[TriLUG] serving multiple HTTPS sites on same server with redirection

Heath Roberts htroberts at gmail.com
Wed May 8 17:53:25 EDT 2013


I haven't tested this, but I think you just need to specify the interfaces.
Right now you're just telling iptables to forward anything matching :80 to
:8080. You need to tell it to match x.x.x.5:80 to x.x.x.5:8080 and
x.x.x.6:80 to x.x.x.6:8080 (and similarly for port 443). We can do it with
the interface (eth0:0) instead of the address, though. I think this will
work:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -i eth0:0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth0:0 -p tcp --dport 443 -j REDIRECT --to-ports 8443

If not, you may need to switch from REDIRECT to DNAT:

iptables -t nat -A PREROUTING -p tcp -d x.x.x.5 --dport 80 -j DNAT --to-destination x.x.x.5:8080
iptables -t nat -A PREROUTING -p tcp -d x.x.x.5 --dport 443 -j DNAT --to-destination x.x.x.5:8443
iptables -t nat -A PREROUTING -p tcp -d x.x.x.6 --dport 80 -j DNAT --to-destination x.x.x.6:8080
iptables -t nat -A PREROUTING -p tcp -d x.x.x.6 --dport 443 -j DNAT --to-destination x.x.x.6:8443

I'm also not sure how outbound traffic will look with a multi-addressed
interface. Everything may be sent with x.x.x.5 as a source.



On Wed, May 8, 2013 at 4:53 PM, Blackburn, Marvin
<mblackburn at glenraven.com> wrote:

> Red Hat 5.7
>
> We have a system with one NIC with two IP addresses: eth0 is x.x.x.5 and
> eth0:0 is x.x.x.6.
> We also run Apache and have multiple sites -- some http(s) going to each
> IP. We can run these on 443/8443 or we can run them on 80/8443, whichever
> we configure Apache to listen on, without a problem.
>
> However, if we try to redirect 80 to 8080 and 443 to 8443 everything seems
> to go to eth0.
>
> We've used this redirection on systems with only one ip and have never had
> a problem.
>
> A sample iptables config is:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> #### NAT for redirection
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
> -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
> COMMIT
>
>
> Any help would be appreciated.
>
> _____________________________________
> "He's no failure. He's not dead yet."
> William Lloyd George
>



-- 
Heath Roberts
htroberts at gmail.com
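An added example, not from Heath's reply or from the thread: a POSIX shell helper that audits an iptables-save dump for the bare REDIRECT rules behind this symptom and prints the per-address DNAT equivalents. The addresses x.x.x.5/x.x.x.6 and the port pairs are the thread's placeholders; the sample *nat table is constructed from the original post.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for a host serving several
# IP-based Apache vhosts from one NIC with an alias: x.x.x.5 on eth0 and
# x.x.x.6 on eth0:0 (placeholder addresses as used in the thread).
#
# Why REDIRECT loses the alias: the REDIRECT target rewrites the destination
# to the primary address of the incoming interface (eth0 -> x.x.x.5), so a
# connection to x.x.x.6:80 reaches Apache as x.x.x.5:8080 and is served by
# the x.x.x.5 vhost. DNAT with an explicit -d keeps each address on itself.

# has_bare_redirect: read an iptables-save dump on stdin and print every
# PREROUTING REDIRECT rule that has no -d match. Returns 0 if any were found.
has_bare_redirect() {
    grep -E -- '-A PREROUTING .*-j REDIRECT' | grep -v -E -- '(^| )-d '
}

# dnat_rules ADDRS PAIRS: print one iptables-restore rule per (address, pair),
# keeping the same address on both sides. PAIRS is "from:to", e.g. "80:8080".
dnat_rules() {
    for a in $1; do
        for p in $2; do
            printf '%s PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
                "-A" "$a" "${p%%:*}" "$a" "${p##*:}"
        done
    done
}

# Constructed sample: the *nat table from the original post.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
COMMIT'

# Print the replacement rules only when the dump still uses bare REDIRECT.
if printf '%s\n' "$SAMPLE_NAT" | has_bare_redirect >/dev/null; then
    echo "# bare REDIRECT rules found; per-address DNAT replacement for *nat:"
    dnat_rules "x.x.x.5 x.x.x.6" "80:8080 443:8443"
fi
```

The printed rules drop into the *nat section of the iptables-restore file in place of the two REDIRECT lines; the filter rules for 8080/8443 stay as they are.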


