Dear all,

we would like to run multiple Apache 2.2 instances as frontend / proxy to separate concerns of different applications and clients. The idea was to run a separate Apache configured to listen exclusively on a virtual interface, e.g. eth1:10, eth0:11, etc., for each Tomcat backend server. That way we thought it should be possible to have fine-grained security policies / firewall rules to control the connections between the Apache instance and the Tomcat servers.

Our testbed on CentOS 5 has shown a major issue: even though the Apache instances are only listening on their own virtual IP, mod_jk and mod_proxy are using the IP address of the physical interface of the Apache host to connect to the Tomcat backends. This renders the setup pretty useless, as we could not control which Apache instance should be allowed access to a specific Tomcat server. netstat shows all connections from the Apache instances to port 8009 / 8080 are originating from the "real" IP address of the Apache host instead of the configured "Listen" address.

Is there a way to bind an Apache instance to use only a specific virtual interface? Listen xxx.xxx.xxx.xxx seems to be useless for backend connections that are established by mod_proxy / mod_jk.

Thanks in advance for any suggestions!

Dirk
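The netstat observation in the post follows from how a TCP client's source address is chosen: the address of a listening socket plays no part, and the kernel picks the source unless the client calls bind() before connect(). The sketch below is an added example, not part of the original post or of Apache's code; it shows what a backend sees in both cases. The loopback addresses are constructed stand-ins (127.0.0.1 for the Tomcat host, 127.0.0.2 for the virtual IP) and assume Linux, where all of 127.0.0.0/8 is local.

```python
import socket
import threading

BACKEND_IP = "127.0.0.1"   # constructed stand-in for the Tomcat host
VIRTUAL_IP = "127.0.0.2"   # constructed stand-in for the eth1:10 alias


def source_seen_by_backend(bind_source=None):
    """Open one frontend->backend connection; return the peer IP the backend sees."""
    # Frontend "Listen" socket: bound to the virtual IP, affects inbound only.
    front = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    front.bind((VIRTUAL_IP, 0))
    front.listen(1)

    # Backend listener (plays the AJP/HTTP connector) on an ephemeral port.
    backend = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    backend.bind((BACKEND_IP, 0))
    backend.listen(1)
    backend.settimeout(5)
    seen = []

    def accept_one():
        conn, peer = backend.accept()
        seen.append(peer[0])       # the address a firewall rule would match on
        conn.close()

    t = threading.Thread(target=accept_one)
    t.start()

    # Outbound socket, opened the way a proxy module opens a backend connection.
    out = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    out.settimeout(5)
    if bind_source:
        out.bind((bind_source, 0))  # explicit source address, ephemeral port
    out.connect(backend.getsockname())
    t.join()
    for s in (out, backend, front):
        s.close()
    return seen[0]


if __name__ == "__main__":
    print("no bind():   ", source_seen_by_backend())
    print("bind() first:", source_seen_by_backend(VIRTUAL_IP))
```

Without bind() the backend sees the kernel-selected address even though the frontend has a listener on the virtual IP; only the explicitly bound connection arrives from the virtual IP, which is what a per-instance firewall rule on the backend would need.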