I do something very similar to this, since none of our servers have externally available ip addresses and sit behind load balancers. However, the simplest method I found was to use DNS views to separate the internal and external requests. You mention that a DNS solution would be to expensive because of frequent changes, but if you wanted to automate the process, it would be pretty straightforward to setup dynamic updating.
<br><br><div><span class="gmail_quote">On 1/28/06, <b class="gmail_sendername">hanasaki</b> <<a href="mailto:hanasaki@hanaden.com">hanasaki@hanaden.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The goal is to have an internal webserver:<br> - DONE - running on a high numbered port<br> - DONE - firewall forwards 80->7777 on webserver<br> - DONE - external hits on <a href="http://www.blah.com">
www.blah.com</a><br> served by the httpserver<br> - ???? - internal/intranet also can hit<br> the webserver as <a href="http://www.blah.com">www.blah.com</a><br><br>The problem is that
<a href="http://www.blah.com">www.blah.com</a> resolves to the external internet IP<br>and then gets routed out of the firewall which does not come back in and<br>get forwarded to the internal webserver. It would be ideal if internal
<br>web browser hits went straight to the internal server.<br><br>I know this will work if i setup the host/domain <a href="http://www.blah.com">www.blah.com</a> on<br>internal dns so it resolves to the internal server IP. It would also
<br>probably work with some fancy proxy config pac for the proxy setup in<br>IE/Firefox. The DNS solution is high maintenance (hosts change quite<br>often for business reasons). The proxy pac is, from what i understand<br>
fallen in disfavor and a bit of a pain to admin and keep working over<br>both IE and Firefox. Proxy pac's also require an internal website to<br>get them from in the config. We need to minimize user involvement in<br>setup and also minimize overhead.
<br><br>Any tips? anyone doing this now and care to share their solutions? Any<br>alternative approaches or ways to accomplish what is needed?<br><br>===============network<br>Internal workstations (10.x.x.x)<br>Internal webserver:7777 (
10.x.x.x)<br>Squid Proxy : 8080<br> ^<br> |<br>intranet |<br>=========|== firewall w/ NAT ==<br>internet |<br> |<br> V<br>The Ugly World<br>web browsers hit firewall on :80<br>===============/network
<br><br>== proxies and http<br>I am using a squid proxy on host:proxyhttp:8080 that is not transparent<br>(ie: needs the proxy manually configured in the web browsers). This is<br>because transparent proxies don't work for ports other than 80, unless
<br>they are configured for each outgoing http port, which then always goes<br>via squid and cannot be used for any other purpose. Ran into this when<br>trying to hit a CPanel at a web hoster that was on some high numbered port.
<br>_______________________________________________<br>Kclug mailing list<br><a href="mailto:Kclug@kclug.org">Kclug@kclug.org</a><br><a href="http://kclug.org/mailman/listinfo/kclug">http://kclug.org/mailman/listinfo/kclug
</a><br></blockquote></div><br><br clear="all"><br>-- <br>Mortality sucks...