Solved

Mapping Public Subdomain into internal address

Posted on 2008-10-17
Last Modified: 2012-05-05
Hi all
We have the following infrastructure:
1. Public DNS - everydns.net
2. Smoothwall Firewall
3. Windows 2003 Server 2003 Small Business Server (DNS, DHCP, etc etc)
4. Linux box (crm box)
5. Only 1 Public Address - 123.123.123.123 (for example)

The crm application is located at 192.168.100.11, and at this stage we have configured our firewall to forward all requests (only port 80) to this internal IP address - 192.168.100.11 (port 80 as well). In our public DNS (everydns.net), we set the subdomain, for instance http://crm.TEST.com, to point to 123.123.123.123. This works OK with no problem.

But if I want to have another web application, still using port 80, for instance an intranet, and we only have 1 public IP address, how do I do this? We have Windows 2003 Server as our primary server (DNS etc) but don't know how to utilise it. Anyway ... is this possible? I think this is possible, but maybe our firewall is not able to achieve this? We can't see any options except forwarding?!?!

Thanks
Question by:dewacorp_alliances
 
LVL 51

Expert Comment

by:ahoffmann
ID: 22749526
you either have to use a proxy, or your web server needs to support virtual hosts
0
 
LVL 33

Accepted Solution

by:
shalomc earned 100 total points
ID: 22752033
ahoffmann said it in a very concise manner, I will elaborate a bit.

you can only do NAT to a single address, so this address must act as a "HTTP forwarder".

a method that works is to setup an Apache web server (runs on windows too).
this web server should have proxy and virtual hosts enabled.
your DNS will have an alias for each web site you need, all pointing to the same address.
you then create a virtual host for each alias, and direct all requests via a reverse proxy to the actual web servers.
ensure that the web servers do not use fully qualified URLs, or this will not work.
a nice addition will be mod_security to better protect your web sites.

ShalomC

# example setup
# See also http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

NameVirtualHost *:80
# Reverse proxy only: do not act as a forward proxy
ProxyRequests Off

# Public names crm/support are proxied to the internal CRM server
<VirtualHost *:80>
   ServerName crm.TEST.com
   ServerAlias support.TEST.com
   ProxyPass / http://internalCRM.yourorg/
   ProxyPassReverse / http://internalCRM.yourorg/
   # internal-domain and public-domain are placeholders for your own domains
   ProxyPassReverseCookieDomain internal-domain public-domain
</VirtualHost>

# Second site on the same address, proxied to a different internal server
<VirtualHost *:80>
   ServerName www.othertest.com
   ProxyPass / http://otherserver.yourorg/
   ProxyPassReverse / http://otherserver.yourorg/
   ProxyPassReverseCookieDomain internal-domain public-domain
</VirtualHost>

0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22760145
If I am reading your question correctly, then previous answers go further than what you asked.

Let's start by saying many web-hosting companies have only one IP per machine, and still share hundreds of websites on that server. HOW?

This is a feature that has been present for a long time on web servers: Virtual Domains. The webserver daemon will check the URL and answer with the appropriate set of webpages depending upon it.

this is a standard virtual domain setup in apache: (more or less what shalomc put, but without "PROXIES" enabled, which is a step further)

Take into consideration, all these domains should point to 123.123.123.123, and the web server will be the one that will discriminate using the URL.
This is for several virtual hosts in the same server:

------8<---------------------------------------

NameVirtualHost *:80
ProxyRequests Off

<VirtualHost *:80>
   ServerName crm.TEST.com
   ServerAlias support.TEST.com
   ServerAdmin webmaster@TEST.com
   DocumentRoot /var/www/htdocs/crm
   ErrorLog /var/log/apache/crm.TEST.com-error_log
   CustomLog /var/log/apache/crm.TEST-access_log combined
</VirtualHost>

<VirtualHost *:80>
   ServerName www.othertest.com
   ServerAlias othertest.com
   ServerAdmin webmaster@TEST.com
   DocumentRoot /var/www/htdocs/www.othertest.com
   ErrorLog /var/log/apache/www.othertest.com-error_log
   CustomLog /var/log/apache/www.othertest.com-access_log combined
</VirtualHost>

------8<---------------------------------------
 
 

NOW: if you want to share a web page in your windows server too, then the technology used for that is a PROXY. Apache can do that too, and the example is what shalomc put in his answer.

you can also COMBINE any number of sites in your linux box with any number of internal sites proxied using apache. it is just a matter of adding the

<VirtualHost *:80>
</VirtualHost>

blocks.

HTH

0
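
How the name-based selection described in the answer above picks a site, as an added sketch that is not part of the original post. It is a simplified model of Apache's matching on the Host header (hostnames and IPv4 only); the vhost table is constructed from the thread's example names, and the wildcard alias and duplicate entry are assumptions added to show the edge cases.

```python
from fnmatch import fnmatchcase

# Constructed vhost table in config-file order: (ServerName, [ServerAlias, ...], backend).
# Hostnames follow the thread's examples; the wildcard alias and third entry are illustrative.
VHOSTS = [
    ("crm.test.com", ["support.test.com"], "local:/var/www/htdocs/crm"),
    ("www.othertest.com", ["othertest.com", "*.othertest.com"],
     "proxy:http://otherserver.yourorg/"),
    ("crm.test.com", [], "proxy:http://internalCRM.yourorg/"),  # duplicate name
]


def normalise_host(host_header):
    """Lower-case the Host header, drop a trailing dot and an optional :port."""
    host = host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def select_vhost(host_header, vhosts=VHOSTS):
    """Return (index, backend) of the vhost that answers this Host header."""
    host = normalise_host(host_header)
    for index, (name, aliases, backend) in enumerate(vhosts):
        # First block whose ServerName or ServerAlias matches wins.
        if host == name or any(fnmatchcase(host, alias) for alias in aliases):
            return index, backend
    # No name matched: the first block listed acts as the default.
    return 0, vhosts[0][2]


def shadowed_vhosts(vhosts=VHOSTS):
    """Indexes of blocks that can never be selected by their own ServerName."""
    return [i for i, (name, _, _) in enumerate(vhosts)
            if select_vhost(name, vhosts)[0] != i]


if __name__ == "__main__":
    for header in ("crm.TEST.com", "support.test.com:80",
                   "shop.othertest.com", "123.123.123.123"):
        print(header, "->", select_vhost(header))
    print("shadowed blocks:", shadowed_vhosts())
```

A request that arrives with an unknown name or the bare public IP falls through to the first block, so the first block should be a site you are content to expose to any visitor.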
 

Author Comment

by:dewacorp_alliances
ID: 22762066
Hi all

The issue is that:

Let's say in my internal servers, I have 1 web server on linux and 1 web server on windows. In my firewall, I can only create the following rule:

PORT FORWARDING > PROTOCOL (80) - EXTERNAL IP SOURCE (ALL) - SOURCE PORT (80) - DESTINATION IP (192.168.100.11)  - DESTINATION PORT (80)

See, the issue is that I can only point DESTINATION IP to 1 machine (192.168.100.11).

Thanks
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22762239
Then the answer was already given.

check the post from shalomc: he is telling you how to make apache "proxy" the other internal web server so it appears to be served from your linux web server.

then check my last post, where I show how to setup your domain as a virtual domain.

if you mix these two, you will be able to share both web servers

NameVirtualHost *:80
ProxyRequests Off

# Site served directly from this linux box
<VirtualHost *:80>
   ServerName crm.TEST.com
   ServerAlias support.TEST.com
   ServerAdmin webmaster@TEST.com
   DocumentRoot /var/www/htdocs/crm
   ErrorLog /var/log/apache/crm.TEST.com-error_log
   CustomLog /var/log/apache/crm.TEST-access_log combined
</VirtualHost>

# Site proxied to the other internal web server.
# Its ServerName must differ from the block above: Apache serves the
# first vhost whose name matches, so a repeated name is never reached.
<VirtualHost *:80>
   ServerName www.othertest.com
   ServerAlias othertest.com
   ProxyPass / http://otherserver.yourorg/
   ProxyPassReverse / http://otherserver.yourorg/
   ProxyPassReverseCookieDomain internal-domain public-domain
</VirtualHost>

this way.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 22762777
> .. DESTINATION IP only into 1 machine
as (I) already explained: that machine must be a proxy

According to your environment, it needs to be the apache server where you configure name-based virtual hosts: one for the apache server itself and the other one as transparent proxy to your IIS.
Configuration examples already given.
0
 

Author Comment

by:dewacorp_alliances
ID: 22762858
Just want to clarify: because the firewall can only forward to 1 internal IP address, you are saying that I need another box running apache, and this box will be like some sort of redirection control. Is this correct? In this redirection, I basically insert the lines that Redimido explained above. Correct?

Thanks

0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22763341
To clarify: your firewall forwards to the internal linux machine.

you setup as we showed in the example

it should work with no more hassle

:)

And yes, what ahoffmann commented was as is, what you had to do. We only elaborated ;-)
0

 

Author Comment

by:dewacorp_alliances
ID: 22763528
Thanks Redimido.

My other question is from the linux box (the redirection centre - so to speak), how to do alias and point the IIS box?

Thanks
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 25 total points
ID: 22766550
> how to do alias and point the IIS box?
what do you mean by that?
If you're running apache on that linux box, see above configurations how to use it as proxy. "your IIS box" is probably what Redimido named internalCRM.yourorg.
So you either need DNS, or a local host entry or you need to use the IP here.
0
 

Author Comment

by:dewacorp_alliances
ID: 22782493
Thanks ahoffmann

Understood.
0
 

Author Comment

by:dewacorp_alliances
ID: 22805589
Hi Guys

Continuing on this:

1 public URL that needs to handle 2 websites (crm.test.com and extranet.test.com with NT challenge login - one is in apache and the second one is in MS IIS). The firewall forwards all port 80 traffic to 192.168.100.11:80, where the apache sits.

In the configuration for the 000-default (/etc/apache2/sites-enabled/000-default), I've followed the configuration as per above.

I've tested this externally and it works OK if I access crm.test.com, but when I tested extranet.test.com it says: Forbidden - You don't have permission to access / on this server.

Any ideas?


NameVirtualHost 192.168.100.11:80
ProxyRequests Off

<VirtualHost 192.168.100.11:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

<VirtualHost 192.168.100.11:80>
    ServerName extranet.test.com
    ServerAlias extranet.test.local
    ProxyPass / http://extranet.test.local/
    ProxyPassReverse / http://extranet.test.local/
    ProxyPassReverseCookieDomain internal-domain public-domain
</VirtualHost>

0
 

Author Comment

by:dewacorp_alliances
ID: 22805614
Adding to that:

Both Internal DNS for crm.test.local and extranet.test.local are both pointing to 192.168.100.11 (apache)
0
 

Author Comment

by:dewacorp_alliances
ID: 22805903
After tweaking this, we found the solution: apparently there is a setting in /etc/apache2/mods-available/proxy.conf that needs to be commented out: Deny from all



0
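
A check worth running after the proxy.conf change described in the post above, as an added example that is not part of the original thread. With the `Deny from all` line gone, `ProxyRequests Off` is the setting that keeps the box from relaying arbitrary requests, so the script reports both; the sample config is constructed in the Debian proxy.conf style, and the parser assumes the Apache 2.2 `Order deny,allow` syntax used in this thread.

```python
import re

# Constructed sample: a Debian-style proxy.conf after the change described in the
# post ("Deny from all" commented out). Not copied from the poster's server.
SAMPLE_PROXY_CONF = """\
<IfModule mod_proxy.c>
    ProxyRequests Off
    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        #Deny from all
    </Proxy>
</IfModule>
"""


def audit_proxy_conf(text):
    """Return (forward_proxy_enabled, proxy_star_denied, verdict) for config text.

    Simplified: understands only the Apache 2.2 Order/Deny syntax used in the
    thread and assumes 'Order deny,allow' with no overriding 'Allow from'.
    """
    forward = False        # Apache's default is ProxyRequests Off
    denied = False
    in_proxy_star = False
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue       # commented-out directives have no effect
        if re.match(r"proxyrequests\s+(on|off)\b", line):
            forward = line.split()[1] == "on"
        elif re.match(r'<proxy\s+"?\*"?\s*>', line):
            in_proxy_star = True
        elif line.startswith("</proxy"):
            in_proxy_star = False
        elif in_proxy_star and re.match(r"deny\s+from\s+all\b", line):
            denied = True
    if not forward:
        verdict = "REVERSE_ONLY"            # ProxyPass works, no open relay
    elif denied:
        verdict = "FORWARD_PROXY_RESTRICTED"
    else:
        verdict = "OPEN_FORWARD_PROXY"      # anyone can relay through the box
    return forward, denied, verdict


if __name__ == "__main__":
    print(audit_proxy_conf(SAMPLE_PROXY_CONF))
    print(audit_proxy_conf(SAMPLE_PROXY_CONF.replace("ProxyRequests Off", "ProxyRequests On")))
```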
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22806024
maybe you should start by eliminating the IP address, since you are serving by the URL, not by IP:

NameVirtualHost *:80
ProxyRequests Off

<VirtualHost *:80>

0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 22806031
in fact, this is an example of a working setup (the internal machine is reached by ip address)

NameVirtualHost *

<VirtualHost *>
    ServerAdmin webmaster@see.me.from.outside.com
    ServerName see.me.from.outside.com
    ServerAlias see.me.from.outside.com.mx
    ProxyPass / http://10.254.0.2/
    ProxyPassReverse / http://10.254.0.2/
    ErrorLog /var/log/httpd/see.me.from.outside.com-error_log
    CustomLog /var/log/httpd/see.me.from.outside.com-access_log common
</VirtualHost>

you can replace "see.me.from.outside.com" with "extranet.test.com"

0
