What's the simplest way to redirect http/https to another ip from samba dc?

domain
samba4
v7

#1

NS 7.4 set up as local dc, company.com is the domain, used for users, email, file sharing and web.
Local machines logged into the dc need to be redirected to another server for http/https.
What’s the simplest, easiest way to do this with the minimum of module installs?
There are several ways to do this, but I am thinking of an easy, best practice for Nethserver.

If there’s a previous discussion of this I haven’t seen, please point me to that.


(Johan Wauters) #2

You can add a record in DNS for any local ‘redirect’ you want. Works well unless your users have the habit of using IP addresses instead of URLs :slight_smile:


(Markus Neuberger) #3

What about just creating /var/www/html/index.php with following content

<?php
  // Sends an HTTP 302 response with a Location header; nothing may be
  // output before header(), and exit stops the script after the redirect.
  header('Location: https://192.168.1.1');
  exit;
?>

or a minimal /var/www/html/index.html with

<meta http-equiv="refresh" content="0; URL='https://192.168.1.1'" />

Simple, NethServer compatible, still being able to reach NS webapps like “https://REDIRECTINGNETHSERVER/nextcloud” for example and works if users use IPs.
Doesn’t work when browsing to a specific web path like “http://REDIRECTINGNETHSERVER/somepath”.
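Added example (my own code, not Markus's snippet or anything shipped with NethServer): both snippets above only fire for the document root, which is why a deeper path is not redirected. The standard-library server below answers every GET under the root with a 302 whose Location header carries the original path and query over to a fixed destination, so `/somepath` on the redirecting host becomes `/somepath` on the target. `https://192.168.1.1` is the thread's placeholder destination and is hard-coded on purpose: taking the target from the request would turn the page into an open redirect. The trade-off is that a catch-all like this no longer leaves NethServer's own web apps such as /nextcloud reachable on that host.

```python
"""Path-preserving HTTP redirect (added example, not code from the thread)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder from the thread; replace with the real target host.
DESTINATION = "https://192.168.1.1"


def redirect_location(destination: str, request_target: str) -> str:
    """Build the Location value: the destination's scheme and host, the
    request's own path and query. Only path and query are taken from the
    request, so an absolute-form target cannot change the host."""
    dest = urlsplit(destination)
    if dest.scheme not in ("http", "https") or not dest.netloc:
        raise ValueError("destination must be an absolute http(s) URL")
    req = urlsplit(request_target)
    path = req.path or "/"
    return urlunsplit((dest.scheme, dest.netloc, path, req.query, ""))


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # 302 keeps browsers from caching the redirect while you are testing;
        # switch to 301 once the move is permanent.
        self.send_response(302)
        self.send_header("Location", redirect_location(DESTINATION, self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET  # HEAD gets the same headers and no body

    def log_message(self, *args):  # keep the example quiet
        pass


def probe(request_target: str):
    """Start the redirector on a free loopback port, request one target,
    and return (status, Location). http.client does not follow redirects,
    so the raw response is what comes back."""
    import threading
    from http.client import HTTPConnection

    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", request_target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(probe("/somepath?x=1"))  # (302, 'https://192.168.1.1/somepath?x=1')
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

Unlike the meta-refresh page, which returns 200 and leaves the redirect to the browser, the header-based form shows up in the access log as a 302, so you can see at a glance which clients are still hitting the old host.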


#4

If you do that, it redirects everything… like ldap… which is bad.


(André Wismer) #5

@fasttech

Another option would be to use the Reverse proxy to redirect your users.

It depends on the reasons for redirecting:
If the content is specifically stored on another server for storage and accessibility reasons, not to reduce traffic on the primary host, this would be quite usable, I’m actually using this for productive clients.

I actually have a productive server running here, which redirects any Swiss access (.ch) to the proper server, running somewhere in Italy. It’s not only running in Italy, the Italian state is actually running and paying for this!
But almost all access is via a Reverse proxy running on a SME-Server, soon to be replaced with a NethServer.

Advantages: One simple module from software center, one URL to redirect…
And all the web-stats available locally.

Actually, the old Proxy-Pass contrib in SME-Server was a bit more powerful than the NethServer’s Reverse Proxy.
I haven’t been able to redirect a whole domain, only a directory with NethServer.

A reverse proxy doesn’t interfere with any existing DNS stuff or anything other than http/https.
You can make additional DNS entries to ease naming/access, but it’s usually not even necessary.

Example:
At all clients using NethServer, http and https are routed to the NethServer by the firewall.
I’d like external clients to reach anything on the nethserver, but also the monitoring server (Zabbix or Nagios).
The external DNS points both entries to the gateway, which itself forwards all http/https to the Nethserver.

External DNS looks like this:

nethserver.your-domain-name.com   IN CNAME gw.your-domain-name.com
zabbix.your-domain-name.com       IN CNAME gw.your-domain-name.com
gw.your-domain-name.com           IN A     12.34.65.78     ; your external IP

The Nethserver points all access to the URL /zabbix/ to the internal server at:
http://192.168.123.29/zabbix/ (The IP of your monitoring server)

This also has the advantage that your monitoring server doesn’t have to worry about SSL. You can use LetsEncrypt SSL on your Nethserver - the reverse proxy will use SSL to encrypt / decrypt the packages en route…
(This means using https://nethserver.your-domain-name.com/zabbix/ internally and externally for SSL - still a limitation of LetsEncrypt 'til 2018 Q1…)

Internally, I’d like to access the nethserver for almost everything except the monitoring server (Zabbix), which I’d like users to reach directly. (If the Nethserver is down, the people in-house can still see in the monitoring system what’s down!)

So Internal DNS looks like this:

nethserver.your-domain-name.com   IN A     192.168.123.20  ; IP of Nethserver
zabbix.your-domain-name.com       IN A     192.168.123.29  ; IP of monitoring / Zabbix server
gw.your-domain-name.com           IN A     192.168.123.1   ; your gateway’s internal IP

Using internal and external DNS to achieve different things is known as split DNS…
Your internal DNS should be able to resolve even every network printer in house, the external DNS doesn’t need any internal printer entries.

-> External DNS is not allowed to use internal IPs like 10.x.x.x, 172.16.x.x-172.32.x.x, 192.168.x.x

My 2 cents…

Andy
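Added example (my own, not Andy's configuration or a NethServer tool): a small check for the split-DNS layout described in this post. It reads zone lines in the shape used above (`name IN A|CNAME value`, optional `;` comment), then reports external records that leak private (RFC 1918) addresses, CNAMEs that point at a name the same zone does not define, and public names that have no internal answer, which is the case that makes in-house clients hairpin through the gateway. The zone text is constructed from the post's placeholder names and addresses, not real hosts.

```python
"""Split-DNS hygiene check (added example, not code from the thread)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the post's placeholders; the external view must only
# carry public addresses, the internal view answers with LAN addresses.
EXTERNAL_ZONE = """
nethserver.your-domain-name.com   IN CNAME gw.your-domain-name.com
zabbix.your-domain-name.com       IN CNAME gw.your-domain-name.com
gw.your-domain-name.com           IN A     12.34.65.78     ; external IP
"""

INTERNAL_ZONE = """
nethserver.your-domain-name.com   IN A     192.168.123.20  ; Nethserver
zabbix.your-domain-name.com       IN A     192.168.123.29  ; Zabbix
gw.your-domain-name.com           IN A     192.168.123.1   ; gateway LAN side
"""


def parse_zone(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each owner name to (type, value). Assumes the four-field layout
    used in the post (no TTL or class-less lines); blank lines and ';'
    comments are ignored, names are lower-cased without trailing dots."""
    records: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "IN":
            raise ValueError(f"unexpected zone line: {raw!r}")
        name, _, rtype, value = parts
        records[name.rstrip(".").lower()] = (rtype.upper(), value.rstrip(".").lower())
    return records


def check_external_zone(zone: Dict[str, Tuple[str, str]]) -> List[str]:
    """Flag private addresses and dangling CNAMEs in the public view."""
    problems = []
    for name, (rtype, value) in zone.items():
        if rtype == "A" and ipaddress.ip_address(value).is_private:
            problems.append(f"{name}: A {value} is a private address in the external view")
        if rtype == "CNAME" and value not in zone:
            problems.append(f"{name}: CNAME target {value} is not defined in this zone")
    return problems


def check_views(external: Dict[str, Tuple[str, str]],
                internal: Dict[str, Tuple[str, str]]) -> List[str]:
    """Every name published externally needs an internal answer as well;
    otherwise LAN clients resolve the public IP and go out via the gateway."""
    return [f"{name}: present in external view but missing internally"
            for name in sorted(set(external) - set(internal))]


def run_checks(external_text: str, internal_text: str) -> List[str]:
    external = parse_zone(external_text)
    internal = parse_zone(internal_text)
    return check_external_zone(external) + check_views(external, internal)


if __name__ == "__main__":
    for problem in run_checks(EXTERNAL_ZONE, INTERNAL_ZONE) or ["no problems found"]:
        print(problem)
```

Run it against the two zone texts as shown and it reports nothing; drop the `gw` A record from the external view, or put `192.168.123.1` there, and the corresponding line appears.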


(Johan Wauters) #6

Not if LDAP has its own DNS entry. Using DNS entries instead of IP addresses makes everything more reliant on the DNS service, but you gain flexibility.


(André Wismer) #7

@trobbelke

Quite right! You can use LookupTable-Magic to direct clients to the right host. Flexibility!

But then - does ANYTHING really work without DNS?
This way, you see DNS errors right away.

Besides which, if anyone doesn’t understand the basics of DNS, that person should NOT be configuring a UN*X / Linux Server, much less anything to do with Gateway and Internet or DNS / DHCP.

Sure you can ssh to any server on the Internet - if you know its IP address!
But mail or Web using IP? More than half of the Internet is name-based virtual hosting, using an IP won’t get you the right webpage. And mail doesn’t work on IP, that needs DNS, nowadays even more so because of spam and checking reverse-lookup DNS.

OK, I happen to be a DNS guru, as other people claim…
But the days you could use a simple hosts file on the internet are long over!

-> DNS isn’t THAT difficult, once you grasp the basic forward and reverse concepts.
I’ve set up plenty of Microsoft ADs, but NONE use a .local domain! All use real live DNS domains!
OK, IPv6 does make things a bit more difficult, but IPv4 basic dns knowhow is a must for anyone managing a LAN / Router / Servers!

My 2 cents
Andy


#8

So, Nethserver is not for noobs then?


(André Wismer) #9

@fasttech

As easy as it is, as stable as it is, yes!

Nethserver is definitely also for Noobs.

I’ve motivated three friends, all non-IT guys, to set up and use a NethServer as a Home-Server.

BUT:

If it’s your Job, or you charge money for services, then I expect you to know what you’re doing!
I think every car driver should have driving lessons, yes. But I’d rather have a seasoned and fair cab driver than one who doesn’t give you confidence as a guest…

:wink:


#10

Well, this post was about the simplest way, from a Nethserver best practice standpoint, there was nothing in my post or your comment about the qualifications of the user, whether they’re a highly educated and experienced expert (you, I guess), a home user, a noob or just someone who was thrust into IT management because they’re the only one on staff who “knows computers”.


#11

At this point I would like this post deleted.

When I have time, I will come up with a best practice and post it to the wiki. If the “experts” don’t like it, too bad.


(André Wismer) #12

Sry, didn’t mean to argue…

My bad!

If you’re forced into something you didn’t choose, it’s not really your job, even though you’re the one actually doing it.