getting to www servers from inside where they have an Internal IP

Rick Buford rick.buford at gmail.com
Sat Jan 28 15:22:07 CST 2006


I do something very similar to this, since none of our servers have
externally available IP addresses and sit behind load balancers. However,
the simplest method I found was to use DNS views to separate the internal
and external requests. You mention that a DNS solution would be too expensive
because of frequent changes, but if you wanted to automate the process, it
would be pretty straightforward to set up dynamic updating.

On 1/28/06, hanasaki <hanasaki at hanaden.com> wrote:
>
> The goal is to have an internal webserver:
>         - DONE - running on a high numbered port
>         - DONE - firewall forwards 80->7777 on webserver
>         - DONE - external hits on www.blah.com
>                 served by the httpserver
>         - ???? - internal/intranet also can hit
>                 the webserver as www.blah.com
>
> The problem is that www.blah.com resolves to the external internet IP
> and then gets routed out of the firewall which does not come back in and
> get forwarded to the internal webserver.  It would be ideal if internal
> web browser hits went straight to the internal server.
>
> I know this will work if I set up the host/domain www.blah.com on
> internal dns so it resolves to the internal server IP.  It would also
> probably work with some fancy proxy config pac for the proxy setup in
> IE/Firefox.  The DNS solution is high maintenance (hosts change quite
> often for business reasons).  The proxy pac is, from what I understand,
> fallen in disfavor and a bit of a pain to admin and keep working over
> both IE and Firefox.  Proxy pac's also require an internal website to
> get them from in the config.   We need to minimize user involvement in
> setup and also minimize overhead.
>
> Any tips? Anyone doing this now and care to share their solutions?  Any
> alternative approaches or ways to accomplish what is needed?
>
> ===============network
> Internal workstations (10.x.x.x)
> Internal webserver:7777 (10.x.x.x)
> Squid Proxy : 8080
>          ^
>          |
> intranet |
> =========|== firewall w/ NAT ==
> internet |
>          |
>          V
> The Ugly World
> web browsers hit firewall on :80
> ===============/network
>
> == proxies and http
> I am using a squid proxy on host:proxyhttp:8080 that is not transparent
> (ie: needs the proxy manually configured in the web browsers).  This is
> because transparent proxies don't work for ports other than 80, unless
> they are configured for each outgoing http port, which then always goes
> via squid and cannot be used for any other purpose.  Ran into this when
> trying to hit a CPanel at a web hoster that was on some high numbered
> port.



--
Mortality sucks...
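
The DNS-views approach from the reply above, as an added example that is not part of the original post: a `named.conf` fragment, assuming BIND 9, that serves a separate copy of the blah.com zone to internal clients and restricts dynamic updates to a single TSIG key. The ACL, view and key names, the zone file paths and the secret placeholder are assumptions.

```conf
// Added example, assuming BIND 9. Names, paths and the secret are placeholders.

// Clients that should receive the internal answer (10.x.x.x workstations).
acl "internal-nets" { 10.0.0.0/8; localhost; };

// TSIG key used only by the automation that pushes record changes.
// Generate a real secret with tsig-keygen; never reuse this placeholder.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_GENERATED_BASE64_SECRET";
};

// Views are matched in order, so the internal view must come first.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                  // internal clients may resolve other names

    zone "blah.com" {
        type master;
        file "internal/db.blah.com";   // www points at the internal 10.x.x.x server
        // Dynamic updates: only ddns-key, only the A record of www.blah.com.
        update-policy { grant ddns-key name www.blah.com. A; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                   // do not act as an open resolver for the internet

    zone "blah.com" {
        type master;
        file "external/db.blah.com";   // www points at the firewall's public IP
        allow-update { none; };        // public view is never updated dynamically
    };
};
```

Internal hosts are never listed in the external zone file, so the public view does not leak 10.x.x.x addresses; `named-checkconf` validates the syntax once a real key secret is in place.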