
Re: [cobalt-users] multiple web servers behind firewall



I haven't really played around with name-based pointing. If you have the hard disk space, you should probably put all the sites on all the machines or use a central nfs server to eliminate single points of failure, then you could just point the whole IP at all the machines. But if you have a raq 3 as the firewall, I believe you should be able to use ipmasqadm (see juanjox.kernelnotes.org) and ipchains.

This is a basic idea of what you want to do if:
 192.168.0.1 =firewall
 192.168.0.2 =webserver 1
 192.168.0.3 =webserver 2
 192.168.0.4 =mirror of webserver 2 for round robin load balancing(not needed)

#!/bin/sh
/sbin/depmod -a
/sbin/ipchains -M -S 7200  10 160
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.0.0/24 -j MASQ
/sbin/ipchains -I forward  -p tcp -s 192.168.0.2/32 80 -j MASQ
/sbin/ipchains -I forward  -p tcp -s 192.168.0.3/32 80 -j MASQ
/sbin/ipchains -I forward -p tcp -s 192.168.0.4/32 80 -j MASQ #take out if not load balancing
/usr/sbin/ipmasqadm portfw -a -P tcp -L your.address 80 -R 192.168.0.2 80
/usr/sbin/ipmasqadm portfw -a -P tcp -L your.address2 80 -R 192.168.0.3 80
/usr/sbin/ipmasqadm portfw -a -P tcp -L your.address2 80 -R 192.168.0.4 80 #take out if not load balancing

If you have a mips raq you're going to need to use the kernel 2.0 based firewall tools which I have no experience with or do the smart thing and get a cheap x86 system and dedicate it as a firewall.


Hope that either helps or at least gives you an idea,

Howard
webmaster@xxxxxxxxxxxx
Note: I haven't used ipmasqadm on a raq or name-based hosting with the raq but do have experience with our x86's and alphas.


I have name-based hosting setup right now...but it is only on one machine.
How would I go about having outside requests to the same IP address go to a
different internal ip address?  Can name-based hosting do this for me?  Do I
just have a webserver setup on the firewall that has all of the virtual
hosts setup pointing to the correct internal IP address?  I am going to
setup some test machines tomorrow and try some different stuff.  I will
report my findings if anyone is interested.

-Nathan Martinez

-----Original Message-----
From: Kris Dahl <kris@xxxxxxxxxxxxx>
To: cobalt-users@xxxxxxxxxxxxxxx <cobalt-users@xxxxxxxxxxxxxxx>
Date: Monday, March 06, 2000 5:17 PM
Subject: Re: [cobalt-users] multiple web servers behind firewall


on 3/6/00 4:05 PM, Nathan Martinez at nathanm@xxxxxxxxxx wrote:

 This may be slightly off topic for this list, but I figured that it could
 still prove useful for some people.  I have a firewall setup with multiple
 webservers behind it.  Because we are running on a DSL connection, we do not
 have very many IP's and are trying to only use one of our "real" IP's for
 all of our webservers.  Is it possible to do something similar to port
 forwarding here?  I want to be able to do port forwarding based upon the
 domain name that is trying to be reached.  For example, abc.com will be
 forwarded to 192.168.0.10 and xyz.com will be forwarded to 192.168.11.
 Everything that I have read so far indicates that the only condition that
 can be used here is the IP that is trying to be reached.  Since I have
 multiple different private IP's all masqueraded under the same single IP,
 this does not work out.  Is there a way to do this?  Or am I just wasting my
 time trying?  Thank you very much for any help that you can give.

I was thinking about how to overengineer this problem, and then realized it
is all possible using name-based virtual hosting.

There should be some documentation in the knowledgebase about how to set up
name-based virtual hosting.

-k
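
Added example (not part of the original thread or any poster's code): ipchains and ipmasqadm portfw match only on IP address and port, so choosing a backend by site name has to happen on a front-end server that reads the HTTP Host header. The Python below shows that selection with a default-deny policy; BACKENDS, pick_backend and normalize_host are hypothetical names, and the internal addresses for abc.com and xyz.com are assumed.

```python
# Added example: choose an internal backend from the HTTP Host header.
# Backend map is constructed for illustration (hostnames from the thread,
# internal addresses assumed).
BACKENDS = {
    "abc.com": ("192.168.0.10", 80),
    "xyz.com": ("192.168.0.11", 80),
}


class RoutingError(Exception):
    """Request cannot be mapped to exactly one known backend."""


def normalize_host(value):
    """Lower-case the host, drop an optional :port and a trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):            # IPv6 literal, e.g. [::1]:80
        host = host[1:].split("]", 1)[0]
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def pick_backend(raw_request, backends=BACKENDS):
    """Return (ip, port) for the request, or raise RoutingError.

    The packet filter only sees the destination IP and port, which are the
    same for every site; the site name first appears here, in the headers.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    hosts = []
    for line in lines[1:]:               # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            hosts.append(value)
    if len(hosts) != 1:
        # Missing Host (HTTP/1.0 clients) or duplicates: front end and
        # backend could disagree on which site is meant, so refuse.
        raise RoutingError("expected exactly one Host header, got %d" % len(hosts))
    host = normalize_host(hosts[0])
    if host not in backends:
        # Default deny: never fall through to an arbitrary internal server.
        raise RoutingError("unknown host %r" % host)
    return backends[host]
```

Refusing unknown or ambiguous Host values keeps a request for an unlisted name from reaching whichever internal server happens to be the default.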



