From: Rolf Edwards
To: Adam Laurie
Cc: freebsd-security@FreeBSD.ORG
Date: Tue, 17 Oct 2000 10:34:03 -0600
Subject: Re: Multiple Web/SSL behind firewall
In-Reply-To: <39EC6236.419081FC@algroup.co.uk>

At 08:29 AM 10/17/2000, Adam Laurie wrote:
>Rolf Edwards wrote:
> > > > > What should I do to handle this situation? The web server will have a
> > > > > non-routeable ip, so acting as a gateway won't quite work.
> > >
> > >freeby$ cat /etc/natd.conf
> > ># redirect web to internal
> > >redirect_port tcp a.b.c.d:80 e.f.g.h:80
> > >redirect_port tcp a.b.c.d:443 e.f.g.h:443
> > >
> > >where a.b.c.d is your internal webserver address and e.f.g.h is the one
> > >you want the world to connect to.
> >
> > The problem is that there are multiple web servers so that will not work,
> > as it assumes that there is only one.
>
>You could have multiple IP aliases on your outside net. Alternatively,
>if you want them to come in on a single address, you could point them at
>a single back end server that then does the
>round-robin/load-balanced/whatever forwarding. mod_backhand is quite
>cool for this kind of stuff. (http://www.backhand.org/)

Reviewing the backhand site, it looks as though it isn't a great fit.

Do you think I can redirect the SSL port to the web port and use squid to
redirect? I think squid will do the web requests ok, but can SSL be
redirected like that? Or will the IP changes cause conflicts?

Rolf
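The "multiple IP aliases" option from Adam's reply, worked through as an added example (not code from this thread or from FreeBSD): natd's `redirect_port` matches on the external address and port only, so two internal servers that both need port 443 cannot share one public address at the NAT layer. The script below takes an assumed list of external-alias to internal-server pairs (constructed RFC 5737 / RFC 1918 sample addresses, not real hosts), emits the `natd.conf` redirect lines in the syntax quoted above plus matching `rc.conf` alias entries, and refuses to generate a configuration in which the same external address:port would be claimed twice, which is exactly the conflict the single-address setup runs into.

```python
"""Generate natd redirect_port lines for several internal web servers
behind one FreeBSD NAT box, one external alias per server.

Added example for the thread; not the original poster's configuration.
Addresses, the interface name and the alias->server pairing are assumptions.
"""
from collections import defaultdict

# Constructed sample: two internal servers, each reachable on 80 and 443.
# Each (external alias, internal server) pair is a tuple so that an
# accidental reuse of an external address can be detected rather than
# silently collapsed as it would be in a dict.
SERVERS = [
    ("192.0.2.10", "10.0.0.10"),   # external alias -> internal web server 1
    ("192.0.2.11", "10.0.0.11"),   # external alias -> internal web server 2
]
PORTS = (80, 443)
OUTSIDE_IF = "ed0"                  # assumed outside interface name


def build_redirects(servers, ports=PORTS):
    """Return natd.conf redirect_port lines, one per (server, port).

    Format follows the quoted natd.conf: 'redirect_port tcp internal:port
    external:port'. Raises ValueError if two servers would be mapped from
    the same external address:port, since natd has no way to tell the
    connections apart (no hostname is visible at the NAT layer).
    """
    claims = defaultdict(list)
    lines = []
    for external, internal in servers:
        for port in ports:
            claims[(external, port)].append(internal)
            lines.append(f"redirect_port tcp {internal}:{port} {external}:{port}")
    conflicts = {k: v for k, v in claims.items() if len(v) > 1}
    if conflicts:
        raise ValueError(f"external address:port reused: {conflicts}")
    return lines


def build_aliases(servers, interface=OUTSIDE_IF):
    """Return rc.conf ifconfig alias lines for every external address
    except the first, which is assumed to be the interface's primary
    address and therefore needs no alias entry.
    """
    externals = [ext for ext, _ in servers]
    return [
        f'ifconfig_{interface}_alias{i}="inet {ext} netmask 255.255.255.255"'
        for i, ext in enumerate(externals[1:])
    ]


if __name__ == "__main__":
    print("# /etc/rc.conf additions")
    print("\n".join(build_aliases(SERVERS)))
    print("\n# /etc/natd.conf")
    print("\n".join(build_redirects(SERVERS)))
```

Running it prints the alias and redirect lines for the two sample servers; changing the second server's external address to `192.0.2.10` makes `build_redirects` raise instead of producing a configuration that natd would accept but that could only ever deliver port 443 to one of the two hosts.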