[Reverse Proxy] Multiple localhost Web UI Connections -> Different Ports

Hello everyone,

I’ve tried everything and searched the web as much as I could and finally need some help. What I want to do is simple and I feel I could easily do it with Apache or NGINX, but I have not been successful. I have a localhost address, for example 192.168.1.50. The localhost has multiple web UIs on different ports.

192.168.1.50:9117
192.168.1.50:8989
192.168.1.50:7878
192.168.1.50:32400
192.168.1.50:5000

Now, I want to allow access to these addresses publicly and I’m using Cloudflare to forward the domain to my public address. As you all know, DNS is not responsible for redirecting towards a specific port, only a public address such as an A record IPv4 address. I made attempts to do reverse proxy with NGINX and Apache2 but to no avail.

I’d like to forward these local addresses to a public domain like so in this example:

web1.example.com -> 192.168.1.50:9117
web2.example.com -> 192.168.1.50:8989
web3.example.com -> 192.168.1.50:7878
web4.example.com -> 192.168.1.50:32400
web5.example.com -> 192.168.1.50:5000

I’m not entirely sure if this is considered off-topic but I’m assuming I need to make some sort of modification to my Turris Mox firewall settings. I’ve always port forwarded which seems like an obvious answer but that did not work.

NOTE: I attempted to do reverse proxy through my local server and not the router.

Any help would be appreciated, thank you.

EDIT:

/etc/apache2/sites-available/web4.example.com.conf

<VirtualHost *:80>
ServerAdmin example@example.com
ServerName web4.example.com
ServerAlias web4.example.com
ProxyRequests Off

    #ProxyPass / http://localhost:8080/
    <Location />
            ProxyPreserveHost On
            ProxyPass http://192.168.1.50:32400
            ProxyPassReverse http://192.169.1.50:32400
    </Location>
 # Uncomment the line below if your site uses SSL.
 # SSLProxyEngine On

</VirtualHost>

I attempted this on my local server and not on my Turris Mox router.

Hi
Since webx.example must have a fixed address, I would see the solution using the stateful firewall. There is a lot of documentation about the firewall and there can be no problem finding a specific solution. My English is not good, but I think reason read DNAT and redirect the source IP (web.example) to the internal address and port.

EDIT: DNAT can’t do source IP. Solution: postrouting SNAT.

Does this solution mask the public IP with the domain as well?

The iptables rules are unlimited. Advanced setup is not easy. It will have to allow redirection to the internal site and then rewrite the addresses to the right ports “snat”; also, I think, some rule for outgoing traffic “dnat”. Everything can be controlled by using the tcpdump filter. As for details and exact solutions, sorry, but it has been more like 12 years since I did this.

This looks like the correct approach; I have a similar setup.
What needs to be done: in DNS (on Cloudflare), create an A record for your domain pointing to your router's external address, and add CNAME records for all your webX.example.com

A example.com -> x.x.x.x where x.x.x.x is your external IP of router
CNAME web1.example.com -> example.com
CNAME web2.example.com -> example.com
CNAME web3.example.com -> example.com
CNAME web4.example.com -> example.com
CNAME web5.example.com -> example.com

In your firewall, forward port 80 from WAN to your local server running apache2.
Now in the Apache configuration, similar to your posted example, remove the Location tags and comment out ServerAlias.

You have to create a VirtualHost for each of your web servers; in your example you will have 5 VirtualHost sections in the same file.

You need to create a link to your file so that it is available in /etc/apache2/sites-enabled (Apache does not look in the sites-available folder).

Side note: you are using port 80 (HTTP), which is quite insecure. Better to get SSL certificates for your domain and run everything over HTTPS (port 443).
You can install letsencrypt, which will create free certificates for your domains, allowing you to use HTTPS and disable plain-text communication.

Would you use Cloudflare’s proxy for SSL? I’m assuming it’d be best to just generate the SSL certificates myself like you suggested but I do not know the specific parameter that apache2 uses to grab the generated certificates. I’m now following your suggestion as I type this though.

EDIT: It seems to be working, however I receive a proxy error:

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: DNS lookup failure for: 192.168.1.180:32400web

/etc/apache2/sites-enabled/web1.example.com

<VirtualHost *:80>
ServerAdmin **@***.com
ServerName ***
# ServerAlias ***
ProxyRequests Off

    #ProxyPass / http://localhost:8080/
      ProxyPreserveHost On
      ProxyPass / http://192.168.1.180:32400
      ProxyPassReverse / http://192.168.1.180:32400
 # Uncomment the line below if your site uses SSL.
 # SSLProxyEngine On

</VirtualHost>

FINAL EDIT: Found my answer, forgot to add a / after the local host.

Changed http://192.168.1.180:32400 to http://192.168.1.180:32400/

SILLY ME :joy:

Thank you very much to everyone who helped me!

1 Like
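
The missing trailing slash fixed in the post above (Apache appended the request path straight onto the backend URL, giving `192.168.1.180:32400web`) and the differing `ProxyPass` / `ProxyPassReverse` backends in the first config can both be caught before Apache is reloaded. The following is an added example, not code from the thread or from the Apache project; `lint_proxy_config` is a hypothetical helper, the sample config is constructed, and the `ProxyPassReverse` comparison is a heuristic rather than an Apache rule.

```python
import re
# Constructed sample: both proxy mistakes seen in this thread, in one vhost.
SAMPLE = """\
<VirtualHost *:80>
    ProxyPass / http://192.168.1.50:32400
    ProxyPassReverse / http://192.169.1.50:32400
</VirtualHost>
"""

def lint_proxy_config(text):
    """Return (line_number, message) findings for ProxyPass/ProxyPassReverse."""
    findings, location, targets = [], None, {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+?)>", line, re.I)
        if opened:  # inside <Location> the path comes from the section itself
            location = opened.group(1).strip('"')
            continue
        if re.match(r"</Location>", line, re.I):
            location = None
            continue
        if re.match(r"</?VirtualHost", line, re.I):
            targets = {}  # each vhost has its own path -> backend mappings
            continue
        parts = [p.strip('"') for p in line.split()]
        directive = parts[0].lower()
        if directive not in ("proxypass", "proxypassreverse"):
            continue
        args = ([location] if location is not None else []) + parts[1:]
        if len(args) < 2:
            findings.append((no, f"{parts[0]} needs a path and a backend URL"))
            continue
        path, url = args[0], args[1]
        if url == "!":  # "ProxyPass /path !" is an exclusion, not a mapping
            continue
        if directive == "proxypass":
            targets[path] = url
            # The rest of the request path is appended to the URL as-is.
            if path.endswith("/") != url.endswith("/"):
                findings.append((no, f"trailing-slash mismatch: {path} -> {url}"))
        elif path in targets and targets[path] != url:
            findings.append((no, f"ProxyPassReverse {url} != ProxyPass {targets[path]}"))
    return findings

if __name__ == "__main__":
    for no, message in lint_proxy_config(SAMPLE):
        print(f"line {no}: {message}")
```

`apachectl configtest` accepts both mistakes because they are syntactically valid, which is why a separate check like this is useful.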

I use certbot (https://certbot.eff.org/); it generates certificates and updates the apache2 configuration automatically. You will also need to forward both ports 80 and 443 to be able to pass domain name validation. Certificates will be stored on your web server and will need to be renewed periodically; this can also be automated with cron and the correct certbot command.