
Re: can iptables distinguish difference between domains?



On Wed, 09 Mar 2005 12:56:46 -0700, Michael Loftis <mloftis@modwest.com> wrote:
> --On Wednesday, March 09, 2005 11:33 -0800 "Shannon R." wrote:
> > we have limited public IPs and we're trying to run as
> > many web servers behind 1 public IP as we can.
> 

If your gateway can run apache, it can reverse proxy all requests,
each to its respective server (site1, site2 etc).  This involves no
iptables rules.

If you can't run apache on the gateway, you could forward all traffic
(network layer) to one machine, and have it reverse proxy (application
layer) for sites served on the other machine(s).  iptables would take
this to site1.example.com, and apache would reverse proxy stuff for
site2.example.com from there. (big if on the gateway here).  You'll
only use one iptables rule for this.

> No.  You need some sort of higher level stuff than is default....There are
> some projects out there to provide some of this functionality, but what you
> might be better off doing is using a reverse proxy apache setup or
> something similar and let it decide who to proxy the connection to.  The
> downside is you'll lose track of who's connecting from where on the end
> servers.

You can record these logs at the proxy.  You can also use the
libapache-mod-proxy-add-forward package on the gateway, and use
libapache-mod-rpaf on site1+site2. (feel free to research those, and see
if that's accurate or not).  You could even keep the logs small on the
proxy by conditionally logging only requests with x-forwarded-for, or
anything not for site1+site2.  Everything else should end up on the
other two boxes (and you can always ignore the conditionals if you're
troubleshooting something).

Conditional Logging: (turn some requests off)
http://httpd.apache.org/docs/logs.html#conditional

> Another downside is the current netfilter modules that allow for
> this sort of behaviour are all pretty resource intensive.

With so many netfilter modules, which one are you speaking of?  (maybe
I should just look??) I do agree it will be more resource intensive,
because it'll have to inspect more data, higher up in the network
stack (OSI Model).

Thank you,


Scott Edwards
-- 
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us
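The setup Scott describes (one public IP, iptables forwarding port 80 to a single box, Apache on that box serving site1 itself and reverse proxying site2, with the proxy logging only what the backends will never see) written out as Apache 2.4 configuration. This is an added example and not part of the original thread; the host names, the 10.0.0.x addresses and the log paths are constructed, and it uses mod_remoteip on the backend in place of the older libapache-mod-rpaf mentioned above, since Apache 2.x mod_proxy already adds X-Forwarded-For on its own.

```apache
# ---- Gateway / site1 box (Apache 2.4), reached by a single iptables DNAT ----
# Constructed addresses: this box is 10.0.0.1, site2's box is 10.0.0.2.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule setenvif_module     modules/mod_setenvif.so

# Reverse proxy only. "On" would turn this host into an open forward proxy.
ProxyRequests Off

# Mark requests whose Host header names one of the two known sites; the
# backends log those themselves, so the proxy logs everything else instead
# (unknown hosts, IP-only requests, scanners hitting the bare address).
SetEnvIfNoCase Host "^(site1|site2)\.example\.com(:[0-9]+)?$" knownsite
CustomLog /var/log/apache2/proxy_other.log combined env=!knownsite

# First vhost is the default, so anything with an unexpected Host lands here.
<VirtualHost *:80>
    ServerName catchall.invalid
    DocumentRoot /var/www/empty
</VirtualHost>

<VirtualHost *:80>
    ServerName site1.example.com
    DocumentRoot /var/www/site1
    CustomLog /var/log/apache2/site1_access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.example.com
    # Pass the client's Host header through so site2's own name-based
    # vhost matches; mod_proxy appends X-Forwarded-For automatically.
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.2/
    ProxyPassReverse / http://10.0.0.2/
    # No CustomLog here: site2's box records these requests.
</VirtualHost>

# ---- site2 box (10.0.0.2): restore the real client address in its logs ----
# LoadModule remoteip_module modules/mod_remoteip.so
# RemoteIPHeader X-Forwarded-For
# Only believe the header when the request came from our proxy; otherwise a
# client could forge X-Forwarded-For and plant any address in the log.
# RemoteIPInternalProxy 10.0.0.1
# LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# CustomLog /var/log/apache2/site2_access.log combined
```

The one iptables rule on the gateway simply DNATs the public address's port 80 to 10.0.0.1; everything else in the thread (which site a request belongs to, who asked for it) is decided at the application layer by the vhost and logging directives above. Check the result with `apachectl configtest` on each box, then confirm that a request for site2 shows the client's address (not 10.0.0.1) in site2's log and does not appear in proxy_other.log.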


