With a reverse proxy, access from the Internet to the "internal" web servers can be controlled. In contrast to plain port forwarding, dedicated filter rules can be created via the reverse proxy. In addition, several internal web servers can be reached via a single public IP address, selected by domain name.
Load balancing is another highlight: servers can be combined into groups, to which the requests are then distributed using the selected algorithm (e.g. Round-Robin).
Requirements
The following values are assumed for the example configuration:
Web server with the private IP: 10.1.0.150
Domain: www.ttt-point.de
Preparations
Attention: If the web server is also to be accessed via https, the port of the user interface must be changed first.
In the factory setting, port 443 for https is already occupied by the user web interface of the UTM. It must therefore be changed to another port. The settings for this are in the menu → Network → Appliance Settings, tab Appliance Settings, in the section Webserver.
If necessary, port filter rules that allow access to the user web interface must be adjusted.
Save
For https, the reverse proxy needs a certificate to accept the encrypted connection.
For this, a certificate from → Authentication → Certificates is used.
If a locally self-created certificate is used, external users must confirm a certificate warning when they open the site for the first time.
It is better to import a publicly issued, purchased certificate or to create an ACME certificate.
Important: the name of the certificate must match the domain. In this example, a wildcard certificate *.ttt-point.de is used.
Port filter rule
For the reverse proxy to be reachable, the following port filter rule must be in place. This can be checked under → Firewall → Port filter. If it is not present, click Add rule to create it.
# | Source | Destination | Service | NAT | Action | Active
3 | internet | external-interface | https | | Accept | On
If necessary, this port filter rule must also be created for the http service.
Configuration
The settings for the reverse proxy are located in the menu → Applications → Reverse-Proxy. Clicking on the button Reverse-Proxy wizard opens the wizard.
Wizard
Step 1 - Internal
Target server already exists as a network object
Target Server: www.ttt-point.de
    If the host has already been created as a network object, it can be selected directly in the drop-down menu.
Port: 443
    The web server should be accessed via an encrypted connection.
Use SSL: On
    SSL must be activated.
Target Server: Create server
    If the target server does not yet exist as a network object, it can be created via the selection point new server in the wizard.
Target server does not yet exist as a network object
Server Name: www.ttt-point.de
    Name of the network object. The server name of the network object can be freely chosen when creating a new object, but must not already be in use by other objects. A meaningful naming convention should be chosen and kept. Since the connection is being configured here for the web server hosting the homepage, and it should later also be reachable as "www.ttt-point.de", this name is used for the network object as well.
IP address: 10.1.0.150
    IP address of the web server.
Zone: dmz1
    Zone of the network object. The zone is entered automatically if the IP range is known to the UTM.
    It is recommended to set up the server in its own network with its own zone.
Port: 443
    The web server should be accessed via an encrypted connection.
Use SSL: On
    SSL must be activated.
Next
Step 2 - External
Define incoming connection
External domain name: www.ttt-point.de
    Here you enter the name under which the server behind the UTM is addressed.
    The public IP address that the client calls up from the Internet can also be entered here. However, it is then not possible to distinguish further individual servers via additional subdomains.
Configuring external access so that the reverse proxy responds to requests
Mode: HTTPS
    Access shall be exclusively encrypted via https.
SSL-Proxy Port: 443
    The proxy port is 443 as well.
SSL certificate: *.ttt-point.de
    The certificate prepared in the step Preparations is selected here.
Next
Step 3 - Authentication
Forward authentication: Provide login data
    The proxy should not perform authentication. No authentication!
Login name: blank
Password: blank
Authentication: off
    Authentication is not useful for a web server that hosts the public home page.
Finish
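Once the wizard is finished, a practitioner will want to confirm that the external name really answers with a certificate that covers it (the "name of the certificate must match the domain" requirement above). The following check is an added example and is not part of the UTM or its documentation; it assumes the external domain www.ttt-point.de, the wildcard certificate *.ttt-point.de and SSL proxy port 443 from this configuration, and the live check needs network access.

```python
"""Post-deployment check for the reverse proxy configured above: does the
certificate presented on the external name really cover that name?
Added example, not part of the UTM or its documentation."""
import socket
import ssl


def name_matches(cert_name: str, hostname: str) -> bool:
    """Exact match, or a wildcard that is the whole leftmost label and
    covers exactly one label: '*.ttt-point.de' covers 'www.ttt-point.de'
    but neither 'ttt-point.de' nor 'a.b.ttt-point.de'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    if c_labels[0] != "*" or "*" in cert_name[1:]:
        return False  # partial wildcards such as 'w*.example' are rejected
    return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]


def cert_covers_domain(cert_names, hostname: str) -> bool:
    """True if any SAN or CN entry covers the external domain name."""
    return any(name_matches(n, hostname) for n in cert_names)


def san_names(cert: dict) -> list:
    """DNS names from the dict that ssl.SSLSocket.getpeercert() returns;
    falls back to the subject CN when the SAN extension is absent."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names


def check_live(hostname: str, port: int = 443) -> bool:
    """Connect with SNI, as a browser would, and verify chain and name.
    A self-signed certificate (the 'certificate warning' case) raises
    ssl.SSLCertVerificationError here. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return cert_covers_domain(san_names(tls.getpeercert()), hostname)


if __name__ == "__main__":
    # External domain and SSL proxy port from the example configuration.
    print("certificate covers domain:", check_live("www.ttt-point.de", 443))
```

If the UTM user interface port was not moved as described under Preparations, the connection on 443 will present the UTM's own certificate instead, and the check reports that the domain is not covered.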
Server groups
A server group is created automatically
New server groups can be added
Existing server groups can be extended with additional servers
A port forwarding allows only a 1:1 relationship: the connection is forwarded to a single server.
With a reverse proxy it is different; these are the possible relationships:
1:1 - One domain/IP : One server
1:N - One domain/IP : Multiple servers (load balancing)