webserver / network setup

hello
I have been tasked with the following:
domains:
             abc.com
             def.com
             ghi.com
             jkl.com

internet connections:
           cable 24.24.24.24

machines:
         webserver1       standard LAMP  192.168.1.100
         webserver2       standard LAMP  192.168.1.101

what i need to do is have on webserver1   abc.com and def.com
                                               webserver2  ghi.com  and  jkl.com

external DNS is pointing all 4 domains to  24.24.24.24

How do I get abc.com and def.com to resolve to webserver1 and ghi.com and jkl.com to resolve to server2.  Port forwarding of 80 is on but that only goes to webserver1.  I was thinking about an internal DNS server but how do you get the domains to resolve to the correct internal server?  

Is there a better way of doing this? I have thought about getting multiple IP's but if it can be done without doing that it would be better.

Thanks for the help
knightdogsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kerem ERSOYPresidentCommented:
Hi,

What you would do is:

- Setup your router to point to your webserver1 (192.168.1.100) via NAT
- Setup your webserver1 and add 4 virtual domains:
  abc.com
  def.com
  ghi.com
  jkl.com
- Setup your webserver2 and add 2 virtual domains:
  ghi.com
  jkl.com
- Add proxy module to your webserver1and define reverse proxying to ghi.com and jkl.com to reverse proxy to webserver2
 
0
Kerem ERSOYPresidentCommented:
Notes on the above solution:
-Since the basic structure you will use would be reverse NAT (Mapping an internal servers Port 80 to your outside interface's 80 port) it is not possible to direct it to an internal DNS and respond it from there.
- Apache HTTP solution is a name based virttual hositng solution in that you have one address and several domains. They are identified decoding the request and seeing what site the request has been made and direct the request to that folder so the correct page is served.

So once the NAT operation of mapping webserver1 :80 to your cable IP's port 80 go edit the configuration file for the webserver1 apache configuration locate this line:

NameVirtualHost *:80

and add these lines under the statement:



### webserver1 Begin ###
<VirtualHost *:80>
    ServerAdmin root@abc.com.tr
    DocumentRoot /var/www/html/abc.com
    ServerName www.abc.com
    ErrorLog logs/abc.com-error_log
    CustomLog logs/abc.com-access_log common
</VirtualHost>
 
<VirtualHost *:80>
    ServerAdmin root@def.com.tr
    DocumentRoot /var/www/html/def.com
    ServerName www.def.com
    ErrorLog logs/def.com-error_log
    CustomLog logs/def.com-access_log common
</VirtualHost>
 
 
<VirtualHost *:80>
  ServerName www.ghi.com
  ServerAlias www.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://ghi.webserver2.sec/
  ProxyPassReverse / http://ghi.webserver2.sec/
  DocumentRoot /var/www/html/ghi.com 
  Errorlog logs/www.ghi.com-log
  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>
 
<VirtualHost *:80>
  ServerName www.jkl.com
  ServerAlias www.jkl.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://jkl.webserver2.sec/
  ProxyPassReverse / http://jkl.webserver2.sec/
  DocumentRoot /var/www/html/ghi.com 
  Errorlog logs/www.jkl.com-log
  CustomLog logs/www.jkl.com-access_log combined
</VirtualHost>
#### webserver1 end ####

Open in new window

0
Kerem ERSOYPresidentCommented:
Then go to webserver2 edit the httpd.conf and locate namvirtualhost directive and enter these lines under it:
#### webserver1 begin ####
<VirtualHost *:80>
    ServerAdmin root@ghi.com
    DocumentRoot /var/www/html/ghi.com
    ServerName www.ghi.com
    ErrorLog logs/ghi.com-error_log
    CustomLog logs/ghi.com-access_log common
</VirtualHost>
 
<VirtualHost *:80>
    ServerAdmin root@jkl.com.tr
    DocumentRoot /var/www/html/jkl.com
    ServerName www.jkl.com
    ErrorLog logs/jkl.com-error_log
    CustomLog logs/jkl.com-access_log common
</VirtualHost>
 
#### webserver2 end ####

Open in new window

0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Kerem ERSOYPresidentCommented:
Ooops sorry. Please change the webserver1 settings this way. and place your ghi and jkl website files directly under webserver2 /apache_home/ghi and /apache_home/jkl.

This way you wont need to define virthosts in webserver2 and directly proxy the requests.


### webserver1 Begin ###
<VirtualHost *:80>
    ServerAdmin root@abc.com.tr
    DocumentRoot /var/www/html/abc.com
    ServerName www.abc.com
    ErrorLog logs/abc.com-error_log
    CustomLog logs/abc.com-access_log common
</VirtualHost>
 
<VirtualHost *:80>
    ServerAdmin root@def.com.tr
    DocumentRoot /var/www/html/def.com
    ServerName www.def.com
    ErrorLog logs/def.com-error_log
    CustomLog logs/def.com-access_log common
</VirtualHost>
 
 
<VirtualHost *:80>
  ServerName www.ghi.com
  ServerAlias www.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://webserver2/ghi
  ProxyPassReverse / http://webserver2/ghi
  DocumentRoot /var/www/html/ghi.com 
  Errorlog logs/www.ghi.com-log
  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>
 
<VirtualHost *:80>
  ServerName www.jkl.com
  ServerAlias www.jkl.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://webserver2/jkl
  ProxyPassReverse / http://webserver2/jkl
  DocumentRoot /var/www/html/ghi.com 
  Errorlog logs/www.jkl.com-log
  CustomLog logs/www.jkl.com-access_log combined
</VirtualHost>
#### webserver1 end ####

Open in new window

0
Kerem ERSOYPresidentCommented:
Here I am assuming that pinging webserver2 would resolve the internal address. If not add the appropriate doman extension such as webserver2.local etc. If you wan to access it just by name go and add an alias to your hosts file in webserver1 such as:


192.168.1.100    webserver1.sec webserver1      
192.168.1.101    webserver2.sec webserver2

This way you will be able to ping using just the name hence the above setting for reverseproxy requests will resolved to an ip.

Cheers,
K.
 

0
knightdogsAuthor Commented:
KeremE,

thanks for the quick response, I see what you are telling me to do. since this is a new setup i can change the port forwarding if i wanted to.  would i make more sense to turn off port forwarding?  if this keeps growing ( new domains keep getting added) then this solution might get a bit messy I would guess.

knightdog
0
Kerem ERSOYPresidentCommented:
Yeah but you can no eliminate port forwarding. Because all your requests come to a single IP address and when you get the request you dont have a URL but a HTTP request with embedded requested URL. So you'll need an application proxy to decode the URL request and forward the request to the required host. This can not be accomplished with DNS.

Your other alternatives are:
- Directing all requests to a reverse proxy and distributing the requsts to backend servers on requested URL.
- Creating a Web Cluster with a virtual IP address that will respond all incoming requests.

In each solution you'll be using the port forwarding to a single address whether it is a proxy for backend  web servers or a Cluster. Furthermore it is not easy to maintain an application Cluster in that it will require special administration and special hardware suches mulitpoint iSCSI connections etc.

If you want to keep it simple then use a reverse proxy and distribute load from there.
0
knightdogsAuthor Commented:
KeremE,

Do you have any suggestions on the reverse proxy option?

I would like to stay freeware if at all possiable and I use CentOS5 mainly



Knightdog
0
Kerem ERSOYPresidentCommented:
Hi,

My initial solution for webserver1 ghi.com, jkl.com were actually reverse proxy requests. So all you need is apache daemon for reverse proxying. Plese note the lines:

  ProxyPass / http://webserver2/jkl
  ProxyPassReverse / http://webserver2/jkl

These are doing the reverse proxying. In that solution you'l have a reverse proxy whic wil get all requests and depending on the request URL redirect them to backend webservers.

So in my original solution Webserver1 is reverse proxying ghi.com and jkl.com sites. You can use the conifguration snippet as a template.

Cheers,
K.

 
0
knightdogsAuthor Commented:
KeremE,

thanks for the help so far, i am trying to get it to work.  domain ghi.com is actually a nagios server which is https. I have changed the httpd.conf on server1 to reflect

<VirtualHost 192.168.1.72:80>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
#  DocumentRoot /var/www/html/ghi.com
#  Errorlog /var/www/vhosts/nagios/logs/error_log
#  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>

when you hit it directly
https://192.168.1.70/nagios   you get the login page for nagios.

I have edited the c:\windows\system32\drivers\etc\hostst  file and added      nagios.ghi.com  on my local testing workstation

now when you go to     https://nagios.ghi.com you get

Forbidden
You don't have permission to access / on this server.

did i miss a step?

knightdog
0
Kerem ERSOYPresidentCommented:
> now when you go to     https://nagios.ghi.com you get

As you have noticed our virtualhost is *:80 so virtualhost is listening to HTTP port not the HTTPS port.

So to access the site over the settings you'll need to change your URL so that it would be:

http://nagios.ghi.com 

Https will be between nagios and proxy. Client to proxy communication will be clear text.

If you want to access the https site you need to create another virtualhost for the port 443. Then setup SSL for your proxy.
0
Kerem ERSOYPresidentCommented:
If you want to proxy the request for ssl you need to put the reverse proxying request to your ssl.conf file so that the namevirtualhost vill be asigned to HTTPS (445)

the file should have

NameVirtualHost *:445  ( instead of *:80 )

<VirtualHost *:445>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
#  DocumentRoot /var/www/html/ghi.com
#  Errorlog /var/www/vhosts/nagios/logs/error_log
#  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>

I don't know on what distro you're installing LAMP on but if it is redhat based the file should be in /etc/httpd/conf.d/ssl.conf.

BTW dont change the VirtualHost name. So instead of this:

<VirtualHost 192.168.1.72:80>

Try to to keep:

<VirtualHost *:80>

So that you won't hard code the IP in your config and it will be easier to move to another system.

*:80 means that bind to the port 80 of all interfaces.

 If you specify a hard coded IP then make sure that NameVirtualHost  directive contains the same text.
0
knightdogsAuthor Commented:
KeremE,

please forgive me for asking the basic question:
1-remove
    <VirtualHost 192.168.1.72:80>
    ServerName nagios.ghi.com
    ServerAlias nagios.ghi.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://192.168.1.70/nagios
    ProxyPassReverse / https://192.168.1.70/nagios
    #  DocumentRoot /var/www/html/ghi.com
    #  Errorlog /var/www/vhosts/nagios/logs/error_log
    #  CustomLog logs/www.ghi.com-access_log combined
    </VirtualHost>

from webserver1   /etc/httpd/conf.d/httpd.conf  file

2- add to webserver1
<VirtualHost *:445>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
#  DocumentRoot /var/www/html/ghi.com
#  Errorlog /var/www/vhosts/nagios/logs/error_log
#  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>

in file  /etc/httpd/conf.d/ssl.conf  file
0
Kerem ERSOYPresidentCommented:
so what is the question here? :)

My suggestions were:
- Don't use <VirtualHost 192.168.1.72:80> but use <VirtualHost *:80> as your NameVirtualHost *:80 directive suggests. The notation with ip addresses were for the older version of Apache when it was lacking the option *.

- If you want to get the resulting site in HTTPS rather than HTTP then put the webserver1 virtualhost directive in your SSL configuration file. But the place off this file is varying depending on the distro you use. So I'd just give an example from RedHAT / Fedora / CentOS. Where this file resides in /etc/httpd/conf.d/ssl.conf. Please locate the actual place in your distro.

0
knightdogsAuthor Commented:
KeremE,

on webserver1(CentOS5.2) I have added to /etc/httpd/conf.d/ssl.conf

<VirtualHost *:445>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
</VirtualHost>

I get the warning page when i go there and i have to add an exception for the certificate and then i get

Forbidden
You don't have permission to access / on this server.
0
knightdogsAuthor Commented:
KeremE,

Did I say something wrong?


knightdog
0
Kerem ERSOYPresidentCommented:
Oops I've mae a typo I guess. Please change this:
<VirtualHost *:445>

into

<VirtualHost *:443>

and please add this line before the corrected line:

NameVirtualHost   *:443
0
Kerem ERSOYPresidentCommented:
So the final version should read:

NameVirtualHost   *:443
      
<VirtualHost *:443>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
</VirtualHost>


0
Kerem ERSOYPresidentCommented:
These lines must be placed after:
<VirtualHost _default_:443>
.
.
.
</VirtualHost>

Stanza. BTW I'm using a similar solution. So I'm sure this is working :)
0
knightdogsAuthor Commented:
it is still giving me the error

would it be possiable to IM outside of here to go a little bit deeper into this?  

gomi69 at hotmail dot com

knightdog
0
knightdogsAuthor Commented:
I am still getting the error:

Forbidden
You don't have permission to access / on this server.
0
Kerem ERSOYPresidentCommented:
Ok lets see:

- First of all you won't like to  reverse proxy https://192.168.1.70/nagios because it would always return the HTTPS certificate from the server and since it will not reolve your outside web it will be alaost always get a certificate mismatch. Also since the communication will be in intranet between nagios server and your reverse proxy you wont need https. So change it to http instead.

- Secondly the url you specify your server is https://192.168.1.70/nagios and this is not interpreted by the server. So what you are trying to get from the backend server is actually https://192.168.1.70/nagiosindex.html which will always result in a page 404 error.  So please change the url to this:
http://192.168.1.70/nagios/

- Lastly reenable the log lines that I've proposed earlier but you've commented ou and eventually removed:

DocumentRoot /var/www/html/ghi.com
Errorlog  logs/https-www.ghi.com-error_log
CustomLog logs/https-www.ghi.com-access_log combined

How would you know what went wrong if you've disabled the logs?
0
knightdogsAuthor Commented:
KeremE:
please forgive the late response on this.  can you give me a hand with this again?

here is the setup ( back to basic )

external ip forwarded to front end webserver

<VirtualHost *:80>
ServerName abc.org
ServerAlias abc.org
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.168.2.220/abc.org
ProxyPassReverse / http://192.168.2.220/abc.org
DocumentRoot "/var/www/vhosts/abc.org/public_html"
Errorlog logs/http-www.abc.org
CustomLog logs/http-www.abc.org combined
<Directory "/var/www/vhosts/abc.org/public_html">
allow from all
Options +Indexes
</Directory>
</VirtualHost>

backend web server

<VirtualHost *:80>
DocumentRoot "/var/www/vhosts/abc.org/public_html"
ServerName abc.org
<Directory "/var/www/vhosts/abc.org/public_html">
allow from all
Options +Indexes
</Directory>
</VirtualHost>


when i enter in www.abc.org into my web browser (fire fox) i get:
Not Found

The requested URL /abc.org was not found on this server.
Apache/2.2.3 (Red Hat) Server at abc.org Port 80


thanks for the help
0
Kerem ERSOYPresidentCommented:
No Problem :)

First of all what you're requesting  from your back-end server through your front end is:

http://192.168.2.220/abc.org

But your backend server has a root at:

/var/www/vhosts/abc.org/public_html

so probebaly it is where you have your index.html

but you are requesting:

http://http://192.168.2.220/abc.org

which basically means:

http://192.168.2.220/abc.org/index.html 

So you're looking for a directory under your root over your backend !! Do you really have it ?

If not please remove the aoc.org from the end fo your request.

 

0
knightdogsAuthor Commented:
if i edit my host file (windows machine) and add the entry
192.168.2.220  www.abc.org

and open up a web browser and enter in  www.abc.org it goes to the back end server.

what do you mean "remove the abc.org from the end of your request"
0
knightdogsAuthor Commented:
so this is still not working for me from outside on the internet
0
Kerem ERSOYPresidentCommented:
Your forntend erver requests a page from here:

http://192.168.2.220/abc.org

on your backend server you can reach your home page with:

http://192.168.2.220   not  http://http://192.168.2.220/abc.org

So go to you frontend server and remove ab.corg from the ProxyPass and ProxyPassReverse statements !!!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
knightdogsAuthor Commented:
Thank you for you help and time this took.  I am sorry it took so long
0
Kerem ERSOYPresidentCommented:
You're welcome :) It is OK.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Servers

From novice to tech pro — start learning today.