Web Server Architecture

Status
Not open for further replies.

NetManRob

Technical User
May 16, 2001
20
US
Hi Guys,
I need some help with a micro LAN design.
My home computer lab consists of three PCs, a cable modem and a hub.

PC1
Gateway
PII - 266 MHz
Mandrake - Linux 8.1

PC2
Linux/Apache
PIII - 866 MHz
Red Hat Linux 7.3

PC3
Wife's PC
PIII - 866 MHz
Windows 2000 Pro

PC1 is equipped with 2 NICs, the first connects to the cable modem, the second to the hub. PC1 is running IP Masquerading with a typical iptables firewall. It is also running Samba to share the network printer. PC2 and PC3 each have only one NIC connecting directly to the hub.

I now want to set up PC2 as a web server running Apache 2.0 and create a DMZ. My objectives are to run a secure and efficient web server and to protect to the greatest extent possible the data on PC3. I am considering two possible plans.

Plan A. Consists of installing a second NIC in PC2 and having PC2 connect to the cable modem via the first NIC and directly to PC1 with the second NIC. It will run a firewall that will block all but http. PC1 will continue to have two NICs, one connecting to PC2 and the other to the hub. Since PC1 is no longer the gateway, its role will be firewall and Samba server. No change to PC3, it has one NIC and connects to the hub.

Plan B. Install a third NIC in PC1 and connect it directly to PC2. Everything else stays the same.

My questions are:
1. Under plan A, how will the Internet connection be shared? Will both PC1 and PC2 have to run IP Masquerading?
2. Under plan B, how would I configure it so that the http requests made to NIC1 on PC1 get redirected to the Apache server on PC2?
3. Is plan A or plan B the preferred architecture?
4. Or is there a plan C that will serve my goals even better?

Thanks in advance for your comments and help!

Rob
 
Plan B would be the normal way to go. I take it you have more than one external IP, although you will probably have to start adding routes.

Since you would only allow http access anyway, the easiest option would be to look at the port/server forwarding that xinetd offers. There's probably an equivalent way of doing this with iptables but I forget how to do most stuff now.
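
The iptables equivalent mentioned above, applied to plan B, as an added example that is not part of the original thread: PC1 forwards inbound port 80 to PC2 on its own DMZ segment and logs and drops anything the DMZ tries to open toward the LAN. The interface names (eth0/eth1/eth2), both subnets and PC2's address are assumptions, not values from the posts.

```shell
#!/bin/sh
# Added example: prints (does not apply) an iptables ruleset for PC1 in plan B.
# Every name and address below is an assumption made for illustration.
WAN_IF=eth0              # NIC1: cable modem
LAN_IF=eth1              # NIC2: hub with PC3
DMZ_IF=eth2              # NIC3: direct link to PC2
LAN_NET=192.168.0.0/24   # internal LAN
WEB_IP=192.168.1.2       # PC2 (Apache) on a separate DMZ subnet

# Emit the commands on stdout so they can be reviewed before being run as root.
# Older iptables builds use "-m state --state" instead of "-m conntrack --ctstate".
dmz_rules() {
    cat <<EOF
# Forward nothing unless a rule below allows it.
iptables -P FORWARD DROP
# Replies to connections that were already allowed.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Question 2: rewrite port 80 arriving on NIC1 to the Apache host...
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_IP:80
# ...and let exactly that traffic through to the DMZ.
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $WEB_IP --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# The LAN may reach the Internet and the web server.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -j ACCEPT
# The web server may never open a connection toward the LAN; log attempts.
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN blocked: "
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# Existing IP masquerading for outbound traffic.
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

dmz_rules
```

With this policy PC2 cannot initiate any connection of its own (for example to fetch updates) unless a DMZ-to-WAN rule is added, and PC1's own services such as Samba are governed by the INPUT chain, which this example does not touch.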
 
A router would be the best way but you should be able to do what you want with the hardware you already have. You shouldn't even need the second NIC in PC1. Your hub should have an uplink port that would get connected to the modem. Then everything else gets connected to the other ports. PC1 would have 2 IP addresses, one for the internet and the other for your intranet. PC1 would be set up as the gateway and have the IP address of 192.168.0.1. You would set it up as a proxy server and all the other machines will go through it for internet access. Once you have them all working with internet access, direct all http traffic to 192.168.0.2 (PC2) or whatever machine has the web server. The web server doesn't need to know anything about your local net since it can be set to listen for all addresses on all ports but will only answer http requests directed to it. This is just an overview since I assume you already have your network up and running and have internet access for all machines.
 