views: 338

answers: 2

Hello!

Right now I have a firewall (iptables, Apache, Squid, DNS installed) and an application server behind the firewall.

Incoming traffic on port 443 (HTTPS) of the firewall is redirected to the app server by iptables. So basically, neither Apache nor any other application on the firewall is seeing HTTPS traffic. There is some web content that I serve directly from the firewall -- it reaches Apache through port 80.

Now I'd like to add some extra servers and install on them other web services.

How can I configure the firewall computer to route incoming traffic based on domain names to the required hosts?

What are the common practices, technologies, and tools?

In the current setup all domains that I own will go to the same server, regardless of their name, if they come through port 443. So I want, for example, foo.com to go to server1 and bar.com to be served by server2, regardless of the port.

Thank you very much!

+3  A: 

You're going to need more IP addresses.

The problem with HTTPS is that the certificate (containing the domain name) is sent before the client can send the Host: header with the requested domain name in it.

If you have https://foo.com and https://bar.com, and foo.com and bar.com are on the same IP, then browsing to bar.com will get the foo.com certificate and fail with a certificate validation error.

Once you have multiple IP addresses on the firewall, it is straightforward to route each one to a different server.

pjc50
A: 

I was actually looking into this same thing just recently. Using mod_proxy to set up Apache as a reverse proxy for the other servers was one of the better options I had seen. I'm curious what others will come up with though.

As pjc50 mentions though, this will not work with multiple domains on HTTPS.

Eric Petroelje
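Putting the two answers together, here is an added example (not configuration from the question or either answer) of what the firewall's Apache could look like: name-based reverse proxying with mod_proxy for port 80, as Eric's answer suggests, and one public IP per HTTPS name, as pjc50's answer requires. The public addresses 203.0.113.10/.11, the backend addresses 10.0.0.11/.12, and the certificate paths are all assumed values chosen for the example.

```apache
# Added example, not from the original question or answers.
# Requires mod_proxy, mod_proxy_http and mod_ssl to be loaded.
# All addresses, hostnames and certificate paths are assumed.

# Never act as an open forward proxy: only the reverse-proxy
# targets configured below may be reached through this server.
ProxyRequests Off

# HTTP: Apache picks the virtual host from the Host: header,
# so every name can share one public IP.
NameVirtualHost 203.0.113.10:80

<VirtualHost 203.0.113.10:80>
    ServerName foo.com
    # Pass the original Host: header to the backend so it can
    # build correct absolute URLs and redirects.
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.11/
    ProxyPassReverse / http://10.0.0.11/
</VirtualHost>

<VirtualHost 203.0.113.10:80>
    ServerName bar.com
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.12/
    ProxyPassReverse / http://10.0.0.12/
</VirtualHost>

# HTTPS: the certificate is selected by IP:port before any
# Host: header is seen, so each name gets its own public IP
# and its own certificate.
<VirtualHost 203.0.113.10:443>
    ServerName foo.com
    SSLEngine On
    # Assumed certificate and key locations.
    SSLCertificateFile    /etc/ssl/certs/foo.com.crt
    SSLCertificateKeyFile /etc/ssl/private/foo.com.key
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.11/
    ProxyPassReverse / http://10.0.0.11/
</VirtualHost>

<VirtualHost 203.0.113.11:443>
    ServerName bar.com
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/bar.com.crt
    SSLCertificateKeyFile /etc/ssl/private/bar.com.key
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.12/
    ProxyPassReverse / http://10.0.0.12/
</VirtualHost>
```

Two points to check before enabling this. First, the existing iptables rule that DNATs port 443 to the application server has to go (or be restricted to a public IP that Apache does not listen on), otherwise the TLS connections never reach Apache at all; the alternative is to skip Apache for HTTPS entirely and simply write one DNAT rule per public IP, which is the plain routing pjc50 describes. Second, with Apache terminating TLS on the firewall, the hop from the firewall to each backend is plain HTTP over the internal network, so that segment has to be one you trust, and `ProxyRequests Off` must stay in place so the proxy cannot be used to reach arbitrary hosts.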