Hi List,

again a little question concerning multiple SSL webservers in my DMZ.

Is anybody running more than one apache-ssl in his DMZ? I'm totally confused about how to set up shorewall and my DNS. The following scenario should be achieved:

    eth0                  https://www.domain.tld
    eth0.1 ---- fw ----   https://shop.domain.tld
    eth0.2                https://shop2.domain.tld

The DNS from my provider has only domain.tld linked with the public IP on eth0. Because I use a virtual host I don't have "real" MAC addresses, so proxy ARP won't work.

How do I have to set up my firewall / DNS to get the above working?

thanx for your suggestions

Mat

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
Hi Mat,

the important question is: Do you have more than one public IP? If not, your setup is impossible due to limitations of the SSL protocol.

Therefore I guess your question is not shorewall related at all. If you don't have 3 public IPs for your 3 servers, check the apache-ssl FAQ; there is an article that describes why named virtual hosts don't work with SSL.

HTH,
Alex

Mathias Diehl wrote:
> Hi List,
>
> again a little question concerning multiple SSL webservers in my DMZ.
>
> Is anybody running more than one apache-ssl in his DMZ? I'm totally confused about how to set up shorewall and my DNS. The following scenario should be achieved:
>
>     eth0                  https://www.domain.tld
>     eth0.1 ---- fw ----   https://shop.domain.tld
>     eth0.2                https://shop2.domain.tld
>
> The DNS from my provider has only domain.tld linked with the public IP on eth0. Because I use a virtual host I don't have "real" MAC addresses, so proxy ARP won't work.
>
> How do I have to set up my firewall / DNS to get the above working?
>
> thanx for your suggestions
>
> Mat
Hi Mathias,

you have to configure the DNS entries so that the 3 hostnames point to the 3 IP addresses you are going to get. In your case now every lookup to *.domain.tld points to the same IP. This setup would work with name-based virtual hosts, but as stated before, you can't do that with SSL and your 3 IPs would be useless.

So this was the DNS part. For the shorewall part read: http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

As far as I understood, you don't have 3 real servers; you will do it with "IP based virtual hosting" on a single apache, right? So proxyarp e.g. isn't a solution for you, so you will want to do it with separate DNAT rules for every aliased IP.

HTH,
Alex

Mathias Diehl wrote:
> Hi Alex,
>
> well - I learned that I have to have three public IPs - so I'll have them!
>
> But I'm a little unsure about the rules in combination with DNS, so it's a mixture of shorewall and DNS issues I think.
>
> And as I'm new to both, any help would really be appreciated. (The main issue is how to configure shorewall and my DNS so that subdomains are reached, because my provider has only a DNS to domain.tld and does not know anything about my subdomains.)
>
> Thanx again
>
> Mat
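The DNS records, per-address DNAT rules and IP-based virtual hosts described in the reply above, written out as an added example that is not part of the original thread. The zone names `net` and `dmz`, all IP addresses, the certificate paths and the mod_ssl directive syntax are assumptions.

```conf
# All addresses are placeholders: 192.0.2.x stands for the three public IPs,
# 10.0.0.x for three addresses configured on the single Apache host in the DMZ.

# --- DNS: A records to add for domain.tld (zone-file notation) ---
#   www.domain.tld.    IN  A  192.0.2.10
#   shop.domain.tld.   IN  A  192.0.2.11
#   shop2.domain.tld.  IN  A  192.0.2.12

# --- /etc/shorewall/rules: one DNAT rule per public address ---
# ORIGINAL DEST restricts each rule to connections addressed to that public IP.
# Zone names "net" and "dmz" are assumed.
#ACTION  SOURCE  DEST               PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
DNAT     net     dmz:10.0.0.11:443  tcp    443        -            192.0.2.10
DNAT     net     dmz:10.0.0.12:443  tcp    443        -            192.0.2.11
DNAT     net     dmz:10.0.0.13:443  tcp    443        -            192.0.2.12

# --- Apache: IP-based virtual hosts, one certificate per address ---
# (mod_ssl directive names assumed; certificate paths are placeholders)
Listen 10.0.0.11:443
Listen 10.0.0.12:443
Listen 10.0.0.13:443

<VirtualHost 10.0.0.11:443>
    ServerName www.domain.tld
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/www.domain.tld.crt
    SSLCertificateKeyFile /etc/ssl/example/www.domain.tld.key
</VirtualHost>

<VirtualHost 10.0.0.12:443>
    ServerName shop.domain.tld
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/shop.domain.tld.crt
    SSLCertificateKeyFile /etc/ssl/example/shop.domain.tld.key
</VirtualHost>

<VirtualHost 10.0.0.13:443>
    ServerName shop2.domain.tld
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/shop2.domain.tld.crt
    SSLCertificateKeyFile /etc/ssl/example/shop2.domain.tld.key
</VirtualHost>
```

Apache picks the virtual host from the local address the connection arrives on, so each hostname is answered with its own certificate.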
Hi Alex,

well - I learned that I have to have three public IPs - so I'll have them!

But I'm a little unsure about the rules in combination with DNS, so it's a mixture of shorewall and DNS issues I think.

And as I'm new to both, any help would really be appreciated. (The main issue is how to configure shorewall and my DNS so that subdomains are reached, because my provider has only a DNS to domain.tld and does not know anything about my subdomains.)

Thanx again

Mat

-----Original Message-----
Sent: Thursday 02.02.06 21:02:00
Subject: Re: [Shorewall-users] apache-ssl with DNAT

> Hi Mat,
> the important question is: Do you have more than one public IP? If not, your setup is impossible due to limitations of the SSL protocol.
>
> Therefore I guess your question is not shorewall related at all. If you don't have 3 public IPs for your 3 servers, check the apache-ssl FAQ; there is an article that describes why named virtual hosts don't work with SSL.
>
> HTH,
> Alex