getting to www servers from inside where they have an Internal IP

hanasaki hanasaki at hanaden.com
Sat Jan 28 14:08:03 CST 2006


The goal is to have an internal webserver:
	- DONE - running on a high numbered port
	- DONE - firewall forwards 80->7777 on webserver
	- DONE - external hits on www.blah.com
		served by the httpserver
	- ???? - internal/intranet also can hit
		the webserver as www.blah.com

The problem is that www.blah.com resolves to the external internet IP
and then gets routed out of the firewall, and it does not come back in to
get forwarded to the internal webserver.  It would be ideal if internal
web browser hits went straight to the internal server.

I know this will work if I set up the host/domain www.blah.com on
internal DNS so it resolves to the internal server IP.  It would also
probably work with some fancy proxy config pac for the proxy setup in
IE/Firefox.  The DNS solution is high maintenance (hosts change quite
often for business reasons).  The proxy pac has, from what I understand,
fallen into disfavor and is a bit of a pain to admin and keep working over
both IE and Firefox.  Proxy pacs also require an internal website to
get them from in the config.  We need to minimize user involvement in
setup and also minimize overhead.

Any tips?  Anyone doing this now and care to share their solutions?  Any
alternative approaches or ways to accomplish what is needed?

===============network
Internal workstations (10.x.x.x)
Internal webserver:7777 (10.x.x.x)
Squid Proxy : 8080
         ^
         |
intranet |
=========|== firewall w/ NAT ==
internet |
         |
         V
The Ugly World
web browsers hit firewall on :80
===============/network
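As an added example (not part of the original post): the two fixes on the table here, the firewall forward and the internal DNS view, can both be derived from one inventory, which takes most of the "hosts change often" maintenance out of the split-DNS route. The code below also writes the hairpin rule for the case described above, where a LAN client resolves the public address and the connection would otherwise leave through the firewall and never come back. The addresses (203.0.113.10, 10.0.0.5, 10.0.0.0/8), the interface name eth0 and all function names are assumptions, not taken from the post.

```python
"""One inventory, two derived artifacts: the firewall port-forward rules
(including a hairpin rule for LAN clients) and the A records for an
internal-only DNS view.  Added example, not from the original post; the
addresses (documentation ranges), interface name and host names are made up."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Service:
    fqdn: str           # public name the users type
    external_ip: str    # address the public DNS record points at
    external_port: int  # port the firewall accepts on
    internal_ip: str    # the real server on the LAN
    internal_port: int  # port the daemon actually listens on


# Constructed sample inventory: www on a high port behind a NAT firewall.
INVENTORY = (
    Service("www.blah.com", "203.0.113.10", 80, "10.0.0.5", 7777),
)
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed LAN range
EXT_IFACE = "eth0"                       # assumed Internet-facing interface


def forwarding_rules(svc, lan=INTERNAL_NET, ext_iface=EXT_IFACE):
    """iptables commands for one service.

    Rule 1 is the ordinary port forward for packets arriving from the Internet.
    Rules 2 and 3 are the hairpin: a LAN client that resolved the public
    address is DNATed too, and its packets are source-NATed so the server
    replies via the firewall rather than straight back to the client (which
    would see a reply from 10.0.0.5 for a connection it opened to 203.0.113.10
    and drop it).
    """
    target = f"{svc.internal_ip}:{svc.internal_port}"
    return [
        f"iptables -t nat -A PREROUTING -i {ext_iface} -p tcp -d {svc.external_ip} "
        f"--dport {svc.external_port} -j DNAT --to-destination {target}",
        f"iptables -t nat -A PREROUTING -s {lan} -p tcp -d {svc.external_ip} "
        f"--dport {svc.external_port} -j DNAT --to-destination {target}",
        f"iptables -t nat -A POSTROUTING -s {lan} -p tcp -d {svc.internal_ip} "
        f"--dport {svc.internal_port} -j MASQUERADE",
    ]


def nat_target(client_ip, dst_ip, dst_port, inventory=INVENTORY, lan=INTERNAL_NET):
    """Where a TCP connection ends up once the rules above are loaded.

    Returns (rule, internal_ip, internal_port) when a forward applies, else
    None.  Clients inside `lan` are matched by the hairpin rule, everyone
    else by the external-interface rule; the destination is the same.
    """
    via = "hairpin" if ip_address(client_ip) in lan else "external"
    for svc in inventory:
        if dst_ip == svc.external_ip and dst_port == svc.external_port:
            return (via, svc.internal_ip, svc.internal_port)
    return None


def internal_records(inventory=INVENTORY):
    """A records for the internal DNS view (the split-horizon alternative)."""
    return [f"{svc.fqdn}. IN A {svc.internal_ip}" for svc in inventory]


def dns_only_port_gap(svc):
    """True when split DNS alone is not enough: the browser still connects on
    the public port, so the daemon must also listen there on the LAN (or a
    local redirect is needed) unless the two ports already match."""
    return svc.external_port != svc.internal_port


if __name__ == "__main__":
    for svc in INVENTORY:
        print("\n".join(forwarding_rules(svc)))
        if dns_only_port_gap(svc):
            print(f"# split DNS alone leaves {svc.fqdn} on port "
                  f"{svc.external_port} -> {svc.internal_port} mismatch")
    print("\n".join(internal_records()))
```

The hairpin rules go on the firewall's nat table and need no change on workstations or in DNS; the MASQUERADE rule is the part people usually forget, and without it the internal server answers the client directly and the TCP handshake never completes. The port-gap check is the catch with the DNS-only approach in this setup: pointing www.blah.com at 10.0.0.5 internally still sends browsers to port 80, not 7777.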

== proxies and http
I am using a squid proxy on host:proxyhttp:8080 that is not transparent
(i.e. needs the proxy manually configured in the web browsers).  This is
because transparent proxies don't work for ports other than 80, unless
they are configured for each outgoing http port, which then always goes
via squid and cannot be used for any other purpose.  I ran into this when
trying to hit a CPanel at a web hoster that was on some high numbered port.
