Re: Handling HTTP virtual hosts with relayd
On 19 Dec 2009, at 12:18, Lars Nooden wrote:

> Ben Calvert wrote:
>> This is what squid is for.
>>
>> On Dec 18, 2009, at 10:01 AM, James Stocks wrote:
>>
>>> Hello everyone,
>>>
>>> I'm presently using Apache to reverse-proxy HTTP connections through to our
>>> Microsoft IIS servers so that we don't have to expose IIS directly to Internet
>>> hosts. Recently, I've been testing relayd in this role.
>
> The vulnerable machines are still accessible via the proxy, squid.
> Don't fiddle with half measures, move what you have over to Apache.
> Say what you have the machine for and it will be easier to find the
> right software for you.
>
> /Lars

The IIS servers have a fair number of ASP.net based applications, to be honest I don't know what 50% of them do but they are needed. Nothing would please me more than to get rid of these machines and indeed this is what I advocate whenever my opinion is sought. However, I don't have the authority to tell the software development department what to do, so I'm stuck with it for now.

I know that IIS isn't ideal from a security point of view, but I want to do everything we can to safeguard them from attack. My view is that placing Apache, relayd, squid et al. between the server and the Internet at least helps to strip out some attacks.

Anyway, somebody has replied to me off-list indicating that relayd can't presently handle virtual hosts in the same way Apache does, so I'll stick with this for now.

Thanks to all who advised.

James.

Re: Handling HTTP virtual hosts with relayd
On 2009-12-19, Lars Nooden wrote:

> The vulnerable machines are still accessible via the proxy, squid.
> Don't fiddle with half measures, move what you have over to Apache.
> Say what you have the machine for and it will be easier to find the
> right software for you.

It could equally be "I have a webserver running apache, I want to split vhosts onto separate (machines|httpd instances) and keep them on a single IP address without using something which is total overkill". And sometimes it's simply not possible to move things to a different platform.

On 2009-12-19, Ben Calvert wrote:

> This is what squid is for.

Or www/pound, or www/varnish, or apache mod_proxy, or lighttpd mod_proxy, or... pound is probably the simplest of these, but each have their advantages and disadvantages.

On 2009-12-18, James Stocks wrote:

> I'm presently using Apache to reverse-proxy HTTP connections through to our
> Microsoft IIS servers so that we don't have to expose IIS directly to Internet
> hosts. Recently, I've been testing relayd in this role.
>
> Apache can reverse-proxy requests for several internal HTTP servers through a
> single internet-routable IP address by using virtual hosts. I've not yet
> discovered a way of getting relayd to forward the request to a different host
> depending on the content of the 'Host:' header. Does relayd have this
> capability? If so how do I do it?

It would make a lot of sense to be able to do this, but it doesn't seem possible (if it actually is possible, it's very well hidden in the docs).

Re: Handling HTTP virtual hosts with relayd
Ben Calvert wrote:

> This is what squid is for.
>
> On Dec 18, 2009, at 10:01 AM, James Stocks wrote:
>
>> Hello everyone,
>>
>> I'm presently using Apache to reverse-proxy HTTP connections through to our
>> Microsoft IIS servers so that we don't have to expose IIS directly to Internet
>> hosts. Recently, I've been testing relayd in this role.

The vulnerable machines are still accessible via the proxy, squid. Don't fiddle with half measures, move what you have over to Apache. Say what you have the machine for and it will be easier to find the right software for you.

/Lars

Re: Handling HTTP virtual hosts with relayd
This is what squid is for.

On Dec 18, 2009, at 10:01 AM, James Stocks wrote:

> Hello everyone,
>
> I'm presently using Apache to reverse-proxy HTTP connections through to our
> Microsoft IIS servers so that we don't have to expose IIS directly to Internet
> hosts. Recently, I've been testing relayd in this role.
>
> Apache can reverse-proxy requests for several internal HTTP servers through a
> single internet-routable IP address by using virtual hosts. I've not yet
> discovered a way of getting relayd to forward the request to a different host
> depending on the content of the 'Host:' header. Does relayd have this
> capability? If so how do I do it?
>
> Regards,
> James.

Handling HTTP virtual hosts with relayd
Hello everyone,

I'm presently using Apache to reverse-proxy HTTP connections through to our Microsoft IIS servers so that we don't have to expose IIS directly to Internet hosts. Recently, I've been testing relayd in this role.

Apache can reverse-proxy requests for several internal HTTP servers through a single internet-routable IP address by using virtual hosts. I've not yet discovered a way of getting relayd to forward the request to a different host depending on the content of the 'Host:' header. Does relayd have this capability? If so how do I do it?

Regards,
James.
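
The Host-header-based reverse proxying this thread describes, sketched as an Apache 2.4 configuration. This is an added example, not part of any poster's message or anyone's actual setup; the hostnames and backend addresses are constructed placeholders, and it assumes mod_proxy and mod_proxy_http are loaded.

```apache
# Added example: name-based virtual hosts used as a reverse proxy in front
# of internal web servers. All names and addresses below are placeholders.

# Reverse proxy only; never act as a forward (open) proxy.
ProxyRequests Off

# The first vhost defined for an address:port is the default. It receives
# every request whose Host header matches no ServerName below, so unknown
# or missing Host values are refused instead of reaching a backend.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Requests with "Host: app1.example.com" go to the first internal server.
<VirtualHost *:80>
    ServerName app1.example.com
    # Pass the client's Host header through so the backend can select
    # its own site by host name.
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.0.2.11/"
    # Rewrite Location headers in backend redirects to the public name.
    ProxyPassReverse "/" "http://192.0.2.11/"
</VirtualHost>

# Requests with "Host: app2.example.com" go to the second internal server.
<VirtualHost *:80>
    ServerName app2.example.com
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.0.2.12/"
    ProxyPassReverse "/" "http://192.0.2.12/"
</VirtualHost>
```

Only requests carrying a listed Host value are forwarded, and each backend is reachable solely through its own vhost on the single public address.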