Hi,

on an internal test webserver I have different namebased virtual webservers. There is an A record on my DNS system for the main server, and CNAME records for the virtual servers.

Now I'm thinking of a public webserver also with virtual namebased servers. What I need is to redirect incoming http(s) requests to the internal web servers, but how to handle the different virtual names??

The same, if I have multiple physical webservers?? How do I redirect requests to e.g. web01 (172.17.1.1) and web02 (172.17.1.2)?

My firewall has an A record, the webservers will have CNAME records, but private IPs in my DMZ. So any hints or working configs??

A rule like

ACCEPT net loc:172.17.1.1:80 tcp 80 - 1.2.3.4

would only handle _one_ webserver, am I right??

Thanks...
...Götz Reinicke

- Götz Reinicke -------------------- mailto: greinick@filmakademie.de -
IT Koordinator Tel: 07141/969-420
IT-OfficeNet Filmakademie Baden-Württemberg Fax: 07141/969-55420
- Mathildenstr. 20, 71638 Ludwigsburg ----------- www.filmakademie.de -

> -----Original Message-----
> From: Goetz Reinicke
> Sent: Monday, April 29, 2002 8:06 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] redirect virtual webservers
>
> Hi,
>
> on an internal test webserver I have different namebased virtual
> webservers. There is an A record on my DNS system for the main server,
> and CNAME records for the virtual servers.
>
> Now I'm thinking of a public webserver also with virtual namebased
> servers. What I need is to redirect incoming http(s) requests to the
> internal web servers, but how to handle the different virtual names??
>
> The same, if I have multiple physical webservers?? How do I redirect
> requests to e.g. web01 (172.17.1.1) and web02 (172.17.1.2)
>
> my Firewall has an A record, the webservers will have CNAME
> records, but private IPs in my DMZ. So Any Hints or working
> configs??
>
> A rule like
> ACCEPT net loc:172.17.1.1:80 tcp 80 - 1.2.3.4
>
> would only handle _one_ Webserver, am I right??
>

Yes. But unless you have multiple public IP addresses assigned to your firewall's external interface, I think you'll find you're limited to running a single physical WEB server configured for name based virtual hosting. That's what I do.

Steve

Goetz Reinicke wrote:
>
> Hi,
>
> on an internal test webserver I have different namebased virtual
> webservers. There is an A record on my DNS system for the main server,
> and CNAME records for the virtual servers.
>
> Now I'm thinking of a public webserver also with virtual namebased
> servers. What I need is to redirect incoming http(s) requests to the

https will require one public IP per virtual server (unless you run on different ports)

> internal web servers, but how to handle the different virtual names??

The virtual namebased ones will work fine.

>
> The same, if I have multiple physical webservers?? How do I redirect
> requests to e.g. web01 (172.17.1.1) and web02 (172.17.1.2)
>
> my Firewall has an A record, the webservers will have CNAME records, but
> private IPs in my DMZ. So Any Hints or working configs??
>
> A rule like
> ACCEPT net loc:172.17.1.1:80 tcp 80 - 1.2.3.4
>
> would only handle _one_ Webserver, am I right??

To do this you'll need a reverse proxy or similar. You need to inspect the HTTP request, and look at the Host: header to know which server to redirect to.

That is also why you cannot do this with https, the traffic would be encrypted so you'd have no idea which web server to send it to.

/m

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

Magnus Stenman wrote:
> Goetz Reinicke wrote:
>
>>Hi,
>>
>>on an internal test webserver I have different namebased virtual
>>webservers. There is an A record on my DNS system for the main server,
>>and CNAME records for the virtual servers.
>>
>>Now I'm thinking of a public webserver also with virtual namebased
>>servers. What I need is to redirect incoming http(s) requests to the
>
> https will require one public IP per virtual server
> (unless you run on different ports)
>
>>internal web servers, but how to handle the different virtual names??
>
> The virtual namebased ones will work fine.

How?

<....>

> To do this you'll need a reverse proxy or similar.

What is needed for that? Is this possible with shorewall, if so how?

> You need to inspect the HTTP request, and look at the
> Host: header to know which server to redirect to.

ditto.

Thanks...
...Götz Reinicke

Goetz Reinicke wrote:
>
> Magnus Stenman wrote:
> > Goetz Reinicke wrote:
> >
> >>Hi,
> >>
> >>on an internal test webserver I have different namebased virtual
> >>webservers. There is an A record on my DNS system for the main server,
> >>and CNAME records for the virtual servers.
> >>
> >>Now I'm thinking of a public webserver also with virtual namebased
> >>servers. What I need is to redirect incoming http(s) requests to the
> >
> > https will require one public IP per virtual server
> > (unless you run on different ports)
> >
> >>internal web servers, but how to handle the different virtual names??
> >
> > The virtual namebased ones will work fine.
>
> How?

Client looks up "www.virtual.server", gets a cname to your external IP. It connects (this gets forwarded to the internal web server) and tells the web server that it wants pages from "www.virtual.server" (the Host: www.virtual.server HTTP header)

web server returns pages.

> <....>
>
> > To do this you'll need a reverse proxy or similar.
>
> What is needed for that? is this possible with shorewall, if so how?

A reverse proxy or similar. Not included in shorewall AFAIK. Maybe squid, or apache's mod_proxy can do that. I haven't tried.

> > You need to inspect the HTTP request, and look at the
> > Host: header to know which server to redirect to.
>
> ditto.

That's the job of the reverse proxy.

/m

On Mon, 29 Apr 2002, Magnus Stenman wrote:
>
> Client looks up "www.virtual.server", gets a cname to your external IP.
> It connects (this gets forwarded to the internal web server) and
> tells the web server that it wants pages from "www.virtual.server"
> (the Host: www.virtual.server HTTP header)
>
> web server returns pages.
>
> > What is needed for that? is this possible with shorewall, if so how?
>
> A reverse proxy or similar. Not included in shorewall AFAIK.
>

Apache includes everything you need -- all Shorewall has to do is regular port forwarding. Look at the Apache documentation:

http://httpd.apache.org/docs/vhosts/examples.html

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Tom Eastep wrote:
>
> On Mon, 29 Apr 2002, Magnus Stenman wrote:
>
> > Client looks up "www.virtual.server", gets a cname to your external IP.
> > It connects (this gets forwarded to the internal web server) and
> > tells the web server that it wants pages from "www.virtual.server"
> > (the Host: www.virtual.server HTTP header)
> >
> > web server returns pages.
> >
> > > What is needed for that? is this possible with shorewall, if so how?
> >
> > A reverse proxy or similar. Not included in shorewall AFAIK.
> >
>
> Apache includes everything you need -- all Shorewall has to do is regular
> port forwarding. Look at the Apache documentation:

Not if you want to listen on one external IP for requests to multiple virtual (name based) servers, and forward these to separate boxes on the private net.

For that you'll need a proxy of some kind.

/m

>
> http://httpd.apache.org/docs/vhosts/examples.html

On Tue, 30 Apr 2002, Magnus Stenman wrote:
> Tom Eastep wrote:
> >
> > On Mon, 29 Apr 2002, Magnus Stenman wrote:
> >
> > > Client looks up "www.virtual.server", gets a cname to your external IP.
> > > It connects (this gets forwarded to the internal web server) and
> > > tells the web server that it wants pages from "www.virtual.server"
> > > (the Host: www.virtual.server HTTP header)
> > >
> > > web server returns pages.
> > >
> > > > What is needed for that? is this possible with shorewall, if so how?
> > >
> > > A reverse proxy or similar. Not included in shorewall AFAIK.
> > >
> >
> > Apache includes everything you need -- all Shorewall has to do is regular
> > port forwarding. Look at the Apache documentation:
>
> Not if you want to listen on one external IP for requests to multiple
> virtual (name based) servers, and forward these to separate boxes on
> the private net.
>
> For that you'll need a proxy of some kind.
>

True. Given that you have such a thing though, the Shorewall config part is still trivial.

-Tom

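Added example, not part of any message in this thread: a minimal Apache httpd 2.4 reverse-proxy configuration that routes on the Host: header to the two backends named in the original question. The hostnames www.site-a.example and www.site-b.example are placeholders, and the use of httpd 2.4 with mod_proxy and mod_proxy_http loaded is an assumption.

```apache
# Added illustration, not from the thread. Assumes Apache httpd 2.4 with
# mod_proxy and mod_proxy_http loaded, on the host that receives the
# port-80 traffic for the single public IP.
# www.site-a.example / www.site-b.example are placeholder names (assumptions);
# 172.17.1.1 (web01) and 172.17.1.2 (web02) are the addresses from the question.

# Reverse proxy only: never act as a forward proxy for arbitrary clients.
ProxyRequests Off

# The first vhost is the default for any Host: header that matches nothing
# below. Refuse those requests instead of handing them to a backend.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Host: www.site-a.example -> web01
<VirtualHost *:80>
    ServerName www.site-a.example
    # Pass the client's Host: header through so web01 can still do its own
    # name-based virtual hosting.
    ProxyPreserveHost On
    ProxyPass        "/" "http://172.17.1.1/"
    ProxyPassReverse "/" "http://172.17.1.1/"
</VirtualHost>

# Host: www.site-b.example -> web02
<VirtualHost *:80>
    ServerName www.site-b.example
    ProxyPreserveHost On
    ProxyPass        "/" "http://172.17.1.2/"
    ProxyPassReverse "/" "http://172.17.1.2/"
</VirtualHost>
```

With this in place the firewall only has to admit TCP port 80 to the proxy host; web01 and web02 can be restricted to accept port 80 from the proxy alone.
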
Magnus Stenman wrote:
> Goetz Reinicke wrote:
> >
> > Magnus Stenman wrote:
> ...
> > >>internal web servers, but how to handle the different virtual names??
> > >
> > > The virtual namebased ones will work fine.
> >
> > How?
>
> Client looks up "www.virtual.server", gets a cname to your external IP.
> It connects (this gets forwarded to the internal web server) and
> tells the web server that it wants pages from "www.virtual.server"
> (the Host: www.virtual.server HTTP header)
>
> web server returns pages.

Interpretation: this has nothing to do with Shorewall. It is handled in your web server configuration.

Paul
http://paulgear.webhop.net

Paul Gear wrote:
> Magnus Stenman wrote:
>
>>Goetz Reinicke wrote:
>>
>>>Magnus Stenman wrote:
>>
>>...
>>
>>>>>internal web servers, but how to handle the different virtual names??
>>>>
>>>>The virtual namebased ones will work fine.
>>>
>>>How?
>>
>>Client looks up "www.virtual.server", gets a cname to your external IP.
>>It connects (this gets forwarded to the internal web server) and
>>tells the web server that it wants pages from "www.virtual.server"
>>(the Host: www.virtual.server HTTP header)
>>
>>web server returns pages.
>
> Interpretation: this has nothing to do with Shorewall. It is handled in
> your web server configuration.

I wasn't interested in how the webserver handles virtual servers ;-) but how to set up redirect of the requests to one public IP to multiple namebased virtual internal web servers.

But I think, I'll try IP aliasing and something of that kind..

Thanks anyway!

Götz