is it possible to use destination nat based on hostname instead of destination port?

[rhx9]

Hi,
I have a single public IP and would like to use it for my VMs, the usual way would be to add firewall rules like so:

iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2223 -j DNAT --to 10.10.10.3:22

This has two disadvantages:
1- you have to add a new rule for every port you want to share, in my case the VM I'm trying to reach is a development machine which I open ports in it occasionally, I also have a cloudbox VM that requires quite a handful of ports to be open.
2- if you want to run a service on a specific port (e.g https on 443) on both the proxmox machine and the VM you can't (without exposing a different port number, which might be difficult to change on the client side in some cases).


so my idea is to match requests based on hostnames so for example

let's say:

main proxmox public IP: 1.1.1.1
VM1 private IP: 10.10.10.2
VM2 private IP: 10.10.10.3

and in the dns registrar i have:

proxmox.com. A 1.1.1.1
vm1.proxmox.com. A 1.1.1.1
vm1.proxmox.com. A 1.1.1.1

so all hostnames are pointing to the same public IP.
now when the request reaches proxmox it should look at the requested hostname and based on that it should decide if the request should go to vm1 or vm2(regardless of the port number)

Is this possible to achieve?

Regards

 

[gurubert]

Is this possible to achieve?

No.

Hostnames are Layer 6 or 7 (Application), IP addresses are layer 3 (routing).

An HTTP proxy like HA-proxy or nginx can read the HTTP (if not encrypted) and extract the hostname to make load balancing decisions.

But an IPv4 router operates on layer 3 and only sees IP addresses. It does not decode the payload.

 

[UdoB]

An HTTP proxy like HA-proxy or nginx can read the HTTP (if not encrypted) and extract the hostname to make load balancing decisions.

Correct.

If you want to have SSL/TLS (and yes, most people do) for incoming web requests there is this nice tool:

root@sni:~# apt show sniproxy
...
Description: Transparent TLS and HTTP layer 4 proxy with SNI support
 Proxies incoming HTTP and TLS connections based on the hostname contained in
 the initial request of the TCP session. This enables HTTPS name-based virtual
 hosting to separate backend servers without installing the private key on the
 proxy machine.

So I have only one Port (443) listening and forwarded to this local VM. That tool will evaluate the destination hostname from the the not(!) encrypted standard compliant headers and forward the request to a specific web server. It does NOT crack SSL/TLS and its does NOT terminate that encrypted session - it does not have to have any private key/certificate to do this.

Note that this is not a simple port-forwarding but an active daemon. I do put things like this in a separate service VM.

Perhaps this helps..., it works for me