If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Configuring Mikrotik for Multiple Domains on Separate Servers

Started by reza10, Jun 01, 2023, 07:09 AM


reza10 (Topic starter)

Greetings!

In the current setup, there are two web servers with different domains and HTTPS support on two physical servers. The challenge is to ensure that the request is directed to the appropriate server based on the domain name.
While nginx can handle this with one server as master and the other as a slave, the question is whether Mikrotik tools can do the same.


jesusbond

The current architecture is flawed, which leads to a frequently asked question.

Instead of designating one server as the master and the other as the slave, it would be more accurate to create a server (or several for load balancing) that acts as a proxy and handles HTTPS interactions and certificate issuance. For each domain or site, there should be multiple servers. This setup, particularly when combined with virtualization, divides services into smaller pieces and simplifies infrastructure management.

meganiams

nginx can be arranged on Mikrotik through any available virtualization system, such as Metarouter. This allows for the installation and running of openwrt, which comes with nginx pre-installed. However, it is important to note that without these tools, Mikrotik cannot work with the OSI application level.

Do you need any more clarification on this topic or would you like me to elaborate more on virtualization systems?

Sergeydw

In theory, Layer7+DSTNAT is a possible option, although personally I wouldn't recommend it. It might be simpler to integrate nginx into your project for you and someone else.

Adding a load balancer to your application stack can greatly improve performance and resiliency, but it's important to carefully evaluate all available options before implementing any changes. Additionally, depending on the specific requirements of your project, different solutions may be more appropriate than others.

Kayasiascuh

Mikrotik routers can also be set up to handle this scenario using the built-in tools like "IP Firewall", "Layer 7 Protocols", and "Web Proxy". Here's a high-level overview of how you can achieve this:

1. Use IP Firewall rules to forward incoming traffic on port 443 (HTTPS) to the Mikrotik router itself.

2. Use Layer 7 Protocols to classify HTTPS traffic based on the domain name in the SNI (Server Name Indication) extension of the TLS handshake.

3. Based on the domain name classification, use the Web Proxy feature to redirect the traffic to the appropriate internal web server.

By combining these features, you can effectively direct incoming HTTPS traffic to the correct web server based on the domain name.

Please note that while Mikrotik routers are versatile and powerful, setting up complex traffic routing and management may require a good understanding of networking concepts and Mikrotik's configuration syntax. It's recommended to consult the official Mikrotik documentation or seek assistance from a network specialist for detailed configuration guidance.

Let's delve deeper into the detailed configuration steps for setting up a Mikrotik router to handle incoming HTTPS traffic for two different domain names and directing it to separate web servers. Here's how you can achieve this:

1. **Port Forwarding:**
   - Set up port forwarding on the Mikrotik router to forward incoming HTTPS traffic (on port 443) to the router itself. This can be achieved using the "IP Firewall" feature and the "Destination NAT" functionality.

   Example command:
   
   /ip firewall nat add chain=dstnat protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.1.2 to-ports=443
   

2. **SSL Certificate and SNI Inspection:**
   - Ensure that your Mikrotik router has a valid SSL certificate installed if it will be terminating the SSL/TLS connection. This is necessary for SNI inspection.
   - Use Layer 7 Protocols to classify incoming HTTPS traffic based on the SNI extension, which contains the domain name in the TLS handshake.

   Example commands:
   
   /ip firewall layer7-protocol
   # each pattern has to contain the host name carried in the SNI extension;
   # the bare TLS record header ^\x16\x03\x01 on its own matches every handshake
   add name=domain1 regexp="^\\x16\\x03.*www\\.domain1\\.com"
   add name=domain2 regexp="^\\x16\\x03.*www\\.domain2\\.com"
   

3. **Traffic Redirection:**
   - Based on the classification of the Layer 7 protocol, utilize the Web Proxy feature to redirect the traffic to the appropriate internal web server.

   Example commands:
   For domain1:
   
   /ip proxy access add dst-host=www.domain1.com action=allow
   /ip proxy access add dst-host=www.domain2.com action=deny
   /ip proxy access add action=deny
   

   For domain2:
   
   /ip proxy access add dst-host=www.domain2.com action=allow
   /ip proxy access add dst-host=www.domain1.com action=deny
   /ip proxy access add action=deny
   

These configurations will allow the Mikrotik router to intercept incoming HTTPS traffic, inspect the SNI extension to determine the domain, and then direct the traffic to the appropriate internal web server based on the domain name.

Please be aware that setting up SSL/TLS termination on the router requires careful consideration of security best practices, such as ensuring the confidentiality and integrity of the encrypted traffic. Additionally, real-world scenarios may require more extensive configuration and consideration of factors such as load balancing, high availability, and failover mechanisms.

To further expand on the Mikrotik setup for directing HTTPS traffic to different web servers based on domain names, let's continue with the advanced configuration steps:

4. **Web Server Setup:**
   - Ensure that the internal web servers hosting the domains are properly configured to serve HTTPS traffic. Each web server should have a valid SSL certificate and be listening on port 443 for incoming HTTPS requests.

5. **Destination Filtering:**
   - After classifying the Layer 7 protocols based on the domain name in the SNI extension, use routing and forwarding rules to direct the traffic to the appropriate web server.
   
   Example commands:
   
   # mark-routing has to be applied in the prerouting chain (chain is a required parameter)
   /ip firewall mangle add chain=prerouting protocol=tcp layer7-protocol=domain1 action=mark-routing new-routing-mark=to-domain1
   /ip firewall mangle add chain=prerouting protocol=tcp layer7-protocol=domain2 action=mark-routing new-routing-mark=to-domain2
   

6. **Routing and Forwarding:**
   - Configure routing marks and routes to forward the marked traffic to the correct internal web servers.
   
   Example commands:
   
   /ip route add dst-address=0.0.0.0/0 gateway=your-internet-gateway routing-mark=to-domain1
   /ip route add dst-address=0.0.0.0/0 gateway=your-internet-gateway routing-mark=to-domain2
   

7. **Verification and Monitoring:**
   - Monitor the traffic flow using tools such as "IP Firewall Connection Tracking" and "Traffic Flow" to ensure that the HTTPS traffic is being correctly classified and forwarded to the designated web servers.

By implementing these additional steps, you can create a comprehensive solution for distributing incoming HTTPS traffic to the appropriate web servers based on the requested domain names.

It's essential to thoroughly test and validate the configuration to ensure that traffic is correctly routed and that the web servers are serving the expected content. Additionally, consider factors such as security, scalability, and high availability when deploying such a setup in a production environment.
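An added example (not code from this thread, from MikroTik, or from any project mentioned here) showing what a router rule actually has to find inside the TLS handshake before it can split two domains. The Python below parses the SNI host name out of a TLS ClientHello record, maps it to a backend, and handles the two failure modes a real deployment meets: a client that sends no SNI at all, and data that is not a TLS handshake. The `build_client_hello` helper, the `BACKENDS` table and the `192.168.1.3` address are constructed for this example; only `192.168.1.2` comes from the thread. `header_prefix_matches` is the check the bare `^\x16\x03\x01` pattern performs, and it is true for both domains, which is why a Layer 7 rule meant to tell them apart has to include the host name.

```python
"""Extract the SNI host name from a TLS ClientHello and pick a backend."""
import struct

# Constructed host-name -> internal server table (assumption for this example;
# 192.168.1.3 is made up, 192.168.1.2 is the address used in the thread).
BACKENDS = {
    "www.domain1.com": ("192.168.1.2", 443),
    "www.domain2.com": ("192.168.1.3", 443),
}


def build_client_hello(server_name=None):
    """Build a minimal, structurally valid TLS 1.2 ClientHello record.

    Only used to construct sample input; a real browser sends many more
    cipher suites and extensions, but the framing is the same.
    """
    body = b"\x03\x03" + bytes(32)            # client_version + random
    body += b"\x00"                           # session_id length 0
    body += b"\x00\x02\xc0\x2f"               # one cipher suite
    body += b"\x01\x00"                       # compression methods: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # record header: content type 0x16 (handshake), version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def header_prefix_matches(record):
    # Equivalent of the regexp ^\x16\x03\x01: true for any TLS handshake
    # record with a 3.1 record-layer version, whatever the domain is.
    return record.startswith(b"\x16\x03\x01")


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None.

    None covers: not a handshake record, not a ClientHello, truncated or
    malformed data, and a client that sent no server_name extension.
    """
    if len(record) < 5 or record[0] != 0x16 or record[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None  # truncated: a router only sees the first packets
    try:
        pos = 34                                      # version(2) + random(32)
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type == 0x0000:                    # server_name
                off = 2                               # skip ServerNameList length
                while off + 3 <= len(data):
                    name_type = data[off]
                    name_len = struct.unpack("!H", data[off + 1:off + 3])[0]
                    off += 3
                    if name_type == 0:                # host_name
                        return data[off:off + name_len].decode("ascii", "replace")
                    off += name_len
    except (IndexError, struct.error):
        return None
    return None


def choose_backend(record):
    """Map a ClientHello to (host, port); None when no rule applies.

    Returning None for an unknown or missing name is deliberate: the rule
    set should have an explicit default (drop, or a catch-all server)
    instead of silently sending the connection to the first backend.
    """
    name = extract_sni(record)
    if name is None:
        return None
    return BACKENDS.get(name.lower())


if __name__ == "__main__":
    for sample in ("www.domain1.com", "www.domain2.com", None):
        rec = build_client_hello(sample)
        print(sample, header_prefix_matches(rec), extract_sni(rec), choose_backend(rec))
```

Run it and the first two samples both pass the header-prefix check while only the host name separates them; the third sample (no SNI) yields no backend, which is the case a production rule set must decide on explicitly.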

