The Joel on Software Discussion Group (CLOSED)
Exposing our internal network

The network setup at my office we've got is an internal network with three servers, about six dev machines and one domain controller.

We're connected to the Internet via an ADSL line through a router which redirects all incoming traffic from one IP on port 80 pointed at our domain to one of the servers running Apache.

However, we need to expose more servers running on specific ports, some on the same port. Is there any way to get the apache server to redirect traffic to various internal servers based upon the address requested? (e.g. server1.ourdomain.com goes to one server, server2.ourdomain goes to a different one).
Colm
Thursday, February 16, 2006
 
 
Do you have the ability to put a router in line before the server?  For a small office, you don't necessarily need to go Cisco but a smaller one should be fine.

Netgear is my personal favorite.  I used the RT311 for 5 years and now use the WG624.
KC
Thursday, February 16, 2006
 
 
You can EASILY do this with a Linux box and iptables.
Anon
Thursday, February 16, 2006
 
 
You might try ProxyPass with virtual hosts: http://www.linuxfocus.org/English/March2000/article147.shtml (see "Real World Example" and then "Mapping Virtual Servers").
DHofmann
Thursday, February 16, 2006
 
 
The cleanest solution is to buy the extra IPs and set up the public servers in a network that sits between the ADSL connection and your router. That way the servers are directly accessible, and you aren't punching any new holes in your firewall.

"Is there any way to get the apache server to redirect traffic to various internal servers based upon the address requested? (e.g. server1.ourdomain.com goes to one server, server2.ourdomain goes to a different one)."

A redirect is not possible in that scenario, but you might be able to get Apache to proxy the requests to the right server. As far as your other web servers are concerned, all requests will seem to come from the Apache server. This may or may not be a problem depending on how you do things.
clcr
Thursday, February 16, 2006
 
 
"You can EASILY do this with a Linux box and iptables."

How? iptables would need to pull the host header out of the request to decide where to route the traffic, but the client can't send the host header (or anything else) until the connection is established.
clcr
Thursday, February 16, 2006
 
 
Are these external websites for other companies (you're hosting them) or are they intranet/dev services that you need to expose for use from home?  If that's the case, you should look into a VPN solution instead of just exposing everything to the outside.
Mark Lubischer
Thursday, February 16, 2006
 
 
I believe you can do this with some rewrite rules and mod proxy.

RewriteEngine on
# RewriteRule only sees the URL path, so match the requested host with a RewriteCond on the Host header
RewriteCond %{HTTP_HOST} ^internal\.example\.com$ [NC]
RewriteRule ^/(.*)$ http://192.168.1.5:80/$1 [P]
Michael Dwyer
Thursday, February 16, 2006
 
 
To clcr:

"However, we need to expose more servers running on specific ports, some on the same port"

Port redirection is easy with IPTABLES but I see your point if they are all on the same port and same IP.

However, I would not say go buy more IPs.  That's usually like pulling teeth from the provider.  Sometimes you get a whole new set of IPs if the provider has to "reengineer" the circuit.

"Is there any way to get the apache server to redirect traffic to various internal servers based upon the address requested? (e.g. server1.ourdomain.com goes to one server, server2.ourdomain goes to a different one). "

You don't need IPTABLES at all to accomplish this if the traffic he is talking about is web traffic.  Apache supports name-based virtual hosting.
Anon
Thursday, February 16, 2006
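The name-based virtual host plus ProxyPass approach that DHofmann and Anon describe, written out as an added example (not posted in this thread). The host names come from the original question; the internal addresses, ports and the empty DocumentRoot are constructed, and it assumes Apache 2.x with mod_proxy and mod_proxy_http available.

```apache
# Added example: Apache httpd.conf fragment routing by Host header to internal servers.
# Internal addresses 192.168.1.10 / 192.168.1.11 and the ports are constructed values.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxying only. With ProxyRequests On, Apache would also act as an open
# forward proxy that anyone on the Internet could bounce requests through.
ProxyRequests Off

# Required on Apache 2.0/2.2 for name-based hosting; ignored (with a warning) on 2.4.
NameVirtualHost *:80

# First vhost is the default: any request whose Host header matches none of the
# names below lands here and is NOT proxied, so internal machines cannot be
# reached by guessing host names or by sending a bare IP address as the Host.
<VirtualHost *:80>
    ServerName catchall.ourdomain.com
    DocumentRoot /var/www/empty
</VirtualHost>

<VirtualHost *:80>
    ServerName server1.ourdomain.com
    # Forward the client's original Host header so the back end sees server1.ourdomain.com
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.10:80/
    # Rewrite Location and Content-Location headers in back-end responses so a
    # redirect does not leak the internal address 192.168.1.10 to the client.
    ProxyPassReverse / http://192.168.1.10:80/
</VirtualHost>

<VirtualHost *:80>
    ServerName server2.ourdomain.com
    ProxyPreserveHost On
    # Two public names can share port 80 while the back ends listen on different ports.
    ProxyPass        / http://192.168.1.11:8080/
    ProxyPassReverse / http://192.168.1.11:8080/
</VirtualHost>
```

As clcr notes, the back ends see connections from the Apache box's address; mod_proxy_http adds an X-Forwarded-For header carrying the real client address, which the internal servers should log if they need it.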
 
 
"You can EASILY do this with a Linux box and iptables."

Yes, if you're willing to invest the time to learn them.

Alternatively, you could buy an off the shelf component for < $200 and take care of it.  Sure, you won't have the same flexibility, but if it saves hours, it's an easy decision.
KC
Thursday, February 16, 2006
 
 
NetBSD, FreeBSD and OpenBSD all have pf (packetfilter) which I consider superior to iptables and far easier to set up.  Pf also has built-in network address translation (NAT) capabilities, so it is possible to direct FTP traffic one way, web traffic to a specific domain name another way, web traffic to another domain name another way, etc. The typical scenario is to set up a BSD box with two network cards, and use that as a programmable router.

Before we get bogged down in the details and debate which is the better approach - I'm just throwing this out as an example illustrating that there are many many many different ways of doing this, each with their own pros and cons.

I think the OP should research "demilitarized zones (DMZ)" and how they can be set up, before picking a technical solution.
TheDavid
Friday, February 17, 2006
 
 
I'm interested as to why you think PF is superior to IPTables myself.  Does PF actually look at higher level protocols to make decisions based on HTTP headers?

Linux has two very cool/flexible routing tools:
IPtables and IPROUTE2.

Enlighten me/us?  (maybe in a new thread).
Eric (another ISV guy with his company)
Friday, February 17, 2006
 
 

This topic is archived. No further replies will be accepted.
