I do something very similar to this, since none of our servers have externally available IP addresses and sit behind load balancers. However, the simplest method I found was to use DNS views to separate the internal and external requests. You mention that a DNS solution would be too expensive because of frequent changes, but if you wanted to automate the process, it would be pretty straightforward to set up dynamic updating.
On 1/28/06, hanasaki [email protected] wrote:
The goal is to have an internal webserver:
 - DONE - running on a high numbered port
 - DONE - firewall forwards 80->7777 on webserver
 - DONE - external hits on www.blah.com served by the httpserver
 - ???? - internal/intranet also can hit the webserver as www.blah.com
The problem is that www.blah.com resolves to the external internet IP and then gets routed out of the firewall which does not come back in and get forwarded to the internal webserver. It would be ideal if internal web browser hits went straight to the internal server.
I know this will work if I set up the host/domain www.blah.com on internal DNS so it resolves to the internal server IP. It would also probably work with some fancy proxy config PAC for the proxy setup in IE/Firefox. The DNS solution is high maintenance (hosts change quite often for business reasons). The proxy PAC has, from what I understand, fallen into disfavor and is a bit of a pain to admin and keep working over both IE and Firefox. Proxy PACs also require an internal website to get them from in the config. We need to minimize user involvement in setup and also minimize overhead.
Any tips? Anyone doing this now and care to share their solutions? Any alternative approaches or ways to accomplish what is needed?
===============network
Internal workstations (10.x.x.x)
Internal webserver:7777 (10.x.x.x)
Squid Proxy : 8080
        ^
        |   intranet
        |
=========|== firewall w/ NAT == internet
        |
        |
        V
The Ugly World
web browsers hit firewall on :80
===============/network

== proxies and http
I am using a squid proxy on host:proxyhttp:8080 that is not transparent (i.e. needs the proxy manually configured in the web browsers). This is because transparent proxies don't work for ports other than 80, unless they are configured for each outgoing http port, which then always goes via squid and cannot be used for any other purpose. Ran into this when trying to hit a cPanel at a web hoster that was on some high numbered port.

_______________________________________________
Kclug mailing list
[email protected]
http://kclug.org/mailman/listinfo/kclug
-- Mortality sucks...
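The DNS-views approach suggested in the reply, written out as a BIND 9 named.conf fragment. This is an added example, not configuration from either poster: the internal network is assumed to be 10.0.0.0/8, the internal web server's address (10.0.0.20), the public address (192.0.2.10, from the documentation range) and the TSIG key name "ddns-key" are placeholders, and the zone file paths are invented.

```conf
// Added example (not from the thread): split-horizon DNS with BIND 9 views.
// Assumed: intranet is 10.0.0.0/8, internal web server 10.0.0.20 (placeholder),
// public address 192.0.2.10 (placeholder), TSIG key "ddns-key" (placeholder).

// Shared secret for authenticated dynamic updates. Generate a real one with
// `tsig-keygen ddns-key`; never rely on a source-IP ACL alone for updates.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

acl "intranet" { 10.0.0.0/8; 127.0.0.1; };

// Views are matched in order: intranet clients hit this one and receive the
// private address, so their browsers never leave the firewall.
view "internal" {
    match-clients { "intranet"; };
    recursion yes;
    zone "blah.com" {
        type master;
        file "internal/blah.com.zone";      // contains: www IN A 10.0.0.20
        allow-update { key "ddns-key"; };   // changes come via nsupdate + TSIG
        allow-transfer { none; };
    };
};

// Everyone else (the Internet side of the NAT) gets the public address.
// This view is read-only and does not recurse for strangers.
view "external" {
    match-clients { any; };
    recursion no;
    zone "blah.com" {
        type master;
        file "external/blah.com.zone";      // contains: www IN A 192.0.2.10
        allow-update { none; };
        allow-transfer { none; };
    };
};
```

When a host moves, an internal machine that holds the key file can push the change with `nsupdate -k ddns-key.key`; because the update arrives from a 10.x address it lands in the internal view and the external zone is untouched. Keeping the two zones in separate files also makes it easy to audit that no internal address ever appears in the public one, which is the leak a split-horizon setup is meant to prevent.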