
Re: LAN requests to internal web server (beware: involves mod_rewrite)



On Wed, Aug 17, 2005 at 01:39:03AM -0400, Peter Matulis wrote:
> When I needed to provide access to lan clients I added this line:
> 
> rdr on $INT inet proto tcp from $LAN_clients to $EXT port 80 -> 192.168.2.214
> 
> All is well.
Make sure you understand
  http://www.openbsd.org/faq/pf/rdr.html#reflect
Unless 192.168.2.214 is on a subnet separate from sonata (and replies
from 192.168.2.214 to sonata pass back through the pf box), the resets
are a normal (though possibly surprising) reaction, explained by the
document above. The easiest way to ensure this is described in the
section "Moving the Server Into a Separate Local Network", i.e. connect
the redirected-to server through a third NIC on a dedicated (sub)net.
If the setup works for some clients, but not all of them, make sure all
server replies are routed back through the pf box to all clients, and
the web server has no direct routes to any clients. On the same client
box, the browser (lynx vs. Mozilla) shouldn't matter in this regard.
The proxy's rewrite rule should not cause resets; there might be
additional problems (if only rewritten requests are reset). Make sure
the above is resolved and follow up if problems persist.
Running tcpdump with -s 1600 -vvvX might provide further hints (printing
the HTTP payload, after the TCP handshake).
Daniel
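Added illustration of the layout Daniel recommends (the redirected-to server on its own subnet behind a third NIC), written as a pf.conf fragment; this is not configuration from the thread, and the interface names, the 192.168.3.0/24 server subnet and the macro names are assumed for the example.

```pf
# Problem layout: client and web server share 192.168.2.0/24 behind $int_if.
# A LAN client sends to $ext_if:80, pf rewrites the destination to the
# server, but the server's reply goes straight back to the client on the
# shared subnet without crossing pf, so the client receives a reply from an
# address it never talked to and answers with a RST. This is the rule from
# the thread:
#
#   rdr on $int_if inet proto tcp from $lan_net to $ext_if port 80 -> 192.168.2.214
#
# Corrected layout: the server hangs off a third NIC on a dedicated subnet.
# Both directions of every connection now traverse the pf box, so the reply
# is untranslated correctly on the way back. The server's default route must
# point at the pf box's $dmz_if address and it must have no direct route to
# any LAN client.

ext_if  = "fxp0"                 # Internet-facing NIC (assumed name)
int_if  = "fxp1"                 # LAN NIC, 192.168.2.0/24 (assumed name)
dmz_if  = "fxp2"                 # dedicated server subnet, 192.168.3.0/24
lan_net = $int_if:network
web_srv = "192.168.3.214"        # assumed address of the moved web server

# Internet clients reach the server through the external address.
rdr on $ext_if inet proto tcp from any to $ext_if port 80 -> $web_srv
# LAN clients hitting the external address are redirected the same way;
# because $web_srv lives on $dmz_if, its replies must come back through pf.
rdr on $int_if inet proto tcp from $lan_net to $ext_if port 80 -> $web_srv

block all
# Translation runs before filtering, so the filter rules match on the
# already-rewritten destination $web_srv, not on $ext_if.
pass in  on $ext_if inet proto tcp from any      to $web_srv port 80 flags S/SA keep state
pass in  on $int_if inet proto tcp from $lan_net to $web_srv port 80 flags S/SA keep state
pass out on $dmz_if inet proto tcp from any      to $web_srv port 80 flags S/SA keep state
```

With the server off the LAN subnet, the reset symptom from the FAQ's reflection section disappears for all clients, and any remaining resets can be attributed to the proxy's rewrite rule rather than to routing.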