32

I have a domain (e.g. example.com), static IP address (e.g. 212.5.5.5) and local devices at 192.168.0.1:80, 192.168.0.2:80, 192.168.0.3:80, 192.168.0.4:80, 192.168.0.4:47 (this one is not a website).

How do I access these devices using subdomains (for example, device1.example.com, device2.example.com, etc.)?

Currently I was only able to get example.com:80 and example.com:47 working, which point to 192.168.0.4:80 and 192.168.0.4:47.

I know that you cannot set the port on a DNS server.

How should I overcome my problem?

  • 42
    @RonMaupin: "All"? I can't find that clause in my residential ISP's contract. – grawity Jul 22 at 5:00
  • 19
    @RonMaupin, I live in Lithuania, you do whatever you want to with your external IP. – Laurynas Kerežius Jul 22 at 7:50
  • 13
    @RonMaupin: you don't know that. There are plenty of smaller ISPs that don't care about home users running services. – whatsisname Jul 22 at 16:23
  • 13
    @RonMaupin I've been running my home server for like 15 years? Changed 4 ISPs during that time. I've read the contract just recently out of curiosity and my ISP lets me do whatever I want until I do some sort of fraud, spam, hosting gambling websites; anything that does not break the law and is not fraudulent is allowed. – Laurynas Kerežius Jul 22 at 17:18
  • 12
    I guess this might be some US-centric perspective which @RonMaupin is sharing with us. It simply might not be globally applicable. – GrzegorzOledzki Jul 23 at 10:50
68

You can have one public facing server running nginx reverse proxy that redirects traffic based on subdomain to the correct server.

nginx configuration on your "main" server:

# one server block per public name; nginx picks the block whose server_name
# matches the Host header of the incoming request
server {
  listen 80;
  server_name device1.example.com;
  location / {
    proxy_pass http://192.168.0.1:80;
    # hand the device the name it was asked for and the real client address
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
  }
}
server {
  listen 80;
  server_name device2.example.com;
  location / {
    proxy_pass http://192.168.0.2:80;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
  }
}
server {
  listen 80;
  server_name device3.example.com;
  location / {
    proxy_pass http://192.168.0.3:80;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
  }
}
  • 26
    While you're at it, you could also use https / port 443 for the outside facing end – Hagen von Eitzen Jul 22 at 12:58
  • 6
    +1 Same goes for any reverse proxy. My favorite is HAProxy because it is very easy to setup for multiple subdomains. – rexkogitans Jul 22 at 13:35
  • 4
    This post is absolutely correct! Although I'd recommend running a Docker container called "NginxProxyManager" github.com/jc21/nginx-proxy-manager which gives easy (letsencrypt) ssl and routing configuration! – Rick van Lieshout Jul 22 at 18:02
  • 1
    @shadow, since it's only one non-website, the reverse proxy will be used for all websites and default port forwarding for port 47 (it seems the OP has already done this) – Fritz Jul 23 at 13:41
  • 1
    @Daniel Don't forget to mention that port forwarding must be enabled on the router, forwarding port(s) 80 (and 443) to the Nginx proxy and port 47 to 192.168.0.4:47 – BlueCacti Jul 24 at 12:24
6

You'll need to use alternate ports for everything except one of them. For example, 212.5.5.5:80 would forward to 192.168.0.1:80, but then 212.5.5.5:81 would forward to 192.168.0.2:80, and 212.5.5.5:82 would forward to 192.168.0.3:80, and so on. This should be configurable on most modern NAT devices.

Another way, if you're willing to use IPv6, is just turn on IPv6 pass-through on your NAT device or router. That basically exposes every IPv6 address on your LAN to the public internet, letting you access them directly from the outside. As you might imagine, there is some risk associated with this. It's up to you to decide if that risk is tolerable.

4

You shouldn't expose these services to the internet directly. You can't audit these devices to be sure they are secure, and merely exposing them leaks information about the state of your internal network.

The correct solution is to set up a VPN server that grants you remote access to an internal network. Ideally the internal network should be segregated from your main one, only used for these exposed devices. That limits the damage if they are hacked.

Open source VPN software is mature, audited and the security issues are well understood. You limit yourself to a much smaller attack surface.

  • 2
    This only works if none of the services needs to be exposed for any reason. – mckenzm Jul 24 at 1:19
2

If you have only one external IP address, then:

The first thing is to differentiate by port; you seem to have done this.

Next for all the port 80s, you can use nginx as a reverse proxy to route traffic to the various places. You can tell it exactly what you asked for e.g. route http://device1.example.com to 192.0.0.1:80 etc. An alternative is to route http://example.com/device1 to 192.0.0.1:80.

To do it the first way, see virtual hosts in the nginx manual.

You will also have to point all of the names to the external IP address, if using the virtual host method. Or just the base domain, if using the directory method.
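As an added example, not code from Daniel's answer or from this one: the routing decision behind both methods above (virtual hosts chosen by the Host header, or example.com/device1 chosen by path prefix), written out as a small Python reverse proxy so you can see exactly what nginx's server_name and location blocks decide. The addresses are the ones from the question; the listen port 8080, the 421 response for unknown hosts and the path-prefix table are my assumptions.

```python
"""Host-header (virtual host) and path-prefix (directory) reverse proxy routing,
the same decisions nginx's server_name / location blocks make.
Added example, not code from the page; the addresses are the question's."""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Virtual-host method: public name -> internal (ip, port)
HOST_ROUTES = {
    "device1.example.com": ("192.168.0.1", 80),
    "device2.example.com": ("192.168.0.2", 80),
    "device3.example.com": ("192.168.0.3", 80),
}
BASE_DOMAIN = "example.com"
BASE_UPSTREAM = ("192.168.0.4", 80)   # the site already reachable on example.com:80
# Directory method (assumed prefixes): example.com/<prefix>/... -> (ip, port), prefix stripped
PATH_ROUTES = {"/device1": ("192.168.0.1", 80),
               "/device2": ("192.168.0.2", 80),
               "/device3": ("192.168.0.3", 80)}
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


def normalize_host(host_header):
    """Lower-case, drop any :port and trailing dot; keep an IPv6 literal whole."""
    if not host_header:
        return None
    h = host_header.strip().lower()
    h = h.split("]")[0] + "]" if h.startswith("[") else h.split(":")[0]
    return h.rstrip(".")


def route(host_header, path="/"):
    """Return ((ip, port), upstream_path), or None when nothing matches.
    A request whose Host is unknown (a bare-IP scan, a stray name pointed at the
    address) gets None instead of silently landing on the first vhost, which is
    the nginx default_server pitfall."""
    host = normalize_host(host_header)
    if host in HOST_ROUTES:
        return HOST_ROUTES[host], path
    if host == BASE_DOMAIN:
        p, sep, query = path.partition("?")
        for prefix, target in PATH_ROUTES.items():
            if p == prefix or p.startswith(prefix + "/"):
                return target, (p[len(prefix):] or "/") + sep + query
        return BASE_UPSTREAM, path
    return None


class ProxyHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _proxy(self):
        decision = route(self.headers.get("Host"), self.path)
        if decision is None:
            self.send_error(421, "Misdirected Request")   # reveal nothing about the LAN
            return
        (ip, port), upstream_path = decision
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        fwd["X-Forwarded-For"] = self.client_address[0]   # overwrite; never trust the client's
        fwd["X-Forwarded-Proto"] = "http"
        conn = http.client.HTTPConnection(ip, port, timeout=10)
        try:
            conn.request(self.command, upstream_path, body=body, headers=fwd)
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            if self.command != "HEAD":
                self.wfile.write(data)
        except OSError:
            self.send_error(502, "Bad Gateway")
        finally:
            conn.close()

    do_GET = do_HEAD = do_POST = do_PUT = do_PATCH = do_DELETE = do_OPTIONS = _proxy


if __name__ == "__main__":
    # Forward router port 80 to this listener (port 8080 is an assumption).
    ThreadingHTTPServer(("0.0.0.0", 8080), ProxyHandler).serve_forever()
```

Two things worth carrying back to the nginx config: a request whose Host matches no server_name is refused here rather than handed to whichever server block happens to be first (nginx's default_server), so scanning 212.5.5.5 by IP shows none of the devices; and the client-supplied X-Forwarded-For is replaced, not appended to, because nothing in front of this proxy is trusted. The directory method strips the prefix, which breaks devices that emit absolute links such as /css/style.css, which is why the subdomain method is usually the easier one.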

2

You could first make sure everyone needs to access these services from the Internet (= that they are truly intended to be public). Otherwise you could consider setting up a VPN server and accessing the services inside your network.

I assume that the services which are on port 80 are web servers providing typical web services. In such a case the reverse proxy solutions suggested in other answers apply.

It may be that they are services which are prepared/intended to run with a SRV entry in your DNS. The idea is that you resolve a well-known record for a service, which in turn gives you the name:port to connect to. To take the example of Minecraft:

  • you set up your client to connect to minecraft.example.com
  • your client knows that it can query _minecraft._tcp.minecraft.example.com. to get the actual IP and port to connect to.

This is an extremely useful feature, but it has to be implemented on the client for the service you are accessing.
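Added example, not code from this answer: what the Minecraft client above actually does with the SRV answer, as Python over a constructed DNS response. The name minecraft.example.com is the answer's; the target hostnames, ports, priorities and weights are made up for illustration. The lookup function returns the targets in the order RFC 2782 says a client should try them, and distinguishes "no SRV record published" from "service explicitly not offered".

```python
"""RFC 2782 SRV lookup and target ordering, as a client for minecraft.example.com
would do it. Added example; the DNS answer below is constructed, not a real zone."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")


def srv_name(service, proto, name):
    """The owner name a client queries: _Service._Proto.Name (RFC 2782)."""
    return f"_{service}._{proto}.{name.rstrip('.')}."


def parse_srv_rdata(rdata):
    """Parse presentation-format SRV rdata: 'priority weight port target'."""
    prio, weight, port, target = rdata.split()
    return SRV(int(prio), int(weight), int(port), target)


# Constructed stand-in for the DNS answer (hypothetical hosts, ports and weights).
FAKE_ZONE = {
    "_minecraft._tcp.minecraft.example.com.": [
        parse_srv_rdata("10 60 25565 mc1.example.com."),
        parse_srv_rdata("10 40 25566 mc2.example.com."),
        parse_srv_rdata("20 0 25567 backup.example.com."),
    ],
    # RFC 2782: a single record with target "." means the service is explicitly not offered
    "_minecraft._tcp.nothing.example.com.": [parse_srv_rdata("0 0 0 .")],
}


def order_targets(records, rng=random):
    """Return [(host, port), ...] in the order a client should try them:
    lowest priority first; within one priority, weighted random with zero-weight
    records given the smallest chance (the RFC 2782 selection algorithm)."""
    ordered = []
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    for prio in sorted(by_priority):
        # zero-weight records go first so they are only picked when the draw is 0
        group = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            draw = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r.weight
                if running >= draw:
                    ordered.append(r)
                    group.remove(r)
                    break
    return [(r.target.rstrip("."), r.port) for r in ordered]


def lookup(service, proto, name, zone=FAKE_ZONE, rng=random):
    """Resolve the SRV record set for a service.
    None  -> nothing published: fall back to A/AAAA on the bare name and the default port
    []    -> explicitly unavailable (single record with target ".")
    list  -> (host, port) pairs to try in order"""
    answer = zone.get(srv_name(service, proto, name))
    if answer is None:
        return None
    if len(answer) == 1 and answer[0].target == ".":
        return []
    return order_targets(answer, rng)


if __name__ == "__main__":
    print(lookup("minecraft", "tcp", "minecraft.example.com"))
```

The port lives in the record, which is the whole point for a single public IP: two services on the same name can advertise different ports, and the client never needs to be told about them. Nothing here contacts a resolver; swap FAKE_ZONE for a real query (for example with dnspython) and the ordering logic stays the same.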

0

If you want exactly what you described, the answer by Daniel is correct: you have to set up another server, make it receive all the :80 traffic and proxy it to the correct server depending on domain.

But I would suggest simply getting another IP address. Judging by your comments it seems that you are using a local ISP and have several of them to choose from in the neighborhood. Smaller ISPs in a competitive situation are very likely to agree to whatever you ask. As long as you are doing something legal, most of them will agree to give you an additional IP address for a couple of euros per month.

Another option is to just use one server. If your :80 servers are virtual machines on the same host, you will save resources and reduce complexity by making a single webserver with multiple virtual hosts serving it all.

0

If you have a DNS server running inside your network, you could configure your DNS server and make use of domain name override for each subdomain to point to an internal IP. To do this, please refer to this link.

If this is not the case, then you can use a router to forward ports like so:

212.5.5.5:444 forward to 192.168.0.2:80

and

212.5.5.5:333 forward to 192.168.0.3:80

Then to access 192.168.0.2:80 from outside you connect to 212.5.5.5:444 or domain.com:444

and to access 192.168.0.3:80 from outside you connect to 212.5.5.5:333 or domain.com:333

and so on...

  • That's not an option. Writing ports on your domain is counterintuitive. – Laurynas Kerežius Jul 22 at 14:00
  • That's not how DNS works. It can't make private IPs routable just by adding an entry for them... – Milney Jul 23 at 17:18
    @Milney Public DNS servers can't. However if an internal DNS server is present on the private network, this can be done and it is a common practice. Please read here (medium.com/tech-jobs-academy/…) – Raffa Jul 23 at 20:32
  • @Raffa - No... that simply passes the DNS Request on to another DNS server. If the record points at an internal private IP, it will still not be accessible from outwith the network - unless one of the other solutions others have mentioned (i.e. port forwarding, proxying) is employed – Milney Jul 23 at 22:13
  • @Milney The aim is to help and clarify. I removed that part since it appeared to be not helping and not clear. However, I suggest reading about domain name override inside a network. – Raffa Jul 24 at 1:30
