multiple domains, multiple ip addresses, same webserver

Is it possible?

         

zuko105

8:14 pm on Sep 19, 2003 (gmt 0)

10+ Year Member



Here's one for you admin gurus.

I have multiple domains, multiple ip addresses. I want to set them up on just one webserver. Is this possible?

I know that you can make a virtual domain for webservers, and the request that comes from the browser defines to that webserver which domain it wants. But that is not what I want.

I want to know if a browser resolves a domain name to a certain ip address and the request comes down on that ip address to the webserver, then could the webserver logic say "ok, this request came for this ip address so I will send it this site information".

I am currently running tomcat standalone, but am interested in either that or just apache, or whatever, just to know if it is possible.

Thanks in advance.

Zuko

marcs

8:52 pm on Sep 19, 2003 (gmt 0)

10+ Year Member



We're doing exactly this on Apache. If you have specific questions about this type of setup, let me know.

We're not doing anything special that I can think of to make this work.

zuko105

9:36 pm on Sep 19, 2003 (gmt 0)

10+ Year Member



Hey Marcs,
Thanks for the reply.

Please let me know if you're doing this with virtual domains.

I have no problem setting this up on the same ip address, I just want to do this so that certain domains respond to certain ip address requests.

What are you using to configure this? I know the way that I don't want to do it is called "virtual domains". What would be the terminology for this technique?

Thanks again in advance.

Zuko

txbakers

9:42 pm on Sep 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have an interest in this topic as well - I'm on IIS and need to start using SSL Certificates for my various websites on the one server.

I still can't understand how my behind the firewall server can have unique external IP addresses and still be behind the router/firewall.

marcs

9:43 pm on Sep 19, 2003 (gmt 0)

10+ Year Member



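You will want to use virtual hosts:

# Apache resolves the hostname in <VirtualHost> to an IP address at startup,
# so this block is selected by the address the request arrives on.
<VirtualHost www.your_site.com>
    ServerAdmin webmaster@your_site.com
    ServerName www.your_site.com
    DocumentRoot /www/htdocs/your_site
    TransferLog logs/your_site-access-log
</VirtualHost>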

marcs

9:44 pm on Sep 19, 2003 (gmt 0)

10+ Year Member



I still can't understand how my behind the firewall server can have unique external IP addresses and still be behind the router/firewall.

Your firewall/router simply needs to know where (what machine) to send traffic for those IPs to.

zuko105

9:50 pm on Sep 19, 2003 (gmt 0)

10+ Year Member




txbakers,
be sure to open up port 443 on your firewall for the ssl communication on those external ip addresses as well.

Marcs,
One last question.

If you type in a browser the request: [ip.ip.ip.ip...]

where ip.ip.ip.ip is the ip address of each individual website, do you get each respective website that those ip's resolve to from the domain name?

Thanks again.

Zuko

txbakers

9:58 pm on Sep 19, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The router takes one WAN IP address, and then we forward port 80 requests to the IP address of the web server. Right now it's one machine and I'm using Host Headers.

When I buy multiple IPs they will be outside the firewall, but the internal machine still will have 1.

zuko105

10:04 pm on Sep 19, 2003 (gmt 0)

10+ Year Member



txbakers,
Might want to assign multiple internal ip addresses to that webserver.

Each internal address will be configured on the webserver to serve each respective site. (This is my original howto question that I am still looking for the answer to; otherwise just use hostnames, and use 1 internal address, and for that matter, just use 1 public ip address for all of the domains if you cannot figure out how to configure the webserver to serve sites based on the ip rather than the domain name.)

Set up pinholes in the firewall where requests for public ip address A on port 80 and 443 go to internal address A, requests from public ip address B, etc.....

make sure though that you open up port 443 or SSL communications will not work.

Zuko

Gorufu

1:19 am on Sep 20, 2003 (gmt 0)

10+ Year Member



I have multiple domains, multiple ip addresses. I want to set them up on just one webserver. Is this possible

Yes it is possible. Bind uses the domain's zone file to resolve an IP to a domain name, so each IP can resolve to a different domain. SSL sites must have a unique IP to work correctly.

I want to know if a browser resolves a domain name to a certain ip address and the request comes down on that ip address to the webserver, then could the webserver logic say "ok, this request came for this ip address so I will send it this site information".

If the browser requested an IP address, and only one domain resolved to that IP, the correct information would be returned, unless the webserver was configured to return something else for the requested IP.
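The behaviour asked about in the first post, choosing the site from the IP address a request arrived on, shown as an added example that is not part of any post in this thread. The site names are reused from later in the thread, the loopback addresses are constructed stand-ins for per-site addresses, and it assumes Linux, where all of 127.0.0.0/8 is local.

```python
import socket
import threading

# Constructed mapping from the address a connection arrived on to a site.
# 127.0.0.2 and 127.0.0.3 are loopback stand-ins for per-site addresses
# (assumes Linux, where all of 127.0.0.0/8 is local).
SITES = {"127.0.0.2": "www.widgetco.com", "127.0.0.3": "www.bankofjake.com"}

def serve_once(listener):
    """Accept one connection and choose the site from its local address."""
    conn, _peer = listener.accept()
    with conn:
        # The destination address is known as soon as the connection exists,
        # before a single request byte (or SSL handshake byte) is read.
        site = SITES.get(conn.getsockname()[0], "default")
        request = b""
        while b"\r\n\r\n" not in request:
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        body = f"site={site}".encode()
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s"
                     % (len(body), body))

def fetch(ip, port):
    """Request / by IP address, deliberately sending no Host header."""
    with socket.create_connection((ip, port), timeout=5) as client:
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")
        reply = b""
        while chunk := client.recv(4096):
            reply += chunk
    return reply.split(b"\r\n\r\n", 1)[1].decode()

def demo():
    """Serve each address once from a single wildcard listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("0.0.0.0", 0))  # one socket, every local address
        listener.listen()
        port = listener.getsockname()[1]
        results = {}
        for ip in SITES:
            worker = threading.Thread(target=serve_once, args=(listener,),
                                      daemon=True)
            worker.start()
            results[ip] = fetch(ip, port)
            worker.join()
    return results
```

The same lookup on the accepted socket's local address is what lets a server pick a per-site certificate before any HTTP header has arrived.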

davegerard

4:49 am on Sep 25, 2003 (gmt 0)

10+ Year Member



With IIS (Internet Information Server OR Services), there is a feature called "host headers". What that allows you to do is have multiple domains on a single IP address. IIS will take the requests for various domain names and, even though all of those domains utilize the same IP address, it will direct the request to the appropriate site. No need for virtual domains. You can run many sites on 1 IP, 1 connection, etc.

IIS supports SSL certificates for each site as well.

It works great.

davegerard

5:01 am on Sep 25, 2003 (gmt 0)

10+ Year Member



txbakers,

I don't know if you understood what zuko105 was saying there or if you even need this at all. Thought this might be a little easier put.

Your firewall has both an External IP and an Internal IP (192.168.0.1 or something). All requests from outside world would enter your firewall via the External IP, however, the firewall/router has the ability to map those requests to internal addresses (192.168.0.2 or something) via its Internal IP. Your site still appears as External to the visitor, but your router appears as local to your network.

Did that even make sense?

zuko105

1:48 pm on Sep 25, 2003 (gmt 0)

10+ Year Member



Kudos Davegerard,
That was a much better explanation than mine.

Zuko

bakedjake

2:03 pm on Sep 25, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



When I buy multiple IPs they will be outside the firewall, but the internal machine still will have 1.

Can't do that, tx. You'll need to assign separate internal IPs for every site on the machine.

You can't use host headers with SSL. Chicken-and-egg problem - the server needs to secure the connection before it gets to the point where the HTTP headers are transmitted. And if it doesn't know which site is being requested, it won't use the proper certificate.

tx, You'll need to do One-to-One NAT mapping on the PIX. Basically, let's assume you have an internal class C of 10.10.10.10.0/24, and your provider assigned you 192.168.0.0/24 (I realize this is private space, but follow me for a sec). Check it:

Let's assume your DNS has the following entries:

192.168.0.3 - www.widgetco.com
192.168.0.4 - www.pearlwidgets.com
192.168.0.5 - www.widgetsandmore.com
192.168.0.6 - www.bankofjake.com

When you set up the PIX, this will remain unchanged - you'll still assign live IP addresses in DNS. You'll tell your PIX to do one to one NAT mapping, like so:

192.168.0.3 - 10.10.10.3
192.168.0.4 - 10.10.10.4
192.168.0.5 - 10.10.10.5
192.168.0.6 - 10.10.10.6

And then, you'll set your server up with the internal (10.x) addresses. The actual commands used for the PIX are fairly trivial, but probably outside the scope of this topic.
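A consistency check for the layout in the post above, added here as an example and not taken from the thread: it walks DNS name to public IP to NAT target and flags SSL sites that would end up behind the same internal address. The `audit` function, the choice of which sites use SSL, and reading the internal network as 10.10.10.0/24 (to match the mapping table) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Sample data copied from the tables in the post above.
DNS = {
    "www.widgetco.com": "192.168.0.3",
    "www.pearlwidgets.com": "192.168.0.4",
    "www.widgetsandmore.com": "192.168.0.5",
    "www.bankofjake.com": "192.168.0.6",
}
NAT = {f"192.168.0.{n}": f"10.10.10.{n}" for n in range(3, 7)}
# Assumption: the thread does not say which of the sites use SSL.
TLS_SITES = {"www.widgetco.com", "www.bankofjake.com"}
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")

def audit(dns, nat, tls_sites, internal_net=INTERNAL_NET):
    """Return findings for a DNS -> one-to-one NAT -> web server layout."""
    findings = []
    tls_by_internal = defaultdict(list)
    for host, public_ip in sorted(dns.items()):
        internal = nat.get(public_ip)
        if internal is None:
            findings.append(f"{host}: no NAT entry for {public_ip}")
        elif ipaddress.ip_address(internal) not in internal_net:
            findings.append(f"{host}: {internal} is outside {internal_net}")
        elif host in tls_sites:
            tls_by_internal[internal].append(host)
    # The certificate is chosen from the destination address alone, so two
    # SSL sites behind one internal address would be served the same one.
    for internal, hosts in sorted(tls_by_internal.items()):
        if len(hosts) > 1:
            findings.append(
                f"{internal}: SSL sites share one address: {', '.join(hosts)}")
    return findings

# The plan quoted at the top of the post: several public IPs, one internal IP.
MANY_TO_ONE = {public_ip: "10.10.10.3" for public_ip in NAT}

if __name__ == "__main__":
    print(audit(DNS, NAT, TLS_SITES))          # one-to-one mapping
    print(audit(DNS, MANY_TO_ONE, TLS_SITES))  # many public IPs, one internal
```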

jonkchan

12:43 am on Oct 8, 2003 (gmt 0)

10+ Year Member



I am in the same situation. Our programmers are working on the project using one Windows 2003 server to host multiple web sites, each having a unique external ip. Without a firewall, we can browse the unique web site using [ip.ip.ip.ip....] My job is the hardware and OS. My problem is looking for a firewall, allowing MANY to ONE NAT. Can anyone recommend such firewall or router with firewall?

bakedjake

12:49 am on Oct 8, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



MANY to ONE NAT

I'd do one-to-one with a lot of IP addresses, much like I've described above. You can get as many internal addresses as you need from the available private space that's been allocated by IANA.

Oh, and pretty much any commercial (real) firewall will do what you're looking for. I'm a fan of the PIX for solid-state stuff, and like to roll my own BSD boxes on occasion as well.

jonkchan

2:31 am on Oct 8, 2003 (gmt 0)

10+ Year Member



Bakedjake,

Can you recommend a least price PIX for my project? So far I have only used a PIX 501.

We really want to use one server to do the job.