knightdogs

webserver / network setup

Hello,
I have been tasked with the following:
domains:
             abc.com
             def.com
             ghi.com
             jkl.com

internet connections:
           cable 24.24.24.24

machines:
         webserver1       standard LAMP  192.168.1.100
         webserver2       standard LAMP  192.168.1.101

What I need to do is have abc.com and def.com on webserver1,
and ghi.com and jkl.com on webserver2.

external DNS is pointing all 4 domains to  24.24.24.24

How do I get abc.com and def.com to resolve to webserver1 and ghi.com and jkl.com to resolve to server2? Port forwarding of 80 is on but that only goes to webserver1. I was thinking about an internal DNS server but how do you get the domains to resolve to the correct internal server?

Is there a better way of doing this? I have thought about getting multiple IPs but if it can be done without doing that it would be better.

Thanks for the help
Kerem ERSOY

Hi,

What you would do is:

- Setup your router to point to your webserver1 (192.168.1.100) via NAT
- Setup your webserver1 and add 4 virtual domains:
  abc.com
  def.com
  ghi.com
  jkl.com
- Setup your webserver2 and add 2 virtual domains:
  ghi.com
  jkl.com
- Add the proxy module to your webserver1 and define reverse proxying so that ghi.com and jkl.com are reverse proxied to webserver2
 
Notes on the above solution:
- Since the basic structure you will use would be reverse NAT (mapping an internal server's port 80 to your outside interface's port 80), it is not possible to direct it to an internal DNS and respond to it from there.
- The Apache HTTP solution is a name-based virtual hosting solution in that you have one address and several domains. They are identified by decoding the request and seeing which site the request has been made for, and the request is directed to that folder so the correct page is served.

So once the NAT operation of mapping webserver1:80 to your cable IP's port 80 is done, go edit the configuration file for the webserver1 Apache configuration and locate this line:

NameVirtualHost *:80

and add these lines under the statement:



### webserver1 Begin ###
<VirtualHost *:80>
    ServerAdmin root@abc.com.tr
    DocumentRoot /var/www/html/abc.com
    ServerName www.abc.com
    ErrorLog logs/abc.com-error_log
    CustomLog logs/abc.com-access_log common
</VirtualHost>
 
<VirtualHost *:80>
    ServerAdmin root@def.com.tr
    DocumentRoot /var/www/html/def.com
    ServerName www.def.com
    ErrorLog logs/def.com-error_log
    CustomLog logs/def.com-access_log common
</VirtualHost>
 
 
<VirtualHost *:80>
  ServerName www.ghi.com
  ServerAlias www.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://ghi.webserver2.sec/
  ProxyPassReverse / http://ghi.webserver2.sec/
  DocumentRoot /var/www/html/ghi.com 
  Errorlog logs/www.ghi.com-log
  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>
 
<VirtualHost *:80>
  ServerName www.jkl.com
  ServerAlias www.jkl.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://jkl.webserver2.sec/
  ProxyPassReverse / http://jkl.webserver2.sec/
  DocumentRoot /var/www/html/jkl.com
  Errorlog logs/www.jkl.com-log
  CustomLog logs/www.jkl.com-access_log combined
</VirtualHost>
#### webserver1 end ####


Then go to webserver2, edit httpd.conf, locate the NameVirtualHost directive and enter these lines under it:
#### webserver2 begin ####
<VirtualHost *:80>
    ServerAdmin root@ghi.com
    DocumentRoot /var/www/html/ghi.com
    ServerName www.ghi.com
    ErrorLog logs/ghi.com-error_log
    CustomLog logs/ghi.com-access_log common
</VirtualHost>
 
<VirtualHost *:80>
    ServerAdmin root@jkl.com.tr
    DocumentRoot /var/www/html/jkl.com
    ServerName www.jkl.com
    ErrorLog logs/jkl.com-error_log
    CustomLog logs/jkl.com-access_log common
</VirtualHost>
 
#### webserver2 end ####


Ooops sorry. Please change the webserver1 settings this way, and place your ghi and jkl website files directly under webserver2 /apache_home/ghi and /apache_home/jkl.

This way you won't need to define virtual hosts in webserver2 and can directly proxy the requests.


### webserver1 Begin ###
<VirtualHost *:80>
    ServerAdmin root@abc.com.tr
    DocumentRoot /var/www/html/abc.com
    ServerName www.abc.com
    ErrorLog logs/abc.com-error_log
    CustomLog logs/abc.com-access_log common
</VirtualHost>
 
<VirtualHost *:80>
    ServerAdmin root@def.com.tr
    DocumentRoot /var/www/html/def.com
    ServerName www.def.com
    ErrorLog logs/def.com-error_log
    CustomLog logs/def.com-access_log common
</VirtualHost>
 
 
<VirtualHost *:80>
  ServerName www.ghi.com
  ServerAlias www.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://webserver2/ghi
  ProxyPassReverse / http://webserver2/ghi
  DocumentRoot /var/www/html/ghi.com 
  Errorlog logs/www.ghi.com-log
  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>
 
<VirtualHost *:80>
  ServerName www.jkl.com
  ServerAlias www.jkl.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://webserver2/jkl
  ProxyPassReverse / http://webserver2/jkl
  DocumentRoot /var/www/html/jkl.com
  Errorlog logs/www.jkl.com-log
  CustomLog logs/www.jkl.com-access_log combined
</VirtualHost>
#### webserver1 end ####


Here I am assuming that pinging webserver2 would resolve the internal address. If not, add the appropriate domain extension such as webserver2.local etc. If you want to access it just by name, go and add an alias to your hosts file in webserver1 such as:


192.168.1.100    webserver1.sec webserver1      
192.168.1.101    webserver2.sec webserver2

This way you will be able to ping using just the name, hence the above setting for reverse proxy requests will resolve to an IP.

Cheers,
K.
 

knightdogs

ASKER

KeremE,

Thanks for the quick response, I see what you are telling me to do. Since this is a new setup I can change the port forwarding if I wanted to. Would it make more sense to turn off port forwarding? If this keeps growing (new domains keep getting added) then this solution might get a bit messy, I would guess.

knightdog

Yeah, but you cannot eliminate port forwarding. Because all your requests come to a single IP address, and when you get the request you don't have a URL but an HTTP request with the requested URL embedded. So you'll need an application proxy to decode the URL request and forward the request to the required host. This cannot be accomplished with DNS.

Your other alternatives are:
- Directing all requests to a reverse proxy and distributing the requests to backend servers based on the requested URL.
- Creating a Web Cluster with a virtual IP address that will respond to all incoming requests.

In each solution you'll be using the port forwarding to a single address, whether it is a proxy for backend web servers or a Cluster. Furthermore it is not easy to maintain an application Cluster in that it will require special administration and special hardware such as multipoint iSCSI connections etc.

If you want to keep it simple then use a reverse proxy and distribute load from there.
KeremE,

Do you have any suggestions on the reverse proxy option?

I would like to stay freeware if at all possible and I use CentOS5 mainly



Knightdog
Hi,

My initial solution for webserver1 ghi.com, jkl.com were actually reverse proxy requests. So all you need is the Apache daemon for reverse proxying. Please note the lines:

  ProxyPass / http://webserver2/jkl
  ProxyPassReverse / http://webserver2/jkl

These are doing the reverse proxying. In that solution you'll have a reverse proxy which will get all requests and, depending on the request URL, redirect them to backend webservers.

So in my original solution webserver1 is reverse proxying the ghi.com and jkl.com sites. You can use the configuration snippet as a template.

Cheers,
K.

 
KeremE,

Thanks for the help so far, I am trying to get it to work. Domain ghi.com is actually a Nagios server which is HTTPS. I have changed the httpd.conf on server1 to reflect

<VirtualHost 192.168.1.72:80>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
#  DocumentRoot /var/www/html/ghi.com
#  Errorlog /var/www/vhosts/nagios/logs/error_log
#  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>

when you hit it directly
https://192.168.1.70/nagios   you get the login page for nagios.

I have edited the c:\windows\system32\drivers\etc\hosts file and added nagios.ghi.com on my local testing workstation

now when you go to     https://nagios.ghi.com you get

Forbidden
You don't have permission to access / on this server.

did i miss a step?

knightdog
> now when you go to     https://nagios.ghi.com you get

As you have noticed, our virtualhost is *:80 so the virtualhost is listening on the HTTP port, not the HTTPS port.

So to access the site with these settings you'll need to change your URL so that it would be:

http://nagios.ghi.com

HTTPS will be between Nagios and the proxy. Client to proxy communication will be clear text.

If you want to access the HTTPS site you need to create another virtualhost for port 443. Then set up SSL for your proxy.
If you want to proxy the request for SSL you need to put the reverse proxying request in your ssl.conf file so that the NameVirtualHost will be assigned to HTTPS (445)

the file should have

NameVirtualHost *:445  ( instead of *:80 )

<VirtualHost *:445>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
#  DocumentRoot /var/www/html/ghi.com
#  Errorlog /var/www/vhosts/nagios/logs/error_log
#  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>

I don't know on what distro you're installing LAMP on but if it is redhat based the file should be in /etc/httpd/conf.d/ssl.conf.

BTW dont change the VirtualHost name. So instead of this:

<VirtualHost 192.168.1.72:80>

Try to keep:

<VirtualHost *:80>

So that you won't hard code the IP in your config and it will be easier to move to another system.

*:80 means bind to port 80 of all interfaces.

If you specify a hard-coded IP then make sure that the NameVirtualHost directive contains the same text.
KeremE,

please forgive me for asking the basic question:
1-remove
    <VirtualHost 192.168.1.72:80>
    ServerName nagios.ghi.com
    ServerAlias nagios.ghi.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://192.168.1.70/nagios
    ProxyPassReverse / https://192.168.1.70/nagios
    #  DocumentRoot /var/www/html/ghi.com
    #  Errorlog /var/www/vhosts/nagios/logs/error_log
    #  CustomLog logs/www.ghi.com-access_log combined
    </VirtualHost>

from webserver1   /etc/httpd/conf.d/httpd.conf  file

2- add to webserver1
<VirtualHost *:445>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
#  DocumentRoot /var/www/html/ghi.com
#  Errorlog /var/www/vhosts/nagios/logs/error_log
#  CustomLog logs/www.ghi.com-access_log combined
</VirtualHost>

in file  /etc/httpd/conf.d/ssl.conf  file
so what is the question here? :)

My suggestions were:
- Don't use <VirtualHost 192.168.1.72:80> but use <VirtualHost *:80> as your NameVirtualHost *:80 directive suggests. The notation with IP addresses was for the older version of Apache when it was lacking the option *.

- If you want to get the resulting site in HTTPS rather than HTTP then put the webserver1 virtualhost directive in your SSL configuration file. But the location of this file varies depending on the distro you use. So I'd just give an example from RedHat / Fedora / CentOS, where this file resides in /etc/httpd/conf.d/ssl.conf. Please locate the actual place in your distro.

KeremE,

on webserver1(CentOS5.2) I have added to /etc/httpd/conf.d/ssl.conf

<VirtualHost *:445>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
</VirtualHost>

I get the warning page when I go there and I have to add an exception for the certificate and then I get

Forbidden
You don't have permission to access / on this server.
KeremE,

Did I say something wrong?


knightdog
Oops, I've made a typo I guess. Please change this:
<VirtualHost *:445>

into

<VirtualHost *:443>

and please add this line before the corrected line:

NameVirtualHost   *:443
So the final version should read:

NameVirtualHost   *:443
      
<VirtualHost *:443>
  ServerName nagios.ghi.com
  ServerAlias nagios.ghi.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / https://192.168.1.70/nagios
  ProxyPassReverse / https://192.168.1.70/nagios
</VirtualHost>


These lines must be placed after:
<VirtualHost _default_:443>
.
.
.
</VirtualHost>

Stanza. BTW I'm using a similar solution. So I'm sure this is working :)
it is still giving me the error

Would it be possible to IM outside of here to go a little bit deeper into this?

gomi69 at hotmail dot com

knightdog
I am still getting the error:

Forbidden
You don't have permission to access / on this server.
Ok lets see:

- First of all you won't like to reverse proxy https://192.168.1.70/nagios because it would always return the HTTPS certificate from the server, and since it will not resolve your outside web it will almost always get a certificate mismatch. Also, since the communication will be on the intranet between the Nagios server and your reverse proxy, you won't need HTTPS. So change it to HTTP instead.

- Secondly the URL you specify for your server is https://192.168.1.70/nagios and this is not interpreted by the server. So what you are trying to get from the backend server is actually https://192.168.1.70/nagiosindex.html which will always result in a page 404 error. So please change the URL to this:
http://192.168.1.70/nagios/

- Lastly re-enable the log lines that I proposed earlier but you've commented out and eventually removed:

DocumentRoot /var/www/html/ghi.com
Errorlog  logs/https-www.ghi.com-error_log
CustomLog logs/https-www.ghi.com-access_log combined

How would you know what went wrong if you've disabled the logs?
KeremE:
please forgive the late response on this.  can you give me a hand with this again?

here is the setup ( back to basic )

external ip forwarded to front end webserver

<VirtualHost *:80>
ServerName abc.org
ServerAlias abc.org
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.168.2.220/abc.org
ProxyPassReverse / http://192.168.2.220/abc.org
DocumentRoot "/var/www/vhosts/abc.org/public_html"
Errorlog logs/http-www.abc.org
CustomLog logs/http-www.abc.org combined
<Directory "/var/www/vhosts/abc.org/public_html">
allow from all
Options +Indexes
</Directory>
</VirtualHost>

backend web server

<VirtualHost *:80>
DocumentRoot "/var/www/vhosts/abc.org/public_html"
ServerName abc.org
<Directory "/var/www/vhosts/abc.org/public_html">
allow from all
Options +Indexes
</Directory>
</VirtualHost>


when i enter in www.abc.org into my web browser (fire fox) i get:
Not Found

The requested URL /abc.org was not found on this server.
Apache/2.2.3 (Red Hat) Server at abc.org Port 80


thanks for the help
No Problem :)

First of all what you're requesting  from your back-end server through your front end is:

http://192.168.2.220/abc.org

But your backend server has a root at:

/var/www/vhosts/abc.org/public_html

so probably it is where you have your index.html

but you are requesting:

http://192.168.2.220/abc.org

which basically means:

http://192.168.2.220/abc.org/index.html 

So you're looking for a directory under your root over your backend !! Do you really have it ?

If not, please remove the abc.org from the end of your request.
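
The two path problems raised in the answers above (the `/nagiosindex.html` request and the `/abc.org` 404) can be reproduced with a small model of Host-based vhost selection plus ProxyPass prefix substitution. This is an added example, not part of the original thread and not Apache's own code; the table is constructed from the ProxyPass lines quoted above, and `nagios-fixed.example` is a hypothetical name for the trailing-slash variant.

```python
# Constructed table in config order: (ServerName, ProxyPass path, ProxyPass target).
# The first two targets are the ones quoted in the thread; the third is the
# trailing-slash form suggested in the answer, under a hypothetical name.
VHOSTS = [
    ("abc.org", "/", "http://192.168.2.220/abc.org"),
    ("nagios.ghi.com", "/", "https://192.168.1.70/nagios"),
    ("nagios-fixed.example", "/", "http://192.168.1.70/nagios/"),
]

def select_vhost(host_header, vhosts=VHOSTS):
    """Name-based virtual hosting: match the Host header against ServerName;
    an unknown name falls back to the first vhost listed for that port."""
    host = host_header.split(":")[0].lower()
    for vhost in vhosts:
        if vhost[0] == host:
            return vhost
    return vhosts[0]

def backend_url(path, target, request_path):
    """ProxyPass is a plain prefix substitution: the matched path is cut
    from the request and the remainder is appended to the target as-is."""
    if not request_path.startswith(path):
        return None  # not covered by this ProxyPass, served locally
    return target + request_path[len(path):]

def route(host_header, request_path, vhosts=VHOSTS):
    """Return (vhost name, URL requested from the backend)."""
    name, path, target = select_vhost(host_header, vhosts)
    return name, backend_url(path, target, request_path)

def slash_mismatches(vhosts=VHOSTS):
    """Names whose ProxyPass path and target disagree on the trailing '/'."""
    return [n for n, p, t in vhosts if p.endswith("/") != t.endswith("/")]

if __name__ == "__main__":
    for host, req in [("nagios.ghi.com", "/index.html"),
                      ("nagios-fixed.example", "/index.html"),
                      ("www.abc.org", "/")]:
        print(host, req, "->", route(host, req))
    print("mismatched:", slash_mismatches())
```

Note that `www.abc.org` matches no ServerName in the table, so it is answered by the first vhost listed; on a shared front end that first vhost decides what an unrecognised Host header gets to see.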

 

if i edit my host file (windows machine) and add the entry
192.168.2.220  www.abc.org

and open up a web browser and enter in  www.abc.org it goes to the back end server.

what do you mean "remove the abc.org from the end of your request"
so this is still not working for me from outside on the internet
ASKER CERTIFIED SOLUTION
Kerem ERSOY

Thank you for your help and the time this took. I am sorry it took so long.
You're welcome :) It is OK.