- 07-09-2009 #1 Just Joined!
- Join Date
- Aug 2008
- Location
- Seattle, WA
- Posts
- 46
expose VPN services to internet
So I have an external server and an internal server connected via OpenVPN. I'd like to expose specific services on the internal server (say, apache) to the internet via the external server. I have a feeling this should be a fairly simple task involving either iptables, squid or NAT but I'm not exactly sure how to do this.
Anyone have a quick thought or tutorial link? I'd even accept a book title for something related to complex Linux networking config.
Thanks,
-rb
- 07-09-2009 #2 Just Joined!
- Join Date
- Jul 2009
- Posts
- 15
I think using squid or apache on the external server as a reverse proxy is the way to go here if you are considering web traffic. This way you are not permitting direct access to the internal server.
Is the external server already running a web server?
- 07-10-2009 #3 Just Joined!
- Join Date
- Aug 2008
- Location
- Seattle, WA
- Posts
- 46
- 07-10-2009 #4 Just Joined!
- Join Date
- Jul 2009
- Posts
- 15
Yes, mod_proxy would be the way to go I think. Give it a whirl and report back if you get stuck!
- 07-10-2009 #5 Just Joined!
- Join Date
- Aug 2008
- Location
- Seattle, WA
- Posts
- 46
Wow, it's working great. Now all I need to do is stress-test apache this evening. (It's had some stability issues so I like to slap it around after changing configs / adding modules.)
Thanks
[edit] Actually, this only works for HTTP. That's what I'm trying to do at the moment, but eventually, I may want to do this for non-HTTP protocols.
[edit2] If I have a line like:
Code:
ProxyPass /tank http://192.168.10.1/tank
and I connect to example.com/tank, it attempts to connect to 192.168.10.1. However, if I add the trailing slash (example.com/tank/), then everything works correctly. I'm lazy and leave the trailing slash off frequently, so should I just alias things to add the slash? What's the reasoning behind this behavior?
- 07-10-2009 #6 Just Joined!
- Join Date
- Aug 2008
- Location
- Seattle, WA
- Posts
- 46
- 07-10-2009 #7 Just Joined!
- Join Date
- Jul 2009
- Posts
- 15
- 07-10-2009 #8 Just Joined!
- Join Date
- Jul 2009
- Posts
- 15
- 07-15-2009 #9 Just Joined!
- Join Date
- Aug 2008
- Location
- Seattle, WA
- Posts
- 46
Well, if I do a line like
ProxyPass /nagios http://192.168.10.1/nagios3
I get cgi-bin errors. I don't think mod_proxy is doing exactly what I think it is because I'd expect the 192 address to be running the cgi and then returning the results over the proxy.
Similarly, I'm having issues with a page that uses AJAX. My requests make it to the server, but I don't ever see the server responses until I refresh.
I think this is what ProxyPassReverse was for, but I couldn't seem to get that to work either.

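Added example, not part of any post in the thread: a reverse-proxy virtual host for the external server that covers the trailing-slash redirect and the ProxyPassReverse question raised above. example.com and 192.168.10.1 are the thread's own values; the virtual-host layout and the /cgi-bin/nagios3/ path are assumptions to check against the backend's configuration.

```apache
# Added example for the external server (mod_proxy, mod_proxy_http and
# mod_alias loaded). The <VirtualHost> layout is an assumption.
<VirtualHost *:80>
    ServerName example.com

    # Reverse proxy only. With ProxyRequests On this host would also act as
    # an open forward proxy for anyone who can reach it.
    ProxyRequests Off

    # --- As posted: no trailing slash, no ProxyPassReverse ---
    # ProxyPass /tank http://192.168.10.1/tank
    # If /tank is a directory on the backend, the backend answers the
    # slashless request with "301 Location: http://192.168.10.1/tank/".
    # That header is passed through unchanged, so the browser is sent to
    # the VPN-internal address, which also discloses it.

    # --- Corrected ---
    # Add the slash on the public side, before anything is proxied.
    RedirectMatch 301 ^/tank$ http://example.com/tank/
    # Matching trailing slashes on both sides keep path mapping exact.
    ProxyPass        /tank/ http://192.168.10.1/tank/
    # Rewrites Location / Content-Location / URI response headers that
    # point at the backend so they point at this proxy instead.
    ProxyPassReverse /tank/ http://192.168.10.1/tank/

    # ProxyPassReverse touches headers only, never links inside HTML.
    # Mapping /nagios to /nagios3 leaves absolute links in the pages
    # pointing at backend paths this proxy does not serve. Using the
    # same path on both sides avoids that.
    ProxyPass        /nagios3/ http://192.168.10.1/nagios3/
    ProxyPassReverse /nagios3/ http://192.168.10.1/nagios3/
    # Assumption: the backend serves its CGIs under /cgi-bin/nagios3/.
    ProxyPass        /cgi-bin/nagios3/ http://192.168.10.1/cgi-bin/nagios3/
    ProxyPassReverse /cgi-bin/nagios3/ http://192.168.10.1/cgi-bin/nagios3/

    # The backend now sees every request as coming from this proxy's VPN
    # address, so address-based rules on the backend no longer tell
    # clients apart. Put access control for these paths on this host.
</VirtualHost>
```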