Virtual Hosting With Multiple Web Server behind Linux Firewall

 
 
Paul L
Guest
Posts: n/a

 
      02-21-2004, 01:12 PM
Greets.

I'm trying to get our Linux firewall configured up so that we can do
virtual hosting to our multiple web servers inside the firewall.
Currently, we have set up NAT with port redirections all over the port range
to get to our internal web servers, but I'm trying to clean that up so that
it's two ports (80 & 443) and route everything accordingly by name to the
appropriate server.

Our web servers are mainly IIS-based due to vendor requirements. The
firewall is a Redhat 7.2 server (that probably needs upgrading to 9).
Webmin is installed on it and I would probably go and do the editing that
way.

We have one static address on the outside.

Essentially, what I'm looking for is that if you go to www.domain.etc , it
will route to 1 server. If you go to www2.domain.etc, it will route to the
2nd server, etc. Same goes for https: redirections.

Can someone point me in the right direction here? I'm not all that great
with Linux and networking in general so anything 'newbieish' would be
helpful.

TIA!


 
 
 
 
 
Andrey Asadchev
Guest
Posts: n/a

 
      02-21-2004, 04:02 PM
Paul L wrote:
> Greets.
>
> I'm trying to get our Linux firewall configured up so that we can do
> virtual hosting to our multiple web servers inside the firewall.
> Currently, we have set up NAT with port redirections all over the port range
> to get to our internal web servers, but I'm trying to clean that up so that
> it's two ports (80 & 443) and route everything accordingly by name to the
> appropriate server.
>
> Our web servers are mainly IIS-based due to vendor requirements. The
> firewall is a Redhat 7.2 server (that probably needs upgrading to 9).
> Webmin is installed on it and I would probably go and do the editing that
> way.
>
> We have one static address on the outside.
>
> Essentially, what I'm looking for is that if you go to www.domain.etc , it
> will route to 1 server. If you go to www2.domain.etc, it will route to the
> 2nd server, etc. Same goes for https: redirections.



Netfilter is an IP-level firewall and router.
To do what you want to do, you have to look inside the http header to
see which http host the packet really wants to go to. Netfilter is an IP-
level firewall and is not really designed to do that - you can try the
string matching module, but this solution is ugly. Moreover, with SSL
packets it would be impossible, since you would have to look inside the
encrypted http header!

A better solution is to have a load balancer, such as maybe squid (reverse
proxy), to which all http and https requests are redirected and which in
turn makes the decision which internal server handles the request. You
might also want to take a look at Linux Virtual Server, which sounds
rather interesting.
 
 
Andrey Asadchev
Guest
Posts: n/a

 
      02-21-2004, 04:08 PM

> A better solution is to have a load balancer, such as maybe squid (reverse
> proxy), to which all http and https requests are redirected and which in
> turn makes the decision which internal server handles the request. You
> might also want to take a look at Linux Virtual Server, which sounds
> rather interesting.


Let me correct myself - Linux Virtual Server probably won't work for you.
 
 
David Efflandt
Guest
Posts: n/a

 
      02-21-2004, 06:04 PM
On Sat, 21 Feb 2004 09:12:53 -0500, Paul L <(E-Mail Removed)> wrote:
> Greets.
>
> I'm trying to get our Linux firewall configured up so that we can do
> virtual hosting to our multiple web servers inside the firewall.
> Currently, we have set up NAT with port redirections all over the port range
> to get to our internal web servers, but I'm trying to clean that up so that
> it's two ports (80 & 443) and route everything accordingly by name to the
> appropriate server.
>
> Our web servers are mainly IIS-based due to vendor requirements. The
> firewall is a Redhat 7.2 server (that probably needs upgrading to 9).
> Webmin is installed on it and I would probably go and do the editing that
> way.
>
> We have one static address on the outside.
>
> Essentially, what I'm looking for is that if you go to www.domain.etc , it
> will route to 1 server. If you go to www2.domain.etc, it will route to the
> 2nd server, etc. Same goes for https: redirections.


iptables does not know what hostname was used to access your public IP,
but apache can via the Host header in an http request, and can proxy LAN
servers based on that (see apache docs for mod_proxy). It would be
configured like name based virtual hosts, using ProxyPass instead of
DocumentRoot.

I have no experience with https, but somehow multiple hosts on a single
IP:443 would seem to be insecure, and may not work.

--
David Efflandt - All spam ignored http://www.de-srv.com/
 
 
Les Mikesell
Guest
Posts: n/a

 
      02-22-2004, 03:47 AM
"Paul L" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> I'm trying to get our Linux firewall configured up so that we can do
> virtual hosting to our multiple web servers inside the firewall.
> Currently, we have set up NAT with port redirections all over the port range
> to get to our internal web servers, but I'm trying to clean that up so that
> it's two ports (80 & 443) and route everything accordingly by name to the
> appropriate server.


You can do this for http on port 80. You can't do it for https on 443 for
more than one site because you must find the correct certificate to
use for encryption before you can see the host header.

> Essentially, what I'm looking for is that if you go to www.domain.etc , it
> will route to 1 server. If you go to www2.domain.etc, it will route to the
> 2nd server, etc. Same goes for https: redirections.
>
> Can someone point me in the right direction here? I'm not all that great
> with Linux and networking in general so anything 'newbieish' would be
> helpful.


Run apache on the firewall machine. Use NameVirtualHost with a
VirtualHost section for each site where you use ProxyPass and
ReverseProxyPass to direct to the appropriate server.

---
Les Mikesell
(E-Mail Removed)
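
An added example (not part of any post above) of the setup David Efflandt and Les Mikesell describe: Apache on the firewall with one name-based VirtualHost per site, each proxying to a LAN server. The LAN addresses, certificate paths and the catch-all vhost name are assumptions; the syntax is Apache 2.4, where the reverse-mapping directive is spelled ProxyPassReverse.

```apache
# Added example; 192.168.1.x addresses and file paths are constructed placeholders.
# Needs mod_proxy and mod_proxy_http (plus mod_ssl for the :443 block).
# On Apache 2.2 and earlier, also add "NameVirtualHost *:80" as the post says.

# Reverse proxy only: never relay arbitrary client-supplied URLs.
ProxyRequests Off

# Listed first, so it is the default for port 80: any request whose Host
# header matches no site below is refused instead of reaching a LAN server.
<VirtualHost *:80>
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.domain.etc
    # Pass the original Host header on, in case IIS selects the site by it.
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.1.10/"
    # Rewrite Location headers in redirects so clients never see the LAN address.
    ProxyPassReverse "/" "http://192.168.1.10/"
</VirtualHost>

<VirtualHost *:80>
    ServerName www2.domain.etc
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.1.11/"
    ProxyPassReverse "/" "http://192.168.1.11/"
</VirtualHost>

# HTTPS: the certificate is presented before the Host header is readable,
# so, as the thread notes, this covers a single site on the one public IP.
<VirtualHost *:443>
    ServerName www.domain.etc
    SSLEngine On
    SSLCertificateFile    "/path/to/www.domain.etc.crt"
    SSLCertificateKeyFile "/path/to/www.domain.etc.key"
    ProxyPreserveHost On
    # Assumption: TLS ends at the firewall and the LAN hop is plain HTTP.
    ProxyPass        "/" "http://192.168.1.10/"
    ProxyPassReverse "/" "http://192.168.1.10/"
</VirtualHost>
```

`apachectl configtest` checks the syntax, and `apachectl -S` lists which vhost is the default for each port.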


 