1

Problem:

I have a server (Server A) hosted in Datacenter A, where a web server listens on ports 80 and 443 for the domain example.com. Unfortunately, Datacenter A does not offer DDoS protection.

To mitigate potential DDoS attacks, I plan to provision another server Server B in Datacenter B, which has strong anti-DDoS capabilities.

My goal is to:

  1. Point the example.com domain to Server B.
  2. Proxy the traffic from Server B to Server A without modifying the content or headers.
  3. Ensure that Server A sees the original client's IP address in the request, as if the client connected directly to Server A.

Current Approach:

I'm currently using TCP streaming via NGINX on Server B to achieve this.

However, this solution feels somewhat complex, and I suspect there might be a simpler, more efficient method.

Questions:

  1. What would be the easiest and most performance-efficient way to implement such a proxy?

  2. Is my current solution with NGINX the best approach, or are there better alternatives that could simplify the setup and maintain high performance while ensuring the client's IP is preserved?

Improve this question

1 Answer 1

Reset to default
1

Set up an IP tunnel (such as GRE or IP-IP or WireGuard) between the two hosts. I believe GRE is the most common for DDoS protection services, but anything works.

Then configure DNAT (aka port-forwarding) on Server B so that it would send "port 80/443" or any other traffic through the tunnel towards Server A, as well as policy routing so that Server A would also respond through the tunnel (i.e. have two default routes and select the right one).

It is not much simpler compared to Nginx, but I don't think you can get much further than that. It does have some advantages, e.g. it will work with any service – TCP or UDP or other – even if that service doesn't support the proxy protocol.

You can also use the same tunnel to allow Server A to make outbound connections using B's address, to reduce the risks of someone being able to find its real unprotected address.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.