> Date: Mon, 28 Feb 2000 19:42:32 -0800 (PST)
> From: <[EMAIL PROTECTED]>
> Subject: Virtual hosting through firewall problem
>
> I'm not getting any response from the Redhat list so I thought I'd send
> this off here. I'm having some problems with my new firewall as described
> below and was wondering if I could get a hand with it.
>
> ...
>
> On Fri, 25 Feb 2000 [EMAIL PROTECTED] wrote:
>
> > I've just set up a firewall on my network using portfw with commands like
> > the following:
> >
> > /usr/sbin/ipmasqadm portfw -a -P tcp -L $external_ip 80 -R $internal_ip 80
> > /usr/sbin/ipmasqadm portfw -a -P udp -L $external_ip 80 -R $internal_ip 80
> >
> > I have a webserver running behind it that is hosting several domains, but
> > since installing the firewall the webserver is responding as if all
> > requests are being made to the machine's IP, not its domain, so all of
> > the hosted domains are defaulting to a single website. Both the firewall
> > and the server are running the latest build of redhat and the
> > webserver is running Apache.
> >
> > -Ben Newman
I don't do that much with Apache, but maybe I can help a little.
It sounds like you're using name based virtual hosts. In that case,
Apache looks for NameVirtualHost and VirtualHost directives that match
the destination IP of the packets that it receives. Now that the web
server is behind the firewall, the destination addresses in the packets
that it receives will be $internal_ip, not $external_ip. Have you
changed the NameVirtualHost and VirtualHost directives in your Apache
configuration files accordingly? If not, this may be the cause of your
problems.
Another thing that might fix the problem would be to use a separate
external IP address for your webserver and use NAT (network address
translation) to forward connections from the external IP to the internal
IP. NAT is different from port forwarding as it can forward any
packets, not just TCP or UDP packets. In practice, though, this should
be identical to port forwarding for a web server, since only a single
tcp port is used by HTTP (you don't need to forward UDP port 80 -- it
isn't used by HTTP). NAT forwarding is usually only needed if you're
dealing with something nasty (e.g. that uses protocols other than TCP or
UDP or opens ports in both directions). Static NAT is supported by the
Linux 2.2.x kernels, but it isn't usually configured and the program
needed to configure NAT routing isn't normally included in common
distributions (e.g. RedHat). If you think you need static NAT, let me
know and I'll forward some more information.
If you can't get name based virtual hosts to work, you can use IP based
virtual hosts. In that case, though, you'll need to have separate
external and internal IP addresses for each virtual host, you'll have to
forward TCP port 80 through on each pair of internal/external addresses,
you'd get rid of the NameVirtualHost directive and you'd change the
VirtualHost directives to specify the internal IP addresses of the
virtual hosts.
--
Wes Chalfant Peabody Systems [EMAIL PROTECTED]
(714) 639-8643 FAX (714) 639-2817
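The selection rule Wes describes (Apache matches the packet's destination IP against the VirtualHost directives before it looks at the Host: header, and if the NameVirtualHost address is no longer the one the packets carry, every request falls through to the main server) can be reproduced offline. The following is an added example, not code from the thread or from Apache: a deliberately simplified model of the Apache 1.3 virtual-host lookup applied to three constructed httpd.conf fragments. The addresses (203.0.113.10 as the firewall's external IP, 192.168.1.10 and 192.168.1.11 as internal IPs) and the host names are assumptions chosen for illustration.

```python
"""Model of how Apache 1.3 picks a virtual host for one request.

Added example (not from the original thread). Rules modelled, simplified:
  1. collect the <VirtualHost> blocks whose address equals the packet's
     destination IP (and port);
  2. if none match, the main server (top-level ServerName) answers;
  3. if the address was declared with NameVirtualHost, pick the block whose
     ServerName/ServerAlias matches the Host: header, else the first block;
  4. otherwise (IP-based vhost) the first block for that address answers
     and the Host: header is ignored.
Addresses and host names below are constructed assumptions.
"""
import re

# Constructed config: external IP still in the directives after the server
# moved behind the port-forwarding firewall. This is Ben's reported state.
BROKEN_CONF = """
ServerName default.example.net
NameVirtualHost 203.0.113.10
<VirtualHost 203.0.113.10>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>
<VirtualHost 203.0.113.10>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
</VirtualHost>
"""

# Same config with the directives changed to the internal IP, which is the
# destination address the forwarded packets actually carry.
FIXED_CONF = BROKEN_CONF.replace("203.0.113.10", "192.168.1.10")

# IP-based alternative: one internal IP per site, no NameVirtualHost.
IP_BASED_CONF = """
ServerName default.example.net
<VirtualHost 192.168.1.10>
    ServerName www.example.com
</VirtualHost>
<VirtualHost 192.168.1.11>
    ServerName www.example.org
</VirtualHost>
"""


def parse_conf(text):
    """Return (main ServerName, set of NameVirtualHost IPs, list of vhosts)."""
    main_name, name_ips, vhosts, current = None, set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>\s]+)>", line, re.I)
        if m:
            ip, _, port = m.group(1).partition(":")
            current = {"ip": ip, "port": int(port) if port else 80, "names": []}
            continue
        if line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "namevirtualhost":
            name_ips.add(val.partition(":")[0])
        elif key == "servername":
            if current is None:
                main_name = val          # top-level: the main/default server
            else:
                current["names"].append(val.lower())
        elif key == "serveralias" and current is not None:
            current["names"].extend(v.lower() for v in val.split())
    return main_name, name_ips, vhosts


def select_vhost(conf, dest_ip, host_header, dest_port=80):
    """Return the ServerName that would serve a request to dest_ip:dest_port
    carrying the given Host: header (None when the client sent none)."""
    main_name, name_ips, vhosts = parse_conf(conf)
    candidates = [v for v in vhosts
                  if v["ip"] == dest_ip and v["port"] == dest_port]
    if not candidates:
        return main_name                 # nothing matches the destination IP
    if dest_ip not in name_ips:
        return candidates[0]["names"][0]  # IP-based: Host: header ignored
    host = (host_header or "").partition(":")[0].lower()
    for v in candidates:
        if host in v["names"]:
            return v["names"][0]
    return candidates[0]["names"][0]     # unknown/missing Host: first block


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for host in ("www.example.com", "www.example.org"):
            print(label, host, "->", select_vhost(conf, "192.168.1.10", host))
```

With BROKEN_CONF every request arriving at 192.168.1.10 is answered by default.example.net regardless of the Host: header, which is the "single website" symptom; with FIXED_CONF the Host: header selects the site again. IP_BASED_CONF shows why the IP-based fallback needs one forwarded address pair per site: the lookup stops at the destination address and never consults Host:.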