Date:      Mon, 2 Sep 2002 02:40:05 -0700 (PDT)
From:      Pat Lashley <patl+freebsd@volant.org>
To:        freebsd-ports@FreeBSD.org
Subject:   Re: ports/42318: NATD redirect limitations
Message-ID:  <200209020940.g829e5YP093582@freefall.freebsd.org>

The following reply was made to PR ports/42318; it has been noted by GNATS.

From: Pat Lashley <patl+freebsd@volant.org>
To: Mark Weisman <mark@outlander.us>,
	freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: ports/42318: NATD redirect limitations
Date: Mon, 02 Sep 2002 02:36:28 -0700

 --On Monday, September 02, 2002 01:49:49 AM -0700 Mark Weisman
 <mark@outlander.us> wrote:
 
 >> Number:         42318
 >> Category:       ports
 >> Synopsis:       NATD redirect limitations
 > ...
 > Is there a way to redirect a singular incoming port to two internal IP
 > Addresses using NATD? I want to say the www.domain1.com and
 > www.domain3.com go to an internal address of 192.168.1.2 using
 > redirect_port tcp 192.168.1.2:http 80
 > however, I'd also like to say if I get requests for www.domain2.com that
 > they be routed to an internal IP address of 192.168.1.3 using a second
 > redirect line in my rc.conf file:      redirect_port tcp 192.168.1.3:http
 > 80
 > then have each instance of Apache webserver appropriately direct the
 > traffic to the right folder. Is there a way to do this?
 >> How-To-Repeat:
 > Build a standard IPFW firewall, with NATD services installed, and try to
 > redirect a port to multiple internal addresses.
 >> Fix:
 > Potentially use Perl scripting in my config file for rc.conf, able to
 > stipulate the name request then direct accordingly? my (reqname);
 > reqname = {remote name requested};
 > if {reqname eq "www.domain2.com"} {
 >     document.url=("192.168.1.3");
 > elsif {reqname ne "www.domain2.com"){
 >     document.url=("192.168.1.2");
 > };
 > Something like that anyways.
 
 This isn't a bug report, it's a question.  Or possibly a badly phrased
 request for enhancement.
 
 The problem is that NATd works at the IP protocol level.  It doesn't
 have much to go on besides the source and destination IP addresses,
 ports, IP protocol number, a few flags, etc.  It has no way to recognize
 an HTTP request nor to parse it.  This is a Good Thing.  It keeps natd
 simple and fast.
 
 If you actually have more than one externally visible IP address, then
 you could assign one to each of your domains and redirect based on that.
 But if you have only one, your best bet is to have natd redirect them
 all to Apache on one of the servers; and use Apache's proxy capabilities
 to forward some of the requests to the other server.
 
 
 
 -Pat
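
The single-address arrangement suggested in the reply above, sketched as an added example that is not part of the original message. It assumes Apache httpd 2.4 on 192.168.1.2 with mod_proxy and mod_proxy_http loaded; the DocumentRoot path is a placeholder, and the hostnames and addresses are the ones from the PR.

```apache
# natd keeps one rule and sends every inbound port-80 connection to the
# front server, exactly as in the PR:
#   redirect_port tcp 192.168.1.2:http 80
# The per-hostname decision is then made by Apache, which can read the
# HTTP Host header that natd never sees.

# Reverse proxy only. With forward proxying enabled, outside clients
# could relay arbitrary requests through this host.
ProxyRequests Off

# First virtual host: also the default for any Host header that matches
# no ServerName or ServerAlias, so keep its content safe to expose.
<VirtualHost *:80>
    ServerName www.domain1.com
    ServerAlias www.domain3.com
    # Placeholder path, adjust to the local layout.
    DocumentRoot "/usr/local/www/domain1"
</VirtualHost>

# Requests for www.domain2.com are relayed to the second internal server.
<VirtualHost *:80>
    ServerName www.domain2.com
    # Forward the client's original Host header so name-based virtual
    # hosts on 192.168.1.3 still match.
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.1.3/"
    # Rewrite Location headers in redirects issued by the backend.
    ProxyPassReverse "/" "http://192.168.1.3/"
</VirtualHost>
```

With this layout the server at 192.168.1.3 sees 192.168.1.2 as the peer address of every connection; the original client address arrives in the `X-Forwarded-For` header that mod_proxy_http adds, so logging and address-based access rules on the backend need to account for that.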
 
 
