Scared to try to use NS and vhosts

Can you list files under /etc/httpd/nethserver.d there is something that i don’t understand.

@davidep

Hi, still stupid here, but I’ve run out of time today.

Was messing around today, installed wordpress straight from wordpress.org into the base NS, copied the owncloud.conf over to a new wordpress.conf, edited with wordpress of course, and dumped the wp files into a folder next to owncloud, browsing to testserver/wordpress, wordpress works great.

Was looking at the vhosts some more. Wondered to myself… why do I need to have entries in dns - hosts? This is standalone behind a gateway.

But here’s the thing… I think that in order to use vhosts it’s necessary to use server alias or e-smith will not create the vhost confs. I think that when I originally created the server aliases those confs for the ibay directories were left over even though I deleted the aliases and made entries in hosts. The reason I say this is that the 00default:80.vhost has all the test domains listed in it but if I browse to any domain I always get the index.html that is the last listed domain in that 00default file.

So nothing works like I posted above anymore and I’m even more confused.

So, I’m making notes for myself here… and tomorrow, if I have time, I may recreate those entries in server alias to see what happens.

My end goal here is to spin up an NS instance in Google cloud, with a wordpress installation hosting 5 sites for 5 domains with email on a single ip… but this is getting out of hand…

Hi @fasttech ,

AFAIK, this can be done only through Reverse Proxy (you have only one public IP and you must publish to the Web different domains (www, webmail), NOT ALIASES, hosted on the same machine, with the same port (80, 443).

Of course, maybe I’m wrong.

When I have looked for MS ISA Server replacement (ISA/Forefront TMG can do Reverse Proxy), I read on a forum that you need another Linux Machine to do Reverse Proxy if your Linux Firewall/Router can’t do that.

Endian and Sophos can do Reverse Proxy from UI but only for paid versions.

I ask for this feature for a long time and for many, many times, but …
Apache can do Reverse Proxy but I don’t know how.
I think that if Apache is a part of NS, this can be done on the same machine.
I read some docs from Apache website but I’m not good enough to make this.

http://www.apachetutor.org/admin/reverseproxies
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html

EDIT:

@Hunv just published here:

Proposal for ns7 VirtualHost page

about this.

@fasttech @GG_jr

If you need help in configuring the reverse proxy on the Nethserver, feel free to contact me. I’ve got it running (but I’m not a Pro in Linux/Apache at all ;)).

Hi Kristian,

Thank you very much for your offer!

Can you do something for NS Community?
I think this is a great improvement for NS!
And many of us need this.

BR,
Gabriel

PS:

NS 7 is still far away.
We need this feature also in NS 6.7 because we will use this version for a long time (I understand that the upgrade to NS 7 will be not so facile because of all improvements).

I can post my configuration, but I don’t think that this is like it is intended to be.
Basically I simply created a new file at /etc/httpd/conf.d that must have the ending .conf.
The content of that file is:

<VirtualHost *:80>    
	ServerName subdomain.domain.com    
	ProxyPreserveHost On    
	ProxyPass / http://10.10.0.10/    
	ProxyPassReverse / http://10.10.0.10/
</VirtualHost>

<VirtualHost *:443>   
	ServerName subdomain.domain.com    
	ProxyPreserveHost On    
	SSLEngine On    
	SSLProxyEngine Off    
	SSLCertificateFile /etc/httpd/conf.d/subdomain.domain.com.pem    
	SSLCertificateKeyFile /etc/httpd/conf.d/subdomain.domain.com.key    	
	SSLCertificateChainFile /etc/httpd/conf.d/intermediate_cl1_ca.pem    
	SSLCACertificateFile /etc/httpd/conf.d/root_ca.pem    
	ProxyPass / http://10.10.0.10/    
	ProxyPassReverse / http://10.10.0.10/
</VirtualHost>

But I am ignoring the Template-Stuff of Nethserver doing this.

Port 80:
The configuration redirects every request to Nethserver that is to the domain subdomain.domain.com to my server 10.10.0.10 and passes also the HTTP-Header.

Port 443:
If a query to subdomain.domain.com is to the Nethserver, it will forward the HTTPS-Request as an HTTP-Request to my Webserver 10.10.0.10. The HTTP-Answer will be “converted” to an HTTPS-Answer by the ReverseProxy (=Nethserver) and send back to the Client.
The infrastructure for this scenario is
Client => HTTPS => Nethserver => HTTP => Webserver
So the Webserver don’t need to be configured to do something with HTTPS (except you are using Tomcat in some cases as I figured out). You need valid SSL-Certificates for the HTTPS stuff.

Thats how I did it.

PS:
You can repeat the config above for each (sub)domain you have. Just change the “ServerName”-Parameter. The first config that matches your Parameters will be processed by the build in Apache in Nethserver.

PPS:
After you updated the .conf-File you have to execute this command at the console of Nethserver:
signal-event nethserver-httpd-update

3 Likes

If someone need info on proxy pass, take also a look to the manual :wink: http://docs.nethserver.org/en/latest/proxy_pass.html

2 Likes

This is where I started

2 Likes

Looking forward adding it to the WebUI you should create a new doc about it :slight_smile:

1 Like

Hi Gabriel,
Virtual hosts is not Reverse proxy. Virtual hosts are different than Reverse proxy even if in some functionality they can behave the same

A reverse proxy can “fetch” information from internal servers and then serve this information to the internet clients on requests, as if itself was the content provider.

Reverse proxy can be used for balancing request to multiple internal servers for example.

Virtual Hosts are multiple “different” directories under the same apache / nginx / tomcat server.
Even if the pages are served from the same server they are in different folders and can be associated with different DNS hosts or domains.

By “different” i mean that for each host/domain (URL) that the server is queried, you can define the options on what to serve, what is the folder for serving the information, type HTTP or HTTPS or other options.

For example www is a different host or can be an alias of the original FQDN of NethServer. Either it can be defined to serve different content (from a specified distinct folder) or it can be the same folder as /srv/www

I have made those clarifications as not to confuse the roles of the VHOSTS and Rev. Proxies.

Hope this helps :slight_smile:

2 Likes

Hi Bogdan,

Thank you for your clarifications.

I will give an example and I will put at the end two questions and I will explain why:

I understand that the problem is to use one public IP for publishing different hosts, something like this:

Let’s say that the WAN IP is 91.195.63.5.
We have different domains, registered into a external name server, which are pointing to this IP:
http://www.mydomain.com
http://www.mydomain2.com
http://www.mydomain3.com
https://mail.mydomain.com
https://mail.mydomain2.com
https://mail.mydomain3.com

We have two servers in DMZ (or even one, it’s the same thing):

  • for web hosting: 10.0.0.2
  • for mail hosting: 10.0.0.3

To reach www or mail from WAN (RED) to DMZ (ORANGE) we must create rules through NS firewall (portforwarding), something like this (short version):

for www.mydomain.com: rule 1: RED (91.195.63.5) -> ORANGE (10.0.0.2:80)
for www.mydomain2.com: rule 2: RED (91.195.63.5) -> ORANGE (10.0.0.2:80)
for www.mydomain3.com: rule 3: RED (91.195.63.5) -> ORANGE (10.0.0.2:80)
for mail.mydomain.com: rule 4: RED (91.195.63.5) -> ORANGE (10.0.0.3:443)
for mail.mydomain2.com: rule 5: RED (91.195.63.5) -> ORANGE (10.0.0.3:443)
for mail.mydomain3.com: rule 6: RED (91.195.63.5) -> ORANGE (10.0.0.3:443)

When I had this situation, no matter what I wanted to reach, worked only for the first rules from each categories (rule 1 and rule 4).

As far I have used MS ForeFront TMG or even ISA Server, it worked.
When I have replaced MS ForeFront with SOPHOS (Trial) it worked.
When I have replaced MS ForeFront with Endian Community it doesn’t worked.
At that time, I understand that I need to use Reverse Proxy.

We are lucky and we have own public subnet and I used for WAN 2 additional IP adresses, with proper register in external name server:

www. mydomain.com and mail.mydomain.com pointing to 91.195.63.5
www. mydomain2.com and mail.mydomain2.com pointing to 91.195.63.6
www. mydomain3.com and mail.mydomain3.com pointing to 91.195.63.7

and:

for www.mydomain.com: rule 1: RED (91.195.63.5) -> ORANGE (10.0.0.2:80)
for www.mydomain2.com: rule 2: RED (91.195.63.6) -> ORANGE (10.0.0.2:80)
for www.mydomain3.com: rule 3: RED (91.195.63.7) -> ORANGE (10.0.0.2:80)
for mail.mydomain.com: rule 4: RED (91.195.63.5) -> ORANGE (10.0.0.3:443)
for mail.mydomain2.com: rule 5: RED (91.195.63.6) -> ORANGE (10.0.0.3:443)
for mail.mydomain3.com: rule 6: RED (91.195.63.7) -> ORANGE (10.0.0.3:443)

How can you do all this with only one IP?
With Reverse Proxy or with Virtual Host?

I ask because I don’t want to make again the same mistake to put the wrong question or to give the wrong answer.

TIA,
Gabriel

1 Like

Hi Gabi,
There are different things to consider here.

You must first add into NS DNS the domain(s) that you want to manage. (domain.com)
This way the queries for host.domain.com can be managed and translated by NS

Where HOST is the hostname that you assign for the server in the DMZ

Then you add for example a rule for HTTP and HTTPS in port forward like this.

Any -> host.domain.com on port 80, Forward to 10.0.0.2 Port 80
Any -> host.domain.com on port 443, Forward to 10.0.0.2 Port 443

This is redirect for any queries in the RED interface of the NS for host to the internal web server in the DMZ.

As you can see here there was no Vhost used.
If you do not want to have several servers in LAN or DMZ to serve your queries but instead you want to use NS as serving server you have to define Vhosts.

First you create aliases for the NS in the DNS section.
For example if your NS server Is named SRV001. and you want to add a www and webmail hosts you
create aliases to SRV001 alias -> WWW and SRV001 alias ->WEBMAIL

This will make all the queries for www.domain.com and webmail.domain.com to be the same as for SRV001.domain.com.

Then, you will have to let apache know about the two extra hosts that you added. WWW and WEBMAIL.

You define your virtual hosts like this

<VirtualHost *:80>
    ServerName www.domain.com
	ServerAlias domain.com
	DocumentRoot /path_to_the_directory_containing_the_files/WWW_directory
</VirtualHost>

<VirtualHost *:80>
    ServerName webmail.domain.com
	DocumentRoot /path_to_the_directory_containing_the_files/WEBMAIL_directory
</VirtualHost>

In short this should be it.
You can define different domains in NS and also define different hosts aliases for the same public IP.

Also in virtualhosts you can define the port 80 or 443

I have not tried this myself on NS but this should be the same

For mails you do not need vhosts unless you want to serve web based email services (Roundcube, Squirrel or OWA).
Otherwise A simple DNS and AAA or CNAME setting in DNS should be enough (and MX). :slight_smile:

Hope this helps.
If anyone can bring more information or has seen something not correct in this post please correct me so we do not share wrong information!!

2 Likes

I’m working on dokuwiki to use directly the domain name https://toto.com instead of https://toto.com/dokuwiki

this is my virtualhost for example (in /etc/httpd/conf.d/dokuwiki.conf)

<VirtualHost *:80>
ServerName toto.com
DocumentRoot  /usr/share/dokuwiki/
Redirect permanent / https://toto.com/
</VirtualHost>


<VirtualHost *:443>
SSLEngine on
ServerName toto.com
DocumentRoot  /usr/share/dokuwiki/

<Directory /usr/share/dokuwiki>
    AllowOverride None
    Options +FollowSymlinks
    AddType application/x-httpd-php .php
    Order Allow,Deny
    Allow from all
    php_admin_value memory_limit 200M
    php_admin_value upload_max_filesize 200M
    php_admin_value post_max_size 200M
    php_admin_value upload_tmp_dir /var/lib/dokuwiki/data/tmp
    php_admin_value session.save_path /var/lib/dokuwiki/data/tmp
</Directory>

<Directory /usr/share/dokuwiki/inc>
    Order Deny,Allow
    Deny from all
</Directory>

<Directory /usr/share/dokuwiki/inc/lang>
    Order Deny,Allow
    Deny from all
</Directory>

<Directory /usr/share/dokuwiki/lib/_fla>
    ## no access to the fla directory
    Order allow,deny
    Deny from all
</Directory>

## no access to the conf directory
<Directory /etc/dokuwiki>
    Order allow,deny
    Deny from all
</Directory>
<Directory /usr/share/dokuwiki/conf>
    Order allow,deny
    Deny from all
</Directory>

## no access to the data directory
<Directory /usr/share/dokuwiki/data>
    Order allow,deny
    Deny from all
</Directory>
<Directory /var/lib/dokuwiki>
    Order allow,deny
    Deny from all
</Directory>

</VirtualHost>

Hi Bogdan,

Sorry but I’m a bit confused and I think I was not clear enough in last post. Because of that, I drew a diagram.

All hosted domains are managed by an external Name Server (ns1.md.com). In this case why is necessary to add again in NethServer DNS, which act like a Proxy Server (utm-ns.dn.com / 91.195.63.5), all those domains?

The only thing that I must to do is to create rules for HTTP and HTTPS in port forward like you said:

Any -> www.md.com on port 80, Forward to 10.0.0.2 Port 80
Any -> www.md1.com on port 80, Forward to 10.0.0.2 Port 80
Any -> www.md2.com on port 443, Forward to 10.0.0.2 Port 443
Any -> mail.md.com on port 443, Forward to 10.0.0.3 Port 443
Any -> mail.md1.com on port 443, Forward to 10.0.0.3 Port 443
Any -> mail.md2.com on port 443, Forward to 10.0.0.3 Port 443

AFAIK, you cannot do port forward for one public IP address to the same port for more than one time.
(I did that in Endian but did not worked with only one public IP on the RED Interface, because for the free edition Reverse Proxy is not available. For this reason, I configured additional public IP addresses on RED Interface, I have changed the settings for domains in ns1 and after that, it worked.)

From your response I understand that when you have several servers in DMZ for different services, Vhost is not used and when you have a single server, which is acting as All In One, Vhost and Aliases must be used. Am I wrong?

So, using NethServer as Proxy Server with one single public IP on RED and with several servers in DMZ for different services, which are the settings that must be done to work this configuration?

I hope this time I am more clear.

BR,
Gabriel

Hi Gabriel,

Yes this is correct.

In your case you say that an external NS is resolving the domains for md.com, md1.com and md2.com.
But what IP’s have you put in that record ?
If you put the domain - IP’s to point to the NethServer RED interface then all the queries will expect to get information from Nethserver. But Nethserver will have to know to whom to forward the queries down the path.

If there is no DNS entry in Nethserver that pairs the domain with a specific IP, Nethserver will not know what to do with the information requests and NS will not forward any requests to the internal DMZ.

You have to declare your internal hosts in the DNS part of Nethserver so that he will now exactly to what DMZ host to forward the queries.
Otherwise it will not be possible to forward the correct request to the right host. Because it will not know to what host to forward.

Let’s take this as an example.
I’m asking your office colleague (This is the Name Server) for a X document.
He is pointing to you as the one who handles that request. (He resolves the Name for that query to your IP )
When i get to you I, ask you about X document. (I have reached Nethserver Red IP and ask for md.com).
If you have no DNS entries AND no port forward you will say:
“I have no knowledge of that document or where is stored” (Because NS does not know about the hosts or domain MD.com)
If you only have Port forwarding but no DNS resolution:
You say “wait I’ll forward your request to an internal worker” (Port forward to one internal host but no name resolution).

This will be 50% chance that the request will be sent to the correct host or not.

Because Nethserver will not try all the redirects for port 80. Only the first port forward will work.

In your setup you have made a 1:1 port forward for multiple RED IP addresses. It is like resolving Name queries manually.

I suggest that you assume ns1.md.com is working exactly like the rotld registar.

Rotld Itself does not solve any host IP, but he is pointing to a DNS system that should. You have added one more DNS that points to the Nethserver (Nethserver should solve the host to IP queries) and should also act as a forwarder

Hope this helps. I’m not sure I made myself clear but if you have more question drop me an PM and we can talk on the phone.

Hi Bogdan,

In those records, you put the public IP of the NethServer RED Interface; in this example, 91.195.63.5

In NethServer (utm-ns.md.com) → Configuration → DNS → DNS Servers → Primary DNS you will put the ns1.md.com IP address (for example, let’s say: 91.195.63.2). All requests will be solved by ns1.md.com. It’s that correct?

My problem is how to get to work this scenario with NethServer as Proxy, with a single public IP on RED Interface.
In this moment, for me, it works with Endian as Proxy/UTM with all settings that I mentioned till now.

Gabriel

No this wont work.
This way NS is just a “forwarder” but for queries from lan.
there are two components for DNS in Nethserver.

1 is the DNS query (upstream so to speak)
2 are the DNS entries for what Nethserver is responsable ( this is the part that you are intersted in)

The first part is the same DNS setting that you will find in home router.
This tels to the NethServer to send queries to a nother NameServer.

if you take this example you will see the logic.

( NameServer for md.com) -----> ( Nethserver "who is md.com ?") ----> let's ask NameServer for md.com ---|
       ^--------------------------------------------------------------------------------------------------

1 You declare the domain in the NS.md.com. and tell that “x” Ip is for that domain (ok for now)
2 Ip “x” is directing to Nethserver. (ok for now)
3 Nethserver is set up to ask for name resolution for the Domain MD.com to the NameServer NS.md.com (Not OK !)
it goes back again to the Nameserver of domain MD.com server because he does not know about domain MD.com !

so basically you have NethServer ask again the Nameserver. You create a loop.

Question:
Why you do not want to set up DNS on Nethserver to solve the md.com and other domains ??
You are making all sorts of tricks, to resolve DNS queries and jump trough a lot of hoops to solve something that in the end will be just a manual DNS solver? (if it works…)

Thank you for your patience!

You are right! My mistake. In my drawing, I didn’t showed the LAN section because this is not the problem.

As I said, with additional public IPs added to RED Interface and only with Port Forwarding (DNAT) it works with Endian.

Questions:

  1. In the same mod (same settings), if I replace Endian with NethServer will work?
  2. Which are the settings that must be made on NethServer if will replace Endian and I have a single public IP (any other parts in this scenario remaining untouched).

BR,
Gabriel

PS:
I will send a PM to you.

yes this it will work
Because on the NS.md.com you have specified each domain with another IP.
And on NS you have declared on RED those IP’s
And then you have made port forward 1:1 on those public IP’s to inside DMZ.

All this can be replaced with:
1 declare on the NS.md.com the RED ip of the Nethserver for all domains
2 On Nethserver add the hosts from DMZ into the DNS section (not the forwarder) This will turn Nethserver into DNS authoritative master for that domains
3 allow DNS queries to be received on RED interface (firewall)
4 make the port forward from red to the DMZ based on what host is asked on the RED interface of Nethserver

1 Like

After the “phone meeting” with you, finally I understood how DNS section (Hosts, Server alias, and Domains) it works.

Thank you again!

CC: @alefattorini

I’m sure that the section Domains needed to be moved from Mail area to DNS area.