Troja
Level 14

Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)

Hi all,

Has anyone any idea how this can work with MWG 7.1.6? I'm using MWG as an HA Reverse Proxy Cluster. SSL terminates on MWG. This traffic is redirected to a web server where virtual hosts are used.

There is no setting to define the virtual host name which MWG should use. MWG always connects with the url.host Value to the Webserver. 

I compared the functionality with a Microsoft ISA Server. There you have the choice to use the original url.host or the virtual host name.

Anyone any idea?

Best, Thorsten

0 Kudos
4 Replies
asabban
Level 17

Re: Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)

Hi Thorsten,

can you give an example of what is happening and what would be expected?

With an Event you can set the URL.Host property to whatever value you like, so maybe it is possible to change this behaviour by manually rewriting the property to the desired host?

Best,

Andre

0 Kudos
Troja
Level 14

Re: Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)

Hi Andre,

Today MWG is not able to use Host Headers on a web server.

Web server configuration: it's called virtual host with Apache and Host Headers with Windows IIS Servers. The goal is not using physical IP addresses to connect to different web servers/web services.

Take a look at the screenshots. There are different virtual websites using one IP address.

webserver1.company.local: 192.168.1.120 with different websites using the same IP address. Therefore the web server takes a look into the host header to connect the client to the right website.

- WebsiteA.company.local with IP 192.168.1.120

- WebsiteB.company.local with IP 192.168.1.120

- WebsiteC.company.local with IP 192.168.1.120

MWG configuration:

Redirect Ruleset - Next Hop Proxy to WebsiteA.company.local.

Access to the resources:

- Client connects to reverse.company.com (HTTP/HTTPS)

- SSL terminates on MWG reverse proxy.

- In the Host Header always reverse.company.com is shown. I checked this with a packet trace.

The question is, how to set the host header field in the right way.

Best,

Thorsten

image001.jpg

image002.jpg

0 Kudos
asabban
Level 17

Re: Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)

Hi Thorsten,

are all the three sites WebsiteA, WebsiteB and WebsiteC made available externally via reverse.company.com?

I believe when you call reverse.company.com in your browser, the GET request will look similar to this:

GET / HTTP/1.1

Host: reverse.company.com

...

So the client already inserts the Host header, which contains the requested URL from the address bar as a value (at least I think this is the case). So MWG by default will keep this value.

Which information are you using to decide if a request which goes to reverse.company.com is for WebsiteA, B or C? If there is information we can grab from the request to decide, it should be possible to rewrite the host header to allow virtual hosts.

Assuming we use the port, it could look like this:

reverse.company.com:81 -> WebsiteA

reverse.company.com:82 -> WebsiteB

reverse.company.com:83 -> WebsiteC

In this case I would try a rule on Web Gateway which does the following:

If URL.Port = 81, then call Event: Set Property Value(URL.Host) to WebsiteA

If URL.Port = 82, then call Event: Set Property Value(URL.Host) to WebsiteB

If URL.Port = 83, then call Event: Set Property Value(URL.Host) to WebsiteC

Before the request leaves the proxy, MWG should rewrite the request which is sent to the Web Server:

GET / HTTP/1.1

Host: WebsiteA

If the request arrives at the Web Server with the correct host header, the Web Server should be able to determine which site should be displayed.

0 Kudos
eelsasser
Level 15

Re: Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)

Here's an example of my reverse proxy setup.

Rule Set: Reverse Proxy (Enabled)
Applies to Requests: True / Responses: False / Embedded Objects: False
Criteria: Always

Rules (columns: Enabled, Rule, Action, Events, Comments):

Enabled - https://*.lordchariot.com
    1: Command.Name equals "CONNECT"
    Action: Continue
    Events: SSL Client Context without CA<*.lordchariot.com>

Enabled - lordchariot.com
    1: URL.Host equals "lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Host = "www.lordchariot.local"

Enabled - www.lordchariot.com
    1: URL.Host equals "www.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Host = "www.lordchariot.local"

Enabled - torment.lordchariot.com
    1: URL.Host equals "torment.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Host = "torment.lordchariot.local"

Enabled - remote.lordchariot.com
    1: URL.Host equals "remote.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Host = "remote.lordchariot.com"

Enabled - sheogorath.lordchariot.com
    1: URL.Host equals "sheogorath.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Host = "sheogorath.lordchariot.local"

Enabled - scan.lordchariot.com
    1: URL.Host equals "scan.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Host = "scan.lordchariot.com"

Enabled - https://epo.lordchariot.com
    1: URL.Protocol equals "https"
    2: AND URL.Host equals "epo.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Port = 8443
            Set URL.Host = "epo.lordchariot.local"

Enabled - http://mwg7.lordchariot.com
    1: URL.Protocol equals "http"
    2: AND URL.Host equals "mwg7.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Port = 4711
            Set URL.Host = "mwg7.lordchariot.local"

Enabled - https://mwg7.lordchariot.com
    1: URL.Protocol equals "https"
    2: AND URL.Host equals "mwg7.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Port = 4712
            Set URL.Host = "mwg7.lordchariot.local"

Enabled - http://webreporter.lordchariot.com
    1: URL.Protocol equals "http"
    2: AND URL.Host equals "webreporter.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Port = 9111
            Set URL.Host = "sheogorath.lordchariot.local"

Enabled - https://webreporter.lordchariot.com
    1: URL.Protocol equals "https"
    2: AND URL.Host equals "webreporter.lordchariot.com"
    Action: Stop Rule Set
    Events: Set URL.Port = 9112
            Set URL.Host = "sheogorath.lordchariot.local"

Enabled - Block All
    Always
    Action: Block<(Default)>

All incoming connections on 80 and 443 go to reverse proxy.

"sheogorath" and "scan" both go to an Apache server using Apache host headers.

"webreporter" goes to a different service and port on "sheogorath".

"torment" and "remote" both go to the same instance of IIS server using its host headers.

What else are you trying to do?

0 Kudos
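
The following Python sketch is an added example, not part of any post in this thread and not Web Gateway code. It models the first-match Host rewrite with a final "Block All" from the rule set above; the function names, the sample requests and the way a non-default port is appended to the Host header are assumptions made for illustration.

```python
# Added illustration, not Web Gateway code. RULES is a subset of the rule set
# above: (protocol or None, public host, internal host, internal port or None).
RULES = [
    (None,    "www.lordchariot.com",         "www.lordchariot.local",        None),
    (None,    "torment.lordchariot.com",     "torment.lordchariot.local",    None),
    ("https", "epo.lordchariot.com",         "epo.lordchariot.local",        8443),
    ("http",  "webreporter.lordchariot.com", "sheogorath.lordchariot.local", 9111),
    ("https", "webreporter.lordchariot.com", "sheogorath.lordchariot.local", 9112),
]
DEFAULT_PORT = {"http": 80, "https": 443}

def split_request(raw: bytes):
    """Split a raw request into (header lines, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n"), body

def client_host(lines):
    """Normalized Host value, or None if the header is missing or repeated."""
    values = [l.split(":", 1)[1].strip() for l in lines[1:]
              if l.lower().startswith("host:")]
    if len(values) != 1:
        return None  # ambiguous routing input: treat like "Block All"
    name = values[0].rsplit(":", 1)[0] if ":" in values[0] else values[0]
    return name.rstrip(".").lower()

def route(protocol: str, raw: bytes):
    """First matching rule wins; returns (host, port, rewritten request) or None."""
    lines, body = split_request(raw)
    host = client_host(lines)
    if host is None or protocol not in DEFAULT_PORT:
        return None
    for proto, public, internal, port in RULES:
        if host == public and proto in (None, protocol):
            port = port or DEFAULT_PORT[protocol]
            # Assumption: a non-default port is appended to Host, as HTTP clients do.
            value = internal if port == DEFAULT_PORT[protocol] else f"{internal}:{port}"
            lines = [f"Host: {value}" if l.lower().startswith("host:") else l
                     for l in lines]
            head = "\r\n".join(lines).encode("latin-1")
            return internal, port, head + b"\r\n\r\n" + body
    return None  # "Block All": unknown Host values never reach a backend

# Constructed sample requests (not captured traffic)
SAMPLE_OK = b"GET / HTTP/1.1\r\nHost: WWW.lordchariot.com:80\r\nAccept: */*\r\n\r\n"
SAMPLE_EPO = b"GET / HTTP/1.1\r\nHost: epo.lordchariot.com\r\n\r\n"
SAMPLE_UNKNOWN = b"GET / HTTP/1.1\r\nHost: intranet.lordchariot.local\r\n\r\n"
SAMPLE_DUP = b"GET / HTTP/1.1\r\nHost: www.lordchariot.com\r\nHost: x.example\r\n\r\n"
```

Because only listed public names are rewritten and everything else is blocked, a client cannot reach an internal virtual host simply by sending its name in the Host header.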