* publishing 2 web server on one valid IP
@ 2003-09-29 12:12 Afshin Lamei
2003-09-29 12:38 ` Ray Leach
2003-09-29 13:29 ` Tomas Edwardsson
0 siblings, 2 replies; 4+ messages in thread
From: Afshin Lamei @ 2003-09-29 12:12 UTC (permalink / raw)
To: netfilter
Hi,
I have 2 web servers in my DMZ. When there was one, I used DNAT to publish
the single web server on port 80 of the external interface of my firewall.
Now I don't know how to distinguish between the requests of 2 web servers,
because I have only one IP address available for the external interface.
Is there any solution using iptables to know which HTTP request must
be DNATed to which web server?
Regards,
afshin
* Re: publishing 2 web server on one valid IP
From: Ray Leach @ 2003-09-29 12:38 UTC (permalink / raw)
To: Netfilter Mailing List
On Mon, 2003-09-29 at 14:12, Afshin Lamei wrote:
> hi
> I have 2 web servers in my DMZ. when there was one, I used DNAT to publish
> the single web server on port 80 of the external interface of my firewall.
> now I don't know how to distinguish between the requests of 2 web servers,
> because I have only one IP address available for the external interface.
> Is there any solution using iptables, to know that which http request must
> be DNAT to which web server?
> regards,
> afshin
>
How about adding an ip alias to the xt iface of your firewall for the
second web server?
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: publishing 2 web server on one valid IP
From: Tomas Edwardsson @ 2003-09-29 13:29 UTC (permalink / raw)
To: Afshin Lamei; +Cc: netfilter
I don't think there is any solution using iptables. I personally use mod_proxy
and virtual hosting on Apache to distinguish what goes where.
====
Tomas Edwardsson
HP-UX Certified System Administrator
Red Hat Certified Engineer.
Opin Kerfi
On Mon, Sep 29, 2003 at 03:42:49PM +0330, Afshin Lamei wrote:
> From: "Afshin Lamei" <linux_st@hotmail.com>
> To: netfilter@lists.netfilter.org
> Subject: publishing 2 web server on one valid IP
> Date: Mon, 29 Sep 2003 15:42:49 +0330
>
> hi
> I have 2 web servers in my DMZ. when there was one, I used DNAT to publish
> the single web server on port 80 of the external interface of my firewall.
> now I don't know how to distinguish between the requests of 2 web servers,
> because I have only one IP address available for the external interface.
> Is there any solution using iptables, to know that which http request must
> be DNAT to which web server?
> regards,
> afshin
* RE: publishing 2 web server on one valid IP
@ 2003-09-29 23:43 George Vieira
0 siblings, 0 replies; 4+ messages in thread
From: George Vieira @ 2003-09-29 23:43 UTC (permalink / raw)
To: Afshin Lamei, netfilter
Depending on your load on the webserver.. If a proxy of some sort is not possible and you have one grunty firewall that can handle string modules well enough, you can string match the virtual host.
I've tested this and it works even though there's a possibility that some packets may be small enough to be fragmented and the string match won't match it but so far it's been OK. I haven't tested it with a large site either.. so really depends if this is a small project or not.
I would not use string matching on a production machine where it's critical to get it working 110%...
I would rather tell the ISP to supply 2 IPs...
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
-----Original Message-----
From: Afshin Lamei [mailto:linux_st@hotmail.com]
Sent: Monday, 29 September 2003 10:13 PM
To: netfilter@lists.netfilter.org
Subject: publishing 2 web server on one valid IP
hi
I have 2 web servers in my DMZ. when there was one, I used DNAT to publish
the single web server on port 80 of the external interface of my firewall.
now I don't know how to distinguish between the requests of 2 web servers,
because I have only one IP address available for the external interface.
Is there any solution using iptables, to know that which http request must
be DNAT to which web server?
regards,
afshin
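Added example (not written by any of the posters): a small Python model of the two approaches discussed in this thread, Tomas Edwardsson's Host-based proxy routing and George Vieira's per-packet string match, showing why the latter can miss a request whose Host header is split across packets or written in a different case. Hostnames, DMZ addresses and sample requests are constructed, and `per_packet_match` is a simplified stand-in for a string match rule, not the iptables module itself.

```python
# Constructed mapping: virtual host name -> DMZ web server (hypothetical values).
BACKENDS = {"www.site-a.example": "10.0.0.11", "www.site-b.example": "10.0.0.12"}

def per_packet_match(segments):
    """Model of a per-packet, case-sensitive string match: each segment is seen alone."""
    for seg in segments:
        for host, ip in BACKENDS.items():
            if b"Host: " + host.encode() in seg:
                return ip
    return None  # no single packet carried the whole pattern

def parse_host(stream):
    """Return the lower-cased Host value (port stripped) from a full request head."""
    head, sep, _ = stream.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers not complete yet: a proxy would keep reading
    hosts = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.lower() == b"host":  # header names are case-insensitive
            hosts.append(value.strip().decode("ascii", "replace").lower())
    if len(hosts) != 1:
        return None  # missing or duplicated Host: refuse to guess
    return hosts[0].partition(":")[0]

def proxy_route(segments):
    """Model of a name-based virtual-host proxy: reassemble first, then route."""
    return BACKENDS.get(parse_host(b"".join(segments)))  # unknown Host -> None

# Constructed sample traffic.
REQ_B = b"GET / HTTP/1.1\r\nHost: www.site-b.example\r\nUser-Agent: demo\r\n\r\n"
WHOLE = [REQ_B]                      # request arrives in one packet
SPLIT = [REQ_B[:30], REQ_B[30:]]     # Host value cut in two by segmentation
LOWER = [b"GET / HTTP/1.1\r\nhost: WWW.SITE-A.EXAMPLE:80\r\n\r\n"]
UNKNOWN = [b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"]

if __name__ == "__main__":
    for label, segs in [("whole", WHOLE), ("split", SPLIT),
                        ("lower", LOWER), ("unknown", UNKNOWN)]:
        print(f"{label:8} per-packet={per_packet_match(segs)} proxy={proxy_route(segs)}")
```
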