# Name-based or Traffic-based External NAT?



## poorandunlucky (Dec 20, 2017)

You know how NGINX can redirect queries for www.domain1.com:80 to an internal IP, and www.domain2.com:80 to another internal IP even though they have the same external IP?

I know the domain is in the HTTP header, and that's how NGINX does that, but is there software that can do the same thing for things other than HTTP?  Like maybe something that recognizes the type of traffic as FTP, or SSH, or anything else, and redirects it or treats it according to your own rules?

I know firewalls can recognize traffic types (SPI), so I figure there's probably a piece of software out there that can do that...  maybe it won't be able to be name-based, but the result would be the same...  You can have multiple things point to the same external IP but get redirected to the right internal IP...

that would be awesome...


----------



## SirDice (Dec 20, 2017)

This isn't NAT; it's generally known as a reverse proxy. NAT is specific to network packets and works on layers 3/4, whereas this works on layer 7.



poorandunlucky said:


> is there a software that can do the same thing but for things other than HTTP?


net/haproxy, net/bsdproxy and net/relayd come to mind.


----------



## Snurg (Dec 20, 2017)

I think squid can do it, too.
However, I decided to use haproxy as at that time it was the only reverse proxy I found that was able to do HTTPS passthrough using SNI (i.e. without decrypting the data).
This requirement made me change from squid to haproxy.
It is a very powerful program that SirDice uses himself.


----------



## SirDice (Dec 21, 2017)

Snurg said:


> It is a very powerful program that SirDice uses himself.


Indeed, I'm quite fond of it. It works really well and is extremely powerful and flexible. Two HAProxy machines with CARP will go a long way to make sure things keep working.


----------



## usdmatt (Dec 21, 2017)

> Like maybe something that recognizes the type of traffic as FTP, or SSH,



If you want to simply forward SSH to one internal IP and some other protocol to a different internal IP, then you can probably do that with just basic NAT forwarding (dst-nat). FTP would be more tricky as it normally uses random high-numbered ports for data transfers.

Actually looking at a certain protocol and for example trying to forward SSH for domain1.com to internal-ip-1, and SSH for domain2.com to internal-ip-2 probably wouldn't be possible. Not many protocols have hostname indication built in like HTTP does. The simple solution to this is to forward some-external-port-1 to {internal-ssh-server-1} port 22, and some-external-port-2 to {internal-ssh-server-2} port 22, and just specify the relevant external port in your client when you want to connect.
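To make the two mechanisms discussed in this thread concrete (Snurg's SNI passthrough, where the proxy reads the server name out of the TLS ClientHello without decrypting anything, and the protocol-type detection the original question asks about, which usdmatt points out cannot be name-based for SSH), here is an added example that is not code from the thread, from HAProxy or from relayd. It classifies a connection from the first bytes the client sends and picks an internal backend accordingly. All hostnames, backend addresses and sample bytes are constructed for the example; the `parse_sni` walk follows the public TLS ClientHello layout.

```python
"""Added example (not from the forum thread, HAProxy or relayd): choose an
internal backend from the first client bytes of a TCP connection, the way an
SNI passthrough / protocol demultiplexer does, without any decryption.
Names, addresses and sample bytes below are constructed for illustration."""
import struct

# Hypothetical routing tables (assumption: made-up names and RFC 1918 addresses).
SNI_BACKENDS = {"www.domain1.com": ("10.0.0.11", 443),
                "www.domain2.com": ("10.0.0.12", 443)}
TYPE_BACKENDS = {"ssh": ("10.0.0.21", 22), "http": ("10.0.0.31", 80)}

def parse_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None if absent/incomplete."""
    # TLS record header: content type 0x16 (handshake), version(2), length(2)
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len or body[0] != 0x01:    # partial record or not ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                  # client_version + random
    if pos >= len(hello):
        return None
    pos += 1 + hello[pos]                         # session_id
    if pos + 2 > len(hello):
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hello):
        return None
    pos += 1 + hello[pos]                         # compression_methods
    if pos + 2 > len(hello):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hello))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype == 0:                            # server_name extension
            # ServerNameList: list_len(2), name_type(1)=0 host_name, name_len(2), name
            if len(edata) < 5 or edata[2] != 0:
                return None
            name_len = struct.unpack("!H", edata[3:5])[0]
            if len(edata) < 5 + name_len:
                return None
            return edata[5:5 + name_len].decode("ascii", "replace").lower()
    return None

def classify(data: bytes) -> str:
    """Guess the protocol from the client's first bytes (no payload inspection beyond that)."""
    if data.startswith(b"SSH-"):                  # RFC 4253 identification string
        return "ssh"
    if data[:2] == b"\x16\x03":                   # TLS handshake record
        return "tls"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT",
                                  b"DELETE", b"OPTIONS", b"PATCH", b"CONNECT"):
        return "http"
    # Note: FTP cannot be recognised this way. The FTP *server* speaks first
    # (the "220" greeting), so the client sends nothing until it hears from us.
    return "unknown"

def route(data: bytes):
    """Return (protocol, backend) for a connection; backend is None when undecidable."""
    kind = classify(data)
    if kind == "tls":
        return ("tls", SNI_BACKENDS.get(parse_sni(data)))   # name-based, no decryption
    return (kind, TYPE_BACKENDS.get(kind))                   # type-based only

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying a server_name extension (test input)."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + b"\x11" * 32               # version, random
             + b"\x00"                                 # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
             + b"\x01\x00"                             # compression: null
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for sample in (build_client_hello("www.domain2.com"),
                   b"SSH-2.0-OpenSSH_7.6\r\n",
                   b"GET / HTTP/1.1\r\nHost: www.domain1.com\r\n\r\n",
                   b""):
        print(route(sample))
```

Two caveats a practitioner would want alongside this: the classifier only works for protocols where the client speaks first, so FTP (server greeting first, plus the random data ports usdmatt mentions) stays out of reach, and some SSH clients wait for the server banner before sending their own, so a real demultiplexer needs a timeout fallback rather than blocking on the peek. In HAProxy the equivalent of `route` for the TLS case is a `mode tcp` frontend with `tcp-request inspect-delay` and `use_backend ... if { req.ssl_sni -i www.domain1.com }`.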


----------



## poorandunlucky (Dec 21, 2017)

SirDice said:


> Indeed, I'm quite fond of it. It works really well and is extremely powerful and flexible. Two HAProxy machines with CARP will go a long way to make sure things keep working.



HAL...?  Did somebody delete their post?


----------

