On 2/12/19 6:46 AM, Rommel Rodriguez Toirac wrote:
> On February 11, 2019 2:46:47 PM GMT-05:00, Tom Eastep 
> <teas...@shorewall.net> wrote:
>> On 2/11/19 6:16 AM, Rommel Rodriguez Toirac wrote:
>>>  I have a DMZ with several hosts providing some services such as
>>> email, FTP, jabber, web and others. These services can be accessed both
>>> from the local network and from outside my network.
>>>
>>>  Until now, in the DMZ I had only one host that provided the web
>>> service (with Apache), but now on the host where the email service runs
>>> I installed an application to serve webmail access (rainloop), and it
>>> is configured using a web server (Apache); also, on another host I
>>> installed the Nextcloud+ONLYOFFICE combination as a cloud server, and
>>> it is hosted on an Apache server too.
>>>  This means that in the DMZ there are different hosts listening on
>>> ports 80 and 443.
>>>  Until now I had used a simple DNAT rule to forward all traffic
>>> coming from outside my network to ports 80 and 443 to the IP of the
>>> host where the web service is running in the DMZ:
>>>
>>> DNAT:info net dmz:192.168.14.8 tcp 80,443
>>>
>>>  But now there are three different hosts running Apache listening on
>>> ports 80 and 443, so when I try to access, from outside my local
>>> network or DMZ, the host where Nextcloud is running, the webpage
>>> that responds is the one hosted on the host running the web service,
>>> not the Nextcloud webpage.
>>>
>>>  How can I prevent this from happening? I mean, when someone outside
>>> my network tries to access the webmail (rainloop) that is running on a
>>> different host (different IP) than the host where the web service runs,
>>> the page that the user sees in the browser should correspond to the
>>> rainloop webpage, or when they try to access Nextcloud the web page
>>> should correspond to the service they are trying to access.
>>>
>>> This is the configuration of /etc/zones:
>>>
>>> fw  firewall
>>> net ipv4
>>> loc ipv4
>>> dmz ipv4
>>>
>>>  
>>> /etc/interfaces
>>>
>>> net enp4s1  tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
>>> loc enp5s0  tcpflags,nosmurfs,routefilter,logmartians
>>> dmz enp7s0  tcpflags,nosmurfs,routefilter,logmartians
>>>
>>>
>>>  /etc/policy
>>>
>>> loc net ACCEPT  info
>>> net all DROP    info
>>> all all REJECT  info
>>>
>>>
>>> The network interfaces use static IPs:
>>>
>>> enp4s1: 10.10.120.254
>>> enp7s0: 192.168.14.1
>>> enp5s0: 192.168.41.1
>>>
>>>
>>> The server IP addresses are:
>>>
>>> gtmem.gtm.onat.gob.cu - 192.168.14.3
>>> gtmd.gtm.onat.gob.cu - 192.168.14.8
>>> gtmnb.gtm.onat.gob.cu - 192.168.14.11
>>> gtmoffice1.gtm.onat.gob.cu - 192.168.14.14
>>>
>>
>> Given that you only have one external IP address and you apparently
>> want to run the web servers on separate hosts, a reverse proxy is
>> probably the best way to go. Both Apache and Nginx can be configured
>> as a reverse proxy which would run on the Shorewall system. The proxy
>> accepts incoming connections and forwards them based on the host name
>> being connected to.
>>
>> -Tom
> 
> 
>  Hello Tom;
> 
> Yes, I want to run different web servers on different hosts in the DMZ.
> 
>  You propose that I install a reverse proxy on the firewall. In the DMZ I 
> have a host configured as a proxy using Squid; with this I provide Internet 
> access to my local LAN and other hosts outside my network.  
>  Is this a problem for the solution you propose, or not?
> 
>  Thanks for your attention.
> 
> 

Reverse proxies are something different. You can accomplish a similar
thing with multiple DNAT rules per server. For gtmem.gtm.onat.gob.cu:

DNAT    net     dmz:192.168.14.3:80     tcp     10080
DNAT    net     dmz:192.168.14.3:443    tcp     10443
...

The problem with both approaches (DNAT and reverse proxy) is that
external users will have to specify a non-standard port. To access
gtmem.gtm.onat.gob.cu, the user would have to connect to:

        http://gtmem.gtm.onat.gob.cu:10080

or

        https://gtmem.gtm.onat.gob.cu:10443

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
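The name-based reverse proxy described in Tom's first reply, written out as an added example (it is not configuration from this thread or from the Shorewall project). It assumes Nginx runs on the Shorewall host, that each DMZ Apache instance listens on plain HTTP on its DMZ address, and that TLS is terminated on the proxy. The hostnames and DMZ addresses are the ones listed in the thread; 192.168.14.8 is the existing DNAT target, so it is treated as the original web server. Which of the other hosts carries rainloop (assumed: gtmem) and Nextcloud (assumed: gtmnb) is not stated in the thread, and the certificate paths are placeholders.

```nginx
# Added example, not from the thread: one public IP, three DMZ web hosts,
# routed by the Host header (HTTP) / SNI name (HTTPS) on the firewall.
# Assumptions: Nginx on the Shorewall host; backends speak plain HTTP on
# their DMZ addresses; certificate paths below are placeholders.
events {}

http {
    # One backend per DMZ host. Addresses come from the thread; the
    # rainloop/Nextcloud assignment is an assumption (see lead-in).
    upstream gtmd_web    { server 192.168.14.8:80;  }  # original web server
    upstream gtmem_mail  { server 192.168.14.3:80;  }  # rainloop webmail (assumed)
    upstream gtmnb_cloud { server 192.168.14.11:80; }  # Nextcloud (assumed)

    # Plain HTTP for all three names: send the browser to HTTPS.
    server {
        listen 80;
        server_name gtmd.gtm.onat.gob.cu gtmem.gtm.onat.gob.cu gtmnb.gtm.onat.gob.cu;
        return 301 https://$host$request_uri;
    }

    # Catch-all for any Host/SNI name that is not one of ours: close the
    # connection without answering, so the backends never see unknown names.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/ssl/PLACEHOLDER/default.crt;  # placeholder
        ssl_certificate_key /etc/ssl/PLACEHOLDER/default.key;  # placeholder
        return 444;
    }

    # Original web server (the host the single DNAT rule used to target).
    server {
        listen 443 ssl;
        server_name gtmd.gtm.onat.gob.cu;
        ssl_certificate     /etc/ssl/PLACEHOLDER/gtmd.crt;  # placeholder
        ssl_certificate_key /etc/ssl/PLACEHOLDER/gtmd.key;  # placeholder
        location / {
            proxy_pass http://gtmd_web;
            # Pass the original name and client address so Apache logs and
            # application-generated URLs refer to the public hostname.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Webmail (rainloop) on the mail host.
    server {
        listen 443 ssl;
        server_name gtmem.gtm.onat.gob.cu;
        ssl_certificate     /etc/ssl/PLACEHOLDER/gtmem.crt;  # placeholder
        ssl_certificate_key /etc/ssl/PLACEHOLDER/gtmem.key;  # placeholder
        location / {
            proxy_pass http://gtmem_mail;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Nextcloud + ONLYOFFICE.
    server {
        listen 443 ssl;
        server_name gtmnb.gtm.onat.gob.cu;
        ssl_certificate     /etc/ssl/PLACEHOLDER/gtmnb.crt;  # placeholder
        ssl_certificate_key /etc/ssl/PLACEHOLDER/gtmnb.key;  # placeholder
        client_max_body_size 512m;   # large uploads; adjust to policy
        location / {
            proxy_pass http://gtmnb_cloud;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

With the proxy on the firewall, the single DNAT rule from the original question is replaced by rules that let the net zone reach the firewall itself and let the firewall reach the DMZ backends, for example `ACCEPT net $FW tcp 80,443` and `ACCEPT $FW dmz tcp 80` in /etc/shorewall/rules (the `all all REJECT` policy otherwise blocks fw-to-dmz). Because every external request now passes through one process, this is also the natural place to keep a single access log and to reject requests for hostnames you do not serve, which the `default_server` block above does.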