Layer 3,4,7 Reverse Proxy

[DemoNIck]

I have a FreeBSD server at domain.com that resolves to 1 public WAN IP address, running several jails with each jail running various services.
I would like to run a (reverse) proxy on that server, so when a client asks for a service at A.domain.com, the proxy would forward the service request to the appropriate Jail A.
The service request could be anything, not just an http request.

Client.A -> A.domain.com --|                            |--> Jail.A A.domain.lan (local IP.A)
                           |    [SERVER.domain.com]     |
Client.B -> B.domain.com --|-->        (PROXY)   -->    |--> Jail.B B.domain.lan (local IP.B)
                           |       (1 public IP)        |
Client.C -> C.domain.com --|                            |--> Jail.C C.domain.lan (local IP.C)

(A,B,C).domain.com resolves to the same 1 public IP where SERVER is hosted, running the (Reverse) PROXY service.
Each Jail (A,B,C) has it's own private lan IP
Each jail runs several services (i.e. sshd [22], httpd [443], zeromq [5535] etc)
The SERVER accepts connections on these ports (22,443,5535 etc.) and depending on the Client's request to (A,B,C).domain.com, "forwards" the request to the appropriate Jail (A,B or C) via the PROXY.

i.e
Client.A (ssh user@A.domain.com:22) --> [SERVER/PROXY.domain.com:22] --> Jail.A A.domain.lan:22
Client.B (zeromq_subscribe B.domain.com:5535) -> [SERVER/PROXY.domain.com:5535] --> Jail.B B.domain.lan:5535

If these were just http requests, this could easily be done for example with nginx reverse proxy.
But how could you forward service requests based not only on IP/Domain (Layer 3) but combined also also with Application protocols (Layer 7) and/or data transfer protocols (Layer 4)?

Is net/haproxy what I am looking for, or am I missing a complete different implementation for example with pf and NAT/Port forwarding under FreeBSD?

Thank you in advance for your time.

 

[SirDice]

The SERVER accepts connections on these ports (22,443,5535 etc.) and depending on the Client's request to (A,B,C).domain.com, "forwards" the request to the appropriate Jail (A,B or C) via the PROXY.

You can't "proxy" SSH, there's nothing in the protocol that would allow it to be proxied based on a Host: header or something similar. This may be the case for MQ too but I don't know enough details about the protocol.

Is net/haproxy what I am looking for

For HTTP(S) based, yes. I would definitely recommend it.

or am I missing a complete different implementation for example with pf and NAT/Port forwarding under FreeBSD?

You can redirect a port only to one host (you can redirect to multiple hosts but this will work in a round-robin kind of way). There's nothing in the TCP/IP protocol you can use to 'detect' if the packet should go to jail A or B. There's no "trick" you can use here, TCP/IP simply doesn't work that way.

 

[SirDice]

You can't "proxy" SSH, there's nothing in the protocol that would allow it to be proxied based on a Host: header or something similar.

That said, you can do some interesting tricks with ProxyJump and/or ProxyCommand in your .ssh/config.

SSH to remote hosts through a proxy or bastion with ProxyJump

Here are some tricks for using SSH through a proxy or bastion quickly.

www.redhat.com

(Yes, it's RH, but it's a nice and clear example and should work on FreeBSD too)

 

[DemoNIck]

Thank you SirDice for your quick response.
I think I will stick to the "traditional" approach of NAT/port-forwarding of different ranges of SERVERorts to each jail/host.

This thread could be closed.

 

[SirDice]

I think I will stick to the "traditional" approach of NAT/port-forwarding of different ranges of SERVERorts to each jail/host.

For HTTP(S) you can still use www/haproxy. The great thing about this is that you can have everything running on a single IP and the 'standard' ports (80, 443). For SSH you could use the ProxyJump trick but it depends on who will actually use that. If it's only for you to manage those jails then it should be fine. If it's for 'ordinary' people without much experience having the SSH of the jails running on different ports is probably easier to explain/use.