- I got 2 public IP: 192.0.2.1 and 192.0.2.2
- Firewall hold all the public IP via IP aliasing (eg. eth0:1 = 192.168.0.2.1, eth0:2 = 192.0.2.2)
- I'm running authoritative DNS on my firewall
- I initially have 2 webserver inside firewall, with IP address 172.16.0.1 (xavier) and 172.16.0.2 (magneto)
- My domain name is example.com
- Subdomain www.example.com is served by xavier, and webmail.example.com is served by magneto
- DNS was configured so that www.example.com will be resolved to public IP 192.0.2.1 and webmail.example.com will be resolved to public IP 192.0.2.2
- IPTables was used to redirect port 80 from public IP to its corresponding private IP (eg. 192.0.2.1 -> 172.16.0.1)
- All webserver must run on port 80 and is using Apache 2.x.
How can I do that? I only have 2 public IP! I cannot use other non-standard port!
It comes in the mixture of DNS and Apache reverse proxy.
- add subdomain dev.example.com to resolve to public IP 192.0.2.1
- restart DNS service
On Apache 2.x web server in xavier (172.16.0.1)
- make sure mod_proxy is enabled in /etc/httpd.conf
- create a new file in /etc/httpd/conf.d/ (eg. dev.example.com.conf)
- in the file, put the following directives
ProxyPass / http://172.16.0.3/
ProxyPassReverse / http://172.16.0.3/
Allow from all
- restart Apache service
That's it. Try to surf the new subdomain http://dev.example.com using anonymous surfing site (eg. http://anonymouse.org/) and you should be presented with the content of cyclops web server.
How does it work?
- The subdomain dev.example.com will be resolved to public IP 192.0.2.1 by our DNS server.
- Request for port 80 to dev.example.com will be forwarded to the Apache web server running on xavier (172.16.0.1)
- On xavier, the VirtualHost directive is aware that it is serving for subdomain dev.example.com
- But that directive contains a ProxyPass instruction to pass all request (hence "/" or root directory) to the server cyclops (172.16.0.3)
- It also have the directive ProxyPassReverse to pass everything received from cyclops back to the client as if the root (/) is on the server
- Other directive is left as an exercise to the reader to find out
Other usage of Apache reverse proxy
- Reverse proxy can be used to mask/map port 80 to webserver hosted on non-standard port (eg. 8080) **I believe IPtables port manipulation can achieve the same result
- Shield not-so-secure I*S web server running on not-secure-at-all W*s host.
This will not protect against SQL injection or other web-based attacks. It can help to shield the server from OS related attacks because client will see that the webserver is Apache running on Linux, not I*S running on W*s. You might want to take a look at mod_security for added protection
Have fun :)