DNS wildcard for multiple hosts and reverse proxy

Hi everyone,
I own a domain, let’s say jonsmith.it, and only one public IP. If I wanted to host multiple servers on this domain using only the aforementioned IP, would it be possible to use a reverse proxy to manage the hosts together with a DNS wildcard record? NethServer is the gateway and firewall. Is this scenario possible? Or is there a better way to achieve this? Let me know.

Thanks in advance!

NethServer Version: 7.8.2003
Module: Reverse proxy, DNS

Of course. The wildcard DNS entry would go on your DNS host; I’m not sure if Neth’s DNS for your LAN supports wildcard entries as well.

You may then also want to get a wildcard Let’s Encrypt certificate. Neth will happily use one, but it doesn’t have the capacity to request one through the web GUI. For two different ways of doing that, see:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns


Hi Dan,
thanks for your reply. If I understood correctly, these would be the steps (correct me if I’m wrong):

  1. Change the DNS record so that *.jonsmith.it will point to the IP address on the DNS provider panel and wait for it to spread

  2. On the Nethserver side, configure the reverse proxy hosts and point them to the correct devices

Right?

That looks right, assuming all the reverse proxy hosts would be subdomains of jonsmith.it. Be aware that you can only have one level of wildcard in a DNS label, so the entry you mention will match foo.jonsmith.it, bar.jonsmith.it, and baz.jonsmith.it, but not foo.bar.jonsmith.it (or, for that matter, simply jonsmith.it).

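The single-label rule matters most at the TLS layer, where it is exact: a wildcard certificate for *.jonsmith.it covers foo.jonsmith.it but neither foo.bar.jonsmith.it nor the bare jonsmith.it (RFC 6125 section 6.4.3, tightened by the CA/Browser Forum Baseline Requirements so that the asterisk must be the entire left-most label), so the bare name has to be listed as its own SAN alongside the wildcard. DNS wildcard synthesis itself follows RFC 4592 and its closest-encloser rule, so what resolves and what the certificate covers should be checked separately. The Python below is an added example written for this thread, not NethServer code or anything from the linked wiki pages; it implements the certificate-side check against a cert's dNSName SANs, ignoring the CN as modern browsers do. The hostnames in it are made up.

```python
"""Hostname matching against the dNSName SAN entries of a TLS certificate.

Implements the single-label wildcard rule of RFC 6125 section 6.4.3 as
tightened by the CA/Browser Forum Baseline Requirements: '*' is accepted
only as the entire left-most label and it stands for exactly one label.
Added example for the forum thread; not NethServer code.
"""
from __future__ import annotations


def _canon(name: str) -> str:
    """Lower-case, drop one trailing dot, reject obviously malformed names."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    if not name or name.startswith(".") or ".." in name:
        raise ValueError(f"malformed DNS name: {name!r}")
    return name


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate dNSName (possibly a wildcard) covers hostname."""
    pattern = _canon(pattern)
    hostname = _canon(hostname)
    if "*" in hostname:            # a presented hostname never contains '*'
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and the only one, and
    # must leave at least two labels to its right ("*.it" is not issuable).
    if (p_labels[0] != "*"
            or any("*" in label for label in p_labels[1:])
            or len(p_labels) < 3):
        return False
    # '*' stands for exactly one label, so label counts must agree:
    # *.jonsmith.it matches foo.jonsmith.it, but not foo.bar.jonsmith.it
    # and not the bare jonsmith.it.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names: list[str], hostname: str) -> bool:
    """True if any dNSName SAN covers hostname. The CN is deliberately ignored."""
    return any(cert_name_matches(p, hostname) for p in san_dns_names)


def uncovered_names(san_dns_names: list[str], wanted: list[str]) -> list[str]:
    """Names from `wanted` that the given SAN list would NOT cover."""
    return [h for h in wanted if not cert_covers(san_dns_names, h)]


if __name__ == "__main__":
    # Constructed data: the proxy hostnames the thread is about.
    proxy_hosts = ["foo.jonsmith.it", "bar.jonsmith.it",
                   "jonsmith.it", "foo.bar.jonsmith.it"]
    print("wildcard only  ->", uncovered_names(["*.jonsmith.it"], proxy_hosts))
    print("wildcard + bare ->",
          uncovered_names(["*.jonsmith.it", "jonsmith.it"], proxy_hosts))
```

Run `uncovered_names` over the list of reverse-proxy hostnames before ordering the certificate: anything it returns needs either its own SAN entry (the bare domain, a second wildcard such as *.bar.jonsmith.it) or a change of naming scheme.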

Hi Roberto,

SAN and Wildcard
Reference: https://www.thawte.fr/ssl/san-uc-ssl-certificates/#.
Reference: https://www.thawte.fr/ssl/wildcard-ssl-certificates/.
What do the terms SAN (Subject Alternative Names) and UC (Unified Communications) mean?
Certificates that use SAN (Subject Alternative Names) are powerful tools that allow you to secure multiple domain names efficiently and economically. Thawte SSL certificates can secure up to 25 fully qualified domain names with a single certificate using SANs. The names of certificates that use SANs are also known as Unified Communications (UC) certificates and are used with Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Communications Server. The purpose of a certificate with SAN is the same as any other certificate; it allows a server to define its identity and establish secure communication. Certificates with SAN also provide a SAN (Subject Alternative Name) field that allows additional domain names to be protected with a single certificate.

Why do I need a SAN?
Instead of purchasing individual certificates for each domain name, you can add domain names in SAN fields to share the same certificate. Not only does the company save the cost of purchasing individual certificates, it also saves time by eliminating the need to manage multiple certificates.
For example, a single certificate with SAN support would be able to secure the following domain names:
www.macompagnie.com
mail.macompagnie.com
macompagnie.com
www.toto.net
mail.toto.net
toto.net

SAN certificate vs Wildcard certificate
Wildcard certificates are similar to SAN certificates with a few restrictions. With a Wildcard certificate, you can secure multiple subdomains with a single root domain. For example, if you have a Wildcard certificate for www.macompagnie.com, it also secures intranet.macompagnie.com and email.macompagnie.com with the same certificate.
However, you will not be able to secure multiple unique domains like www.macompagnie.net and www.toto.org.

Wildcard SSL Certificates
Securing multiple subdomains on a single server.
Thawte Wildcard SSL Certificates secure multiple subdomains with a single SSL certificate, reducing management time and cost. Using wildcard notation (an asterisk and a period before your domain name) allows you to extend security to different subdomains, based on your top-level domain name.

Michel-André

…unless, of course, you get a wildcard cert for both root domains, which is trivially easy.

Hi Roberto,

I am not sure of what you mean by “multiple server”.

If the other “multiple servers” are on your LOCAL network, keep in mind that if you connect from the Internet, the certificate that the browser will see is the one from the main server, i.e. the one directly connected to the Internet, and it will not be the one from the LOCAL server, as it is the main server that answers the connection and then just relays the pages from the LOCAL server.

If the other “multiple servers” are vhosts on the main server, then you can request multiple different certificates, one for each vhost. You can then choose which certificate is associated with which vhost. The certificate seen by the browser will then be the correct one and not the one from the main server.

Michel-André

In the most common case, the local server wouldn’t have a cert at all, and TLS termination would be handled at the proxy (the Neth box). But can Neth really only use the default cert as a reverse proxy? That seems like a silly limitation.
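One consequence of terminating TLS at the proxy that the thread does not spell out: once *.jonsmith.it resolves every conceivable name to the NethServer box, DNS no longer says which names are real, so the proxy's vhost list has to, and an unknown Host header should be refused rather than falling through to the first vhost or to a catch-all backend. The Python below is an added example written for this thread, not NethServer's reverse-proxy implementation; it shows the Host-header canonicalisation and default-deny routing a name-based proxy needs. The routing table, hostnames and backend addresses are constructed for the example.

```python
"""Host-header routing for a name-based reverse proxy behind a wildcard DNS
record. Added example for the forum thread; not NethServer code.

Every name under jonsmith.it resolves to the proxy, so the proxy's explicit
table decides which names exist. Unknown or malformed Host values are
answered with an error, never forwarded to a default backend.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed routing table; hostnames and backends are hypothetical.
ROUTES = {
    "cloud.jonsmith.it": "http://192.168.1.10:80",
    "git.jonsmith.it":   "http://192.168.1.11:3000",
    "jonsmith.it":       "http://127.0.0.1:8080",
}


@dataclass(frozen=True)
class Decision:
    status: int            # HTTP status the proxy should answer with
    backend: str | None    # upstream to forward to, if any
    reason: str


def normalise_host(host_header: str) -> str | None:
    """Return the canonical hostname from a Host header, or None if unusable.

    Accepts an optional ":port" suffix, a bracketed IPv6 literal, mixed case
    and a trailing dot. Rejects anything carrying a path, userinfo, scheme,
    whitespace or an unbracketed IPv6 address.
    """
    h = host_header.strip().lower()
    if not h or any(c in h for c in "/@\\ \t?#"):
        return None
    if h.startswith("["):                      # "[::1]:443" -> "::1"
        end = h.find("]")
        if end == -1:
            return None
        return h[1:end] or None
    if h.count(":") == 1:                      # "host:port"
        h, port = h.split(":")
        if not port.isdigit():
            return None
    elif ":" in h:                             # bare IPv6 is not a hostname
        return None
    h = h.rstrip(".")
    return h or None


def route(host_header: str | None, routes: dict[str, str] = ROUTES) -> Decision:
    """Decide where a request goes, defaulting to refusal for unknown names."""
    if host_header is None:
        return Decision(400, None, "missing Host header")
    name = normalise_host(host_header)
    if name is None:
        return Decision(400, None, "malformed Host header")
    backend = routes.get(name)
    if backend is None:
        # Default deny: no fall-through to the first vhost or a catch-all.
        return Decision(421, None, f"no virtual host configured for {name}")
    return Decision(200, backend, "routed")


if __name__ == "__main__":
    # Constructed sample of Host headers a wildcard-DNS'd proxy will receive.
    for hdr in ["cloud.jonsmith.it", "Git.JonSmith.it:443", "jonsmith.it.",
                "anything.jonsmith.it", "[::1]:443", "cloud.jonsmith.it/x", None]:
        print(f"{hdr!r:28} -> {route(hdr)}")
```

The 421 (Misdirected Request) for unknown names is deliberate: it tells a client that the name is not served here without revealing or proxying to whatever happens to be the first configured backend. In a real deployment the same default-deny belongs in the web server's vhost configuration, with a dedicated default vhost that serves nothing useful.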

Hi guys,
thanks for your thoughts. I went the DNS wildcard and reverse proxy way and it worked fine, although I didn’t use your repo @danb35 because I found another useful piece of software called Certify SSL Manager from Certify The Web, which has a GUI on top of everything and smooths the certificate procedure. Thanks a lot for your help!

Cheers,
Roberto