
getting to www servers from inside where they have an Internal IP



The goal is to have an internal webserver:
	- DONE - running on a high numbered port
	- DONE - firewall forwards 80->7777 on webserver
	- DONE - external hits on www.blah.com
		served by the httpserver
	- ???? - internal/intranet also can hit
		the webserver as www.blah.com

The problem is that www.blah.com resolves to the external Internet IP
and then gets routed out of the firewall, which does not come back in and
get forwarded to the internal webserver.  It would be ideal if internal
web browser hits went straight to the internal server.

What iptables rule can be put on the firewall so that internal port 80
traffic going to the external NIC on port 80 comes back to the internal
webserver on port 7777?

Is there a way to make squid get all hits to a specific address (the
external) from a different address (the internal)?  I tried jares redirector,
but that changes the URL and the web server uses virtual hosts.

I know this will work if I set up the host/domain www.blah.com on
internal DNS so it resolves to the internal server IP.  It would also
probably work with some fancy proxy config PAC for the proxy setup in
IE/Firefox.  The DNS solution is high maintenance (hosts change quite
often for business reasons).  The proxy PAC has, from what I understand,
fallen into disfavor and is a bit of a pain to admin and keep working over
both IE and Firefox.  Proxy PACs also require an internal website to
get them from in the config.  We need to minimize user involvement in
setup and also minimize overhead.

Any tips?  Anyone doing this now and care to share their solutions?  Any
alternative approaches or ways to accomplish what is needed?

===============network
Internal workstations (10.x.x.x)
Internal webserver:7777 (10.x.x.x)
Squid Proxy : 8080
         ^
         |
intranet |
=========|== firewall w/ NAT ==
internet |
         |
         V
The Ugly World
web browsers hit firewall on :80
===============/network

== proxies and http
I am using a squid proxy on host:proxyhttp:8080 that is not transparent
(i.e. the proxy needs to be manually configured in the web browsers).  This is
because transparent proxies don't work for ports other than 80, unless
they are configured for each outgoing HTTP port, which then always goes
via squid and cannot be used for any other purpose.  I ran into this when
trying to hit a cPanel at a web hoster that was on some high numbered port.
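The iptables side of the question, as an added example that is not part of the original post: a hairpin-NAT (NAT loopback) rule set for the firewall, written as a script that prints the rules so they can be reviewed before being applied. The interface names (eth0/eth1), the addresses (203.0.113.10 for the public IP, 10.0.0.1 for the firewall's LAN side, 10.0.0.20 for the web server) and the rule layout are assumptions, not values from the post; the ports 80 and 7777 are the ones the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): hairpin NAT, also called NAT
# loopback, on an iptables firewall.  LAN clients that connect to the public
# address on :80 are DNATed to the internal web server on :7777, and the
# server's replies are forced back through the firewall so the client sees
# them coming from the address it actually connected to.
# Every address and interface name below is an assumed placeholder; override
# them in the environment to match the real network.
EXT_IF="${EXT_IF:-eth0}"            # firewall NIC facing the Internet
EXT_IP="${EXT_IP:-203.0.113.10}"    # public IP on that NIC (RFC 5737 example)
LAN_IF="${LAN_IF:-eth1}"            # firewall NIC facing the intranet
LAN_NET="${LAN_NET:-10.0.0.0/8}"    # internal workstations
FW_LAN_IP="${FW_LAN_IP:-10.0.0.1}"  # firewall's own address on the LAN
WEB_IP="${WEB_IP:-10.0.0.20}"       # internal web server
WEB_PORT="${WEB_PORT:-7777}"        # high port the httpd listens on

# Print the rules instead of applying them, so they can be reviewed first.
# Apply with:  sh hairpin.sh | sudo sh
hairpin_rules() {
    # 1. The forwarding the post already has: Internet -> EXT_IP:80 -> WEB_IP:7777.
    #    Because of "-i $EXT_IF" this rule never sees packets arriving from the LAN.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:$WEB_PORT"
    # 2. Hairpin: the same DNAT for packets that arrive on the LAN side bound for the public IP.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:$WEB_PORT"
    # 3. Rewrite the source of DNATed (hairpinned) connections to the firewall's LAN
    #    address.  Without this the server would answer the workstation directly across
    #    the LAN from 10.x; the workstation has a connection open to EXT_IP, not WEB_IP,
    #    so it would treat the reply as stray and reset it.
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_IP -p tcp --dport $WEB_PORT -m conntrack --ctstate DNAT -j SNAT --to-source $FW_LAN_IP"
    # 4. Let the hairpinned flow through the FORWARD chain in both directions
    #    (LAN in, LAN out, which a default-deny FORWARD policy would otherwise drop).
    printf '%s\n' "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $WEB_IP -p tcp --dport $WEB_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $WEB_IP -p tcp --sport $WEB_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Sanity check on the generated output: how many rules redirect to the web server.
rules_to_webserver() {
    hairpin_rules | grep -c -- "--to-destination $WEB_IP:$WEB_PORT"
}

hairpin_rules
```

The rule most often missed is the POSTROUTING SNAT (3): after the DNAT the workstation still believes it is talking to the public IP, so the reply has to come back through the firewall's connection tracking, which undoes the DNAT on the way out. The cost is that for intranet hits the web server's access log records the firewall's LAN address instead of the workstation's, which is worth knowing before choosing this over the split-DNS approach the post mentions.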


