You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Craig Arno <cr...@arno.com> on 2001/10/09 02:52:14 UTC

config/8492: IP based Virtual Host firewall implementation must use ifconfig IP, not DNS IP

>Number:         8492
>Category:       config
>Synopsis:       IP based Virtual Host firewall implementation must use ifconfig IP, not DNS IP
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Oct 08 18:00:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     craig@arno.com
>Release:        Apache/1.3.6 (Unix) mod_ssl/2.3.9 OpenSSL/0.9.3a
>Organization:
apache
>Environment:
Linux arno.com 2.0.36 #13 Mon Nov 20 22:30:41 PST 2000 i686
>Description:
My Linux machine is behind a firewall.  The firewall forwards any port 80 or port 443 requests to an internal IP where the Linux server sits.  The virtual host entries require the physical IP of the Linux network interface, not the logical DNS IP obtained from a domain name lookup.

The DNS name/IP used to access the Linux system from the internet is actually connecting to and through an external firewall.  Virtual host needs the physical IP as ifconfig would display, not the logical or domain IP as nslookup will display.

The documentation wasn't clear on this point, but some experimenting found a workable configuration.

Here is a snippet of my working httpd.conf file for this configuration:

# Actual IP is 24.167.11.206:80 is forwarded to internal
# IP 192.168.123.1:80.  Virtual host needs the ifconfig IP, not the DNS IP.
NameVirtualHost 192.168.123.1:80

<VirtualHost 192.168.123.1>          
    ServerAdmin webmaster@arno.com
    DocumentRoot /home/www 
    ServerAlias arno.com *.arno.com
    ServerName www.arno.com
</VirtualHost>

<VirtualHost 192.168.123.1>          
    ServerAdmin kenneth@grimley.org
    ServerName www.grimley.org
    DocumentRoot /home/usr/kenneth/www
    ServerAlias grimley.org *.grimley.org
</VirtualHost>


BTW, thanks for a great product and great documentation!  Craig Arno
>How-To-Repeat:
Buy a commercial internet router (SMC, Netgear, Asante, Linksys, ...), place the Linux machine behind it on a private IP.  Then route web requests through the firewall to the Linux machine.
>Fix:
See the solution provided in my "Full Description".
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]