itemprop="text"> I would like to configure Apache so that it normally denies requests for iFrames (for instance, by setting Header always append X-Frame-Options DENY ) but , it allows a specific directory to be embedded as iFrame, independently from the origin of the request (for instance, src="www.mysite.com/mydir"> ) Is that possible? itemprop="text"> class="normal">Answer See documentation for href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options" rel="nofollow noreferrer"> X-Frame-Options . You can allow embedding from https://example.com/mydir : Header always append X-Frame-Options ALLOW-FROM=https://example.com/mydir allow embedding of

I would like to configure Apache so that it normally denies requests for iFrames (for instance, by setting Header always append X-Frame-Options DENY ) but , it allows a specific directory to be embedded as iFrame, independently from the origin of the request (for instance, ) Is that possible? Answer See documentation for X-Frame-Options . You can allow embedding from https://example.com/mydir : Header always append X-Frame-Options ALLOW-FROM=https://example.com/mydir allow embedding of https://example.com/mydir by adding it only when Location doesn't match /mydir , with the LocationMatch directive . ServerName example.com Header always append X-Frame-Options DENY to maximize security, add a combination of these i.e. only allow embedding of /mydir from ... . You can't limit it to alone, but the embedding can also be done as or .

itemprop="text"> I haven't changed anything related to the DNS entry for serverfault.com , but some users were reporting today that href="https://meta.stackexchange.com/questions/7070/serverfault-down-how-to-get-into-superuser-beta/7079#7079">the serverfault.com DNS fails to resolve for them . I ran a href="http://just-ping.com/index.php?vh=serverfault.com&c=&s=ping!" rel="nofollow noreferrer">justping query and I can sort of confirm this -- serverfault.com dns appears to be failing to resolve in a handful of countries, for no particular reason that I can discern. (also confirmed via href="http://www.whatsmydns.net/" rel="nofollow noreferrer">What's My DNS which does some worldwide pings in a similar fashion, so it's confirmed as an issue by

I haven't changed anything related to the DNS entry for serverfault.com , but some users were reporting today that the serverfault.com DNS fails to resolve for them . I ran a justping query and I can sort of confirm this -- serverfault.com dns appears to be failing to resolve in a handful of countries, for no particular reason that I can discern. (also confirmed via What's My DNS which does some worldwide pings in a similar fashion, so it's confirmed as an issue by two different sources.) Why would this be happening, if I haven't touched the DNS for serverfault.com ? our registrar is (gag) GoDaddy, and I use default DNS settings for the most part without incident. Am I doing something wrong? Have the gods of DNS forsaken me? is there anything I can do to fix this? Any way to goose the DNS along, or force the DNS to propagate correctly worldwide? Update: as of Monday at 3:30 am PST, everything looks correct.. JustPing reports site is reachable from all locations. Than

itemprop="text"> We have a set of shared, static content that we serve up between our websites at rel="noreferrer">http://sstatic.net . Unfortunately, this content is not currently load balanced at all -- it's served from a single server. If that server has problems, all the sites that rely on it are effectively down because the shared resources are essential shared javascript libraries and images. We are looking at ways to load balance the static content on this server, to avoid the single server dependency. I realize that round-robin DNS is, at best, a low end (some might even say ghetto ) solution, but I can't help wondering -- is round robin DNS a "good enough" solution for basic load balancing of static content? There is some discussion of this in the href=&quo

We have a set of shared, static content that we serve up between our websites at http://sstatic.net . Unfortunately, this content is not currently load balanced at all -- it's served from a single server. If that server has problems, all the sites that rely on it are effectively down because the shared resources are essential shared javascript libraries and images. We are looking at ways to load balance the static content on this server, to avoid the single server dependency. I realize that round-robin DNS is, at best, a low end (some might even say ghetto ) solution, but I can't help wondering -- is round robin DNS a "good enough" solution for basic load balancing of static content? There is some discussion of this in the [dns] [load-balancing] tags, and I've read through some great posts on the topic. I am aware of the common downsides of DNS load balancing through multiple round-robin A records: there's typically no heartbeats or failure detection with DN

I´m experiencing a weird write iops limitation with a HP P410 256mb cache controller and 4x consumer grade ssd´s (Samsung EVO 850) in RAID5/10. After upgrade to latest firmware (6.64) for HP P410 controller, it continues with problems. Iostat output: Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util sda 0.00 0.00 1.00 158.00 36.00 15631.00 197.07 12.16 75.84 6.00 76.28 6.30 100.10 158 writes/s and 100 % util. My hpacucli output: => ctrl all show config detail Smart Array P410 in Slot 2 Bus Interface: PCI Slot: 2 Serial Number: PACCR9SYLZ34 Cache Serial Number: PACCQ9SYP5CK RAID 6 (ADG) Status: Disabled Controller Status: OK Hardware Revision: C Firmware Version: 6.62 Rebuild Priority: Medium Expand Priority: Medium Surface Scan Delay: 15 secs Surface Sc

I´m experiencing a weird write iops limitation with a HP P410 256mb cache controller and 4x consumer grade ssd´s (Samsung EVO 850) in RAID5/10. After upgrade to latest firmware (6.64) for HP P410 controller, it continues with problems. Iostat output: Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await r_await w_await svctm %util sda 0.00 0.00 1.00 158.00 36.00 15631.00 197.07 12.16 75.84 6.00 76.28 6.30 100.10 158 writes/s and 100 % util. My hpacucli output: => ctrl all show config detail Smart Array P410 in Slot 2 Bus Interface: PCI Slot: 2 Serial Number: PACCR9SYLZ34 Cache Serial Number: PACCQ9SYP5CK RAID 6 (ADG) Status: Disabled Controller Status: OK Hardware Revision: C Firmware Version: 6.62 Rebuild Priority: Medium Expand Priority: Medium Surface Scan Delay: 15 secs Surface Scan Mode: Idle Queue Depth: Automatic Monitor and Performance Delay: 60 min El

itemprop="text"> I am currently building a storage unit for our office. It is rather low budget at the moment, but it needs to be extendable. basically we have a huge database that will grow over the next few months quite heavily. Therefore, ideally we would just like to throw hard discs at our new server. We have not purchased the server yet, but going through some details. However, I would like to get an answer to a question first. How easy is it to expand existing RAID systems? We will start with two HDD 4TBs WD black. But after about 1 month we will need to add another 2 4TB disks. The server we are going to get has 12 bays. Mirroring is important, However RAID 1 only works with 2 disks. Raid 10, would already allow us to mirror a RAID 0. And from what I have seen even the raid 10 can be installed with two disks. Ho

I am currently building a storage unit for our office. It is rather low budget at the moment, but it needs to be extendable. basically we have a huge database that will grow over the next few months quite heavily. Therefore, ideally we would just like to throw hard discs at our new server. We have not purchased the server yet, but going through some details. However, I would like to get an answer to a question first. How easy is it to expand existing RAID systems? We will start with two HDD 4TBs WD black. But after about 1 month we will need to add another 2 4TB disks. The server we are going to get has 12 bays. Mirroring is important, However RAID 1 only works with 2 disks. Raid 10, would already allow us to mirror a RAID 0. And from what I have seen even the raid 10 can be installed with two disks. However, what happens after that ? Is there any recommendation to achieve a flexible RAID system ? On the OS layer I would just like to build a LVM, that recognises once there is space add

itemprop="text"> I have every 30 minutes smartd messages on /var/log/messages: smartd[3588]: Device: /dev/sdc, 176 Currently unreadable (pending) sectors This drive (sdc) is part of RAID 5 configured with mdadm. Mdadm monitor tells RAID is ok but i want to know if i need to change the drive or not. Also if its neccesary to mark as bad this sectors or OS already did it. If i need to change the drive, how can i chose the replacement one? I can´t find the number of blocks in hard drive specifications so if i chose one with less blocks than original, i will be in trouble. Thanks. itemprop="text"> class="normal">Answer Yes, change the drive. Unreadable (pending) sectors are sector whose contents could not be read. On a normal non-RAID situation that would resul

I have every 30 minutes smartd messages on /var/log/messages: smartd[3588]: Device: /dev/sdc, 176 Currently unreadable (pending) sectors This drive (sdc) is part of RAID 5 configured with mdadm. Mdadm monitor tells RAID is ok but i want to know if i need to change the drive or not. Also if its neccesary to mark as bad this sectors or OS already did it. If i need to change the drive, how can i chose the replacement one? I can´t find the number of blocks in hard drive specifications so if i chose one with less blocks than original, i will be in trouble. Thanks. Answer Yes, change the drive. Unreadable (pending) sectors are sector whose contents could not be read. On a normal non-RAID situation that would result in either a read error, or a long delay while the drive attempts to read the sector again and again until it succeeds (or until it eventually gives up). With RAID two things are happening: Your disk is probably configured with a short TLER value. Thus is will give u

I had my own private VPS that my hosting service managed and now I am switching to a cloud server where I have to manage everything myself. I am trying to mimic their secure setup that they had. On my old & new server, I have my users/websites set up like those listed below. My Apache Virtual Hosts have these as the DocumentRoot, so they are running right now: /home/user1/site1.com /home/user1/site2.com /home/user2/site3.com /home/user3/site4.com ..... Basically on my old VPS, the Apache web server could run all of these sites, and at the same time , each user did not have access to the other user's files (in case one site got hacked, the hacker couldn't access the rest of the sites). I noticed that directories had 755 and files 644 permissions. The way I set up now, everything in these user directories are in the www-data group, the directorie

I had my own private VPS that my hosting service managed and now I am switching to a cloud server where I have to manage everything myself. I am trying to mimic their secure setup that they had. On my old & new server, I have my users/websites set up like those listed below. My Apache Virtual Hosts have these as the DocumentRoot, so they are running right now: /home/user1/site1.com /home/user1/site2.com /home/user2/site3.com /home/user3/site4.com ..... Basically on my old VPS, the Apache web server could run all of these sites, and at the same time , each user did not have access to the other user's files (in case one site got hacked, the hacker couldn't access the rest of the sites). I noticed that directories had 755 and files 644 permissions. The way I set up now, everything in these user directories are in the www-data group, the directories have 775 and files 664 permissions. Files from one user's website are accessible from another user's website (not good). H

I need to manage multiple SSL Certificates on Amazon ELC instances farm, running multiple domains on a Ruby on Rails application. The problem is that we need to dynamically add new certificates to the instances or balancer to provide SSL. We need to do it every time a new domain is directed to our application, or when a domain already linked is selected to enable SSL and a new certificate is uploaded. At this moment we have one Elastic Load Balancer and 8 instances(and counting) behind it. But one ELB only allows one certificate, and create one balancer per domain is not a desirable option. I'm thinking in complement the ELB with HAProxy to share the same IP/Port using SNI, but I'm not sure if this is possible and works on all browsers. We tried to enable SSL on the instances, but required to use as many ports as certificates so it'

I need to manage multiple SSL Certificates on Amazon ELC instances farm, running multiple domains on a Ruby on Rails application. The problem is that we need to dynamically add new certificates to the instances or balancer to provide SSL. We need to do it every time a new domain is directed to our application, or when a domain already linked is selected to enable SSL and a new certificate is uploaded. At this moment we have one Elastic Load Balancer and 8 instances(and counting) behind it. But one ELB only allows one certificate, and create one balancer per domain is not a desirable option. I'm thinking in complement the ELB with HAProxy to share the same IP/Port using SNI, but I'm not sure if this is possible and works on all browsers. We tried to enable SSL on the instances, but required to use as many ports as certificates so it's not easy to manage, and still have to add more balancers. What alternatives would you try? In your opinion, what's the best way to dynamic

itemprop="text"> When specifying servers, like (I would assume) many engineers who aren't experts in storage, I'll generally play it safe (and perhaps be a slave to marketing) by standardising on a minimum of 10k SAS drives (and therefore are "enterprise"-grade with a 24x7 duty cycle, etc) for "system" data (usually OS and sometimes apps), and reserve the use of 7.2k mid/nearline drives for storage of non-system data where performance isn't a significant factor. This is all assuming 2.5" (SFF) disks, as 3.5" (LFF) disks are only really relevant for high-capacity, low IOPs requirements. In situations where there isn't a massive amount of non-system data, I'll generally place it on the same disks/array as the system data, meaning the server only has 10k SAS drives (generally a "One Big RAID1

When specifying servers, like (I would assume) many engineers who aren't experts in storage, I'll generally play it safe (and perhaps be a slave to marketing) by standardising on a minimum of 10k SAS drives (and therefore are "enterprise"-grade with a 24x7 duty cycle, etc) for "system" data (usually OS and sometimes apps), and reserve the use of 7.2k mid/nearline drives for storage of non-system data where performance isn't a significant factor. This is all assuming 2.5" (SFF) disks, as 3.5" (LFF) disks are only really relevant for high-capacity, low IOPs requirements. In situations where there isn't a massive amount of non-system data, I'll generally place it on the same disks/array as the system data, meaning the server only has 10k SAS drives (generally a "One Big RAID10" type of setup these days). Only if the size of the non-system data is significant do I usually consider putting it on a separate array of 7.2k mid/nearlin

itemprop="text"> We have a server that hosts an old application that uses a serial dongle to license its product. We converted the physical server to a virtual server running in VMWare server running on Windows and everything is working fine. We now are looking to move on to ESX or ESXi for our virtual environment. We played around with ESXi and found that it does not support the serial dongle. We installed a trial of ESX and it works perfectly, however, it seems a bit pricey for our low level needs. Anyway to get around this serial dongle? The company that makes the software is no longer in business and the software is very specialized and nothing on the market exists to replace it in it's entirety. That research has been ongoing but not pertinent for this discussion. Am I wrong about serial support in ESXi? class="post-

We have a server that hosts an old application that uses a serial dongle to license its product. We converted the physical server to a virtual server running in VMWare server running on Windows and everything is working fine. We now are looking to move on to ESX or ESXi for our virtual environment. We played around with ESXi and found that it does not support the serial dongle. We installed a trial of ESX and it works perfectly, however, it seems a bit pricey for our low level needs. Anyway to get around this serial dongle? The company that makes the software is no longer in business and the software is very specialized and nothing on the market exists to replace it in it's entirety. That research has been ongoing but not pertinent for this discussion. Am I wrong about serial support in ESXi? Answer Yes you are wrong, ESX (regular, NOT 'i' version, both in 3.5 and 4) supports locally attached serial devices - even on the free version. Here's how you do it;

itemprop="text"> -edit- i figured it out. I needed to use adduser username group instead. I added a user with the command useradd -G myapp_user newusername then i changed the group on the public folder that i want the user to access. Here is the line using ls -l I see the group has been set. drwxrwxr-x 3 root myapp_user 4096 Jul 9 19:13 public I cd into it and do it again to and i see files like the below with the group. I also see rwx on both the public folder and on the content inside the directory. -rwxrwxr-x 1 root myapp_user 4403 Oct 10 2007 info.png Then i login as the user and CD into the folder i wrote touch a and i got a permission error. I cant add, delete or do anything even though i see 775 is the permission. I also tried useradd -G myapp_user new

-edit- i figured it out. I needed to use adduser username group instead. I added a user with the command useradd -G myapp_user newusername then i changed the group on the public folder that i want the user to access. Here is the line using ls -l I see the group has been set. drwxrwxr-x 3 root myapp_user 4096 Jul 9 19:13 public I cd into it and do it again to and i see files like the below with the group. I also see rwx on both the public folder and on the content inside the directory. -rwxrwxr-x 1 root myapp_user 4403 Oct 10 2007 info.png Then i login as the user and CD into the folder i wrote touch a and i got a permission error. I cant add, delete or do anything even though i see 775 is the permission. I also tried useradd -G myapp_user newusername to find the user is already part of the group what am i missing? am i suppose to flush something before it takes effect? restart something? why cant the user modify anything in the public folder? using putty and winscp. But right n

itemprop="text"> I manage a few Mac OSX XServes for production websites and have recently run into an issue dealing with the server resolving the DNS of some of the sites. Further investigation revealed that httpd.conf was configured to listen on all IPs (port 80), but the virtual host configurations only applied to the actual IP for the domain (not localhost). eg (freehand configuration, probably syntactically incorrect and missing irrelevant options): in httpd.conf: Listen 80 in domainA:80.conf: ServerName domainA.com Now, in the /etc/hosts file, it had this entry: 127.0.0.1 localhost 127.0.0.1 domainA.com what would happen when domainB.com called out to domainA.com on the same machine, it would use the localhost IP address. Therefore, instead of using the correct virtualHost configuration, it used the

I manage a few Mac OSX XServes for production websites and have recently run into an issue dealing with the server resolving the DNS of some of the sites. Further investigation revealed that httpd.conf was configured to listen on all IPs (port 80), but the virtual host configurations only applied to the actual IP for the domain (not localhost). eg (freehand configuration, probably syntactically incorrect and missing irrelevant options): in httpd.conf: Listen 80 in domainA:80.conf: ServerName domainA.com Now, in the /etc/hosts file, it had this entry: 127.0.0.1 localhost 127.0.0.1 domainA.com what would happen when domainB.com called out to domainA.com on the same machine, it would use the localhost IP address. Therefore, instead of using the correct virtualHost configuration, it used the default configuration (this took me so damn long to figure out, but it makes perfect sense) I don't really have a need to access the domains from localhost, so my question is: What's the be

itemprop="text"> This is my build: LSI 9260-8i: MAX read throughput of 2,875 MB/s, write performance of 1,800 MB/s 24x SAS 10K RPM drives 2x 100GB Dell SSDR (SATA) drives for ZIL and L2ARC All plugged to same controller. With ZFS as the file system, can the LSI9260-8i sustain the peak loads? Do I need dedicated RAID controller for SSD's? Can use any SATA RAID like SAS6i? itemprop="text"> class="normal">Answer The LSI 9260-8i has 8 x 6Gb/s SAS ports and that's the amount of throughput you'll get. However, depending on your workload/application, disks rarely run at 100% throughput. It's more likely you'll reach the max number of IOPS of your disks (unless you're doing bulk reads, streaming, etc). It

This is my build: LSI 9260-8i: MAX read throughput of 2,875 MB/s, write performance of 1,800 MB/s 24x SAS 10K RPM drives 2x 100GB Dell SSDR (SATA) drives for ZIL and L2ARC All plugged to same controller. With ZFS as the file system, can the LSI9260-8i sustain the peak loads? Do I need dedicated RAID controller for SSD's? Can use any SATA RAID like SAS6i? Answer The LSI 9260-8i has 8 x 6Gb/s SAS ports and that's the amount of throughput you'll get. However, depending on your workload/application, disks rarely run at 100% throughput. It's more likely you'll reach the max number of IOPS of your disks (unless you're doing bulk reads, streaming, etc). It also depends on how your SAS backplane "exports" these disks. For instance, some backplanes will have as many mini-SAS or standard SAS ports as there are disks. Others will use an expander like the SuperMicro 846E1 (24 disks for a mini-SAS x4 port). SuperMicro has a chassis that (TQ edition) t

itemprop="text"> I always did this: chown apache2:apache2 /var/www/ -vR chmod 555 /var/www/ -vR chmod 755 /var/www/a/special/dir/which/needs/write/permissions/ -vR OR instead of 2, 3 just set permissions to 755 Recently I came to know that setting apache as user is not secure, how come? And what are the alternatives? What are other good practices for increasing a webserver (apache) security? Answer You may want to investigate chroot -ing your web-servers as well. Better yet, run each application in its own virtual machine with its own apache and what nots. That way, even if compromised, the only vulnerable machine is the VM one. However, when you talk about apache security, you should be a little more specific about what kind of attacks are you interested in protecting a

I always did this: chown apache2:apache2 /var/www/ -vR chmod 555 /var/www/ -vR chmod 755 /var/www/a/special/dir/which/needs/write/permissions/ -vR OR instead of 2, 3 just set permissions to 755 Recently I came to know that setting apache as user is not secure, how come? And what are the alternatives? What are other good practices for increasing a webserver (apache) security? Answer You may want to investigate chroot -ing your web-servers as well. Better yet, run each application in its own virtual machine with its own apache and what nots. That way, even if compromised, the only vulnerable machine is the VM one. However, when you talk about apache security, you should be a little more specific about what kind of attacks are you interested in protecting against.

I have two servers. The first server uses a hostname of myserver.com, and I set the A record for myserver.com as the IP address of the first server. The second server uses the hostname server2.myserver.com, and I set the A record for server2.myserver.com as the IP address of the second server. The second server, a DigitalOcean droplet (CentOS), hosts a simple WordPress website, mywebsite.com and a couple of other sites. The IP is 138.xxx.xxx.148. When a message is sent from the contact form on mywebsite.com, it arrives in Gmail spam. The SPF check is "neutral" and the message it says is: Received-SPF: neutral (google.com: 138.xxx.xxx.148 is neither permitted nor denied by best guess record for domain of info@server2.myserver.com) client-ip=138.xxx.xxx.148; I have added an SPF record for mywebsite.co

I have two servers. The first server uses a hostname of myserver.com, and I set the A record for myserver.com as the IP address of the first server. The second server uses the hostname server2.myserver.com, and I set the A record for server2.myserver.com as the IP address of the second server. The second server, a DigitalOcean droplet (CentOS), hosts a simple WordPress website, mywebsite.com and a couple of other sites. The IP is 138.xxx.xxx.148. When a message is sent from the contact form on mywebsite.com, it arrives in Gmail spam. The SPF check is "neutral" and the message it says is: Received-SPF: neutral (google.com: 138.xxx.xxx.148 is neither permitted nor denied by best guess record for domain of info@server2.myserver.com) client-ip=138.xxx.xxx.148; I have added an SPF record for mywebsite.com: v=spf1 a ip4:138.xxx.xxx.148/32 a:server2.myserver.com ~all And I added the same SPF record for the myserver.com. Somewhere here I must be making an error but cannot seem to fig

I configured my Windows 7 box for 4.2.2.4 as the primary DNS and an internal DNS server for secondary. When I make lookup queries for private IP'd internal servers I get an error from the primary DNS that the IP could not be found. The secondary DNS server is not getting the request. If I swap the primary and secondary DNS servers the query works fine. The reason for 4.2.2.4 as primary is that our DNS servers are in Europe.

I configured my Windows 7 box for 4.2.2.4 as the primary DNS and an internal DNS server for secondary. When I make lookup queries for private IP'd internal servers I get an error from the primary DNS that the IP could not be found. The secondary DNS server is not getting the request. If I swap the primary and secondary DNS servers the query works fine. The reason for 4.2.2.4 as primary is that our DNS servers are in Europe.

itemprop="text"> I'm having a DNS resolving issue that is affecting the performance of my locally hosted web site when browse it on my local machine. If I attach my network's DNS suffix to my local machine name when I go to the URL in my browser, the site has terrible load times (100+ times slower) than without the DNS suffix. I thought I could fix this by using my hosts file to avoid the need for a lookup. I added an entry to my hosts file like this 127.0.0.1 myMachine.MyDnsSuffix But this didn't change the load times, even after a reboot. Although it is not important to resolve this specific problem, I would really like to know why this happens. Also, when I run nslookup on the domain myMachine.MyDnsSuffix , I notice it uses my network's DNS server to find the IP. Could this be related to

I'm having a DNS resolving issue that is affecting the performance of my locally hosted web site when browse it on my local machine. If I attach my network's DNS suffix to my local machine name when I go to the URL in my browser, the site has terrible load times (100+ times slower) than without the DNS suffix. I thought I could fix this by using my hosts file to avoid the need for a lookup. I added an entry to my hosts file like this 127.0.0.1 myMachine.MyDnsSuffix But this didn't change the load times, even after a reboot. Although it is not important to resolve this specific problem, I would really like to know why this happens. Also, when I run nslookup on the domain myMachine.MyDnsSuffix , I notice it uses my network's DNS server to find the IP. Could this be related to my problem or am I just mis-understanding how nslookup works? Answer I believe nslookup is used to test a DNS server itself, as opposed to utilizing your HOSTS file. http://suppor

itemprop="text"> We have here to web servers behind a router - one IIS and one Tomcat (on different machines / IP addresses). The domain is pointing to out external IP, which is forwarded to IIS (internal IP 192.168.1.10 for example). I'm trying to do the following: when [www.]ourdomain.com is entered the default web site on IIS have to be loaded (this part is ok), but when test.ourdomain.com is entered I want to redirect this request to another web server (192.168.1.11 for example). I created a site "test" on IIS and it is displayed when test.ourdomain.com is entered. Then I tried to redirect it with following rule: Requested URL matches the pattern: * (using wildcards) Condition: {HTTP_HOST} matches test.ourdomain.com Action type: Rewrite Rewrite URL: http://192.168.1.11/ {R:0} but when I try to load test.ourdomain.

We have here to web servers behind a router - one IIS and one Tomcat (on different machines / IP addresses). The domain is pointing to out external IP, which is forwarded to IIS (internal IP 192.168.1.10 for example). I'm trying to do the following: when [www.]ourdomain.com is entered the default web site on IIS have to be loaded (this part is ok), but when test.ourdomain.com is entered I want to redirect this request to another web server (192.168.1.11 for example). I created a site "test" on IIS and it is displayed when test.ourdomain.com is entered. Then I tried to redirect it with following rule: Requested URL matches the pattern: * (using wildcards) Condition: {HTTP_HOST} matches test.ourdomain.com Action type: Rewrite Rewrite URL: http://192.168.1.11/ {R:0} but when I try to load test.ourdomain.com now I get IIS's error 404 page. Obviously I'm wrong :-) How can I do such a redirect? Answer A rewrite needs to be a relative path on disk, under th