[WBEL-users] Iptables Vs Cisco Pix 525

Thomas Swan tswan@idigx.com
Mon, 24 May 2004 02:29:47 -0500


Johnny Hughes wrote:

> On Sat, 2004-05-22 at 16:31, kbohling@birddog.com wrote:
>
>>> What I meant, and didn't say very well :), is that if you are using IP
>>> Masquerading (and 1 external IP with many internal IPs), you will have
>>> a
>>> problem with things like ... having 2 separate web servers (say at
>>> 192.168.0.3 and 192.168.0.6) and trying to split some traffic to one
>>> and
>>> some traffic to the other ... but with only 1 external IP.
>>> 
>>> Why would you want to do this?  Maybe you have a Linux and a Microsoft
>>> web server ... one has sites with ASP and MSSQL ... the other has
>>> Apache
>>> and MySQL ....
>>> 
>>> I have yet to figure out a way to route all traffic (coming in for
>>> www.msserver.com on port 80 to the MS server ... while routing all
>>> traffic coming in for www.lxserver.com on port 80 to the Linux Server)
>>> .... anyone have any ideas?  
>>> 
>>
>>I believe you are correct, that will be a problem.  However, I am
>>guessing, that you can setup a "reverse proxy".  I believe that's the
>>configuration you'd use in apache.  You setup a web server that merely
>>parses the HTTP request, figures out that it can't respond, forwards the
>>request on, takes the answer and feeds it back over the initial connection
>>to the original requester.
>>
>>I believe I've heard of such setups before, but can't say that I've ever
>>done it before.  This gives a rough description of what I think you could
>>make work if you wanted to.
>>
>>http://www.apacheweek.com/features/reverseproxies
>>
>>Thanks,
>>   Kirby
>>
>
> Kirby,
>
> Thank you VERY much.  This is working perfectly....at least for port
> 80 http traffic.  Not only that, but you can use any internal IPs, on
> any number of machines and just setup the forward and reverse proxies.
>
> I haven't tried to do anything yet with https traffic ... and I think
> it will be an issue for that, but I'll worry about that later.

Yes, it will.  The problem is that the SSL handshake and encryption take
place before the name can be sent, so you will likely have a site
name/certificate mismatch.  If this is acceptable, then you should make
the rest work the same as your non-SSL traffic.  If your SSL requests
are only to one server, then you should be able to get the proxy to secure
your connection and then forward your request on internally.

>
> I am hosting one website that has to have IIS and MSSQL (for my
> church) ... which also made me have to use MS for my website as
> well...but no more!
>
> I used to have a MS server as my firewall (and it contained my
> webserver, e-mail server, and FTP server), but I wanted to add
> SpamAssassin and a virus scanner in front of it.  This allows me to use a
> WhiteBox server as my Firewall, a front end to my exchange server, and
> now as a web server.  Again, many thanks.
>
> -Johnny Hughes
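The two technical points in this thread, Kirby's name-based dispatch of port 80 behind one external IP and Thomas's caveat that an SSL connection gives the proxy no name to route on, shown together in one added example. This is not code from the thread or from the apacheweek article, and it is not the Apache mod_proxy setup Johnny got working; it is a minimal stand-alone dispatcher in Python that makes the same decision Apache makes for him. The host names and the internal addresses 192.168.0.3 and 192.168.0.6 are the thread's own examples; the routing table, port numbers and function names are assumptions for illustration.

```python
import socket
import threading
from typing import Optional, Tuple

# Constructed routing table: the two internal web servers from the thread,
# keyed by the name the browser asks for.  A real deployment would load this
# from configuration; the addresses are the thread's examples.
ROUTES = {
    "www.msserver.com": ("192.168.0.3", 80),   # IIS / ASP / MSSQL box
    "www.lxserver.com": ("192.168.0.6", 80),   # Apache / MySQL box
}

MAX_HEAD = 16 * 1024  # refuse request heads larger than this


def parse_host(head: bytes) -> Optional[str]:
    """Return the Host header (lowercased, port stripped) of an HTTP request head.

    Returns None when there is no Host header, which is also what happens for
    anything that is not plaintext HTTP, e.g. the first bytes of an SSL/TLS
    handshake on port 443: the name travels inside the encrypted session, so
    a name-based dispatcher has nothing to route on there.
    """
    for line in head.split(b"\r\n")[1:]:
        if line == b"":
            break  # blank line ends the headers
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("latin-1").lower().split(":")[0]
            return host or None
    return None


def choose_backend(head: bytes, routes=ROUTES) -> Optional[Tuple[str, int]]:
    """Map a request head to an internal (ip, port), or None if unroutable."""
    host = parse_host(head)
    if host is None:
        return None
    return routes.get(host)


def read_head(sock: socket.socket) -> bytes:
    """Read from the client until the blank line that ends the headers."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < MAX_HEAD:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket) -> None:
    """Dispatch one client connection to the backend named in its Host header."""
    head = read_head(client)
    backend = choose_backend(head)
    if backend is None:
        # No usable Host header (HTTP/1.0 client, garbage, or an SSL
        # handshake): nothing to route on, so refuse rather than guess.
        try:
            client.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n"
                           b"Connection: close\r\n\r\n")
        except OSError:
            pass
        client.close()
        return
    upstream = socket.create_connection(backend, timeout=10)
    upstream.settimeout(None)
    # Forward the head unchanged, so the backend's own name-based virtual
    # hosting still sees the original Host header.
    upstream.sendall(head)
    threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
    pipe(upstream, client)
    upstream.close()
    client.close()


def serve(bind: Tuple[str, int] = ("0.0.0.0", 80)) -> None:
    """Accept connections on the single external address and dispatch them."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(64)
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it on the firewall host in place of a port-80 DNAT rule (or on a high port for testing) and point both DNS names at the one external address. Two caveats a practitioner would want: the script decides once per TCP connection, so on a keep-alive connection later requests for a different name still go to the first backend, which is why a real HTTP reverse proxy such as Apache's mod_proxy dispatches per request; and on port 443 the first bytes the dispatcher reads are a TLS ClientHello rather than a request line, so parse_host returns None and the connection is refused, which is the limitation Thomas describes. Beyond what this 2004 thread covers: current browsers do send the requested host name in the clear in the ClientHello (the TLS SNI extension), so a modern front end can route HTTPS by name too, but the clients of the time could not be relied on to do that.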