ELI5: Difference between NAT & Reverse Proxy?

Hello,

I am a bit confused about the exact difference between NAT and reverse proxy.

Can someone please describe to me the two approaches to an incoming request?

For example, I am publishing the address nextcloud.domain.com via port 443.

How do the two concepts proceed to associate and forward a nextcloud.domain.com request to the nextcloud server?

Thanks in advance!

NAT is a router function, modifying individual packets to fake the sender and/or recipient (depending on the direction of the traffic) to make many machines look like 1, or vice versa. However, the rest of the packet is not modified, or as minimal modifications as possible are performed to maintain this transparent effect (there are some exceptions for protocols that don’t handle sender/recipient rewrites, but screw those guys).

A proxy is something you connect to directly as its own service like with TCP, and then it will in turn connect to a different service upstream acting as a relay. This means the proxy can do things that NAT isn’t smart enough to, such as filtering what URL a user is trying to load, or adding SSL encryption to a connection, allowing the internet to see encrypted traffic but the local LAN to see not-encrypted traffic.

NAT has to decide on the very first packet which machine in the LAN area gets the packet, and then it’s locked. A proxy has the option to delay that decision, accepting the incoming request first and talking to the incoming user before it has to commit. However, it means there are technically 2 connections: user to proxy and proxy to server. With NAT it’s just one connection passing straight through, other than the sender/recipient modification.

When you say NAT (Network Access Translation), I think you actually mean Port Forwarding. NAT is just about translating traffic from one IP address to another. Most commonly when you are going from a private IP to a public IP. Your router/modem will have a NAT, to change your 192.168.0.15 private IP to a public 270.3.10.65. This is a pretty complicated system and has been around for a very long time.

As for your question Port Forwarding would allow you to map all requests coming to your public IP, on port 443 to a specific internal IP address. If you had a web server running in your network, you would likely forward 443 to that server.

This will work if you only have one web server running on a single IP address. But what if you wanted to have two, maybe you have an Apache server and an IIS server. Port forwarding could work, but you would have to give one 443 and the other a non-standard port like 8443. But that sucks. This is where a reverse proxy comes into play. You set up your reverse proxy, and you port forward 443 to your proxy. Then on your proxy you can define: all requests coming in with the host name “nextcloud.domain.com” I want you to forward to the Apache server, and all other requests I want to go to the IIS server.

Reverse proxies can actually do much more than just forwarding. Personally I have my reverse proxy doing all my SSL encryption so that my application servers do not have to worry about that.

Hello,

so in case I publish

nextcloud.domain.com (running on server 1)

and

grafana.domain.com (running on server 2)

both public via port 443, and they are also both reachable internally via port 443 - this would not be possible via NAT?

That is correct. You would need a reverse proxy. I use Nginx, but you can use Apache too.

One last question:

In case I have both websites publicly reachable via port 443.

But internally, one is reachable over port 3333 and the other via port 4444.

Could NAT translate the public IP from https://nextcloud.domain.com to https://192.168.0.20:3333, so it uses different ports between router and internal device - and I could publicly have multiple 443 websites via NAT?

No. NAT or port forwarding can only switch on ports. So you can only have 1 rule per port. It does not matter what the internal ports are.

You cannot do publicIP:443 → Server1:3333 and also do publicIP:443 → Server2:4444. How would it know which connection to publicIP:443 to send to which server?

nextcloud.domain.com isn’t an IP address, it’s a domain name. NAT works at the network level; it doesn’t know what a domain name is. That’s why the Port Forwarding options on your router can only map a specific external port to an internal address and port. Having multiple internal services listening on different ports doesn’t change the fact that only one port is exposed publicly, and you can only map one external port to one internal address+port.

An HTTP reverse proxy is more advanced because it actually handles HTTP connections, can analyse the request to determine the domain, and thus forward traffic to the target service on the LAN.
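To make the difference concrete, here is a small added model (not code from the thread or from any router or proxy) of the two decisions described in this thread: a port-forwarding table that only ever sees the packet's destination port, and a reverse proxy that accepts the connection and routes on the HTTP Host header. The addresses 192.168.0.20/21/30, the internal ports 3333 and 4444, and the catch-all upstream are constructed sample values; the proxy is assumed to have already terminated TLS, so it sees plaintext HTTP (in nginx this routing step is what `server_name` matching does).

```python
"""Toy model of NAT port forwarding vs. HTTP reverse-proxy routing.
Added example; all addresses and ports below are constructed samples."""
from dataclasses import dataclass

# ---- NAT / port forwarding: one rule per external port ----------------------
# A router's port-forward table is keyed on the external port alone, so a
# second entry for 443 cannot exist (constructed sample target).
PORT_FORWARD_RULES = {
    443: ("192.168.0.20", 3333),
}


@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes  # NAT never inspects this; the hostname lives in here


def add_port_forward(rules, external_port, internal_ip, internal_port):
    """Add a rule; refuses a second target for an already-forwarded port."""
    if external_port in rules:
        raise ValueError(
            f"port {external_port} is already forwarded to {rules[external_port]}"
        )
    rules[external_port] = (internal_ip, internal_port)


def nat_forward(packet, rules=PORT_FORWARD_RULES):
    """Rewrite the destination of a packet that arrived at the public IP.
    The choice depends only on dst_port; the payload is carried through
    untouched, so two sites sharing :443 are indistinguishable here."""
    target = rules.get(packet.dst_port)
    if target is None:
        return None  # no rule for that port: the router drops it
    ip, port = target
    return Packet(ip, port, packet.payload)


# ---- Reverse proxy: route on the Host header --------------------------------
UPSTREAMS = {
    "nextcloud.domain.com": ("192.168.0.20", 3333),
    "grafana.domain.com": ("192.168.0.21", 4444),
}
DEFAULT_UPSTREAM = ("192.168.0.30", 443)  # "all other requests" target


def parse_host(request: bytes):
    """Return the lowercased Host header of a plaintext HTTP/1.1 request
    (port suffix stripped), or None if the header is missing."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]
    return None


def proxy_route(request: bytes, upstreams=UPSTREAMS, default=DEFAULT_UPSTREAM):
    """Pick the upstream after reading the request. HTTP/1.1 requires Host,
    so a request without one gets no upstream (a real proxy answers 400)."""
    host = parse_host(request)
    if host is None:
        return None
    return upstreams.get(host, default)


if __name__ == "__main__":
    # Constructed sample request for the second site, sent to the public :443.
    req = b"GET /login HTTP/1.1\r\nHost: grafana.domain.com\r\n\r\n"
    pkt = Packet("203.0.113.5", 443, req)
    print("NAT sends it to   :", nat_forward(pkt).dst_ip)  # always .20
    print("proxy sends it to :", proxy_route(req))         # .21:4444
```

Running it shows the asymmetry the answers describe: the same packet for grafana.domain.com is forwarded by the NAT rule to 192.168.0.20 because only the port is consulted, while the proxy, having read the request, picks 192.168.0.21:4444.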

That makes sense - thanks for clarifying!