RE: [suse-security] reverse Proxy [was: http proxy]
mmh ... Maybe this is really a misunderstanding. What I'm searching for is a piece of software with which I can publish my HTTP servers in my DMZ to the world. AND I would like to do things like:

www.Name.de/sub1/ -> box2.internal/sub_main/sub
www.Name.de/sub2/ -> box3.internal/something_else/sub
www.Name.de/sub1/sub2 -> box2.internal/sub_main/sub3

We have one external IP, but very different boxes for the different parts of our web service. Like box2 runs NT, box3 runs Solaris. As far as I know Squid only does a proxy the other way round. Maybe I can do this even with a kind of redirecting; since we mostly have generated JPEGs, they won't be cached anyway.

Franziskus
-----Original Message-----
From: Kurt Seifried [mailto:listuser@seifried.org]
Sent: Donnerstag, 13. September 2001 10:43
To: Franziskus Scharpff; suse-security@suse.com
Subject: Re: [suse-security] reverse Proxy [was: http proxy]
Hello,
Might be off topic, but I'm searching for a reliable reverse proxy for our web servers.
A more correct term is HTTP accelerator (couldn't figure out your email initially =).
As far as I know Apache does the job, but only for HTTP 1.0. Are there any other solutions? Or has mod_proxy been updated meanwhile?
Squid will pass HTTP 1.1 headers, Apache too. mod_proxy is updated in 1.2.
Any security holes?
Yup. Misconfiguration is easy. I may be able to use your proxy to attack your internal network for example. Or anonymize my web surfing. If you do it be very restrictive and use firewalling on the accelerator machine to enforce what it should do (i.e. only talk to port 80 on internal www server).
Thank you for your help.
Franziskus
Kurt Seifried, kurt@seifried.org PGP Key ID: 0xAD56E574 Fingerprint: A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/
mmh ...
Maybe this is really a misunderstanding. What I'm searching for is a piece of software with which I can publish my HTTP servers in my DMZ to the world. AND I would like to do things like:

www.Name.de/sub1/ -> box2.internal/sub_main/sub
www.Name.de/sub2/ -> box3.internal/something_else/sub
www.Name.de/sub1/sub2 -> box2.internal/sub_main/sub3
Yes, that's called http accelerating. Dunno if you can do various dir's to internal servers though. You can do virtual hosts off of one IP address though.
We have one external IP, but very different boxes for the different parts of our web service. Like box2 runs NT, box3 runs Solaris.
Yup. no prob.
As far as I know Squid only does a proxy the other way round.
Then you may want to read the config file sometime, or the documentation.
Maybe I can do this even with a kind of redirecting; since we mostly have generated JPEGs, they won't be cached anyway.
Franziskus
Kurt Seifried, kurt@seifried.org PGP Key ID: 0xAD56E574 Fingerprint: A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/
Jo, On 13-Sep-01 Kurt Seifried wrote:
mmh ...
Maybe this is really a misunderstanding. What I'm searching for is a piece of software with which I can publish my HTTP servers in my DMZ to the world. AND I would like to do things like:

www.Name.de/sub1/ -> box2.internal/sub_main/sub
www.Name.de/sub2/ -> box3.internal/something_else/sub
www.Name.de/sub1/sub2 -> box2.internal/sub_main/sub3
Yes, that's called http accelerating. Dunno if you can do various dir's to internal servers though. You can do virtual hosts off of one IP address though.
We have one external IP, but very different boxes for the different parts of our web service. Like box2 runs NT, box3 runs Solaris.
Yup. no prob.
I had the same thoughts first, but IMO a little more tweaking is required to get it up and running properly. If www.Name.de resolves to, for example, 1.2.3.4, it would be the same for www.Name.de/sub1, /sub2, etc., but Apache can only do name-based virtualizing with pure domain names/aliases like www.Name.de or www.Name2.de, not www.Name.de/sub1, because /sub1 is just a simple subdirectory, not a subdomain or something.

But you could do Apache name-based virtualizing AND redirecting instead. For example, if you have one DMZ-based web server with Apache, you could assign this as your "master" web server where www.Name.de resides. Next you could set up an internal DNS which "knows" the internal machines by their (also internal) names, and then redirect requests to, say, www.Name.de/sub1/ to box2.internal/sub_main/sub. This could be easily accomplished using Apache's redirect directive.

For security reasons you should use internal/private IP addresses for the DMZ boxes, make them resolvable with an internal DNS and use port forwarding on the firewall: assign your official IP to its world network device and forward any requests to your "master web server" with a private IP first, which does the name-based redirecting and virtualizing. My port forwarding utility of choice is ipmasqadm, which is part of the SuSE distro (sec).

"Have a lot of fun..." ;) [...]
Franziskus
Kurt Seifried, kurt@seifried.org PGP Key ID: 0xAD56E574 Fingerprint: A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/
Boris Lorenz <bolo@lupa.de> ---
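An added example, not from any of the posters, of how the path mappings Franziskus asked for can be expressed on an Apache httpd reverse proxy ("HTTP accelerator") on the DMZ box holding the single external IP, with forward proxying switched off as Kurt's warning calls for. The module paths, the empty DocumentRoot directory and the resolvability of box2.internal / box3.internal via internal DNS are assumptions.

```apache
# Added example (not from the thread): Apache httpd as a reverse proxy for
# www.Name.de, mapping published paths to the internal boxes.
# Assumption: module paths match your build; backend names resolve internally.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName www.Name.de

    # Forward proxying stays off. With "ProxyRequests On" this box would relay
    # arbitrary outbound requests, i.e. the misconfiguration that lets the
    # accelerator be used to anonymise surfing or to reach internal hosts.
    ProxyRequests Off

    # Rules are checked in configuration order and the first match wins, so the
    # longer prefix /sub1/sub2/ must come before /sub1/ or it is never reached.
    ProxyPass        /sub1/sub2/ http://box2.internal/sub_main/sub3/
    ProxyPassReverse /sub1/sub2/ http://box2.internal/sub_main/sub3/

    ProxyPass        /sub1/      http://box2.internal/sub_main/sub/
    ProxyPassReverse /sub1/      http://box2.internal/sub_main/sub/

    ProxyPass        /sub2/      http://box3.internal/something_else/sub/
    ProxyPassReverse /sub2/      http://box3.internal/something_else/sub/

    # ProxyPassReverse rewrites Location headers in backend redirects so
    # clients never see box2.internal / box3.internal names.

    # Paths not listed above are served locally, not forwarded. Assumption:
    # an empty directory, so unmapped requests simply get 404.
    DocumentRoot /srv/www/empty
    <Directory /srv/www/empty>
        Require all denied
    </Directory>

    ErrorLog  logs/www.Name.de-error_log
    CustomLog logs/www.Name.de-access_log combined
</VirtualHost>
```

Pair this with host firewall rules on the accelerator that allow outbound connections only to port 80 on box2.internal and box3.internal, so that even a later configuration slip cannot turn the box into a route into the rest of the internal network.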
There is also a project on www.linuxvirtualserver.org that touches on this topic. Michael
participants (4): Appeldorn, Boris Lorenz, Kurt Seifried, Scharpff@tembit.de