Received: (qmail 7462 invoked by uid 501); 9 Oct 2001 00:52:14 -0000 Message-Id: <20011009005214.7461.qmail@apache.org> Date: 9 Oct 2001 00:52:14 -0000 From: Craig Arno Reply-To: craig@arno.com To: submit@bugz.apache.org Subject: IP based Virtual Host firewall implementation must use ifconfig IP, not DNS IP X-Send-Pr-Version: 3.110 >Number: 8492 >Category: config >Synopsis: IP based Virtual Host firewall implementation must use ifconfig IP, not DNS IP >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: apache >Arrival-Date: Mon Oct 08 18:00:00 PDT 2001 >Closed-Date: Wed Oct 10 11:39:54 PDT 2001 >Last-Modified: Wed Oct 10 11:39:54 PDT 2001 >Originator: craig@arno.com >Release: Apache/1.3.6 (Unix) mod_ssl/2.3.9 OpenSSL/0.9.3a >Organization: >Environment: Linux arno.com 2.0.36 #13 Mon Nov 20 22:30:41 PST 2000 i686 >Description: My Linux machine is behind a firewall. The firewall forwards any port 80 or port 443 requests to an internal IP where the Linux server sits. The virtual host entries require the physical IP of the Linux network interface, not the logical DNS IP obtained from a domain name lookup. The DNS name/IP used to access the Linux system from the internet is actually connecting to and through an external firewall. Virtual host needs the physical IP as ifconfig would display, not the logical or domain IP as nslookup will display. The documentation wasn't clear on this point, but some experimenting found a workable configuration. Here is a snippet of my working httpd.conf file for this configuration: # Actual IP is 24.167.11.206:80 is forwarded to internal # IP 192.168.123.1:80. Virtual host needs the ifconfig IP, not the DNS IP. NameVirtualHost 192.168.123.1:80 ServerAdmin webmaster@arno.com DocumentRoot /home/www ServerAlias arno.com *.arno.com ServerName www.arno.com ServerAdmin kenneth@grimley.org ServerName www.grimley.org DocumentRoot /home/usr/kenneth/www ServerAlias grimley.org *.grimley.org BTW, thanks for a great product and great documentation! Craig Arno >How-To-Repeat: Buy a commercial internet router (SMC, Netgear, Asante, Linksys, ...), place the Linux machine behind it on a private IP. Then route web requests through the firewall to the Linux machine. >Fix: See the solution provided in my "Full Description". >Release-Note: >Audit-Trail: State-Changed-From-To: open-feedback State-Changed-By: slive State-Changed-When: Tue Oct 9 06:37:01 PDT 2001 State-Changed-Why: Hmmm. That case is specifically addressed at http://httpd.apache.org/docs/mod/core.html#namevirtualhost Do you have a specific suggestion on how to improve the docs? Thanks. State-Changed-From-To: feedback-closed State-Changed-By: slive State-Changed-When: Wed Oct 10 11:39:53 PDT 2001 State-Changed-Why: User was looking in the wrong documentation file. >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]