/sgd interface only on 1 IP, /tarantella on 2 IPs
I have the following problem.
An SGD 4.2 with 2 network interfaces, 1 in a DMZ, 1 in the internal LAN.
On the internal LAN I want users to be able to access the /sgd user interface
and the /tarantella user interface.
On the DMZ interface I only want to allow the /tarantella user interface.
If I do a redirect in the JSP pages this will affect both network "sides" of my SGD server.
My "plan" is to get Tomcat to listen only on my internal LAN IP address,
but I don't have any clue how to do this.
regards,
Cock van't Hoog
Dupaco Distribution b.v.
# 1
Hi Cock,
Sounds like Apache Access Control can be your solution.
http://httpd.apache.org/docs/2.0/howto/auth.html
ScriptAlias /tarantella/cgi-bin /opt/tarantella/var/docroot/cgi-bin
Alias /tarantella /opt/tarantella/var/docroot
<Directory /opt/tarantella/var/docroot>
Options FollowSymLinks
AllowOverride AuthConfig
Allow from 192.168.0
</Directory>
The addition I suggest for you in the httpd.conf file is the "Allow from" line. Replace "192.168.0" with your internal network. See the Apache documentation on the Allow directive:
http://httpd.apache.org/docs/2.0/mod/mod_access.html#allow
Regards,
Arno Staal
Divider B.V.
# 2
> Hi Cock,
>
> Sounds like Apache Access Control can be your
> solution.
> http://httpd.apache.org/docs/2.0/howto/auth.html
>
> ScriptAlias /tarantella/cgi-bin /opt/tarantella/var/docroot/cgi-bin
> Alias /tarantella /opt/tarantella/var/docroot
> <Directory /opt/tarantella/var/docroot>
> Options FollowSymLinks
> AllowOverride AuthConfig
> Allow from 192.168.0
> </Directory>
>
> The addition I suggest for you in the httpd.conf file
> is the "Allow from" line. Replace "192.168.0" with
> your internal network. See the Apache documentation
> on the Allow directive:
> http://httpd.apache.org/docs/2.0/mod/mod_access.html#allow
>
> Regards,
>
> Arno Staal
> Divider B.V.
Hello Arno,
Your suggestion does the opposite
and will restrict access to the /tarantella user interface and web pages.
I only want access restrictions on my /sgd virtual directory;
this is only referred to in httpd.conf as
JkMount /sgd tta
JkMount /sgd/* tta
I tried the following in the httpd.conf file:
<VirtualHost 192.168.1.1:443>
ServerName lanservername.domain.local
JkMount /axis axis
JkMount /axis/* axis
JkMount /sgd tta
JkMount /sgd/* tta
JkMount /examples/* examples
</VirtualHost>
but this results in /sgd not working on both IP addresses.
Regards,
Cock van't Hoog
Dupaco Distribution B.V.
# 3
Cock,
Can you specify if you have SGD in Firewall Traversal Mode?
If you are using the Firewall Traversal Mode you will have a question which is not that easy to answer. Since the http-packages will be sent via SGD (I always say the Security Pack) to the webserver. Apache will always think a user is connecting to 127.0.0.1 (firewall-forwarding-url).
The easiest thing I can think of is to set up 2 SGD servers. Both (or at least one) running in a separate zone.
- Remold Krol | Everett
# 4
> Cock,
>
> Can you specify if you have SGD in Firewall Traversal
> Mode?
>
> If you are using the Firewall Traversal Mode you will
> have a question which is not that easy to answer.
> Since the http-packages will be sent via SGD (I
> always say the Security Pack) to the webserver.
> Apache will always think a user is connecting to
> 127.0.0.1 (firewall-forwarding-url).
>
> The easiest thing I can think of is to set up 2 SGD
> servers. Both (or at least one) running in a separate
> zone.
>
> - Remold Krol | Everett
Hello Remold,
this helped a lot.
My final solution is this: on the LAN side the user can only use the unencrypted
/sgd interface;
the /tarantella interface, encrypted and unencrypted, works on both sides.
From the DMZ the firewall is only passing HTTPS to the SGD server,
and I disabled access to "https://server/sgd" by putting this in the
httpd.conf:
<Location /sgd/>
Order Deny,Allow
Deny from 127.0.0.1
</Location>
Remold, Arno, thanks!
regards,
Cock van't Hoog
Dupaco
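
Added example, not part of any post in the thread: a small Python model of how Apache would evaluate the final <Location /sgd/> rule, assuming (as described in reply 3) that HTTPS requests forwarded by firewall traversal reach Apache from 127.0.0.1. It also checks which paths the rule covers, since Apache's documented prefix matching does not apply <Location /sgd/> to the bare path /sgd that the JkMount lines also map. The client address 192.168.1.50, the path /sgd/index.jsp and all function names are constructed for illustration.

```python
import ipaddress

def host_matches(spec, client_ip):
    """Match a mod_access host spec: 'all', full or partial IP, or CIDR."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    return client_ip.split(".")[:len(octets)] == octets

def order_allows(order, allow, deny, client_ip):
    """Apply Order/Allow/Deny as documented for mod_access."""
    allowed = any(host_matches(s, client_ip) for s in allow)
    denied = any(host_matches(s, client_ip) for s in deny)
    if order == "deny,allow":   # default is allow; an Allow match overrides a Deny match
        return allowed or not denied
    if order == "allow,deny":   # default is deny; a Deny match overrides an Allow match
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

def location_applies(prefix, path):
    """Non-regex <Location> match: path prefix ending on a '/' boundary."""
    if not path.startswith(prefix):
        return False
    return prefix.endswith("/") or path[len(prefix):][:1] in ("", "/")

def request_allowed(rule, path, peer_ip):
    """rule = (location, order, allow_list, deny_list); no match means no restriction."""
    location, order, allow, deny = rule
    if not location_applies(location, path):
        return True
    return order_allows(order, allow, deny, peer_ip)

# The rule from the last post.
THREAD_RULE = ("/sgd/", "deny,allow", [], ["127.0.0.1"])
# Variant without the trailing slash, so the bare path /sgd is covered too.
NO_SLASH_RULE = ("/sgd", "deny,allow", [], ["127.0.0.1"])

# Constructed requests: (description, path, peer address as Apache sees it).
SAMPLES = [
    ("LAN client, plain HTTP", "/sgd/index.jsp", "192.168.1.50"),
    ("HTTPS via firewall traversal", "/sgd/index.jsp", "127.0.0.1"),
    ("HTTPS via firewall traversal", "/tarantella/", "127.0.0.1"),
    ("HTTPS via firewall traversal", "/sgd", "127.0.0.1"),
]

if __name__ == "__main__":
    for what, path, peer in SAMPLES:
        print(f"{what:30} {path:16} thread={request_allowed(THREAD_RULE, path, peer)} "
              f"no-slash={request_allowed(NO_SLASH_RULE, path, peer)}")
```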