When I do something that is not trivial and needs some research, I try to summarize it and write it down, in case that I will need later to do the same thing again. It may also be useful for other people that could be trying to do something similar.
Thursday, August 9, 2012
Multiple Webservers Behind NAT
The problem is that we have got from the ISP a single public IP, and we need to host our own public webservers (more than one) in our LAN. How to do this?
The first thing to be done is to use port forwarding (also called Destination NAT or DNAT) to forward the tcp ports 80 and 443 from the gateway (MikroTik in out case) to an internal webserver on our LAN. Then we could use the name-based virtual hosting of apache2 to host several domains/subdomains on the same webserver and everything would be fine.
However the issue is a little bit more complicated than this, because sometimes it is not possible (or suitable, or convenient) to host two different websites on the same server. For example our website is built on Joomla, and it has some modules that do not work well with the latest version of PHP (5.3), and it depends on PHP-5.2. Also, sometimes it can be suitable/convenient to use appliancies from TurnKey Linux (http://www.turnkeylinux.org/), for easy installation and maintenance, but they need to have their own server. What to do in this case?
In this case, the Reverse Proxy module of apache2 comes to rescue. The idea is that the main webserver forwards the http requests to the other webservers, behaving like a kind of http gateway or hub.
Let's see how to do the configuration. Suppose that we have the subdomains www.cit.edu.al, www-test.cit.edu.al, moodle.cit.edu.al and ocw.cit.edu.al. The first two domains will be hosted on the same webserver, and moodle and ocw will have their own webserver each.
1. DNS configurations
Add these lines on /var/cache/bind/db.cit.edu.al:
www IN A 126.96.36.199
www-test IN A 188.8.131.52
moodle IN CNAME www
ocw IN CNAME www
Don't forget to modify the serial number, and then restart the service with service bind9 restart.
2. Gateway (MikroTik) configurations
Add these firewall rules from the terminal (or from winbox):
ip firewall nat chain=dstnat action=dst-nat to-addresses=192.168.10.46 to-ports=80 protocol=tcp dst-address=184.108.40.206 dst-port=80
ip firewall nat chain=dstnat action=dst-nat to-addresses=192.168.10.46 to-ports=443 protocol=tcp dst-address=220.127.116.11 dst-port=443
3. Configurations on the main webserver
On the gateway webserver (192.168.10.46) do these apache configurations:
Enable SSL Name-Based virtual hosting.
Enable mode ssl: a2enmod ssl
Edit /etc/apache2/ports.conf and add the line NameVirtualHost *:443:
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Edit /etc/apache2/sites-available/default-ssl and change the VirtualHost statement (at the top) to <VirtualHost *:443>, like this:
On the directory /etc/apache2/sites-available, copy files default and default-ssl tocit, cit-ssl, cit-test, cit-test-ssl, moodle, moodle-ssl, ocw, ocw-ssl, etc. Then modify these files similarly to cit and cit-ssl below: