Date:      Tue, 11 Dec 2001 06:57:47 +0100
From:      "Benedikt Schmidt" <s_bschmi@ira.uka.de>
To:        Julian Elischer <julian@elischer.org>
Cc:        Tom Peck <tom@masaclaw.co.nz>, freebsd-net@FreeBSD.ORG
Subject:   Re: 1 IP - 1 Firewall - 2 Webservers
Message-ID:  <20011211055747.GA1486@wn4-marvin.wn4.uni-karlsruhe.de>
In-Reply-To: <Pine.BSF.4.21.0112102109140.2586-100000@InterJet.elischer.org>
References:  <5.1.0.14.2.20011211121120.0287ddb0@mail.masaclaw.co.nz> <Pine.BSF.4.21.0112102109140.2586-100000@InterJet.elischer.org>

Julian Elischer <julian@elischer.org> wrote:
> On Tue, 11 Dec 2001, Tom Peck wrote:
> > We have ONE static IP with our ISP via a Cable Modem.  Connected at our end 
> > of the Cable Modem is a FreeBSD Firewall / Internet Gateway for the rest of 
> > the internal Lan.
> > 
> > On the Internal Network we have 2 Web / Mail servers which collect mail and 
> > serve HTTP requests received from the gateway box.
> > 
> > INTERNET ---> GATEWAY_BOX  ---> WEBSERVER_1 (www.domain1.com, bla@domain1.com)
> >                             ---> WEBSERVER_2 (www.domain2.com, bla@domain2.com)
> >                             ---> WORKSTATIONS
> > 
> > 
> > We are currently using squid to forward on the HTTP requests to the web 
> > servers decided by domain requested, ie if someone goes to 
> > www.domain1.com/index.htm this request will be forwarded by Squid to the 
> > WEBSERVER_1.
> > 
> > This has been working fine, until I decided to run some tests, and look 
> > through the apache logs on the WEBSERVER_1.  ALL incoming Client IP's and 
> > Addresses are always that of the GATEWAY_BOX.  This poses a problem for 
> > websites which have security on them for OUTSIDE addresses, as this 
> > security will no longer work..  Also, WebStats are going to be invalid as 
> > all requests are made from the Gateway IP.
> > 
> > Does anybody have any solutions for this problem?  Other software solutions 
> > which will run on FreeBSD?  Any help would be most appreciated - even just 
> > a "I wouldn't have a clue, e-mail this group" or something.

> I have a solution for exactly this problem
> You need the patch I submitted for ipfw fwd of incoming packets
> about 3 weeks ago.
> 
> it allows load sharing to an arbitrary number of webservers transparently
> I sent it to "net" and it had a subject of RFC: (something)
> 
> the mail includes how to set it up..
> it uses about 1% of cpu redirecting a 10Mb ethernet to 2 servers.
> (sorry to be vague but look it up in the archives with 
> julian AND RFC AND ipfw    in the net list..

The new ipfw fwd functionality looks really nice. But it seems like
Tom needs forwarding based on the name (www.domain1.com or
www.domain2.com) in the HTTP GET Request. I don't think that can
be handled in ipfw or ipf. 
One thing you could do is to use both servers for both domains and
use the load balancing described by Julian. This has the drawback
that the servers are not separated but on the other hand you get
redundancy for both servers.

-- 
Benedikt
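
Added example, not part of the original message and not code from squid or ipfw: it shows why the split between www.domain1.com and www.domain2.com needs a proxy that reads the HTTP Host header, and how a backend can recover the client address that the web server logs lost. The backend and gateway addresses, the function names, and the use of an X-Forwarded-For header set by the gateway are assumptions.

```python
import ipaddress

# Assumed addresses, constructed for this example (not from the thread).
BACKENDS = {"www.domain1.com": "192.168.1.11", "www.domain2.com": "192.168.1.12"}
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.1")}  # GATEWAY_BOX, inside interface


def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to lists of values from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def pick_backend(raw: bytes):
    """Gateway: choose by Host header. A packet filter sees only addresses and ports."""
    hosts = parse_headers(raw).get("host", [])
    if len(hosts) != 1:                          # missing or duplicated Host: refuse
        return None
    return BACKENDS.get(hosts[0].lower().split(":")[0])


def forward_head(raw: bytes, peer_ip: str) -> bytes:
    """Gateway: drop any client-supplied X-Forwarded-For, then record the real peer."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = [l for l in head.split(b"\r\n")
             if l.split(b":", 1)[0].strip().lower() != b"x-forwarded-for"]
    lines.append(b"X-Forwarded-For: " + peer_ip.encode("ascii"))
    return b"\r\n".join(lines) + sep + body


def client_ip(raw: bytes, peer_ip: str) -> str:
    """Backend: believe X-Forwarded-For only when the TCP peer is the gateway."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return peer_ip
    xff = parse_headers(raw).get("x-forwarded-for", [])
    try:
        return str(ipaddress.ip_address(xff[-1].split(",")[-1].strip()))
    except (IndexError, ValueError):             # header absent or not an address
        return peer_ip


# Constructed request: an outside client claiming an internal address in the header.
SAMPLE = (b"GET /index.htm HTTP/1.1\r\nHost: www.domain1.com\r\n"
          b"X-Forwarded-For: 192.168.1.50\r\n\r\n")
```

Address-based access rules and log statistics on the web servers would use the value returned by `client_ip` instead of the socket peer address.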
