Rob Tanner wrote:
> Hi,
> I have a web server behind a firewall and in it's own address space that
> eventually will become a DMZ. The addresses on the public side of the
> firewall are not the same as on the private side, and the firewall takes
> care of the translations. Here's the problem. Because we run a proxy
> service for the library on that server, sometimes the server has to look
> up it's own address and send a get request to itself. But what it gets
> when it looks itself up is its public, in front of the firewall
> address. And because it's behind the firewall, it can't reach that address.
>
> Normally, /etc/hosts would be the perfect solution except that the proxy
> service requires wild card lookups (i.e., *.ezproxy.linfield.edu) and
> /etc/hosts does not recognize wild cards. The option I can think of is
> running a local DNS with forwarding enabled. There are only 4 IP
> addresses that the local server will be authoritative for (one
> in-addr.arpa segment), but it needs to think that it's authoritative for
> the entire linfield.edu domain but forward any address it can't resolve
> in that domain (i.e., any hostname that not one of the 4) to one of our
> regular servers. And that's what I can't figure out how to do.
>

Forwarding is to be avoided if possible.

If your firewall can't be taught to "loop back" these requests to the
sender, or if the performance hit of that loopback is too high, then add
all of the external-only names -- including wildcards -- to the internal
version of the linfield.edu zone and point the proxy to that version. In
this way, the proxy can resolve those external-only names without
forwarding, while still resolving its own name to the internal address.

Watch out for any negative interactions between wildcards and your
internal SMTP routing, though, since some MTAs have issues with
wildcards. From the looks of it, your wildcards are limited in scope, so
this shouldn't be an issue.

If it is an issue, you may have to resort to 3 versions of linfield.edu
-- internal, external and DMZ, with the DMZ version only existing on the
proxy itself, initially.


- Kevin