
Configuration of Hidden Virtual Hosts

Affects product: Airlock WAF
Affects version(s): 4.2 all versions

This article explains how to set up virtual hosts on Airlock with IP addresses that are hidden, i.e. not published by ARP. This is useful when you want to use the same IP address on several instances of Airlock and have a network device that can direct web requests to the correct instance using only the Ethernet (MAC) address. A load balancer is one example of such a network device.

Hidden virtual hosts are only needed in some very special network environments.

What is a Hidden Virtual Host?

We call a virtual host "hidden" if it is neither visible outside of Airlock nor reachable by a regular web client, unless a network device makes it reachable, e.g. a router that has special knowledge about the hidden host. Airlock allows you to hide a virtual host by binding it to the loopback interface. This way the IP address is never published by ARP and the address is indeed hidden inside Airlock.

Now, how can the virtual host be of any use then?

Well, if there is no visible virtual host configured on Airlock, a hidden virtual host is indeed locked away. Yet, if there exists any visible virtual host that binds to an IP address reachable from outside of Airlock, we can trick the Web Listener into still accepting requests on the hidden virtual host. How this is technically made possible is described in the section "Technical Background". For now it is sufficient to know that there is a way to reach a hidden virtual host; we only need to know how to configure and use it.

Example

We will use an example throughout this article in order to illustrate how hidden virtual hosts are configured. Imagine the following scenario:

Ergon protects its homepage at www.ergon.ch with Airlock. To handle the ever increasing traffic on its website, Ergon decides to use a hardware load balancer in front of two instances of Airlock.

Both instances should directly be able to handle requests for www.ergon.ch and Ergon does not want to use NAT. The load balancer uses the MAC address to forward packets to them. Because both instances are deployed on the same physical network there will be conflicts if the virtual host for www.ergon.ch uses the same name and IP address on both instances. To solve these conflicts, Ergon decides to use hidden virtual hosts for www.ergon.ch.

Ergon uses the subnet 192.168.10.0/24 in the DMZ where both instances as well as a gateway for outbound traffic are located. The IP address of the gateway is 192.168.10.1.

Creating a Hidden Virtual Host

A hidden virtual host can be configured in the Configuration Center. It is configured just like any other regular virtual host, namely using the menu entry Application Firewall > Reverse Proxy > Virtual Host, with the exception that you have to check the check-box Bind to loopback interface in Tab Advanced. The External network interface in Tab Basic must be the one that will physically carry the network traffic (see section Configuration of Network Interface).

In our example, Ergon would create a virtual host for www.ergon.ch with the IP address 212.47.173.198. To prevent 212.47.173.198 from being published by ARP, they bind the virtual host to the loopback interface by checking the check-box Bind to loopback interface on the configuration page for www.ergon.ch. Since on both instances of Airlock the physical network interface connected to the external network is bge0, it must be selected as External network interface of the hidden virtual hosts.

Assign Hidden Virtual Host to Mappings

On the Reverse Proxy page connect the mappings for which you would like to use the hidden virtual host to the hidden virtual host. This works in the same way as if it was a regular virtual host.


Example: Ergon uses a mapping public that maps www.ergon.ch to public.ergon.ch. To use the hidden virtual host, no change is needed, as www.ergon.ch is already connected to this mapping.

Configuration of Network Interface

A hidden virtual host relies on a network interface that must be up. This requires that at least one regular virtual host or an SSL VPN endpoint is configured on that interface. Choose whichever fits your situation better. But be aware that the network interface you opt for here must be the same as the one configured as External network interface for the hidden virtual host.

Example: Ergon creates on each instance of Airlock a virtual host on the same physical network interface as used for the respective hidden virtual host, bge0, with the private IP addresses 192.168.10.10 and 192.168.10.11 respectively. The virtual host is not used for any mapping, but is only needed to set the network interface up that will be used physically by the hidden virtual host.

You must not set up a network interface manually in the ext-zone of Airlock. If you do so, you risk that Airlock will not work correctly. There is no support for manual interventions on Airlock that are not advised by Ergon.

Routing Setup

To be able to use the hidden virtual host, you need to make sure that its outbound network traffic is routed correctly. If the IP address of the hidden virtual host does not share its subnet with any regular virtual host or SSL VPN endpoint, you need to set up a route for it in the Routing section (System Setup > Routes) of the Configuration Center. Choose the subnet of the hidden virtual host as Destination and a Gateway that is reachable from the IP address on the network interface.

Example: To successfully route outbound traffic, Ergon configures the internal address of its gateway for outbound traffic, 192.168.10.1, as Default Gateway.
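The steps above impose three checks on every instance: the hidden host is bound to loopback, some regular virtual host or SSL VPN endpoint brings its external interface up, and either a carrier shares the hidden host's subnet or a route (or the Default Gateway) with a gateway reachable on that interface exists. The following Python check encodes them and applies them to the Ergon example; it is an added example, not Airlock's own code, and the dict-based data model is an assumption, since Airlock's real configuration format is not shown in this article.

```python
import ipaddress

def check_hidden_vhost(hidden, carriers, routes):
    """Check one hidden virtual host against the constraints of this article.

    hidden   : {"name", "address", "external_interface", "bind_to_loopback"}
    carriers : regular virtual hosts and SSL VPN endpoints on this instance,
               each {"address": "ip/prefix", "interface": "..."}
    routes   : each {"destination": cidr ("0.0.0.0/0" = Default Gateway),
                     "gateway": ip}
    Returns a list of problems; an empty list means the setup is consistent.
    (Assumed data model, not Airlock's configuration format.)
    """
    problems = []
    name = hidden["name"]
    if not hidden.get("bind_to_loopback"):
        problems.append(f"{name}: 'Bind to loopback interface' is not checked; "
                        "the address would be published by ARP")
    iface = hidden["external_interface"]
    hidden_ip = ipaddress.ip_address(hidden["address"])
    # Rule 1: a regular virtual host or SSL VPN endpoint must bring the
    # physical interface up; the hidden host alone does not.
    on_iface = [ipaddress.ip_interface(c["address"])
                for c in carriers if c["interface"] == iface]
    if not on_iface:
        problems.append(f"{name}: nothing else is bound to {iface}, so the "
                        "interface stays down and the hidden host is unreachable")
        return problems
    # Rule 2: outbound traffic must be routable. If a carrier shares the hidden
    # host's subnet nothing more is needed; otherwise a route (or the default
    # gateway) must exist whose gateway is reachable from a carrier on iface.
    if any(hidden_ip in c.network for c in on_iface):
        return problems
    for r in routes:
        dest = ipaddress.ip_network(r["destination"])
        gw = ipaddress.ip_address(r["gateway"])
        if hidden_ip in dest and any(gw in c.network for c in on_iface):
            return problems
    problems.append(f"{name}: no route for {hidden_ip} with a gateway reachable "
                    f"from {iface}; add one under System Setup > Routes")
    return problems

# Constructed sample: the first Airlock instance from the Ergon example.
HIDDEN = {"name": "www.ergon.ch", "address": "212.47.173.198",
          "external_interface": "bge0", "bind_to_loopback": True}
CARRIERS = [{"address": "192.168.10.10/24", "interface": "bge0"}]
ROUTES = [{"destination": "0.0.0.0/0", "gateway": "192.168.10.1"}]

if __name__ == "__main__":
    print(check_hidden_vhost(HIDDEN, CARRIERS, ROUTES) or "configuration consistent")
```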

Technical Background

Several properties of the underlying system of Airlock enable hidden virtual hosts:

  • A logical network interface will accept all packets that are sent to its MAC address.
  • The network stack of Solaris 10 on the IP-layer does not care about the interface on which an IP packet arrived. All IP packets that were accepted by a network interface driver will be processed normally as long as the system knows the destination IP address.
  • So we need to make sure that there is indeed a network interface up in the ext-Zone of Airlock, where the virtual hosts reside. Inbound IP packets for the hidden virtual host are sent to that network interface using its MAC address, and the network stack automatically hands them over to the hidden virtual host based on the destination IP address.
  • It is mandatory to correctly specify the physical network interface of the hidden virtual host because the internal firewall of Airlock must allow traffic on it to make it work.
  • By setting routes that route the outbound IP packet over the active non-loopback network interface, a two-way TCP connection can be established.