Best practice on choosing alternative SSL ports



  • I want expose multiple internal web servers to the internet for remote access outside of our LAN. We only have one IP address and one firewall. So the first web server uses port 443 and the firewall forwards 443 traffic from the internet to this server.

    The other servers will have to use alternative ports. Which ports should I choose? When I've googled, I can only find answers that state it doesn't matter. But I'm not sure I should choose random numbers should I? So far, I used port 8443 because http://www.speedguide.net/ says it is a common alternative SSL port.

    Any other tips/advice on multiple web server on a single IP?


  • Banned

    You might want to choose ports which your users will easily remember.

    So you might want.

    :222
    :333
    :444
    :555
    :777
    :888



  • Which web server are you using? I've never done it with Apache (but I assume it's similar), with NGINX you can define multiple virtual hosts who have their own ssl cert. That way everything runs through 443 and just goes to the correct virtual host.

    You can also set up NGINX as just a reverse proxy and all traffic goes to it, and then it forwards to the correct server behind it.



  • IIS. It would certainly be nice to have everything go through 443 as it's a pain getting users to add a port onto the end of a nice friendly URL.



  • @Carnival-Boy said:

    IIS. It would certainly be nice to have everything go through 443 as it's a pain getting users to add a port onto the end of a nice friendly URL.

    Oh, ya I can't help you there ha. Agreed, about the only way to help them there is create a shortcut or favorite for them.



  • @Breffni-Potter said:

    You might want to choose ports which your users will easily remember.

    So you might want.

    :222
    :333
    :444
    :555
    :777
    :888

    Those are low numbered reserved ports. They are all "owned" by specific other services. While uncommon, it is definitely not good practice to use any low number port for something other than its assigned purpose.



  • The ports designated for the purpose described are 49152–65535. You can pick any ports you want in this, the ephemeral range. No one can request a port assignment from this range.

    For easy of use, I would start at 50,000 and increment by one as needed for each additional port.



  • Or I would follow @johnhooks idea and put an nGinx proxy in front of everything so that only port 443 need be used.



  • @scottalanmiller said:

    Or I would follow @johnhooks idea and put an nGinx proxy in front of everything so that only port 443 need be used.

    Agreed, assuming IIS can't do it directly, stand up a proxy to make your life easier.



  • Or you can cheat a little bit. This works using IIS, Apache, or whatever other web service you want...

    Export Port 80 on your web server, assuming you have one available to the public...

    Then setup folder structures... ie: /services/spiceworks

    In the spiceworks folder, put an index.html file that reads:

    <meta http-equiv='refresh' content='0;url=https://my.server.name:mysslport' />
    

    That will automatically redirect your users to the HTTPS server and port and they dont' have to remember port numbers, etc. for themselves.



  • @dafyre said:

    That will automatically redirect your users to the HTTPS server and port and they dont' have to remember port numbers, etc. for themselves.

    Ah, so able to use HTTP Header detection with SSL, then redirect for SSL. Tricky.



  • @dafyre said:

    Or you can cheat a little bit. This works using IIS, Apache, or whatever other web service you want...

    Export Port 80 on your web server, assuming you have one available to the public...

    Then setup folder structures... ie: /services/spiceworks

    In the spiceworks folder, put an index.html file that reads:

    <meta http-equiv='refresh' content='0;url=https://my.server.name:mysslport' />
    

    That will automatically redirect your users to the HTTPS server and port and they dont' have to remember port numbers, etc. for themselves.

    Sure, but doesn't that leave port 80 actually open to attack? Wouldn't this be better served at the firewall?

    What I don't know is.. is port 80 any more vulnerable to attack than port 443?



  • @Dashrender said:

    Sure, but doesn't that leave port 80 actually open to attack?

    The IIS ports have to be open, period. That can't change unless you have a full proxy out in front. What are you thinking is the issue here? Why is port 80 mentioned?



  • @Dashrender said:

    What I don't know is.. is port 80 any more vulnerable to attack than port 443?

    All ports are identical. They are just ports, addresses. Is 114 Mockingbird Lane more risky than 118 Mockingbird Lane based solely on the street address? Same thing with ports.



  • @scottalanmiller said:

    @Dashrender said:

    What I don't know is.. is port 80 any more vulnerable to attack than port 443?

    All ports are identical. They are just ports, addresses. Is 114 Mockingbird Lane more risky than 118 Mockingbird Lane based solely on the street address? Same thing with ports.

    Point taken - I just didn't know if the service sitting behind port 80 was more susceptible to attack than the TLS service that sits behind port 443.



  • @Dashrender said:

    Point taken - I just didn't know if the service sitting behind port 80 was more susceptible to attack than the TLS service that sits behind port 443.

    Service is IIS in both cases.



  • SSL and TLS protect people from spying on an existing communications channel, but does nothing to protect the end points. It's just a service that has to respond to any incoming request.