distributing incoming http request using ip masquerading

Post by E. Schrijver » Mon, 07 Feb 2000 04:00:00



Hello,

I have a Linux firewall set up that uses IP masquerading to redirect all
incoming HTTP requests to another Linux server on my private network.
Right now all requests to port 80 are statically mapped to IP
192.168.1.12:80.

What I would like to do is look at the HTTP headers of the incoming
request, and based on the header redirect the package to a different
internal server, i.e.:

a request for 'www.mydomain.com' arrives at my firewall. The firewall
decides to have the package serviced by 192.168.1.12.
a request for 'www.myotherdomain.com' arrives at my firewall. The firewall
now decides to redirect the package to 192.168.1.13.

Judging by the documentation there is no fixed way of achieving this goal.
Could anyone give me a hint as to where to look to achieve this?

Yours,

Eljakim

 
 
 


Post by Jeff Beama » Mon, 07 Feb 2000 04:00:00


thanks.

I currently have a similar setup and was looking for a solution (albeit
not that hard). This code will help a lot.

=)
Jeff



Post by Kar Gay Li » Tue, 08 Feb 2000 04:00:00


Check out ProxyPass option.



Post by E. Schrijver » Tue, 08 Feb 2000 04:00:00


I have looked into the ProxyPass option. However, this option only provides
a way to redirect requests to the private server based on the virtual
directory, not based on the virtual domain.



> Check out ProxyPass option.




Post by E. Schrijver » Tue, 08 Feb 2000 04:00:00


OK,

I figured it out. I'm hoping to help somebody else with this too, so
here it goes.

Yours,

Eljakim Schrijvers
email: info at eljakim dot nl
<cut>
Distributing incoming HTTP requests from a public domain to (several
different) private servers.

First I tried setting up the server for IP masquerading. This worked quite
well, and if you want to map all incoming HTTP requests to the same server
I suggest you use this method. However, I needed some requests to be
handled by the firewall, some requests by a private Windows NT host, and
some requests by one of several private Linux hosts.

I edited the httpd.conf file, and added the following lines:
  # NameVirtualHost is a plain directive, not a <...> container
  NameVirtualHost EXTERNALIP

  <VirtualHost EXTERNALIP>
    ServerName www.myfirstdomain.com
    ProxyPass / http://PRIVATEIP1/
  </VirtualHost>

  <VirtualHost EXTERNALIP>
    ServerName www.myseconddomain.com
    ProxyPass / http://PRIVATEIP2/
  </VirtualHost>

All HTTP requests arrive at EXTERNALIP:80. The VirtualHost directives map
the requests to another server that has IP address PRIVATEIP1 or PRIVATEIP2.
So:
HTTP(www.myfirstdomain.com, EXTERNALIP) -> (apache) -> HTTP(PRIVATEIP1, PRIVATEIP1)
and
HTTP(www.myseconddomain.com, EXTERNALIP) -> (apache) -> HTTP(PRIVATEIP2, PRIVATEIP2)

This method works quite well if all internal servers serve only one
domain name. However, as you can see, the original domain name from the
original HTTP headers gets lost during the Apache handling of the
ProxyPass. This is quite logical of course. However, if I want my private
servers to be able to serve more than 1 domain name this is very much
unwanted.
I have been going through the source code of Apache for quite a while,
figuring out how to conserve the original domain name when it hit me:
Setting up my (internal) nameserver to actually resolve
www.myfirstdomain.com to PRIVATEIP1 and www.myseconddomain.com to PRIVATEIP2
would solve all the problems. So I edited my resolv.conf file, and set up
named properly.

I now changed my httpd.conf file to read the following:
  NameVirtualHost EXTERNALIP

  # The ProxyPass targets are now names, resolved by the internal nameserver
  <VirtualHost EXTERNALIP>
    ServerName www.myfirstdomain.com
    ProxyPass / http://www.myfirstdomain.com/
  </VirtualHost>

  <VirtualHost EXTERNALIP>
    ServerName www.myseconddomain.com
    ProxyPass / http://www.myseconddomain.com/
  </VirtualHost>

At first sight this appears to do absolutely nothing. However, when Apache
tries to resolve www.myfirstdomain.com it gets a private IP address:
HTTP(www.myfirstdomain.com, EXTERNALIP) -> (apache) -> HTTP(www.myfirstdomain.com, PRIVATEIP1)
and
HTTP(www.myseconddomain.com, EXTERNALIP) -> (apache) -> HTTP(www.myseconddomain.com, PRIVATEIP2)

This way all requests get transparently sent through to the proper private
server, and this server actually gets to see the original name it was
called by.
</cut>
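
An added example, not part of the original posts: a small checker for the name-based ProxyPass setup described in the post above. It parses the VirtualHost blocks and, given what the resolver on the proxy host answers, reports whether each backend receives the original host name, a rewritten one, or whether the target resolves back to the external address, in which case the proxy would request itself. Assumptions: 203.0.113.10 stands in for EXTERNALIP, the 192.168.1.x addresses and the `resolve` callback are illustrative, and the proxy is modelled as sending the ProxyPass target's host as the Host header, as the post describes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

# Constructed sample: 203.0.113.10 stands in for EXTERNALIP.
SAMPLE_CONF = """
NameVirtualHost 203.0.113.10
<VirtualHost 203.0.113.10>
    ServerName www.myfirstdomain.com
    ProxyPass / http://www.myfirstdomain.com/
</VirtualHost>
<VirtualHost 203.0.113.10>
    ServerName www.myseconddomain.com
    ProxyPass / http://192.168.1.13/
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return [(listen_ip, server_name, proxypass_target_host), ...]."""
    vhosts = []
    for listen, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        target = re.search(r"^\s*ProxyPass\s+\S+\s+(\S+)", body, re.M | re.I)
        if name and target:
            vhosts.append((listen, name.group(1), urlsplit(target.group(1)).hostname))
    return vhosts

def audit(conf, resolve):
    """resolve(name) -> IP string (or None) as answered on the proxy host."""
    findings = []
    for listen, name, host in parse_vhosts(conf):
        try:
            ip = str(ipaddress.ip_address(host))      # target is an IP literal
        except ValueError:
            ip = resolve(host)                        # target is a name
        if ip is None:
            status = "UNRESOLVED"
        elif ip == listen:
            status = "LOOP"            # proxy would connect back to itself
        elif not any(ipaddress.ip_address(ip) in net for net in RFC1918):
            status = "NOT_PRIVATE"     # request would leave the private network
        elif host.lower() != name.lower():
            status = "HOST_REWRITTEN"  # backend sees the target, not the name
        else:
            status = "OK"              # backend sees the original name
        findings.append((name, ip, status))
    return findings
```

Run `audit` with a resolver that answers the way the proxy host's own nameserver does; a `LOOP` result means the internal zone is not being consulted and the public record is returned instead.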




 
 
 

1. masquerading incoming http requests?

I have asked this question indirectly as part of several
other posts, but can't seem to get much interest.

So I'll try to be a bit more direct here.

I want to have a web server running on a machine on my
internal net which doesn't have an official external IP address.
Is this possible?

I haven't seen anything indicating it would be possible from
any of the HOWTOs and various Linux documentation I've seen so far.

What I am thinking would be necessary would be a way to route incoming
HTTP packets to the internal server. Is this possible?

Essentially, it would require the firewall system to be checking incoming
HTTP packets, and to forward them to the appropriate internal system
based on the URL, using packet masquerading.

Is this reasonable, has it been done, what are the issues, etc.?

Jason
