Provide SSTP VPN and normal HTTPS Websites over the same Port and IP

Tags: https, proxy, reverse-proxy, sstp

In my little lab I want to use SSTP VPN AND an HTTPS webpage, which should be accessible from the internet. I just have 1 public IP and the lab is behind NAT (port forwarding 443). SSTP already works great and my webpage is accessible too! But clearly not over the same port, 443!

Current Infrastructure:

[gateway <- windows server 2012 R2 with SSTP]
[webserver <- ubuntu server with apache and a single https webpage]
[router <- standard router which forwards the 443 to... one of the above]

Is there a way to use some kind of proxy/reverse proxy/SSL redirect to use port 443 for both services? How would you do that? I wish to configure something on the gateway to redirect all non-SSTP traffic (maybe getting at http.sys directly?) to the Ubuntu server…

Any ideas?

Best Answer

Obviously the question is quite old but doing this is possible if you're willing to reconsider your chosen web server. Obviously you already have a Windows Server 2012 R2 server so, in order to reduce complexity, there's no reason why you can't use IIS 8.5 to host your https site. I actually use this myself alongside an SSTP VPN but I've also given you another option beneath the screenshot.

Once you have set the site up in IIS, create an https binding on the site to use a host header (Host name:) appropriate to the domain name of the site. This is how IIS knows which site to send the request to - yes, this means you can have multiple SSL websites on your IIS server too. I have a single certificate with multiple subject alternative names (SAN cert) that I use for both my SSTP VPN and the websites hosted on my IIS server, though you should be able to use separate certificates if you so wish.

[Screenshot: IIS site Bindings dialog]

You should also investigate Server Name Indication which is supported by IIS, though not enabled on my server.

http://en.wikipedia.org/wiki/Server_Name_Indication

If you desperately need to keep your Ubuntu box, install the Web Application Proxy role (a sub-role of the Remote Access role) on the Windows Server 2012 R2 server (this role is new in 2012 R2). Configure it using the Remote Access Management Console (not the RRAS console). Publish a web application using pass-through, define an external URL (the one external users will type in, which resolves to your external IP) and then an internal URL (one that the Web Application Proxy server can resolve to your Ubuntu server's internal IP; the HOSTS file works fine!). Use the SSL cert that you would have put on your Ubuntu box where it asks for a certificate. You can choose not to bother with defining SSL on your Ubuntu box and essentially let the Web Application Proxy service do SSL offloading. One thing to bear in mind is that your web server logs will show the WAP server's IP, not the user's external IP.

Two options there. Personally, I'd go with a single IIS 8.5 server to minimise estate sprawl :)

-Lewis
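The two options in the answer above, written out as PowerShell for the Windows Server 2012 R2 gateway. This is an added example, not Lewis's own configuration; the site name, host names, backend URL and certificate thumbprint are assumed placeholders you would replace with your own.

```powershell
# Added example (not from the original answer): the two options described above,
# run on the Windows Server 2012 R2 gateway that also terminates SSTP.
# Assumed values: site "LabSite", public host name www.lab.example, backend
# https://webserver.lab.internal, and a placeholder SAN-certificate thumbprint.

Import-Module WebAdministration

$siteName   = 'LabSite'
$hostName   = 'www.lab.example'         # assumed public host name of the website
$thumbprint = '<SAN-CERT-THUMBPRINT>'   # placeholder: thumbprint of the SAN cert in LocalMachine\My

# --- Option 1: host the site on IIS 8.5 next to SSTP -----------------------
# An https binding that carries a host name; SslFlags 1 enables SNI so IIS
# selects site and certificate by the name the client sends, while SSTP keeps
# its own path through http.sys on the same port.
New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
               -HostHeader $hostName -SslFlags 1

# Attach the certificate to that SNI binding (path format is !port!hostname).
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
New-Item -Path "IIS:\SslBindings\!443!$hostName" -Value $cert -SslFlags 1

# Check what IIS now listens for on 443 for this site.
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation, sslFlags

# --- Option 2: keep the Ubuntu box, publish it through Web Application Proxy --
# Assumes the Web Application Proxy role is installed and already configured.
# External users resolve $hostName to the public IP; WAP resolves the backend
# name itself (a HOSTS entry is enough, as the answer notes). Use http:// for
# the backend if you let WAP do the SSL offloading instead.
Add-WebApplicationProxyApplication -Name 'LabSite' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://$hostName/" `
    -BackendServerUrl 'https://webserver.lab.internal/' `
    -ExternalCertificateThumbprint $thumbprint
```

Only one of the two options is meant to be applied; with option 2 the Apache access logs will show the WAP server's address as the client, as the answer points out.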