Redirect subdomains to ports

kramttocs

Occasional Visitor
I have nginx proxy manager running on two pcs (docker). Right now only one is in use as port 80 and 443 in the router port forwarding go to it.
Is there a [simple] way to have the router direct x.mysite.com and y.mysite.com to IP:80/443 while directing a.mysite.com and b.mysite.com to IP2:80/443?

Or would I need to set up nginx on the router?

Router currently has DDNS set up with Let's Encrypt native in merlin. I need the DDNS but could turn off Let's Encrypt.
Running skynet and diversion.

As for the why -
Just a matter of having hosted applications on both and not wanting to rely on one pc (hosting npm) for both to work. Would prefer them work isolated from each other.
 
I suppose the simplest way would be to have the router multihomed (i.e., be assigned more than one public IP).

But that aside, I think what *I* would do is NOT use nginx at all as a local proxy, but instead use something like CF (Cloudflare) tunnels. This avoids port forwarding completely. Instead, each server establishes its own *outbound* connection to the CF proxy server, from which clients can tunnel inbound connections. IOW, CF acts as your remote proxy server. This hides your own public IP and ports behind FQDNs. You also get all the other benefits of CF, such as managed certs, DDoS protection, MFA, geo-location filtering, etc.

There are others offering similar services (e.g., Twingate). So I'm NOT suggesting CF is the only solution. I'm just suggesting a different approach (and I'll let YOU decide if it's simple enough).
 
Thanks - I am not well versed on CF but I am not sure it'd work with my nas (can run nginx in a vm and I know, I said 'pc' earlier but one is really a nas so that's my fault for not giving that detail) so would leave me with the CF tunnel pointing to nginx on my pc that would then point to services on both machines. Which is what I am trying to avoid.

Do appreciate the suggestion though. I may just have to make all subdomains on one server use a port that's not 80/443.
 
CF tunnel doesn't have to run on the servers themselves. You can establish it on the router, then route from the tunnel to the servers. I suppose the downside is it creates a single point of failure. But that's no worse than your port forwards having the same single point of failure.
 
Oh interesting. Ok, will do some more reading. Thanks!
 
> CF tunnel doesn't have to run on the servers themselves. You can establish it on the router, then route from the tunnel to the servers.
Does this mean CF offers a daemon/service that installs on router?
 
> Does this mean CF offers a daemon/service that installs on router?

You can either run it like any other executable, or configure it as a service. I do the latter by installing Entware, then creating and installing a service for it w/ the following script.

Code:
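```sh
#!/bin/sh
# inspired by: https://www.snbforums.com/threads/cloudflared-tunnel-in-rt-ac68u.88902/
(
# important: install entware *before* running this script!

# change to *your* cloudflare token!
CF_TOKEN='XXX...'

### do NOT change below this line ###

CF_URL='https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm'
CF_DAEMON='/opt/bin/cloudflared'
CF_SERVICE='/opt/etc/init.d/S99cloudflared'

# entware must already be installed
[ -f /opt/bin/opkg ] || { echo 'error: entware not found'; exit 1; }

# the binary downloaded below is the 32-bit ARM build
uname -a | grep -iq 'armv7' || { echo 'error: only armv7 (x32) is supported'; exit 1; }

# stop any running instance before replacing the binary
killall -q cloudflared && sleep 3

# download over https and stop on HTTP errors instead of saving an error page as the daemon
curl -fL "$CF_URL" -o "$CF_DAEMON" || { echo 'error: download failed'; exit 1; }
chmod +x "$CF_DAEMON"

# write the entware init script; $CF_TOKEN is expanded now, \$PROCS when the service runs
cat << EOF > "$CF_SERVICE"
#!/bin/sh
ENABLED='yes'
PROCS='cloudflared'
ARGS="--no-autoupdate tunnel run --token $CF_TOKEN"
WORK_DIR=''
DESC=\$PROCS
PREARGS=''
PRECMD=''
POSTCMD=''
. /opt/etc/init.d/rc.func
EOF
# the service file contains the tunnel token, so keep it owner-only
chmod 700 "$CF_SERVICE"

"$CF_SERVICE" start
"$CF_SERVICE" check

exit 0
)
```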

Upon reboot, Entware will start it like any other service(s) it may happen to be managing.
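
The installer above fetches whatever `latest` points to and runs it as a service on the router with no integrity check. As an added example (not part of the original post and not cloudflared's own tooling), this shell function installs a downloaded file only when its SHA-256 matches a digest you pinned; the `iv_*` names, the `/tmp` path and the availability of `sha256sum` on the router are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): install a downloaded binary only if its
# SHA-256 matches a pinned digest. Assumes sha256sum is on PATH.

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_verified SRC EXPECTED_SHA256 DEST
# Returns 0 = installed, 1 = digest mismatch, 2 = bad input, 3 = copy failed.
# DEST is replaced by rename, so a failed run never leaves a partial binary.
install_verified() {
    iv_src=$1 iv_want=$2 iv_dest=$3

    [ -s "$iv_src" ] || { echo "error: $iv_src is missing or empty" >&2; return 2; }

    # The pinned value must be exactly 64 hex characters.
    case $iv_want in
        *[!0-9a-fA-F]*) echo 'error: digest is not hex' >&2; return 2 ;;
    esac
    [ "${#iv_want}" -eq 64 ] || { echo 'error: digest is not 64 chars' >&2; return 2; }
    iv_want=$(printf '%s' "$iv_want" | tr 'A-F' 'a-f')

    iv_got=$(sha256_of "$iv_src")
    if [ "$iv_got" != "$iv_want" ]; then
        echo "error: checksum mismatch (got $iv_got)" >&2
        return 1
    fi

    # Copy next to DEST, then rename over it in one step.
    iv_tmp="$iv_dest.new.$$"
    cp "$iv_src" "$iv_tmp" && chmod 755 "$iv_tmp" && mv -f "$iv_tmp" "$iv_dest" \
        || { rm -f "$iv_tmp"; return 3; }
}

# Usage in an installer like the one above (URL and digest are placeholders):
#   curl -fL "https://<pinned release URL>" -o /tmp/cloudflared.dl
#   install_verified /tmp/cloudflared.dl '<sha256 from a trusted source>' /opt/bin/cloudflared
```

Pinning a specific release instead of `latest` is what makes a fixed digest usable; the digest has to be updated whenever the pinned version changes.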
 
I haven't really dug into it yet but I did come across this last night: https://www.snbforums.com/threads/cloudflared-tunnel-in-rt-ac68u.88902/

There isn't a wealth of information on the SNB forums. You're better off relying on YT videos. But even there, some of them are outdated, and can thus be a bit confusing for initial setup (e.g., CF has moved/reconfigured parts of their own website). Most of the issues I mentioned in that other thread have more to do w/ SSH and RDP specifically than http/https services. For the latter, things work pretty much as expected. Once you have access to your home network via the connector and its tunnel, you can pretty much access any http/https service that is reachable from that same connector.
 
