Re: Virtual Hosting With Multiple Web Server behind Linux Firewall

From: Andrey Asadchev (dont.spam.me_at_softhome.net)
Date: 02/21/04


Date: Sat, 21 Feb 2004 12:02:51 -0500

Paul L wrote:
> Greets.
>
> I'm trying to get our Linux firewall configured up so that we can do
> virtual hosting to our multiple web servers inside the firewall.
> Currently, we have set up NAT with port redirections all over the port range
> to get to our internal web servers, but I'm trying to clean that up so that
> it's two ports (80 & 443) and route everything accordingly by name to the
> appropriate server.
>
> Our web servers are mainly IIS-based due to vendor requirements. The
> firewall is a Redhat 7.2 server (that probably needs upgrading to 9).
> Webmin is installed on it and I would probably go and do the editing that
> way.
>
> We have one static address on the outside.
>
> Essentially, what I'm looking for is that if you go to www.domain.etc, it
> will route to 1 server. If you go to www2.domain.etc, it will route to the
> 2nd server, etc. Same goes for https: redirections.

Netfilter is an IP-level firewall router.
To do what you want to do, you have to look inside the http header to
see which http host the packet really wants to go to. Netfilter is an IP-level
firewall and is not really designed to do that; you can try the
string matching module, but this solution is ugly. Moreover, with SSL
packets it would be impossible, since you would have to look inside the
encrypted http header!

A better solution is to have a load balancer, such as maybe squid (reverse
proxy), to which all http and https requests are redirected and which in
turn makes the decision which internal server handles the request. You
might also want to take a look at Linux Virtual Server, which sounds
rather interesting.
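The Host-header decision the reply describes, written out as an added example (mine, not code from the thread or from Squid): a reverse proxy that has accepted the client connection, and for https has terminated the TLS session, reads the Host header in plaintext and maps it to an internal server. The two hostnames come from the question; the internal addresses are constructed placeholders. Unknown or missing hosts are refused rather than handed to a default server, and raw TLS record bytes yield no host at all, which is the point the reply makes about netfilter and SSL.

```python
from typing import Dict, Optional, Tuple

# Constructed mapping for the example: the public names from the question point at
# hypothetical internal web servers. Both addresses are assumptions, not from the thread.
BACKENDS: Dict[str, Tuple[str, int]] = {
    "www.domain.etc": ("10.0.0.11", 80),
    "www2.domain.etc": ("10.0.0.12", 80),
}


def extract_host(raw: bytes) -> Optional[str]:
    """Return the normalised Host header of a plaintext HTTP request, or None.

    Only the request head (up to the first blank line) is inspected. None is
    returned when the bytes are not a decodable HTTP request (an encrypted TLS
    record looks like that to this parser) or when no Host header is present,
    which HTTP/1.0 clients are allowed to omit.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    request_line = lines[0].split(" ")
    # A request line is "METHOD SP request-target SP HTTP-version".
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            # Drop an explicit port; a bracketed IPv6 literal keeps its brackets.
            if host.startswith("["):
                host = host.split("]", 1)[0] + "]"
            else:
                host = host.split(":", 1)[0]
            return host or None
    return None


def choose_backend(
    raw: bytes, table: Dict[str, Tuple[str, int]] = BACKENDS
) -> Optional[Tuple[str, int]]:
    """Pick the internal server for a request, or None when it cannot be routed.

    An unknown or missing Host gets None rather than a default server, so a
    request for a name the proxy does not serve is refused instead of being
    handed to whichever server happens to be first in the table.
    """
    host = extract_host(raw)
    if host is None:
        return None
    return table.get(host)


if __name__ == "__main__":
    # Constructed sample traffic: two routable requests, three that are refused.
    samples = [
        b"GET / HTTP/1.1\r\nHost: www.domain.etc\r\n\r\n",
        b"GET /x HTTP/1.1\r\nHost: WWW2.domain.etc:8080\r\n\r\n",
        b"GET / HTTP/1.0\r\n\r\n",                          # no Host: cannot route
        b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",   # not one of our names
        b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03\xc0\x2f\xc0\x30",  # TLS record
    ]
    for sample in samples:
        print(repr(sample[:40]), "->", choose_backend(sample))
```

The last sample is what netfilter sees on port 443: the record is undecodable as a request, so no Host can be extracted from it, and only a proxy holding the server key can make the decision.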


