Solved

How to handle two Virtual Web Servers in one Linux Box?

Posted on 2011-03-21
13
582 Views
Last Modified: 2012-05-11
Hello,

I have one external IP address, an ASUS router and a Fedora 14 box connected to it via the DMZ.

On the Fedora machine I'm running two Virtual Machines with Virtual Box.  Each has its own IP Address.  They are:

Virtual Machine 1 is Zimbra Email & Collaboration (Turnkey Linux)
Virtual Machine 2 is Joomla Content Management (Turnkey Linux)

It's very easy for me to expose one or the other of these VMs to the world by setting the IP address of that VM to that of the DMZ, but I need both to operate simultaneously.

So, how can I configure my network to allow both of these VMs to run simultaneously and seamlessly - while providing the functionality of each package?

Thanks,
Jason

Question by:SqueezeOJ
13 Comments
 
LVL 9

Accepted Solution

by:
AriMc earned 350 total points
ID: 35183598
With a single external IP address you need to assign different ports to the different servers.

One way is to use the NAT (or NAPT) table of your router (if it supports it) and direct port 80 to one server and another, 8080 for example, to the other. Then the URLs from the public network become:

http://123.123.123.123/

and

http://123.123.123.123:8080/

0
 

Author Comment

by:SqueezeOJ
ID: 35183724
Hi AriMc,

Thanks for your quick response.  Let me see if I understand this...

The Joomla VM (VM2) is the one that runs my public website, so I'd want to leave it on port 80.  Therefore, its IP address will stay http://123.123.123.123.

The Zimbra VM (VM1) is a behind-the-scenes email service for my company only, so I'd assign it to another port, such as 8080, and reach it at http://123.123.123.123:8080.

That makes sense.

Now, would I need to reconfigure the Zimbra server to stop watching for traffic on port 80 and start watching for it on 8080?

Also, I assume that I'd need to do this with all overlapping ports?  So, if they both allow ssh on port 22 then I'd want to leave the Joomla one at 22 and assign the Zimbra one to something like 8022?

How about port 25 - which is closed on Joomla but open on Zimbra?  This could probably be left alone as long as the port forward is properly set up?

Thanks,
Jason
0
 
LVL 9

Expert Comment

by:AriMc
ID: 35183788
1) Some routers allow port translation from 8080 to 80 while doing the NAT. In this case you don't need to reconfigure Zimbra. If your router only supports simple "one-to-one", ie.
incoming 8080 to 8080 of Zimbra, then you need to reconfigure.

2) Yes you need separate mappings for each externally available service on both computers.

3) Port 25 (SMTP mail?) - you probably want only one mail server or do you see the need of having two publicly available ones?

0
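The port-based approach AriMc describes (one public IP, a distinct external port per overlapping service, translated back to the port each VM already listens on) is easy to get wrong when the list of services grows, so here is an added example that is not part of the thread: it keeps the mapping in one table, refuses any plan where two services claim the same external port, prints the public URLs each HTTP service ends up at, and renders the equivalent iptables DNAT rules for the case where the router only does a plain DMZ to the Fedora host and the host has to do the per-port forwarding itself. The VM addresses, interface name and service list are constructed placeholders, and the example assumes the VMs sit on a VirtualBox network that the host routes (so return traffic passes back through the host); nothing is executed, the rules are only returned as strings.

```python
"""Port-mapping plan for a single public IP in front of two VMs.
Added example; not code from the thread. Addresses, interface name and
the service list are constructed placeholders."""
from collections import defaultdict

# Constructed: VM name -> address on a VirtualBox network routed by the host.
VMS = {"joomla": "192.168.56.11", "zimbra": "192.168.56.12"}

# (service, external port, VM, internal port). Joomla keeps 80 and 22 as the
# author wanted; Zimbra's overlapping services get distinct external ports and
# are translated back to the ports Zimbra already listens on, so nothing on the
# VM has to be reconfigured. Port 25 is only exposed by Zimbra.
SERVICES = [
    ("joomla-http", 80, "joomla", 80),
    ("joomla-ssh", 22, "joomla", 22),
    ("zimbra-http", 8080, "zimbra", 80),
    ("zimbra-ssh", 8022, "zimbra", 22),
    ("zimbra-smtp", 25, "zimbra", 25),
]


def find_conflicts(services):
    """External ports claimed by more than one service (must be empty)."""
    claims = defaultdict(list)
    for name, ext_port, _vm, _int_port in services:
        claims[ext_port].append(name)
    return {p: names for p, names in claims.items() if len(names) > 1}


def public_urls(public_ip, services):
    """How each HTTP service is reached from outside, as in AriMc's answer."""
    urls = {}
    for name, ext_port, _vm, int_port in services:
        if int_port == 80:
            suffix = "" if ext_port == 80 else f":{ext_port}"
            urls[name] = f"http://{public_ip}{suffix}/"
    return urls


def dnat_rules(services, vms, wan_if="eth0"):
    """iptables rules for the Fedora host when it, rather than the router, does
    the per-port forwarding (the router just sends everything to the DMZ host).
    Returned as strings; nothing is executed here."""
    conflicts = find_conflicts(services)
    if conflicts:
        raise ValueError(f"external port conflicts: {conflicts}")
    rules = [
        "sysctl -w net.ipv4.ip_forward=1",
        # Replies to already-accepted connections flow back through the host.
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for name, ext_port, vm, int_port in services:
        dst = vms[vm]
        rules.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp --dport {ext_port} "
            f"-j DNAT --to-destination {dst}:{int_port}  # {name}")
        rules.append(
            f"iptables -A FORWARD -i {wan_if} -p tcp -d {dst} --dport {int_port} "
            f"-m conntrack --ctstate NEW -j ACCEPT  # {name}")
    # Anything not explicitly mapped stays closed.
    rules.append(f"iptables -A FORWARD -i {wan_if} -m conntrack --ctstate NEW -j DROP")
    return rules


if __name__ == "__main__":
    print(public_urls("123.123.123.123", SERVICES))
    for rule in dnat_rules(SERVICES, VMS):
        print(rule)
```

Adding a second entry for external port 22 (for instance mapping Zimbra's SSH to 22 as well) makes `dnat_rules` refuse the plan, which is the check you want before touching a router or firewall: with NAT the collision is silent and one of the two services simply becomes unreachable.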
 
LVL 76

Assisted Solution

by:arnold
arnold earned 75 total points
ID: 35184227
One thing to be cautious about is that the application does not dynamically output its links.
i.e. you set up the router as AriMc outlined
public externalIP port 8080 to Zimbra VM server port 80.
The problem occurs when an access to a page spits out location: http://www.yourdomain.com:80 while the user was accessing http://www.yourdomain.com:8080
A possible way to handle this is to set up an internal reverse proxy, i.e. http://www.yourdomain.com or http://zimbra.yourdomain.com will land on your reverse proxy that will "forward" the request to the correct internal server. Caution should be taken to make sure that your internal applications do not exempt or grant special privileges to the requests that come from the reverse proxy.
0
 
LVL 9

Expert Comment

by:AriMc
ID: 35184311
Good point Arnold! I haven't seen many web-sites using absolute links to their own subpages because it's basically very bad design, but it's a good thing to keep in mind.
0
 
LVL 76

Expert Comment

by:arnold
ID: 35184864
The issue is less with websites and rather more with sites that dynamically generate code. I think webtrends was returning URLs based on the IP on which the request came, which complicates things when you have a reverse proxy in front of it since all URL links will be http://privateip:port/.
0
 
LVL 2

Assisted Solution

by:chedlin
chedlin earned 75 total points
ID: 35185107
You can use an additional apache process as a reverse proxy (on the host or a 3rd virtual box) to do host mapping and have them both seem to be on port 80.

If you use the host machine configure apache with virtual hosts on its internal IP address.  Here is a configuration I use (not fedora but from /etc/apache2/sites-enabled)

file1:
<VirtualHost *:80>
        ServerName Zimbra.example.com

        ServerAdmin webmaster@hedlin.com

        DocumentRoot /var/www/
        ProxyPass / http://Zimbra.internal/
        ProxyPassReverse / http://Zimbra.internal/

        ErrorLog /var/log/apache2/Zimbra-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/Zimbra-access.log combined
        ServerSignature On

</VirtualHost>

and file2 would be the same but with the Joomla information.

if you need https you still have to use different ports although you could do the above if both hosts were in the same domain and you had a wildcard certificate.
0
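The two points made in this part of the thread, arnold's caveat about applications emitting absolute URLs with the wrong host or port (and about backends trusting whatever arrives via the proxy) and chedlin's Host-header routing with ProxyPass/ProxyPassReverse, are easiest to see in a few lines of logic. The following is an added example, not chedlin's configuration or Apache's code: it picks the backend from the Host header the way a name-based VirtualHost does, builds the headers sent upstream so that client-supplied X-Forwarded-* values are discarded rather than trusted, and rewrites a backend-generated Location such as http://zimbra.internal/... or http://privateip:port/... back to the public origin, which is what ProxyPassReverse does. The hostnames, backend origins and client address are constructed placeholders.

```python
"""Host-header routing and Location rewriting for a reverse proxy in front of
two VMs. Added example; not chedlin's config or Apache code. All names below
are constructed placeholders."""
from urllib.parse import urlsplit, urlunsplit

# Constructed: public name -> backend origin. Each entry corresponds to one
# VirtualHost with its own ServerName and ProxyPass target.
BACKENDS = {
    "www.example.com": "http://joomla.internal",
    "zimbra.example.com": "http://zimbra.internal",
}

# Hop-by-hop headers a proxy must never pass through unchanged.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailers",
              "transfer-encoding", "upgrade"}


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of headers."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def _canon_netloc(url):
    """host[:port] with the scheme's default port dropped, lowercased, so
    'zimbra.internal:80' and 'zimbra.internal' compare equal."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    host = p.hostname or ""
    return host if p.port in (None, default) else f"{host}:{p.port}"


def route_by_host(host_header):
    """Pick the backend from the Host header, like Apache ServerName matching.
    Port suffix and case are ignored; an unknown name returns None so the
    caller answers 404 instead of silently picking a default backend."""
    if not host_header:
        return None
    name = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return BACKENDS.get(name)


def upstream_headers(client_headers, client_ip, backend_origin):
    """Headers sent to the backend. Hop-by-hop headers are dropped and every
    client-supplied X-Forwarded-* header is discarded before the proxy sets its
    own, so a backend that grants anything based on these values is relying on
    the proxy alone, never on the client (arnold's caution)."""
    out = {}
    for k, v in client_headers.items():
        kl = k.lower()
        if kl in HOP_BY_HOP or kl.startswith("x-forwarded-") or kl == "host":
            continue
        out[k] = v
    out["Host"] = urlsplit(backend_origin).netloc  # ProxyPass without ProxyPreserveHost
    out["X-Forwarded-For"] = client_ip
    out["X-Forwarded-Host"] = _header(client_headers, "Host")
    out["X-Forwarded-Proto"] = "http"
    return out


def rewrite_location(location, backend_origin, public_origin):
    """ProxyPassReverse equivalent: an absolute URL that points at the backend's
    own origin is rewritten to the public origin. Relative URLs and URLs for
    other hosts are returned unchanged."""
    loc = urlsplit(location)
    if not loc.scheme:
        return location
    if _canon_netloc(location) == _canon_netloc(backend_origin):
        pub = urlsplit(public_origin)
        return urlunsplit((pub.scheme, pub.netloc, loc.path, loc.query, loc.fragment))
    return location


def downstream_headers(backend_headers, backend_origin, public_origin):
    """Response headers returned to the client, with Location rewritten."""
    out = {}
    for k, v in backend_headers.items():
        if k.lower() in HOP_BY_HOP:
            continue
        if k.lower() == "location":
            v = rewrite_location(v, backend_origin, public_origin)
        out[k] = v
    return out


def proxy(request, client_ip):
    """Routing core: `request` is a constructed dict {"path": ..., "headers": {...}}.
    Returns None for an unknown Host, else (backend_url, headers_to_send)."""
    backend = route_by_host(_header(request["headers"], "Host"))
    if backend is None:
        return None
    return backend + request["path"], upstream_headers(request["headers"], client_ip, backend)


if __name__ == "__main__":
    req = {"path": "/zimbra/", "headers": {"Host": "zimbra.example.com",
                                           "X-Forwarded-For": "127.0.0.1"}}
    print(proxy(req, "203.0.113.5"))
    print(downstream_headers({"Location": "http://zimbra.internal:80/zimbra/mail"},
                             "http://zimbra.internal", "http://zimbra.example.com"))
```

Two design choices are worth noting. Unknown Host values get no backend at all rather than falling through to the first VirtualHost, so a request for a name you never published cannot reach either VM. And the Location rewrite only fires when the URL's origin equals the backend origin, so a redirect the application deliberately sends to some other site is not rewritten; the residual case arnold mentions, an application that builds links from its private IP rather than its configured hostname, is covered only if that private origin is what you configure as the backend.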
 
LVL 9

Expert Comment

by:AriMc
ID: 35185182
Chedlin: That's a good point too but it leaves the overall system somewhat vulnerable as it requires Joomla to be alive for Zimbra to work.

0
 
LVL 2

Expert Comment

by:chedlin
ID: 35185503
AriMc: I disagree, that is why I suggested running Apache on the VirtualBox host computer (Fedora).  You can think of it along the lines of using an HTTP accelerator or load balancer, but it is using the Host header to make the routing decision.

If the resources exist you can make it a 3rd virtual machine to keep the host stripped bare, but I don't think I would personally do it that way (unless using a bare metal hypervisor where I would have no choice).
0
 
LVL 9

Expert Comment

by:AriMc
ID: 35185572
Chedlin: Ok, I missed the part "on the host". Yes I agree in that case Joomla wouldn't be a potential vulnerability. Still, the Apache daemon on the host would be, so it would increase the complexity of the overall system.

But the main question here is the requirements of SqueezeOJ. If non-standard ports or incorrectly generated URLs from Zimbra do present a problem, then virtual server definitions on the host could provide the answer. If not, then a simple port redirection on the router in my opinion would be the cleanest solution.

0
 

Author Comment

by:SqueezeOJ
ID: 35186112
Wow.  You guys have given me a lot to think about!

I'm going to need to think about the things you've given me.

I know this is getting off track, but maybe I've gotten myself in too deep.  How do most SOHOs approach running both a website and collaboration software on one virtual machine?  I was really hoping to use the Turnkey Linux appliances because they're so simple but maybe they're overly complicating the situation...
0
 
LVL 2

Expert Comment

by:chedlin
ID: 35186266
If you want simple go with the earlier port based systems.  I have a tendency to overdo things.
0
 

Author Closing Comment

by:SqueezeOJ
ID: 35189792
Thanks to everyone for getting involved.  The implementation of the solution may lead to a host of additional questions!
0
