Routers, Firewalls and multilayer servers
Archive - Originally posted on "The Horse's Mouth" - 2009-05-01 20:18:54 - Graham Ellis
Internally, all our machines are on the 192.168.200.xxx network. The router rewrites the source address of outgoing packets to our single public IP address (network address translation), and for traffic where the client is at our end (which is most of it: web browsers, FTP clients and the like) it keeps a table of which internal machine and port opened each connection, so that the replies can be rewritten back to the right machine.
Access to any servers that we run locally is slightly more problematic. A connection that starts from outside has no entry in that table, so incoming traffic of a particular type (port) has to be sent on by an explicit rule, and each port can only be forwarded to one machine. We have one machine set up as the default destination for incoming traffic on every port that has no more specific rule (home routers call this the DMZ host, after the demilitarised zone it stands in for), and care needs to be taken over the security of that machine: it receives everything the Internet sends us that nothing else claims, and it still sits on the internal network, so a compromise there gives an attacker a foothold next to every other machine. Then we make exceptions; the diagram shows how all traffic on TCP port 80 (web service) is routed to our web server, and traffic for printing is routed to a printer.
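To make the two halves of that description concrete, here is a small simulation of the router's decision logic, written for this edit rather than taken from the original post: outbound packets are rewritten to the public address and remembered in a connection table, replies are matched against that table, and unsolicited inbound packets go to the forwarding rule for their port or, failing that, to the DMZ host. The public address 203.0.113.7, the internal hosts, the remote peers and the printer port 9100 are all assumptions (the page does not say which port the printer uses; 9100 is the usual raw/JetDirect port).

```python
"""Simulation of a single-public-address NAT router with port forwarding
and a DMZ host.  Added example; all addresses and ports are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Router with one public address, per-port forwarding and a DMZ host."""

    def __init__(self, public_ip: str, forwards: Dict[Tuple[str, int], str],
                 dmz_host: Optional[str] = None) -> None:
        self.public_ip = public_ip
        self.forwards = forwards          # {(proto, public port): internal address}
        self.dmz_host = dmz_host          # catch-all for unmatched inbound, or None
        # (proto, public port) -> (internal ip, internal port, remote ip, remote port)
        self.conntrack: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self._next_port = 49152           # ephemeral public ports, one per flow

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal -> Internet packet; remember the flow for replies."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), known in self.conntrack.items():
            if proto == pkt.proto and known == flow:
                break                     # existing flow: reuse its public port
        else:
            pub_port = self._next_port
            self._next_port += 1
            self.conntrack[(pkt.proto, pub_port)] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Decide where an Internet -> us packet goes; None means dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1. A reply on a flow one of our machines opened: use the table.
        known = self.conntrack.get((pkt.proto, pkt.dst_port))
        if known is not None and known[2:] == (pkt.src_ip, pkt.src_port):
            int_ip, int_port = known[:2]
            return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.proto)
        # 2. Unsolicited: an explicit rule for the port wins, else the DMZ host.
        target = self.forwards.get((pkt.proto, pkt.dst_port), self.dmz_host)
        if target is None:
            return None                   # no rule and no DMZ host: dropped
        return Packet(pkt.src_ip, pkt.src_port, target, pkt.dst_port, pkt.proto)


def demo():
    """Constructed traffic through a router set up as the article describes."""
    router = NatRouter(
        public_ip="203.0.113.7",                          # assumed public address
        forwards={("tcp", 80): "192.168.200.10",          # assumed web server
                  ("tcp", 9100): "192.168.200.20"},       # assumed printer, port assumed
        dmz_host="192.168.200.99",                        # assumed DMZ host
    )
    # A browser on the LAN opens a connection out ...
    out = router.outbound(Packet("192.168.200.5", 40000, "198.51.100.1", 80))
    # ... and the reply finds its way back through the connection table.
    reply = router.inbound(Packet("198.51.100.1", 80, "203.0.113.7", out.src_port))
    # Unsolicited inbound: 80 to the web server, 9100 to the printer, the rest
    # (here port 22) to the DMZ host.
    web = router.inbound(Packet("198.51.100.2", 51000, "203.0.113.7", 80))
    prn = router.inbound(Packet("198.51.100.2", 51001, "203.0.113.7", 9100))
    other = router.inbound(Packet("198.51.100.2", 51002, "203.0.113.7", 22))
    # A stray packet to a port in the table but from the wrong peer is not a
    # reply, so it too ends up on the DMZ host.
    stray = router.inbound(Packet("198.51.100.9", 44444, "203.0.113.7", out.src_port))
    return out, reply, web, prn, other, stray


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

The same logic lives in the router's kernel in real life (on a Linux box it is conntrack plus MASQUERADE and DNAT rules), but the simulation makes the security point visible: every inbound packet that no rule and no existing flow claims, including the stray one, is delivered to the DMZ host, which is why that machine needs the hardening the article asks for.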

As well as letting a single machine receive a particular kind of traffic, this approach also means that the main servers, running Tomcat, can be hidden behind a firewall: only the httpd machine that fronts them is reachable from outside, so the high level of protection only needs to be applied to the httpd machine.

Once the web service is spread over several parallel machines behind that front end, a new problem appears: a user's session state is held on whichever machine handled the first request, so later requests from the same user must either reach that same machine or find the state somewhere else. There are a number of solutions to this, including setting a cookie in the initial response that tells the front end to send that browser to the same machine next time (we do this in real life too: "I was talking to Mavis about it ... can you put me through to her again please"). This diagram shows another approach: the parallel machines all co-ordinate through another machine behind them, perhaps running a database such as MySQL, or perhaps even another instance of Tomcat, so that any of them can pick the session up.
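Both approaches, as an added illustration written for this edit rather than code from the original post: a front end that honours a route suffix on the session cookie (the ".tomcat1" style suffix follows Tomcat's jvmRoute convention), and the same front end with a shared session store behind the servers. The front end, the two back ends, the store and the "basket" contents are in-memory stand-ins, not httpd, Tomcat or MySQL.

```python
"""Session affinity across parallel back-end servers: sticky cookie versus
shared session store.  Added example with constructed, in-memory stand-ins."""
import itertools
from typing import Dict, List, Optional


class Backend:
    """Stand-in for one application server (think: one Tomcat instance).

    store=None  -> sessions live only in this instance's own memory.
    store=dict  -> sessions live in the shared store behind all instances."""

    def __init__(self, name: str, store: Optional[Dict[str, list]] = None) -> None:
        self.name = name
        self.store = store
        self.local: Dict[str, list] = {}
        self.up = True

    def handle(self, key: str, item: Optional[str]) -> List[str]:
        sessions = self.local if self.store is None else self.store
        basket = sessions.setdefault(key, [])
        if item is not None:
            basket.append(item)
        return list(basket)


class FrontEnd:
    """Stand-in for the httpd machine: round-robin between back ends, but a
    route suffix on the session cookie ("<id>.<backend>") is honoured first."""

    def __init__(self, backends: List[Backend]) -> None:
        self.backends = {b.name: b for b in backends}
        self._rr = itertools.cycle(list(self.backends))
        self._ids = itertools.count(1)

    def _pick(self) -> Backend:
        for _ in range(len(self.backends)):
            b = self.backends[next(self._rr)]
            if b.up:
                return b
        raise RuntimeError("no backend is up")

    def request(self, cookies: Dict[str, str], item: Optional[str] = None):
        """One browser request; returns (cookies to set, basket contents)."""
        sid = cookies.get("JSESSIONID")
        if sid is None:
            key, route = f"{next(self._ids):08x}", ""      # first visit: new id
        else:
            key, _, route = sid.partition(".")              # id and claimed route
        backend = self.backends.get(route)                  # only real names count
        if backend is None or not backend.up:
            backend = self._pick()          # no affinity yet, or sticky target is down
        basket = backend.handle(key, item)
        return {"JSESSIONID": f"{key}.{backend.name}"}, basket


def _scenario(store: Optional[Dict[str, list]]):
    """Three requests from one browser, with the first server dying in between."""
    fe = FrontEnd([Backend("tomcat1", store), Backend("tomcat2", store)])
    cookies, _ = fe.request({}, "book")            # first request lands on tomcat1
    cookies, before = fe.request(cookies, "pen")   # cookie sends it back to tomcat1
    fe.backends[cookies["JSESSIONID"].partition(".")[2]].up = False   # tomcat1 dies
    cookies2, after = fe.request(cookies, "ink")   # front end fails over to tomcat2
    return cookies["JSESSIONID"], before, cookies2["JSESSIONID"], after


def sticky_only():
    """State lives in each server; the cookie is the only glue, so failover loses it."""
    return _scenario(None)


def shared_store():
    """State lives in the machine behind the servers; any of them can pick it up."""
    return _scenario({})


if __name__ == "__main__":
    print("sticky only :", sticky_only())
    print("shared store:", shared_store())
```

Two things worth noticing. The route suffix arrives from the browser, so the front end treats it as a hint and looks it up against the list of real back ends rather than trusting it; an unknown or dead route just falls back to round-robin. And with sticky sessions alone the basket is empty after failover, whereas with the shared store behind the servers the third request sees the full basket, which is the case for putting the database (or extra Tomcat) behind the parallel machines.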