Thursday, August 9, 2012

Multiple Webservers Behind NAT

The problem: the ISP has given us a single public IP, and we need to host more than one public webserver in our LAN. How do we do this?
The first thing to do is to use port forwarding (also called Destination NAT or DNAT) to forward TCP ports 80 and 443 from the gateway (a MikroTik in our case) to an internal webserver on our LAN. Then we could use the name-based virtual hosting of apache2 to host several domains/subdomains on that one webserver, and everything would be fine.
However, the issue is a little more complicated than this, because sometimes it is not possible (or suitable, or convenient) to host two different websites on the same server. For example, our website is built on Joomla, and it has some modules that do not work well with the latest version of PHP (5.3), so it depends on PHP 5.2. Also, sometimes it is suitable/convenient to use appliances from TurnKey Linux (http://www.turnkeylinux.org/) for easy installation and maintenance, but each of them needs its own server. What do we do in this case?
In this case, the reverse proxy module of apache2 comes to the rescue. The idea is that the main webserver forwards the HTTP requests to the other webservers, behaving like a kind of HTTP gateway or hub.


Let's see how to do the configuration. Suppose that we have the subdomains www.cit.edu.al, www-test.cit.edu.al, moodle.cit.edu.al and ocw.cit.edu.al. The first two will be hosted on the same webserver, and moodle and ocw will each have their own webserver.

1. DNS configurations

Add these lines on /var/cache/bind/db.cit.edu.al:
www             IN      A               109.69.4.170
www-test        IN      A               109.69.4.170

moodle          IN      CNAME           www
ocw             IN      CNAME           www
Don't forget to modify the serial number, and then restart the service with service bind9 restart.

2. Gateway (MikroTik) configurations

Add these firewall rules from the terminal (or from winbox):
ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.10.46 to-ports=80 protocol=tcp dst-address=109.69.4.170 dst-port=80
ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.10.46 to-ports=443 protocol=tcp dst-address=109.69.4.170 dst-port=443

3. Configurations on the main webserver

On the gateway webserver (192.168.10.46) do these apache configurations:
  • Enable SSL Name-Based virtual hosting.
    • Enable mod_ssl: a2enmod ssl
    • Edit /etc/apache2/ports.conf and add the line NameVirtualHost *:443:
      <IfModule mod_ssl.c>
          # If you add NameVirtualHost *:443 here, you will also have to change
          # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
          # to <VirtualHost *:443>
          # Server Name Indication for SSL named virtual hosts is currently not
          # supported by MSIE on Windows XP.
          NameVirtualHost *:443
          Listen 443
      </IfModule>
    • Edit /etc/apache2/sites-available/default-ssl and change the VirtualHost statement (at the top) to <VirtualHost *:443>, like this:
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
    • Then restart apache: service apache2 restart
  • Enable the proxy modules etc.:
    a2enmod proxy
    a2enmod proxy_http
    a2enmod proxy_connect
    a2enmod proxy_balancer
    a2enmod headers
    a2enmod cache
    a2enmod mem_cache       
  • In the directory /etc/apache2/sites-available, copy the files default and default-ssl to cit, cit-ssl, cit-test, cit-test-ssl, moodle, moodle-ssl, ocw, ocw-ssl, etc. Then modify these files similarly to cit and cit-ssl below:
    • Add these lines at the top of cit:
      <VirtualHost *:80>
            ServerName www.cit.edu.al
            ServerAdmin admin@cit.edu.al

            ProxyRequests off
            ProxyPass / http://www.cit.edu.al/
            ProxyPassReverse / http://www.cit.edu.al/
    • Add these lines at the top of cit-ssl:
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
              ServerName www.cit.edu.al
              ServerAdmin admin@cit.edu.al

              ProxyRequests off
              SSLProxyEngine on
              ProxyPass / https://www.cit.edu.al/
              ProxyPassReverse / https://www.cit.edu.al/
  • Enable the sites cit, cit-ssl, etc. like this:
    a2ensite cit
    a2ensite cit-ssl
    a2ensite cit-test
    a2ensite cit-test-ssl
    a2ensite moodle
    a2ensite moodle-ssl
    a2ensite ocw
    a2ensite ocw-ssl
  • Restart or reload apache2: service apache2 reload
  • Important! Modify the file /etc/hosts and append these lines, so that the ProxyPass targets above resolve to the internal webservers instead of to the public IP (which would send the requests back to the gateway and to this proxy again):
    192.168.10.52   www.cit.edu.al
    192.168.10.52   www-test.cit.edu.al
    192.168.10.53   moodle.cit.edu.al
    192.168.10.54   ocw.cit.edu.al
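The /etc/hosts overrides are the easiest part of this setup to get wrong, and a missing one is not obvious from the Apache error log. Below is an added example (not code from the original post): a small lint script for the proxy host in step 3. It assumes the layout used above, i.e. vhost files in /etc/apache2/sites-available whose ProxyPass targets are the public hostnames, and a hosts file that points those hostnames at LAN addresses. The function names and the fixture data are hypothetical and constructed for this example.

```shell
#!/bin/sh
# Added example (not from the post): lint for the reverse-proxy host in step 3.
# Function names and fixture data are hypothetical.
#
# Findings reported for each vhost file:
#  - "ProxyRequests on": mod_proxy would also serve as an open forward proxy to
#    anyone reaching port 80/443 through the gateway's DNAT rule.
#  - a ProxyPass target hostname with no hosts-file override, or one overridden
#    to the public IP: the proxy then resolves its own public name and forwards
#    the request back to the gateway, which DNATs it to the proxy again.
#  - an https:// target without "SSLProxyEngine on": mod_proxy cannot open a
#    TLS session to the backend and answers with an error.
#
# Usage: check_proxy_config SITES_DIR HOSTS_FILE PUBLIC_IP
# Prints one line per finding; exit status 0 when clean, 1 otherwise.

check_proxy_config() {
    sites_dir=$1; hosts_file=$2; public_ip=$3
    problems=0
    for f in "$sites_dir"/*; do
        [ -f "$f" ] || continue
        if grep -qi '^[[:space:]]*ProxyRequests[[:space:]]\{1,\}on' "$f"; then
            echo "$f: ProxyRequests on (open forward proxy)"
            problems=$((problems + 1))
        fi
        if grep -qi '^[[:space:]]*ProxyPass[[:space:]].*https://' "$f" \
           && ! grep -qi '^[[:space:]]*SSLProxyEngine[[:space:]]\{1,\}on' "$f"; then
            echo "$f: https:// backend without SSLProxyEngine on"
            problems=$((problems + 1))
        fi
        # hostnames of ProxyPass targets: "ProxyPass <path> http(s)://<host>[:port]/..."
        targets=$(awk 'tolower($1) == "proxypass" {
                           t = $3; sub(/^https?:\/\//, "", t); sub(/[\/:].*/, "", t); print t
                       }' "$f")
        for h in $targets; do
            # first address whose name list contains the hostname; comment lines ignored
            ip=$(awk -v h="$h" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$hosts_file")
            if [ -z "$ip" ]; then
                echo "$f: no hosts-file override for $h (would resolve via public DNS)"
                problems=$((problems + 1))
            elif [ "$ip" = "$public_ip" ]; then
                echo "$f: $h points at the public IP $public_ip (proxy loop)"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# Constructed fixture: one correct vhost, two broken ones, and a hosts file.
# Creates the files under a temporary directory and prints its path.
make_fixture() {
    d=$(mktemp -d); mkdir "$d/sites"
    printf '<VirtualHost *:80>\n  ServerName www.cit.edu.al\n  ProxyRequests off\n  ProxyPass / http://www.cit.edu.al/\n  ProxyPassReverse / http://www.cit.edu.al/\n</VirtualHost>\n' > "$d/sites/cit"
    printf '<VirtualHost *:80>\n  ServerName moodle.cit.edu.al\n  ProxyRequests on\n  ProxyPass / http://moodle.cit.edu.al/\n</VirtualHost>\n' > "$d/sites/moodle"
    printf '<VirtualHost *:443>\n  ServerName ocw.cit.edu.al\n  ProxyRequests off\n  ProxyPass / https://ocw.cit.edu.al/\n</VirtualHost>\n' > "$d/sites/ocw-ssl"
    printf '192.168.10.52\twww.cit.edu.al www-test.cit.edu.al\n109.69.4.170\tocw.cit.edu.al\n' > "$d/hosts"
    echo "$d"
}

# Stand-alone run against the fixture: "sh thisfile.sh demo" prints 4 findings
# (two for moodle, two for ocw-ssl) and exits 1.
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    check_proxy_config "$d/sites" "$d/hosts" 109.69.4.170
    rm -rf "$d"
fi
```

On the real proxy, run it as `check_proxy_config /etc/apache2/sites-enabled /etc/hosts 109.69.4.170` after every change to the site files or to /etc/hosts; a clean run is a reasonable precondition for `service apache2 reload`.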

4. Configurations on the webservers that are accessed through the proxy

On the webserver 192.168.10.52 (that is hosting the websites www.cit.edu.al and www-test.cit.edu.al), make these configurations:
  • Enable SSL Name-Based virtual hosting (as described previously).
  • Place the files of the websites on the directories /var/www/cit/ and /var/www/cit-test/.
  • In the directory /etc/apache2/sites-available, copy the files default and default-ssl to cit, cit-ssl, cit-test, cit-test-ssl, and modify these files like this:
    • Add these lines at the top of cit:
      <VirtualHost *:80>
              ServerName www.cit.edu.al
              ServerAdmin admin@cit.edu.al

              DocumentRoot /var/www/cit
              <Directory />
                      Options FollowSymLinks
                      AllowOverride None
              </Directory>
              <Directory /var/www/cit/>
                      Options Indexes FollowSymLinks MultiViews
                      AllowOverride All
                      Order allow,deny
                      allow from all
              </Directory>
    • Add these lines at the top of cit-ssl:
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
              ServerName www.cit.edu.al
              ServerAdmin admin@cit.edu.al

              DocumentRoot /var/www/cit
              <Directory />
                      Options FollowSymLinks
                      AllowOverride None
              </Directory>
              <Directory /var/www/cit/>
                      Options Indexes FollowSymLinks MultiViews
                      AllowOverride All
                      Order allow,deny
                      allow from all
              </Directory>
    • Add these lines at the top of cit-test:
      <VirtualHost *:80>
              ServerName www-test.cit.edu.al
              ServerAdmin admin@cit.edu.al

              DocumentRoot /var/www/cit-test
              <Directory />
                      Options FollowSymLinks
                      AllowOverride None
              </Directory>
              <Directory /var/www/cit-test/>
                      Options Indexes FollowSymLinks MultiViews
                      AllowOverride All
                      Order allow,deny
                      allow from all
              </Directory>
    • Add these lines at the top of cit-test-ssl:
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
              ServerName www-test.cit.edu.al
              ServerAdmin admin@cit.edu.al

              DocumentRoot /var/www/cit-test
              <Directory />
                      Options FollowSymLinks
                      AllowOverride None
              </Directory>
              <Directory /var/www/cit-test/>
                      Options Indexes FollowSymLinks MultiViews
                      AllowOverride All
                      Order allow,deny
                      allow from all
              </Directory>
  • Enable the sites cit, cit-ssl, cit-test, cit-test-ssl like this:
    a2ensite cit
    a2ensite cit-ssl
    a2ensite cit-test
    a2ensite cit-test-ssl
  • Restart or reload apache2: service apache2 reload
Do the same thing for the other webservers as well.
