Mathias Diehl wrote:
> Hi List,
>
> sorry if this is (again) a non shorewall related question...
>
> My setup is a shorewall with one external IP and a DMZ with a DNS
> and three webservers.
>
> I allowed DNS queries according to the manuals and also added an
> ACCEPT rule from ext (=net) to my DMZ on port 80 and 443.
>
> But somehow browsing to a webserver does not work. So following
> questions (sorry, this is the non shorewall part)
>
> Is it possible at all to have only one external IP and resolve my
> webservers on the DMZ (with internal IP's)? How do I have to set up
> the rules in order to reach domain.tld on the firewall and
> www.domain.tld on my DMZ?

Hi Mat,

your setup goals are not possible, because you have only one official IP. Therefore you can do the DNAT mapping only with the port as criterion. That means you can forward e.g. port 80 to only ONE internal address. But of course you can forward e.g. port 81 to another internal IP. But this means that simply browsing to www.domain.tld is not possible; you will have to specify the non-standard port (www.domain.tld:81). So that's not what I would call seamless browsing and it will probably not be transparent for your users.

DNS can't help you in this; the A entries will always have to point to your single external IP address.

IMHO only getting more official IPs from your ISP will solve your problem, or you have to set up your domains on one server by using a name-based virtual Apache setup.

I don't know if I understood correctly, but it seems that your DNAT setup doesn't work at all. That's covered by Shorewall FAQ 1. It will also explain some more basics about port forwarding.

Btw., your mail is sent to us from the future ;-)

HTH
Alex

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media.
Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Hello Mat.

Not to give you the specific configuration, the steps you probably want are these:

With shorewall you DNAT web access on port 80 to one internal IP.
This one web server then runs multiple web sites and responds to the request according to the domain address.
The point is that the HTTP request includes the requested host name, which the web server can use.
So the setup on your web server you are looking for is "virtual name server".

I have not configured SSL web servers so I'm not sure if they allow virtual server setup.

I'm not sure what the setup of your DNS server is. But all hosts in the different domains all point to your external IP.

/K

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Mathias Diehl
Sent: 3 March 2006 12:31
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] multiple webservers on internal net

Hi List,

sorry if this is (again) a non shorewall related question...

My setup is a shorewall with one external IP and a DMZ with a DNS and three webservers.

I allowed DNS queries according to the manuals and also added an ACCEPT rule from ext (=net) to my DMZ on port 80 and 443.

But somehow browsing to a webserver does not work. So following questions (sorry, this is the non shorewall part)

Is it possible at all to have only one external IP and resolve my webservers on the DMZ (with internal IP's)? How do I have to set up the rules in order to reach domain.tld on the firewall and www.domain.tld on my DMZ?

Hope someone can help... (as this is my first time to set up different webservers)

cheers,
Mat

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Hi Mat.

Yes, this is my experience. There are different solutions on failover and load balancing, so I guess there are possibilities to have different servers behind one IP. But these are focused on sort of the reverse scenario: one address to multiple servers behind it. I have never tried any of these scenarios/solutions.

You can also get squid (never tried) to "publish" different servers out. In that case you can have different physical servers locally for different web addresses. You still need to manage a single server for distributing this.

If you are concerned about server load, you probably shouldn't be. If you run "pure" HTML output I guess that your server can handle more than your internet connection (without knowing what you have as hardware and connection). If the problem is for instance database server load, then you can most likely solve this using one or more internal DB servers.

Using the virtual server solution may also simplify maintenance and backup. So I strongly recommend the virtual web server solution.

Personally I manage a network with 32 IP addresses and multiple servers and still use the virtual web server solution on all our web servers. I could run some of our domains on servers doing other jobs but I don't. We also have a number of unused IPs we could use but don't.

/K

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Mathias Diehl
Sent: 3 March 2006 13:49
To: shorewall-users@lists.sourceforge.net
Subject: Re: RE: [Shorewall-users] multiple webservers on internal net

Hi K,

thanx for that - even though it's actually not the way I like to get it working.

I already thought about the possibility of "virtual hosts" but am curious about any alternative....

Is it right that running multiple webservers always needs one public IP per server?

thanx
Mat
Hi List,

sorry if this is (again) a non shorewall related question...

My setup is a shorewall with one external IP and a DMZ with a DNS and three webservers.

I allowed DNS queries according to the manuals and also added an ACCEPT rule from ext (=net) to my DMZ on port 80 and 443.

But somehow browsing to a webserver does not work. So following questions (sorry, this is the non shorewall part):

Is it possible at all to have only one external IP and resolve my webservers on the DMZ (with internal IP's)? How do I have to set up the rules in order to reach domain.tld on the firewall and www.domain.tld on my DMZ?

Hope someone can help... (as this is my first time to set up different webservers)

cheers,
Mat
Hi K,

thanx for that - even though it's actually not the way I like to get it working.

I already thought about the possibility of "virtual hosts" but am curious about any alternative....

Is it right that running multiple webservers always needs one public IP per server?

thanx
Mat

-----Original Message-----
Sent: Friday 03.03.06 10:57:10
Subject: RE: [Shorewall-users] multiple webservers on internal net

> Hello Mat.
>
> Not to give you the specific configuration, the steps you probably want are these:
>
> With shorewall you DNAT web access on port 80 to one internal IP.
> This one web server then runs multiple web sites and responds to the request according to the domain address.
> The point is that the HTTP request includes the requested host name, which the web server can use.
> So the setup on your web server you are looking for is "virtual name server".
>
> I have not configured SSL web servers so I'm not sure if they allow virtual server setup.
>
> I'm not sure what the setup of your DNS server is. But all hosts in the different domains all point to your external IP.
>
> /K
Mathias Diehl wrote:
> Hi List,
>
> sorry if this is (again) a non shorewall related question...
>
> My setup is a shorewall with one external IP and a DMZ with a DNS and three webservers.
>
> I allowed DNS queries according to the manuals and also added an ACCEPT rule from ext (=net) to my DMZ on port 80 and 443.
>
> But somehow browsing to a webserver does not work. So following questions (sorry, this is the non shorewall part)
>
> Is it possible at all to have only one external IP and resolve my webservers on the DMZ (with internal IP's)?
> How do I have to set up the rules in order to reach domain.tld on the firewall and www.domain.tld on my DMZ?
>
> Hope someone can help... (as this is my first time to set up different webservers)
>
> cheers,
>
> Mat

Mathias, what you need is a DNS / Virtual Host based solution for the problem.
Yes, you need one IP per server. Otherwise you can use one IP with a different port for each server. This is also possible, but then people will have to remember port numbers and browse like this: www.domain.com:8080

On Fri, 2006-03-03 at 12:48 +0000, Mathias Diehl wrote:
> Hi K,
>
> thanx for that - even though it's actually not the way I like to get it working.
>
> I already thought about the possibility of "virtual hosts" but am curious about any alternative....
>
> Is it right that running multiple webservers always needs one public IP per server?
>
> thanx
>
> Mat
Dexter wrote:
> Yes, you need one IP per server. Otherwise you can use one IP with a
> different port for each server. This is also possible, but then people
> will have to remember port numbers and browse like this:
> www.domain.com:8080

Incorrect!

Apache can use DNS name based hosting on a single IP, and httpd will route to the correct content based on the site name that the browser provides. This is transparent, and easily set up in httpd.conf.

If you have no DNS, then you must use separate port numbers.

The only time you have to use non-standard port numbers with functional DNS on a single IP is if you want to run multiple sites that use SSL off the same IP. Apache will not do name based hosting off the default SSL port.

--
Michael Cozzi
cozzi@cozziconsulting.com
Mathias Diehl wrote:
> Hi K,
>
> thanx for that - even though it's actually not the way I like to get it working.
>
> I already thought about the possibility of "virtual hosts" but am curious about any alternative....
>
> Is it right that running multiple webservers always needs one public IP per server?

As other folks have already indicated, you should use a DNS/virtual hosting method. However, this is usually done within one server. If load or product limitations dictate that you need more than one physical server (e.g. if you need Windows AND Linux application servers), then a reverse proxy may be more appropriate for you. You can do this with Apache, whereby when you access a URL on your main site, it internally redirects to a different web server, while still presenting the same URL to the end user. You could run as many servers internally as you like, e.g.

www.example.com/lists -> mailman.local
www.example.com/customerdatabase -> appserver.local
www.example.com/wiki -> wiki.local

For some applications, this may not work correctly.

--
Paul <http://paulgear.webhop.net>
--
Did you know? Email viruses spread using addresses they find on the host computer. You can help to reduce the spread of these viruses by using Bcc: instead of To: on mass mailings, or using mailing list software such as GNU Mailman (http://www.list.org/) instead.
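The mechanism K and Michael describe (the browser's Host header selecting the site behind one public IP) together with Paul's path-prefix reverse proxy, as an added example that is not code from the thread or from Shorewall or Apache; the site names, DMZ addresses, path rules and sample requests are constructed:

```python
"""Route a request arriving on one public IP to a backend: first by the
Host header (name-based virtual hosting), then by URL path prefix (reverse
proxy).  Site names, backend addresses, rules and requests are constructed."""
from typing import Optional, Tuple

DEFAULT_SITE = "domain.tld"            # served when no/unknown Host is sent
VHOSTS = {                             # site name -> DMZ web server (constructed)
    "domain.tld": "10.0.0.10:80",
    "www.domain.tld": "10.0.0.11:80",
    "shop.domain.tld": "10.0.0.12:80",
}
PATH_ROUTES = {                        # reverse-proxy rules per site (constructed)
    "www.domain.tld": [
        ("/lists", "mailman.local:80"),
        ("/customerdatabase", "appserver.local:8080"),
        ("/wiki", "wiki.local:80"),
    ],
}

def parse_request(raw: bytes) -> Tuple[str, str, Optional[str]]:
    """Return (method, path, host) from the request head; host is None when
    the client sent no Host header (an HTTP/1.0 client may omit it)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return method, path, host

def normalise_host(host: Optional[str]) -> str:
    """Lower-case the name and drop an explicit port (www.domain.tld:81):
    the site name, not the port, selects the virtual host."""
    if not host:
        return DEFAULT_SITE
    name = host.lower()
    if name.startswith("["):           # IPv6 literal: keep the bracketed part
        return name.split("]", 1)[0] + "]"
    return name.split(":", 1)[0].rstrip(".")

def choose_backend(raw: bytes) -> Tuple[str, str]:
    """Return (site, backend) for a raw request.  Unknown names fall back to
    the default site, as Apache falls back to its first VirtualHost."""
    _method, path, host = parse_request(raw)
    site = normalise_host(host)
    if site not in VHOSTS:
        site = DEFAULT_SITE
    # Longest matching path prefix wins; "/lists" must not capture "/listserv".
    routes = sorted(PATH_ROUTES.get(site, []), key=lambda r: -len(r[0]))
    for prefix, backend in routes:
        if path == prefix or path.startswith(prefix + "/"):
            return site, backend
    return site, VHOSTS[site]

# Constructed requests as a browser would send them to the single public IP.
REQ_WWW = b"GET /index.html HTTP/1.1\r\nHost: www.domain.tld\r\n\r\n"
REQ_PORT = b"GET / HTTP/1.1\r\nHost: WWW.domain.tld:81\r\n\r\n"
REQ_WIKI = b"GET /wiki/Main_Page HTTP/1.1\r\nHost: www.domain.tld\r\n\r\n"
REQ_OLD = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_WWW, REQ_PORT, REQ_WIKI, REQ_OLD):
        print(req.split(b"\r\n")[0].decode(), "->", choose_backend(req))
```

Port 443 is the exception Michael notes: the Host header travels inside the encrypted stream, so this lookup cannot run before the SSL handshake has completed.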