Old 01-31-2004
Cameron Kerr
 
Re: resolving locally

Paddy <patrick@scotcomms.co.uk> wrote:

NOTE: Have a look at my last comment first, I think that may be the most
likely cause of some of your problems.

> Hi,
>
> We have apache running a SSL site and a few name based virtual sites. This
> server sits in our DMZ. All names on the server resolve to private IPs via
> hosts.

Are you using DNS at all?

I suggest that you give each side of the firewall a different domain
name, and then each uses its own search record in /etc/resolv.conf
(btw, what is in resolv.conf?). Then, have an A or CNAME record for the
webserver registered in each domain if you need to access it via
a different IP address.

You're using name-based virtual sites, so DNS is fairly crucial, I would
have thought.

> The firewall maps public IPs to private IPs.

You mean you're doing port forwarding to get back through a NAT?

> All is working well until now. We now need to do curl from one of the
> virtual sites to the secure site.

So you're accessing what is essentially localhost? Is it accessing it
via 127.0.0.1, or the normal IP address?

> For some reason Apache is resolving the name to the Public IP
> and the Firewall is stopping this from happening.

You mean it's dropping packets? Does it work when there are ONLY the
rules for NAT installed?

Check that the reverse DNS lookups resolve to what you expect.

> If (on the local machine) I ping the name of any of the sites I get a
> response from the correct private IP. If I telnet the same name it tries to
> connect to the public IP.

What rules exactly are installed in your firewall for doing NAT?

> Why would ping return the IP from the hosts file yet Apache, Lynx and telnet
> resolve to the public IP. I noticed in host.conf that multi was set to on, I
> set this to off but it didn't help. In host.conf the order is hosts bind.

host.conf is the old version. What is in /etc/nsswitch.conf? It could
be the two are not equal, and that ping is using the older host.conf,
while the rest is using the newer nsswitch.conf.

--
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!
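The diagnosis in the reply above is that different programs on the same box may consult different resolver configuration, so one sees the /etc/hosts entry (private IP) and another the DNS answer (public IP). The script below is an added example, not code from the original thread or from Cameron Kerr: it simulates the glibc NSS "hosts:" lookup order against constructed files so the effect can be reproduced offline. Everything in it is assumed for illustration: the `.test` hostnames, the 10.0.0.x/203.0.113.x addresses, the constructed hosts and nsswitch files, and a "zone" file that stands in for a real DNS query. The host.conf `multi` setting is modelled only for the hosts-file source, and nsswitch actions such as `[NOTFOUND=return]` are stripped rather than honoured.

```shell
#!/bin/sh
# Added example (not from the original thread): simulate the glibc NSS
# "hosts:" lookup order against constructed files, to show how two tools
# that consult different resolver configuration can return different
# addresses for the same name.
# Assumptions: the DNS side is a constructed "zone" file, not a real query,
# so this runs offline; host.conf "multi" is modelled only for the files
# source; nsswitch actions such as [NOTFOUND=return] are stripped, not honoured.

# nss_hosts_order NSSWITCH_FILE
# Prints the sources named on the "hosts:" line, in order, e.g. "files dns".
nss_hosts_order() {
    sed -n 's/^hosts:[[:space:]]*//p' "$1" | sed 's/\[[^]]*\]//g'
}

# hosts_lookup HOSTS_FILE NAME [MULTI]
# Addresses for NAME from a hosts-format file. With MULTI=on every matching
# line is printed (host.conf "multi on"); otherwise only the first match.
hosts_lookup() {
    awk -v n="$2" -v multi="${3:-off}" '
        { sub(/#.*/, "") }                 # drop inline comments
        NF < 2 { next }                    # skip blank or address-only lines
        {
            for (i = 2; i <= NF; i++)
                if ($i == n) { print $1; if (multi != "on") exit; break }
        }
    ' "$1"
}

# fake_dns_lookup ZONE_FILE NAME
# Stand-in for a DNS A query: first "name address" line matching NAME.
fake_dns_lookup() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# resolve NSSWITCH_FILE HOSTS_FILE ZONE_FILE NAME
# Walks the sources in nsswitch order and returns the first answer found.
resolve() {
    for src in $(nss_hosts_order "$1"); do
        case $src in
            files) ans=$(hosts_lookup "$2" "$4") ;;
            dns)   ans=$(fake_dns_lookup "$3" "$4") ;;
            *)     ans= ;;                 # unknown source: treat as no answer
        esac
        if [ -n "$ans" ]; then
            printf '%s\n' "$ans"
            return 0
        fi
    done
    return 1
}

# --- constructed demo data (example.test names, RFC 5737 public address) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/hosts" <<'EOF'
# constructed /etc/hosts: the DMZ server's names point at its private address
127.0.0.1   localhost
10.0.0.5    www.example.test secure.example.test
10.0.0.6    www.example.test   # second entry, returned only with "multi on"
EOF
cat > "$DEMO/zone" <<'EOF'
www.example.test    203.0.113.5
secure.example.test 203.0.113.5
EOF
printf 'hosts: files dns\n' > "$DEMO/nsswitch.files-first"
printf 'hosts: dns files\n'  > "$DEMO/nsswitch.dns-first"

echo "files first: $(resolve "$DEMO/nsswitch.files-first" "$DEMO/hosts" "$DEMO/zone" secure.example.test)"
echo "dns first:   $(resolve "$DEMO/nsswitch.dns-first"   "$DEMO/hosts" "$DEMO/zone" secure.example.test)"
echo "multi off:   $(hosts_lookup "$DEMO/hosts" www.example.test | xargs)"
echo "multi on:    $(hosts_lookup "$DEMO/hosts" www.example.test on | xargs)"
```

With `hosts: files dns` the secure site resolves to the private 10.0.0.5 from the hosts file; with `hosts: dns files` the same name comes back as the public 203.0.113.5, which is the split the original poster saw between ping and telnet. On a real system, `getent hosts NAME` goes through the same nsswitch.conf path that most glibc programs use, so comparing its output with the hosts file and with a direct DNS query is the quickest way to see which source a given tool is actually trusting.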