Date: Tue, 11 Dec 2001 06:57:47 +0100 From: "Benedikt Schmidt" <s_bschmi@ira.uka.de> To: Julian Elischer <julian@elischer.org> Cc: Tom Peck <tom@masaclaw.co.nz>, freebsd-net@FreeBSD.ORG Subject: Re: 1 IP - 1 Firewall - 2 Webservers Message-ID: <20011211055747.GA1486@wn4-marvin.wn4.uni-karlsruhe.de> In-Reply-To: <Pine.BSF.4.21.0112102109140.2586-100000@InterJet.elischer.org> References: <5.1.0.14.2.20011211121120.0287ddb0@mail.masaclaw.co.nz> <Pine.BSF.4.21.0112102109140.2586-100000@InterJet.elischer.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Julian Elischer <julian@elischer.org> wrote: > On Tue, 11 Dec 2001, Tom Peck wrote: > > We have ONE static IP with our ISP via a Cable Modem. Connected at our end > > of the Cable Modem is a FreeBSD Firewall / Internet Gateway for the rest of > > the internal Lan. > > > > On the Internal Network we have 2 Web / Mail servers which collect mail and > > serve HTTP requests recieved from the gateway box. > > > > INTERNET ---> GATEWAY_BOX ---> WEBSERVER_1 (www.domain1.com, bla@domain1.com) > > ---> WEBSERVER_2 (www.domain2.com, bla@domain2.com) > > ---> WORKSTATIONS > > > > > > We are currently using squid to forward on the HTTP requests to the web > > servers decided by domain requested, ie if someone goes to > > www.domain1.com/index.htm this request will be forwarded by Squid to the > > WEBSERVER_1. > > > > This has been working fine, until I decided to run some tests, and look > > through the apache logs on the WEBSERVER_1. ALL incoming Client IP's and > > Addresses are always that of the GATEWAY_BOX. This poses a problem for > > websites which have security on them for OUTSIDE addresses, as this > > security will no longer work.. Also, WebStats are going to be invalid as > > all requests are made from the Gateway IP. > > > > Does anybody have any solutions for this problem? Other software solutions > > which will fun on FreeBSD? Any help would be most appreciated - even just > > a "I wouldn't have a clue, e-mail this group" or something. > I have a solution for exactlythis problem > You need the patch I submitted for ipfw fwd of incoming packets > about 3 weeks ago. > > it allows load sharing to an arbitrary number of webservers transparently > I sent it to "net" and it had a subject of RFC: (something) > > the mail includes how to set it up.. > it uses about 1% of cpu redirecting a 10Mb ethernet to 2 servers. > (sorry to be vague but look it up in the archives with > julian AND RFC AND ipfw in the net list.. The new ipfw fwd functionality looks really nice. But it seems like Tom needs forwarding based on the name (www.domain1.com or www.domain2.com) in the HTTP GET Request. I don't think that can be handled in ipfw or ipf. One thing you could do is using both servers for both domains and use the load balancing described by Julian. This has the drawback that the servers are not separated but on the other hand you get redundancy for both servers. -- Benedikt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011211055747.GA1486>