
In my environment I have a few web services that are exposed to the internet with an nginx reverse proxy. Moreover, for some of these nginx does a port translation (e.g. internal 8080 -> public 80). We also have a few internal services that, from the LAN, need to contact the reverse proxied ones: what is the best practice to accomplish this? Here is what I thought:

  • Create a fake DNS zone in our internal DNS, so if an internal service contacts publicservice1.example.com it is redirected directly to the nginx DMZ IP
  • Do not touch anything, but the traffic loops out of and back into our network (LAN -> Internet (public IP) -> nginx reverse proxy in DMZ)
J.B.

1 Answer

It's subjective but barring any new information, I will make the following recommendation:

Let the LAN clients hit the public IP and route back into the DMZ. It is simpler, clearer and more consistent for end users.

You won't have to explain why a cached DNS entry from the office is blocking access from home. You won't have to worry about the split horizon synchronization and keeping the records in each updated.
If you have other reasons for deploying split horizon and you have other systems configured in this manner, then keep things as consistent as possible.

Daniel Widrick
  • Thank you for your advice. Gathering more information about this topic I found that the LAN->Internet->DMZ loop is called "NAT reflection" or "NAT loopback", and this answer link guided me to a correct configuration. – J.B. Jun 19 '17 at 16:04
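The NAT reflection (hairpin NAT) setup the comment above settled on, written out for a Linux iptables firewall as an added example that is not part of the original question or answer; the addresses, the 80 -> 8080 port translation and the assumption that the firewall is the router between LAN and DMZ are all constructed for the illustration.

```shell
#!/bin/sh
# Constructed placeholder values; replace with your own addressing.
PUBLIC_IP="203.0.113.10"   # assumed public address on the WAN side of the firewall
DMZ_IP="192.0.2.20"        # assumed address of the nginx reverse proxy in the DMZ
LAN_NET="10.0.0.0/24"      # assumed internal client network
PUBLIC_PORT=80             # port clients (and the internet) connect to
DMZ_PORT=8080              # port nginx actually listens on (port translation)

# Emit the nat-table rules that let a LAN client connect to PUBLIC_IP:80 and
# land on DMZ_IP:8080 without the traffic leaving the network.
hairpin_rules() {
  # 1. Same DNAT the firewall already applies to internet traffic, but matched
  #    on LAN sources so it can sit beside an interface-bound public rule.
  echo "iptables -t nat -A PREROUTING -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $DMZ_IP:$DMZ_PORT"
  # 2. Source NAT on the way into the DMZ. Only strictly needed when the DMZ host
  #    can reach the LAN without traversing this firewall (e.g. a shared L2
  #    segment); otherwise conntrack reverses the DNAT on the reply. It is
  #    harmless to keep, but nginx then logs the firewall, not the real client.
  echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $DMZ_IP -p tcp --dport $DMZ_PORT -j MASQUERADE"
}

# Number of rules the function emits; handy for a quick sanity check.
hairpin_rule_count() {
  hairpin_rules | wc -l | tr -d ' '
}

# Print by default; pipe into sh (as root) only after reviewing the output:
#   sh hairpin.sh | sudo sh
hairpin_rules
```

Split-horizon DNS, the alternative in the question, needs no NAT rules but does need the internal zone kept in step with the public one, which is the maintenance cost the answer warns about.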