Stupid network question.
Nov. 29th, 2007 02:06 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
theweaselkingI've got a lovely smart SonicWall firewall.
I have multiple servers behind it.
I have multiple domain names.
I want to forward port 443 to machine A if the URL is "vpn.domain1.com" and to machine B if the url is "servername.domain2.com".
Both of those are the same IP in DNS, because that single IP is how you get to my network.
This HAS to be perfectly possible. Is there an easy way to do it from the firewall? If not, I suspect I can configure a server to use squid or the like to redirect, so I send all traffic to that server, which then forwards it to the correct server - does that seem sensible to you?
(right now, I've got one of them running a nonstandard port. I want to stop doing that.)
I have multiple servers behind it.
I have multiple domain names.
I want to forward port 443 to machine A if the URL is "vpn.domain1.com" and to machine B if the url is "servername.domain2.com".
Both of those are the same IP in DNS, because that single IP is how you get to my network.
This HAS to be perfectly possible. Is there an easy way to do it from the firewall? If not, I suspect I can configure a server to use squid or the like to redirect, so I send all traffic to that server, which then forwards it to the correct server - does that seem sensible to you?
(right now, I've got one of them running a nonstandard port. I want to stop doing that.)
(no subject)
Date: 2007-11-29 07:42 pm (UTC)Yes, but I can server multiple sites from the webserver easily. I don't want to do that - I want multiple destination servers, based on the name the surfer puts in.
the router would need to 1) tell the difference between VPN and web traffic
No, it wouldn't. Traffic to the first machine name goes to the first machine. Traffic to the second machine name goes to the second machine. Content of the traffic should not be relevant.
But yes.
(no subject)
Date: 2007-11-29 09:36 pm (UTC)The problem is that it doesn't know the machine name.
Oh, well, no worries.
(no subject)
Date: 2007-11-30 06:57 pm (UTC)This is a classic case for an application-level proxy, not a firewall - for example, it should be doable with apache in a reverse-proxy style setup (with a proper SSL-certificate for *.foo.tld). There's stuff that can do this (the better load-balancers for example, Radware etc.), but that's about a magnitude or two more expensive than a shitty SonicWall.
(no subject)
Date: 2007-11-29 08:20 pm (UTC)No.
The sonicwall has one-to-one NAT, but doesn't have port forwarding capabilities (which is what your scenario would need) because that requires full state packet inspection, which it doesn't perform. Sadly, expensive firewall can't perform a function that a cheap Chinese DSL router can perform. Granted, the firewall runs much faster than the cheap Chinese DSL router, and can handle multiple concurrent ethernet connections and tonnes of external IPs.
Or, to put it another way: The SonicWall's routing tables are DNS-ignorant. The report functions can resolve DNS, however the only thing the core architecture cares about is MAC and IP.
Sorry. I had the same issue. Thankfully my company has a netblock with a few IPs to spare.
(no subject)
Date: 2007-11-30 01:45 am (UTC)Run one and only one HTTPS/443 webswerver on the internal notwork. Make it apache with name-based virtualhosing. One virtual host for vpn.domain1.com and one for servername.domain2.com.
Give each virtualhost a DirectoryRoot of nothingness. Your magical configuration directive is:
ProxyPass ProxyPass / http://192.168.1.3/
Where "3" is the addy of the machine to which you want access. A different ProxyPass for each virtualhost.
Of course, this is nothing like what you were asking for. It centralizes the SSL on your apache instance, so you won't have separate certificates for each thingy, unless you set them up as SSL virtualhosts with independant certificates, etc. Additionally, it introduces the apache thingy as a single point of failure, etc.
But, I got the impression that it was a user experience you were trying to accomplish. It'll do the trick.
Personally, though, I use https://stupid.domain.com/server1/ and /server2/ as proxypasses instead of based on DNS. And I proxypass to other apaches on localhost so I can have different module version setups for different apps.
(no subject)
Date: 2007-11-30 02:29 am (UTC)And your solution seems to solve my problem (which is to say, the use of ugly ":port"s on the end of URLs for my users).
This is promising and entirely worthy of consideration.
So:
I take my existing SSL site, set the router to forward to 443 on it.
In my happy /sites-available/hostname file, I edit it to be which should cause all connections to thing.domain1.com to go right through blindly to it, and pass back the same way, and all connections to servername.domain2.com to be served locally?
I don't actually want multiple apaches running, but, if I did, I'd set up the other apaches to listen on other ports and I'd add a
"{VirtualHost *:443}
ServerName otherapache.me.com
ProxyPass / https://localhost:port/ " entry up top, right?
That seems... too easy. I like easy, mind, but this is a web server. Having things make that much sense is just weird.
But does it seem I've got the gist of it?
And if I wanted to do it your way, I'd have just one VirtualHost and just one SSL cert that gets called up, and then I'd have multiple ProxyPass statements:
ProxyPass /vpn/ https://[VPN IP HERE]/
ProxyPass /site1/ http://[other webserver]/
ProxyPass /ninjas/ http://localhost:1492/ohgod_ninjas/
(no subject)
Date: 2007-11-30 02:44 am (UTC)I forgot to warn you about that feeling.
Hang in there, you'll start to see the other caveats.
Weird things in the logs. Two logs to read instead of one. Internal apaches making up broken permalinks, etc.
(no subject)
Date: 2007-11-30 02:50 am (UTC)After all, it genuinely only cares about people who log in, and ALREADY logs itself to the apache server's syslog server all on it's own.
And the main server isn't going to change. It's just going to lose connections to domain1.com
(But, really, I have the concept down? And my syntax appears basically correct, including the ability to not include an SSL cert in my VirtualHost but to simply ProxyPass an HTTPS link?)
I plan to try all this out tomorrow morning, at work. I'd just rather have any REALLY obvious problems not waste my time, then.
And, by the way, Rob, I owe you a beer. Or a scotch. Or a coffee. Or whatever, the point is thanks a lot for the help you've offered on this and other problems.
(no subject)
Date: 2007-11-30 03:05 am (UTC)I use it all the time, and couldn't imagine my life without it.
I like to put all images, static content and SOAP services on apaches with a tiny memory footprint, and ProxyPass the web UI in to another apache that has perl and php and bloat. Superfly.
(no subject)
Date: 2007-11-30 03:11 am (UTC)You said:
ProxyPass /vpn/ https://[VPN IP HERE]/
That should work, based on my experience, but it's silly. The ProxyPasser will then be decrypting the traffic and re-encrypting. The user will see the cert installed on the ProxyPasser, not the cert from the internal host.
I believe this is what's referred to as a man-in-the-middle attack.
Works like a charm. Stupid as hell.
(no subject)
Date: 2007-11-30 03:39 am (UTC)I was hoping it would simply pass the traffic through without giving a shit, at all, about the actual content, or parsing any of it. That's not so good.
So, since...
1) the internal host *simply doesn't do* anything but HTTPS (being, itself, a hardware SSL-VPN device),
2) while I would love to have it simply serve HTTP I am also fine with the overhead involved in encrypting/decrypting the traffic if that's the only *real* cost of doing it this way[1]
3) I can't make *it* the primary server and have the web server just server HTTP, as much as I might want to
... do you have any suggestions beyond "create a cert for the VPN name on the Apache server and the users simply won't see what's going on"?
If there's a better way to do this, I'm all ears. I just don't know what that might be. And if this doesn't actually compromise security as long as the referrer is good, it might be worth doing.
[1]: As in, I might be perfectly willing to MITM my own SSL-VPN if it doesn't show to the outside world, since the most important things on the network are on the original Apache server. And, as far as I can tell, to take advantage of the flaw in this setup, one would have to compromise the Apache server, at which point the VPN is totally not my biggest worry, at all.
(no subject)
Date: 2007-11-30 11:50 am (UTC)Ie, you'll need your vpn.domain1.com certificate to be the same as the https.domain2 certificate.com, and either the browser or VPN client may then get an authentication issue (since the DNS name they're using won't match the name presented in the cert). Wildcard names, or certificates listing multiple domain names may help you, somewhat.
Here's an old but still slightly handy O'Reilly (http://www.onlamp.com/pub/a/apache/2005/02/17/apacheckbk.html) link, and some information (http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/) on a TLS extension that doesn't sound production-grade, yet.
(no subject)
Date: 2007-11-30 01:00 pm (UTC)You could run the VPN through the firewall on port 4433, with the apache server on 443 and 80. When someone accesses /vpn/ on the apache server, they just get back a redirect to port 4433.
Of course, the user's source network might be proxied and only permit access to ports 80 and 443.
(no subject)
Date: 2007-11-30 07:33 pm (UTC)Because making things Just Work is always a good thing, and this *seems* so simple, on paper - make the firewall put HTTPS to servername 1 to IP 1, servername 2 to IP 2.
And, really, it seems it's not as simple as I was hoping, but that doesn't make it not worth doing if the results are good.
(no subject)
Date: 2007-11-30 08:04 pm (UTC)Why not do the redirect to the secondary port?
(no subject)
Date: 2007-11-30 08:25 pm (UTC)As in, I don't think it's *possible* to have it listen to anything else. It demands an IP, but doesn't have any options to run it on a different port.
(I've contacted support about that)
(no subject)
Date: 2007-11-30 11:49 pm (UTC)(no subject)
Date: 2007-12-01 03:43 am (UTC)(and SonicWall devices don't let you change ports. Instead, you can only make firewall rules based on letting the ports of a "service" go from WAN to LAN to DMZ and whatever, and creating a "service" means setting a static port range.
Meaning, you can't put port X to port Y on this firewall. And no, I don't know why they did that.)
(no subject)
Date: 2007-12-01 07:55 am (UTC)I had a router once that couldn't pass from one port to another, but it cost me $30. While I was saving up $35 for a better one, here's what I did:
Forward port 4343 to Linux box. Port-forward 4343 on the Linux machine to 443 on the hardware appliance.
Worked like a charm for other protocols on other ports, don't see why it wouldn't work in your case.
(no subject)
Date: 2008-01-16 10:26 pm (UTC)I've got:
The server name works for all local stuff, I've got mod_proxy enabled, and I'm trying to make everything on https://server.domain.com/zimbra/ be loaded from http://192.168.1.15/
And I can't seem to make that work. I'm currently getting 403 Forbidden, with the error in the logs being
[Wed Jan 16 17:18:12 2008] [error] [client 192.168.1.1] client denied by server configuration: proxy:http://192.168.1.15/
All the proxy modules are enabled, but I'm obviously missing something critical, and it's probably something stupid.
Ideas?
(no subject)
Date: 2008-01-17 01:45 am (UTC)If it's "GET https://server.domain.com/zimbra HTTP/1.1" instead of "GET https://server.domain.com/zimbra/ HTTP/1.1" then that's your problem. The probypass requires you to add the / after zimbra.
Also, you're not telling me if that log is from the "ServerName server.domain.com" apache, or from the "ServerName 192.168.1.15" apache.
(no subject)
Date: 2008-01-17 02:16 am (UTC)And the 403 error message comes from it, not from 192.168.1.15.
Access log: [16/Jan/2008:21:10:17 -0500] "GET /zimbra/ HTTP/1.1" 403 372 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
Error log: [Wed Jan 16 21:10:17 2008] [error] [client 99.240.165.140] client denied by server configuration: proxy:http://192.168.1.15/
192.168.1.15's apache logs nothing at all when I make this attempt.
(no subject)
Date: 2008-01-17 02:40 am (UTC)It might not be the proxypass itself that you're having trouble with.
(no subject)
Date: 2008-01-17 03:08 am (UTC)(no subject)
Date: 2008-01-17 03:16 am (UTC)I didn't have a
[proxy *]
allow from all
[/proxy]
block
Now it's fixed, and I feel dumb.
Thanks!
(no subject)
Date: 2008-01-17 03:25 am (UTC)(no subject)
Date: 2008-01-17 03:42 am (UTC)And this is one of them.
(no subject)
Date: 2008-01-17 04:55 am (UTC)(no subject)
Date: 2008-01-17 04:58 am (UTC)But I'm going to pretend it is in this case.
(no subject)
Date: 2007-11-30 06:20 am (UTC)(no subject)
Date: 2007-11-30 01:27 pm (UTC)(no subject)
Date: 2007-11-30 07:41 pm (UTC)So it doesn't do packet inspection, meaning it can't parse the headers, or so I hear from the other people who user them.