Koozali.org: home of the SME Server

Virtual Hosts

Offline WayneJVM

Virtual Hosts
« on: July 20, 2016, 09:38:29 PM »
I'm setting up a dynamic dns system with virtual hosts behind an SME 9.1 server and gateway. I've been able to reach all of the servers on the LAN side of the network using the http://virtualhost.domain.com url with full functionality including server administration at each of the virtual hosts. However, whenever I attempt to reach any of the hosts using the http://virtualhost.domain.com from the WAN side I am forwarded to the server-manager of the server and gateway rather than the server-manager of the desired sub-domain host.

I've tried proxypasses with no luck. I know there's something I'm missing here but I am unable to ascertain what it is after searching Contribs documentation and this forum.

Thanks for the help!

Wayne

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Virtual Hosts
« Reply #1 on: July 21, 2016, 03:11:02 AM »
First, I think you are using the words virtualhost, virtual and host too much in your description, which makes everything confusing.
Virtualhost is usually used to describe a configuration of apache, which does not seem to be the case.

How many servers/SME do you have there?
What is the network architecture?
Try to draw a schema if it is too hard to explain.
I feel you are using "virtual" a lot here to designate servers or machines that are virtualized; however, for a dns and redirection problem this is not that relevant, and the designation virtual machine is more appropriate anyway.

In terms of dns, rather use subdomain than virtualhost: subdomain.domain.tld or better use machine2.mydomain.com pointing to machine2.

What server is doing the dyndns update?

What is the output of the following commands on the Gateway:

Code:
db domains show
db hosts show

(Hide any passwords if they are present in the output)
« Last Edit: July 21, 2016, 03:12:52 AM by Jean-Philippe Pialasse »

Offline janet

Re: Virtual Hosts
« Reply #2 on: July 21, 2016, 10:42:40 PM »
WayneJVM

You need to more fully describe your network so we can understand your physical & virtual arrangement.

If you want direct https access to server manager from outside then probably you will need to use different ports than 443 & setup port forwards to each VM.

Allowing direct external https access to server manager is considered a security risk so is not advisable.

A better more secure approach is to setup a ssh (putty) tunnel to each server (VM) & then access server manager using https://localhost/server-manager

I am pretty sure this question has been answered many years ago so spend some more time searching the forums for details.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline WayneJVM

Re: Virtual Hosts
« Reply #3 on: July 22, 2016, 01:08:42 AM »
Here's the system layout.
                              (WAN)
                                |
                     Server/Gateway (SME9.1)
                                |
       +------------------+-----+-----------+------------------+
       |                  |                 |                  |
 Media (SME9.1)   File/Web (SME9.1)   Backup (SME9.1)   Automation (Dedicated)

I would like to be able to reach each of the servers and all of the ports through a subdomain. For example media.MyDomain.tld or file.MyDomain.tld.

I would like each of the subdomain servers to be exposed to the Internet as if they were in a DMZ.

Here's the db hosts show result:
Quote
backup.MyDomain.tld=host
    Comment=Backup Server
    ExternalIP=
    HostType=Local
    InternalIP=192.168.0.4
    MACAddress=
(Server/Gateway).MyDomain.tld=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    ReverseDNS=yes
    static=yes
ftp.MyDomain.tld=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
(File/Web).MyDomain.tld=host
    Comment=Home Server
    ExternalIP=
    HostType=Local
    InternalIP=192.168.0.8
    MACAddress=
(Automation).MyDomain.tld=host
    Comment=ISY Controller
    ExternalIP=
    HostType=Local
    InternalIP=192.168.0.30
    MACAddress=
mail.MyDomain.tld=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
media.MyDomain.tld=host
    Comment=Media Server
    ExternalIP=
    HostType=Local
    InternalIP=192.168.0.2
    MACAddress=
proxy.MyDomain.tld=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
wpad.MyDomain.tld=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
www.MyDomain.tld=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=

db domains show results in:
Quote
MyDomain.tld=domain
    Content=Primary
    Description=Primary domain
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes
    customdns=
    customprotocol=
    dns=DYNDNS1
    login=WayneJVM
    mx=10 MyDomain.tld
    password=xxxxx

Note: (File/Web) and (Server/Gateway) are used for clarity and consistency with the chart above.

As this stands, as long as I access the network on the local side of the Gateway/Server, I am able to reach each machine's server-manager. However, if I attempt to reach the server-manager of the media server by using http://media.MyDomain.tld/server-manager from the WAN side of the Gateway/Server, I am redirected to the Gateway/Server server-manager or alternately if I disable remote management on the Gateway/Server I get the Forbidden page.

I apologize for my lack of clarity in my original post. This isn't as much about virtual hosts as it is physical hosts behind a Gateway/Server. Also the "Automation" server is not an SME server but requires the proper forward of port 443 as well.

Thanks in advance for your help!

Offline janet

Re: Virtual Hosts
« Reply #4 on: July 22, 2016, 03:42:11 AM »
WayneJVM

So these are physical servers behind the sme server gateway.

Using proxypass for each subdomain is part of the answer (one method), as is using port forwards on different ports for server manager etc.
Problem is you can only forward a specific port to one subdomain device & you still need to access port 443 on the main gateway server for server manager.
You could access server manager for subdomain1 via port 5000 & then forward that port to 443 (localhost) on server1
For subdomain2 server manager, access via port 5500 & forward to port 443 (localhost) on server 2 & so on.

As you already say you have standard access to your subdomains, then a more secure approach would be to use separate ssh tunnels for server manager access for each subdomain via https://localhost/server-manager

Offline Jean-Philippe Pialasse

Re: Virtual Hosts
« Reply #5 on: July 22, 2016, 04:50:33 AM »

So your problem is more about getting access to all servers when you are not at home, and you were already trying a solution that can only be fully implemented with multiple external IPs (to get access to all ports without having to use alternative ports to forward).

Basically, except for http with proxypass, all other protocols and ports will use the ip as destination, not the domain, so you cannot route them accordingly unless you have a single external ip per domain. And if you do, you will need manual configuration of your gateway; this is not part of sme design.

You can use a vpn, as for example, I imagine you want an access for yourself and not for the world to the server manager.

Smeserver-openvpn-bridge could be a solution.
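
The limit described in the replies above, as an added example (not code from the thread or from SME Server): a gateway with one public IP can pick a backend only by destination port or, for HTTP, by the Host header. The internal IPs are taken from the `db hosts show` output; the mapping of ports 5000/5500 to media/backup, the function names and the sample traffic are assumptions.

```python
# Added illustration; sample traffic below is constructed, not captured.
# Internal IPs come from the `db hosts show` output in the thread.
NAME_BACKENDS = {
    "media.mydomain.tld": "192.168.0.2",
    "backup.mydomain.tld": "192.168.0.4",
}
# Assumed assignment of the alternate ports 5000/5500 mentioned in the thread.
PORT_FORWARDS = {5000: "192.168.0.2", 5500: "192.168.0.4"}
GATEWAY = "gateway"


def http_host(first_bytes):
    """Return the Host header (lower-cased, port stripped) of an HTTP/1.x
    request, or None when the payload is not HTTP or carries no Host."""
    head = first_bytes.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":")[0]  # drops ":port"; IPv6 literals not handled
    return None


def route(dst_port, first_bytes):
    """Decide where a gateway with ONE public IP can send a connection.
    Only two keys exist: the destination port and, for HTTP, the Host name."""
    if dst_port in PORT_FORWARDS:           # firewall-level port forward
        return PORT_FORWARDS[dst_port]
    host = http_host(first_bytes)           # seen by the gateway's web server
    if host in NAME_BACKENDS:               # what a per-subdomain ProxyPass does
        return NAME_BACKENDS[host]
    return GATEWAY                          # no name on the wire: gateway answers


HTTP_MEDIA = b"GET /server-manager HTTP/1.1\r\nHost: media.MyDomain.tld\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"    # carries no host name at all

if __name__ == "__main__":
    for port, data in [(80, HTTP_MEDIA), (22, SSH_BANNER), (5500, SSH_BANNER)]:
        print(port, "->", route(port, data))
```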

Offline WayneJVM

Re: Virtual Hosts
« Reply #6 on: July 22, 2016, 08:14:48 PM »
Thank you all for your help. The answer to my question is that I cannot achieve full access (all ports) via a subdomain through an SME server/gateway. I'll research the VPN approach for server management. Thank you very much!

Offline janet

Re: Virtual Hosts
« Reply #7 on: July 22, 2016, 10:26:37 PM »
WayneJVM

Why do you need access to all ports on all subdomains ?


Offline WayneJVM

Re: Virtual Hosts
« Reply #8 on: July 23, 2016, 10:56:32 PM »
One of the physical servers is an off-site backup for my businesses. I use BackupPC to perform the backups and I'd like to be able to securely connect to retrieve archived files from the office.

Offline Stefano

Re: Virtual Hosts
« Reply #9 on: July 23, 2016, 11:27:24 PM »
If so, you only need to connect to 443 TCP port

Offline WayneJVM

Re: Virtual Hosts
« Reply #10 on: July 23, 2016, 11:40:24 PM »
True. But I'd like to be able to connect to each physical server on port 443 without creating a web of forwarding.

Offline Jean-Philippe Pialasse

Re: Virtual Hosts
« Reply #11 on: July 24, 2016, 07:13:23 AM »
For the backup you can use smeserver-openvpn-s2s

This will help create a vpn between the two sites or servers.

For administration as roadwarrior you can use smeserver-openvpn-bridge.


Offline Jean-Philippe Pialasse

Re: Virtual Hosts
« Reply #12 on: July 24, 2016, 07:14:39 AM »
Quote
If so, you only need to connect to 443 TCP port

If I remember well, rsync is ssh tunnelled for backuppc

Offline WayneJVM

Re: Virtual Hosts
« Reply #13 on: July 24, 2016, 04:47:25 PM »
That's correct. And I have been using rsync in Unison and BackupPC for some time. However, when I need to restore a file using BackupPC it's difficult to do so remotely without setting a port forward in the gateway for port 443 - which I would do if it were the only server that used port 443 and I only wanted to access that one server. I haven't tried using a VPN tunnel because my past experience (probably from SME 5 or 6) was that a PPTP tunnel was slow. I'll be working on that today.

Offline CharlieBrady

Re: Virtual Hosts
« Reply #14 on: July 24, 2016, 05:29:05 PM »
Quote
True. But I'd like to be able to connect to each physical server on port 443 without creating a web of forwarding.

You can't. Why do you think "a web of forwarding" would be a problem? [For "web of forwarding", I assume you mean "one proxy pass per subdomain".]

Offline WayneJVM

Re: Virtual Hosts
« Reply #15 on: July 24, 2016, 07:30:05 PM »
Each of the servers uses port 443 for server-manager and BackupPC administration. I would much prefer not to have to make specialized port forwarding rules for each physical server (i.e. backup.MyDomain.tld, File/Web.MyDomain.tld, etc.). Currently on the LAN side of the server-gateway I can reach each of the above physical servers by using http://backup.MyDomain.tld/backuppc. However, I cannot access the 443 port for each of the subdomain servers from the WAN side of the server-gateway. The server-gateway routes any call to the 443 port to itself. I only want to administer the server-gateway SME server when I make a call to http://server-gateway.MyDomain.tld/server-manager. My objective here is to create individual DMZs for the SME servers on the LAN side of the Server-Gateway while still protecting any other devices on the network.