Solved

Mapping Public Subdomain into internal address

Posted on 2008-10-17
16
419 Views
Last Modified: 2012-05-05
Hi all
We have the following infrastructure:
1. Public DNS - everydns.net
2. Smoothwall Firewall
3. Windows Server 2003 Small Business Server (DNS, DHCP, etc etc)
4. Linux box (crm box)
5. Only 1 Public Address - 123.123.123.123 (for example)

The crm application is located at 192.168.100.11 and at this stage we have configured our firewall to forward all requests (port 80 only) to this internal IP address - 192.168.100.11 (port 80 as well). In our public DNS (everydns.net) we set a subdomain, for instance http://crm.TEST.com, pointing to 123.123.123.123. This works OK, no problem.

But if I want to have another web application also using port 80, for instance an intranet, and we only have 1 public IP address, how do I do this? We have Windows 2003 Server as our primary server (DNS etc) but don't know how to utilise it. Anyway ... is this possible? I think it is possible, but maybe our firewall is not able to achieve this? We can't see any options except forwarding?!?!

Thanks
Question by: dewacorp_alliances

16 Comments
LVL 51

Expert Comment

by:ahoffmann
ID: 22749526
you either have to use a proxy, or your web server needs to support virtual hosts
 
LVL 32

Accepted Solution

by: shalomc (earned 100 total points)
ID: 22752033
ahoffmann said it in a very concise manner, I will elaborate a bit.

you can only do NAT to a single address, so this address must act as a "HTTP forwarder".

a method that works is to set up an Apache web server (runs on windows too).
this web server should have proxy and virtual hosts enabled.
your DNS will have an alias for each web site you need, all pointing to the same address.
you then create a virtual host for each alias, and direct all requests via a reverse proxy to the actual web servers.
ensure that the web servers do not use fully qualified URLs, or this will not work.
a nice addition will be mod_security to better protect your web sites.

ShalomC
# example setup
# See also http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

NameVirtualHost *:80
ProxyRequests Off

<VirtualHost *:80>
   ServerName crm.TEST.com
   ServerAlias support.TEST.com
   ProxyPass / http://internalCRM.yourorg/
   ProxyPassReverse / http://internalCRM.yourorg/
   ProxyPassReverseCookieDomain internal-domain public-domain
</VirtualHost>

<VirtualHost *:80>
  ServerName www.othertest.com
  ProxyPass / http://otherserver.yourorg/
  ProxyPassReverse / http://otherserver.yourorg/
  ProxyPassReverseCookieDomain internal-domain public-domain
</VirtualHost>
 
LVL 19

Expert Comment

by:Redimido
ID: 22760145
If I am reading your question correctly, then the previous answers go further than what you asked.

Let's start by saying many web-hosting companies have only one IP per machine, and still share hundreds of websites on that server. HOW?

This is a feature that has been present on web servers for a long time: Virtual Domains. The webserver daemon will check the URL and answer with the appropriate set of webpages depending upon it.

this is a standard virtual domain setup in apache: (more or less what shalomc put, but without "PROXIES" enabled, which is a step further)

Take into consideration, all these domains should point to 123.123.123.123, and the web server will be the one that discriminates using the URL.
This is for several virtual hosts in the same server:
------8<---------------------------------------

NameVirtualHost *:80
ProxyRequests Off

<VirtualHost *:80>
   ServerName crm.TEST.com
   ServerAlias support.TEST.com
   ServerAdmin webmaster@TEST.com
   DocumentRoot /var/www/htdocs/crm
   ErrorLog /var/log/apache/crm.TEST.com-error_log
   CustomLog /var/log/apache/crm.TEST-access_log combined
</VirtualHost>

<VirtualHost *:80>
   ServerName www.othertest.com
   ServerAlias othertest.com
   ServerAdmin webmaster@TEST.com
   DocumentRoot /var/www/htdocs/www.othertest.com
   ErrorLog /var/log/apache/www.othertest.com-error_log
   CustomLog /var/log/apache/www.othertest.com-access_log combined
</VirtualHost>

------8<---------------------------------------
 
 

NOW: if you want to share a web page on your windows server too, then the technology used for that is a PROXY. Apache can do that too, and the example is what shalomc put in his answer.

you can also COMBINE any number of sites on your linux box with any number of internal sites proxied using apache. it is just a matter of adding the

<VirtualHost *:80>
</VirtualHost>

blocks.

HTH
 

Author Comment

by:dewacorp_alliances
ID: 22762066
Hi all

The issue is that:

Let's say in my internal servers, I have 1 linux web server and 1 windows web server. In my firewall, I can only do the following rule:

PORT FORWARDING > PROTOCOL (80) - EXTERNAL IP SOURCE (ALL) - SOURCE PORT (80) - DESTINATION IP (192.168.100.11)  - DESTINATION PORT (80)

See, the issue is that I can only point DESTINATION IP to 1 machine (192.168.100.11).

Thanks
 
LVL 19

Expert Comment

by:Redimido
ID: 22762239
Then the answer was already given.

check the post from shalomc: he is telling you how to make apache "proxy" the other internal web server so it appears to be served from your linux web server.

then check my last post, where I show how to setup your domain as a virtual domain.

if you mix these two, you will be able to share both web servers

NameVirtualHost *:80
ProxyRequests Off

<VirtualHost *:80>
   ServerName crm.TEST.com
   ServerAlias support.TEST.com
   ServerAdmin webmaster@TEST.com
   DocumentRoot /var/www/htdocs/crm
   ErrorLog /var/log/apache/crm.TEST.com-error_log
   CustomLog /var/log/apache/crm.TEST-access_log combined
</VirtualHost>

<VirtualHost *:80>
   ServerName crm.TEST.com
   ServerAlias support.TEST.com
   ProxyPass / http://internalCRM.yourorg/
   ProxyPassReverse / http://internalCRM.yourorg/
   ProxyPassReverseCookieDomain internal-domain public-domain
</VirtualHost>

this way.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 22762777
> .. DESTINATION IP only into 1 machine
as (I) already explained: that machine must be a proxy

According to your environment, it needs to be the apache server where you configure name-based virtual hosts: one for the apache server itself and the other one as transparent proxy to your IIS.
Configuration examples already given.
 

Author Comment

by:dewacorp_alliances
ID: 22762858
Just want to clarify: because the firewall can only forward to 1 internal IP address, you are saying that I need another box running apache, and this box will be some sort of redirection control. Is this correct? In this redirection, I basically insert the lines that Redimido explained above. Correct?

Thanks
 
LVL 19

Expert Comment

by:Redimido
ID: 22763341
To clarify: your firewall forwards to the internal linux machine.

you set it up as we showed in the example

it should work with no more hassle

:)

And yes, what ahoffmann commented was, as is, what you had to do. We only elaborated ;-)

Author Comment

by:dewacorp_alliances
ID: 22763528
Thanks Redimido.

My other question is, from the linux box (the redirection centre, so to speak), how do I do an alias and point it to the IIS box?

Thanks
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 25 total points
ID: 22766550
> how to do alias and point the IIS box?
what do you mean by that?
If you're running apache on that linux box, see the configurations above for how to use it as a proxy. "your IIS box" is probably what Redimido named internalCRM.yourorg.
So you either need DNS, or a local host entry, or you need to use the IP here.
 

Author Comment

by:dewacorp_alliances
ID: 22782493
Thanks ahoffmann

Understood.
 

Author Comment

by:dewacorp_alliances
ID: 22805589
Hi Guys

Continuing on this:

1 public URL needs to handle 2 websites (crm.test.com and extranet.test.com with NT challenge login - one is in apache and the second one is in MS IIS). The firewall forwards all port 80 traffic to 192.168.100.11:80, where apache sits.

In the configuration for the 000-default (/etc/apache2/sites-enabled/000-default), I've followed the configuration as per above.

I've tested this externally and it works OK if I access crm.test.com, but when I test extranet.test.com it says: Forbidden - You don't have permission to access / on this server.

Any ideas?


NameVirtualHost 192.168.100.11:80
ProxyRequests Off

<VirtualHost 192.168.100.11:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

<VirtualHost 192.168.100.11:80>
    ServerName extranet.test.com
    ServerAlias extranet.test.local
    ProxyPass / http://extranet.test.local/
    ProxyPassReverse / http://extranet.test.local/
    # real internal and public domains, not the literal placeholders
    ProxyPassReverseCookieDomain extranet.test.local extranet.test.com
</VirtualHost>
 

Author Comment

by:dewacorp_alliances
ID: 22805614
Adding to that:

Both internal DNS entries for crm.test.local and extranet.test.local are pointing to 192.168.100.11 (apache)
 

Author Comment

by:dewacorp_alliances
ID: 22805903
After tweaking this, we found the solution: apparently there is a setting in /etc/apache2/mods-available/proxy.conf that needs to be commented out: Deny from all
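The 403 above comes from the `<Proxy *>` container in /etc/apache2/mods-available/proxy.conf, which Apache 2.2 consults for ProxyPass targets as well as for forward-proxy requests, so its stock `Deny from all` also blocks the reverse proxy. The safe way to clear it is to allow `<Proxy *>` while leaving ProxyRequests Off, so the box never becomes an open forward proxy that anyone on the Internet can relay through. What follows is an added example written for this thread, not a file posted by anyone in it; it reuses the thread's host names and assumes extranet.test.local resolves (on the Apache box) to the IIS machine rather than to 192.168.100.11.

```apache
# /etc/apache2/mods-available/proxy.conf  (example, Debian 2.2 layout)
<IfModule mod_proxy.c>
    # Must stay Off: with ProxyRequests On and an open <Proxy *> block,
    # anyone on the Internet could relay requests through 123.123.123.123.
    ProxyRequests Off

    # Apache 2.2 applies this container to ProxyPass targets too, so the
    # stock "Deny from all" here is what produced the 403 for extranet.test.com.
    # Allowing it is acceptable only because ProxyRequests is Off above.
    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        Allow from all
    </Proxy>

    # Add a Via: header so hops through this box show up in the IIS logs.
    ProxyVia On
</IfModule>

# /etc/apache2/sites-enabled/000-default  (reverse-proxy vhost only)
NameVirtualHost *:80

<VirtualHost *:80>
    # Only the public name is served here.
    ServerName extranet.test.com

    # Assumption: extranet.test.local resolves to the IIS machine (hosts
    # entry or IP address, as suggested above), not to 192.168.100.11.
    ProxyPass        / http://extranet.test.local/
    ProxyPassReverse / http://extranet.test.local/

    # Rewrite Domain= on Set-Cookie headers coming back from IIS; with the
    # literal placeholders "internal-domain public-domain" nothing is
    # rewritten and browsers discard cookies scoped to the internal name.
    ProxyPassReverseCookieDomain extranet.test.local extranet.test.com

    ErrorLog  /var/log/apache2/extranet.test.com-error.log
    CustomLog /var/log/apache2/extranet.test.com-access.log combined
</VirtualHost>
```

Redirects and cookies are rewritten by the two ProxyPassReverse* lines, but absolute URLs inside HTML bodies are not, which is why shalomc's caveat about fully qualified URLs still applies.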
 
LVL 19

Expert Comment

by:Redimido
ID: 22806024
maybe you should start eliminating the ip address, since you are serving by the URL not by IP:

NameVirtualHost *:80
ProxyRequests Off

<VirtualHost *:80>
 
LVL 19

Expert Comment

by:Redimido
ID: 22806031
in fact, this is an example of a working setup (the internal machine is reached by ip address)

NameVirtualHost *

<VirtualHost *>
    ServerAdmin webmaster@see.me.from.outside.com
    ServerName see.me.from.outside.com
    ServerAlias see.me.from.outside.com.mx
    ProxyPass / http://10.254.0.2/
    ProxyPassReverse / http://10.254.0.2/
    ErrorLog /var/log/httpd/see.me.from.outside.com-error_log
    CustomLog /var/log/httpd/see.me.from.outside.com-access_log common
</VirtualHost>

you can replace "see.me.from.outside.com" with "extranet.test.com"
