external access to intranet

[Jonas Nordström <Jo...@ei.sigma.se>]

Hello,

In our organisation, we wanted the employees to be able to reach our
intranet from anywhere on the internet. We have therefore made a gateway
using an extra linux-server, SSL, Apache and mod-perl. We wanted to
translate the incoming URL request, for example
https://gateway_server/intranet_host/filename.html
to an intranet request, in this case http://intranet_host/filename.html. We
then fetch that file using HTTP::UserAgent, massage the links if it is a
HTML file using HTML::Filter and send the response back to the client. This
works fine, but is HTML::Filter the best way to go? Would it be easier using
HTML::TreeBuilder or something else?
I would be grateful for any input.

Jonas Nordstrom

Re: external access to intranet

[Vladimir Ivaschenko <ha...@cyp.maks.net>]

Jonas Nordstr?m wrote about "external access to intranet":

> Hello,
> 
> In our organisation, we wanted the employees to be able to reach our
> intranet from anywhere on the internet. We have therefore made a gateway
> using an extra linux-server, SSL, Apache and mod-perl. We wanted to
> translate the incoming URL request, for example
> https://gateway_server/intranet_host/filename.html
> to an intranet request, in this case http://intranet_host/filename.html. We
> then fetch that file using HTTP::UserAgent, massage the links if it is a
> HTML file using HTML::Filter and send the response back to the client. This
> works fine, but is HTML::Filter the best way to go? Would it be easier using
> HTML::TreeBuilder or something else?
> I would be grateful for any input.

There a nice module for this already - Apache::RewritingProxy. I use a
modified version of it with great success.

Vladimir

Re: external access to intranet

[jwd <jw...@choice.net>]

I had exactly the same need. Only, we wanted to use SecurID for
authentication.  I found two alternatives and the best one for my use
was not a perl module but a C module called mod_securid.  Here is the
URL: http://persoweb.francenet.fr/~pasty/mod_securid/  

Patrick Asty has down an outstanding job on this.  

jim drash
<jw...@choice.net>

Jonas Nordström wrote:
> 
> Hello,
> 
> In our organisation, we wanted the employees to be able to reach our
> intranet from anywhere on the internet. We have therefore made a gateway
> using an extra linux-server, SSL, Apache and mod-perl. We wanted to
> translate the incoming URL request, for example
> https://gateway_server/intranet_host/filename.html
> to an intranet request, in this case http://intranet_host/filename.html. We
> then fetch that file using HTTP::UserAgent, massage the links if it is a
> HTML file using HTML::Filter and send the response back to the client. This
> works fine, but is HTML::Filter the best way to go? Would it be easier using
> HTML::TreeBuilder or something else?
> I would be grateful for any input.
> 
> Jonas Nordstrom

Re: external access to intranet

[Mads Toftum <ma...@toftum.dk>]

I've had to do something similar a while back, and ended up doing this without
modperl. I might end up switching to modperl one of these days.
It looks something like:

-----      ----    ----------------------    -------------------------
|SSL|  ->  |FW| -> |proxy.internaldom.dk| -> |somehost.internaldom.dk|
-----      ----    ----------------------    -------------------------

The frontend SSL server is set up with mod_proxy and has an entry
for each internal host that looks like:

ProxyPass /intra/somehost/	http://somehost.internaldom.dk/	
ProxyPassReverse /intra/somehost/      http://somehost.internaldom.dk/

And then making sure that all is handled through the proxy:

ProxyRemote http http://proxy.internaldom.dk:12345/

The internal proxy is quite simply set up to push all html through one
simple regexp:	s|http://(\w+).internaldom.dk|/intra/$1|g

Currently my proxy is based on http://muffin.doit.org/ NoThanks, but
will probably end up as some kind of Apache/mod_perl once I get my
new proxy machine.

There is two obvious advantages about this approach - only one regexp,
which means only one pass of the html is needed and that the connection
from the external machine through the firewall is restricted to one
simple rule in the FW machine and that it can be easily protected with
encryption/authentication.

This probably doesn't answer your question ;-) But I hope that at least
the idea is useful.

vh

Mads Toftum, QDPH

Re: external access to intranet

[darren chamberlain <da...@boston.com>]

Jonas Nordström (Jonas.Nordstrom@ei.sigma.se) said something to this effect:
> Hello,
> 
> In our organisation, we wanted the employees to be able to reach our
> intranet from anywhere on the internet. We have therefore made a gateway
> using an extra linux-server, SSL, Apache and mod-perl. We wanted to
> translate the incoming URL request, for example
> https://gateway_server/intranet_host/filename.html
> to an intranet request, in this case http://intranet_host/filename.html. We
> then fetch that file using HTTP::UserAgent, massage the links if it is a
> HTML file using HTML::Filter and send the response back to the client. This
> works fine, but is HTML::Filter the best way to go? Would it be easier using
> HTML::TreeBuilder or something else?
> I would be grateful for any input.
> 
> Jonas Nordstrom

Have you considered ProxyPass, from mod_proxy, one of the standard
Apache modules (no mod_perl or custom programming required).

Something like:

ProxyPass /intranet_host http://intranet_host/
<Location /intranet_host>
  AuthName "Intranet"
  AuthType Basic
  ...etc
</Location>

This will set it up so that all request to 
http://gateway_server/intranet_host/some/file.html get translated to
http://intranet_host/some/file.html (you need to be careful with
absolute pathnames on the intranet server's pages).

darren

-- 
Jazz is not dead...it just smells funny.