reduce latency.
  •  

anirmanger

I'd recommend using a dedicated reverse proxy service like Cloudflare or Nginx Plus. These services can handle SSL termination, caching, and traffic management, freeing up resources on your local servers. You can configure these services to route traffic based on the requested domain, simplifying your local network setup.
  •  


If you like DNray forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...