
Hosting Web Server By Proxy



Our office is upgrading from an off-site web server to a new on-site web server that is behind a corporate firewall that we don't want to mess with. I'm wondering if there is a way to keep the old server running as a proxy for public users to access the new server?

My current approach is to have an ssh tunnel running between the two servers and have an unused port on the old server forwarded to port 80 on the new server, but I must be missing something because it won't work at all.

To put it simply, here is what I want to accomplish in a nutshell:

new_server_ip is invisible to the internet, so I want to map our website domain name to old_server_ip:forwarded_port so that the new server can be accessed from the outside.

Is this at all possible? Any help is appreciated.

Link to comment
Share on other sites

Maintaining tunnels like this is not a great idea. You are effectively giving everyone a tunnel to a specific port on a specific machine inside your firewall. Also you would need to make sure that the tunnel would always be up, which would involve making sure that it is created when either machine is restarted and if the ssh process fails on either machine.

Also there would be a performance issue: your bandwidth would be limited by the lowest bandwidth in the route between the browser, your web server proxy and your new web server.

It would be a much better idea to make sure your corporate network has a demilitarized zone (DMZ) which you can put your web server, and any public facing services, in. This would let you keep it separated off from your main network and then you can open a hole in your firewall for it. Finally after you have it up and running you can change the DNS for your old web server to point to your new web server.

Link to comment
Share on other sites

Placing a server in a DMZ, it's not a very good idea; it completely exposes the host to the internet, making it more vulnerable to attacks. To give the new server more protection and easy access to users from outside, I would place it behind a firewall and just forward port 80.

Any user on the outside of the network, all they need to do is type the URL into their web browser to access the web server.

Link to comment
Share on other sites

> Placing a server in a DMZ, it's not a very good idea; it completely exposes the host to the internet, making it more vulnerable to attacks. To give the new server more protection and easy access to users from outside, I would place it behind a firewall and just forward port 80.
>
> Any user on the outside of the network, all they need to do is type the URL into their web browser to access the web server.

I think you are confusing a DMZ with a DMZ host option that you find on SOHO routers. A proper DMZ doesn't expose every port on every machine in it. They are sat behind a firewall which blocks access to all ports except the ones you want open. There is also a firewall sat between the machines on the DMZ and the rest of your internal network. This blocks access to your machines from your server, and potentially to your server from your machines.

A DMZ doesn't make a host more vulnerable to attacks; it gives attackers another hurdle to get through if they do manage to get control of your exposed server.

Of course if Lupius is talking about using a SOHO router then he would be better off sticking with external hosting (perhaps a VPS if they need it to do more than hosting web pages).

Link to comment
Share on other sites
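
The DMZ layout described in the post above, as an added example that is not part of the original thread: an nftables ruleset for one firewall with three interfaces (Internet, DMZ, internal network). The interface names and the 192.0.2.10 web server address are placeholders, and a single three-legged firewall is an assumption; the same policy can be split across two firewalls.

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names and addresses are placeholders.
flush ruleset

define wan_if  = "eth0"       # Internet-facing interface
define dmz_if  = "eth1"       # DMZ segment (public-facing services)
define lan_if  = "eth2"       # internal network
define web_srv = 192.0.2.10   # web server in the DMZ (documentation address)

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname $lan_if tcp dport 22 accept    # manage the firewall from inside only
    }

    chain forward {
        # Default deny: anything not listed below is dropped.
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Internet -> DMZ: only HTTP, only to the web server.
        iifname $wan_if oifname $dmz_if ip daddr $web_srv tcp dport 80 ct state new accept

        # Internal network -> DMZ: SSH for remote administration of the server.
        iifname $lan_if oifname $dmz_if ip daddr $web_srv tcp dport 22 ct state new accept

        # Internal network -> Internet: ordinary outbound traffic.
        iifname $lan_if oifname $wan_if ct state new accept

        # DMZ -> internal network: never allowed to open connections.
        # Logged so that a compromised web server probing inward is visible.
        iifname $dmz_if oifname $lan_if log prefix "dmz-to-lan " drop

        # DMZ -> Internet falls through to the drop policy; add a narrow
        # rule here if the server needs to fetch updates.
    }
}
```

The `dmz-to-lan` log prefix gives a single string to alert on: a server in the DMZ has no legitimate reason to start connections to the internal network, so any hit is worth investigating.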

Thanks for the suggestions.

We are an off-campus research lab and we need a website to do sciency things (recruitment, collaboration, etc). The research institute we're located at has really strict IT policies so we had to host our old server on campus, which meant we had to walk over there every time something's gone majorly wrong.

I don't think we're allowed access to the corporate DMZ, if there is one. So is there really no other way to host a server locally?

Link to comment
Share on other sites

Couple of thoughts:

1) If you have access to a phone line, you could subscribe to an ISP and have your own ADSL line.

2) You could use a USB dongle from either ATA or Verizon; not sure how good the upload speed from these carriers is, so something to think about.

3) I know you said your IT policy is very strict, but have you tried talking to the IT department about whether they could open a port for your webserver on their firewall?

Link to comment
Share on other sites

> Thanks for the suggestions.
>
> We are an off-campus research lab and we need a website to do sciency things (recruitment, collaboration, etc). The research institute we're located at has really strict IT policies so we had to host our old server on campus, which meant we had to walk over there every time something's gone majorly wrong.
>
> I don't think we're allowed access to the corporate DMZ, if there is one. So is there really no other way to host a server locally?

You do realise that you can set up a server so that you can manage it remotely. Some of the servers I am responsible for are in a machine room next to me, others are located on the other side of the world. I use SSH for managing all of them (if you are using a Windows server then there are similar remote access options available). That would let you leave the machine anywhere that your IT Department policies dictate and still give you access.

If the machine has a habit of locking up completely or stopping you accessing it remotely and needs physical interaction (restarting a service or rebooting the whole machine) then figure out the cause of the problem and fix it.

> 3) I know you said your IT policy is very strict, but have you tried talking to the IT department about whether they could open a port for your webserver on their firewall?

That was my first thought after reading Lupis's post. Talk to your IT department, they will be able to help. They may well be able to offer you a virtual server in the DMZ with remote access.

If they won't help then get the most senior person you can in your department to talk to their head of department. You would be surprised how quick an IT department can become helpful when their department head has been complained to.

Link to comment
Share on other sites
