Noob questions re: multiple web servers


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: zdatareports.com

I ran this command: not configured yet

It produced this output:

My web server is (include version): Apache2 & IIS

The operating system my web server runs on is (include version): Ubuntu 16.04 / Windows 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Q: I know how to put LetsEncrypt on my Ubuntu box for my domain… but I’m wondering if it’s possible to have an IIS web server running on a Windows 10 box also work.

  1. If I have https…port 443 routes through my firewall to Ubuntu IP. If I had port 80 routing to my Windows IIS, could I still call http:// to get to the IIS websites?

  2. Is it possible to have both web servers (IIS and Apache on different servers) using SSL with one domain name? If so, how would this work? If I need two domain names how would that work? I’m using No-IP for dynamic dns.

Thanks


#2

Yes, provided your Ubuntu website doesn’t use HSTS.

With one domain name, you can only have one server on port 443. However:

With two domain names you have a couple more options:

  • You could configure one server to proxy a particular virtual host to the other. For example Apache handles https://example.com and proxies https://example.org to IIS.
  • You could use a SNI-aware proxy such as haproxy to route traffic to a particular backend depending on the domain name.

#3

Thanks a lot. So if I install a cert on the apache2 using 443, and another cert on the Windows IIS using 8443, created against my domain name…I can route them with a host header redirect in NO-IP…so say www.mydomain.com goes to 443 and web2.mydomain.com goes to 8443. NO-IP dns record used to point to my external IP --> port 443 or port 8443. My router takes the header and redirects to internal IP 10.10.10.101:443 or 10.10.10.102:8443 for example…

NO-IP DNS
www.mydomain.com external IP : 443
web2.mydomain.com external IP : 8443

Router
Port 443 open to 10.10.10.101 Apache2 web server
Port 8443 open to 10.10.10.102 IIS web server

something like that…


#4

Just one thing to be aware of with that approach is that you can’t obtain a certificate using port 8443 - you need to use 80 or 443 (or use the DNS challenge). However you can obtain the cert using whichever server is listening on 443 and transfer it to the other one, where you can then use it on any port you like.

I’m not sure what that means - is it a feature that NO-IP provides? If it’s something that uses a HTTP redirect to send browsers to your IP address, that won’t work - Let’s Encrypt doesn’t issue certificates for IP addresses. Users must access your site directly via its domain name.

If Apache is listening on port 443, then it will respond when browsers try to connect to either https://www.mydomain.com or https://web2.mydomain.com (provided they both point to your external IP address). You can configure it to respond to the latter either by redirecting the browser to port 8443, or by directly proxying the traffic to IIS. There are advantages and disadvantages to both approaches. If your internal network is sufficiently secure, you might find the proxy approach easier, as only one server needs a certificate in that case.
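
The proxy approach described in the post above, sketched as an Apache 2.4 configuration. This is an added example, not part of the original thread. The host names and 10.10.10.102 are the thread's placeholders; IIS listening on plain HTTP port 80 internally, the certbot certificate path, and one certificate covering both names are assumptions.

```apache
# Added example (not from the thread).
# Requires: a2enmod ssl proxy proxy_http headers
# Assumptions: IIS answers on http://10.10.10.102:80, and one certificate
# (certbot lineage "www.mydomain.com") covers both host names.

# Site served by Apache itself
<VirtualHost *:443>
    ServerName www.mydomain.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem
</VirtualHost>

# Site whose TLS ends at Apache and whose requests are proxied to IIS
<VirtualHost *:443>
    ServerName web2.mydomain.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem

    # Reverse proxy only; never act as a forward proxy for arbitrary URLs
    ProxyRequests Off

    # Keep the original Host header so IIS selects the matching site binding
    ProxyPreserveHost On

    # Let the backend know the client connection was HTTPS
    RequestHeader set X-Forwarded-Proto "https"

    # This hop is unencrypted, so it relies on the internal network being trusted
    ProxyPass        / http://10.10.10.102:80/
    ProxyPassReverse / http://10.10.10.102:80/
</VirtualHost>
```

With this layout the router forwards only port 443 (plus port 80 if the HTTP challenge is used for issuance) to the Ubuntu box, and IIS needs no certificate or port forward of its own.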


#5

I got that mixed up…
NO-IP is a dynamic DNS so it’s where I can point domain to external IP.
In my router is where I can re-direct based on port to internal IP. I was using the router to take port 80 and point it to IIS box or port 8080 and point to Apache. I think I will need to have Apache do the redirect based on the host header since traffic will come in as 443…I won’t have 2 different ports coming in.

I’m going to start with setting up Apache2 with SSL. I actually don’t have any sites I need in IIS currently…but I do some .NET development and wanted a platform for that to play with.


#6

That sounds like it should work. Good luck!


#7

I think I have this figured… I’m using NO-IP which allows port 80 and web redirects. So, I can have a domain in no-ip called portal.mydomain.com with a redirect as https://mydomain.com:4043. My router will take port 4043 and forward it to my IIS box IP address and port. Also, my nextcloud.mydomain.com as https goes to port 443 and my router will forward that to the Ubuntu box IP. I haven’t tried this yet, but I think it will work.

