Multiple Webservers Behind NAT


2012-08-09-multiple-web-servers-behind-nat


The problem is this: the ISP has given us a single public IP, and we need to host more than one public webserver in our LAN. How do we do this?

The first thing to do is to use port forwarding (also called Destination NAT or DNAT) to forward TCP ports 80 and 443 from the gateway (a MikroTik in our case) to an internal webserver on our LAN. Then we could use the name-based virtual hosting of apache2 to host several domains/subdomains on the same webserver, and everything would be fine.

However, the issue is a little more complicated than this, because sometimes it is not possible (or suitable, or convenient) to host two different websites on the same server. For example, our website is built on Joomla, and it has some modules that do not work well with the latest version of PHP (5.3), so it depends on PHP 5.2. Also, it can sometimes be suitable/convenient to use appliances from TurnKey Linux (http://www.turnkeylinux.org/) for easy installation and maintenance, but they need to have their own server. What to do in this case?

In this case, the Reverse Proxy module of apache2 comes to the rescue. The idea is that the main webserver forwards the HTTP requests to the other webservers, behaving like a kind of HTTP gateway or hub.

Let's see how to do the configuration. Suppose that we have the subdomains www.cit.edu.al, www-test.cit.edu.al, moodle.cit.edu.al and ocw.cit.edu.al. The first two domains will be hosted on the same webserver, and moodle and ocw will have their own webserver each.

1 DNS configurations

Add these lines on /var/cache/bind/db.cit.edu.al:

www             IN      A               109.69.4.170
www-test        IN      A               109.69.4.170

moodle          IN      CNAME           www
ocw             IN      CNAME           www

Don't forget to modify the serial number, and then restart the service with service bind9 restart.

2 Gateway (MikroTik) configurations

Add these firewall rules from the terminal (or from winbox):

# Forward HTTP and HTTPS arriving on the public address to the hub webserver
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.246 to-ports=80 protocol=tcp dst-address=109.69.4.170 dst-port=80
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.1.246 to-ports=443 protocol=tcp dst-address=109.69.4.170 dst-port=443

3 Configurations on the main (gateway/hub) webserver

On the gateway webserver (192.168.1.246) do these apache configurations:

  • Enable SSL Name-Based virtual hosting.
    • Enable mod_ssl: a2enmod ssl
    • Edit /etc/apache2/ports.conf and add the line NameVirtualHost *:443:
      <IfModule mod_ssl.c>
          # If you add NameVirtualHost *:443 here, you will also have to change
          # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
          # to <VirtualHost *:443>
          # Server Name Indication for SSL named virtual hosts is currently not
          # supported by MSIE on Windows XP.
          NameVirtualHost *:443
          Listen 443
      </IfModule>
      
    • Edit /etc/apache2/sites-available/default-ssl and change the VirtualHost statement (at the top) to <VirtualHost *:443>, like this:
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
      
    • Then restart apache: service apache2 restart
  • Enable the proxy modules etc.:
    a2enmod proxy
    a2enmod proxy_http
    a2enmod proxy_connect
    a2enmod proxy_balancer
    a2enmod headers
    a2enmod cache
    a2enmod mem_cache
    
  • In the directory /etc/apache2/sites-available, copy the files default and default-ssl to cit, cit-ssl, cit-test, cit-test-ssl, moodle, moodle-ssl, ocw, ocw-ssl, etc. Then modify these files similarly to cit and cit-ssl below:
    • Add these lines at the top of cit:
      <VirtualHost *:80>
            ServerName www.cit.edu.al
            ServerAdmin admin@cit.edu.al
      
            # Only reverse-proxy (ProxyPass); "off" keeps this vhost from acting as an open forward proxy
            ProxyRequests off
            ProxyPass / http://www.cit.edu.al/
            ProxyPassReverse / http://www.cit.edu.al/
      
      
    • Add these lines at the top of cit-ssl:
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
      	ServerName www.cit.edu.al
      	ServerAdmin admin@cit.edu.al
      
      	ProxyRequests off
      	SSLProxyEngine on
      	ProxyPass / https://www.cit.edu.al/
      	ProxyPassReverse / https://www.cit.edu.al/
      
  • Enable the sites cit, cit-ssl, etc. like this:
    a2ensite cit
    a2ensite cit-ssl
    a2ensite cit-test
    a2ensite cit-test-ssl
    a2ensite moodle
    a2ensite moodle-ssl
    a2ensite ocw
    a2ensite ocw-ssl
    
  • Restart or reload apache2: service apache2 reload
  • Important! Modify the file /etc/hosts and append these lines, so that the ProxyPass targets resolve to the internal webservers instead of the public IP (which would be forwarded back to this same proxy):
    192.168.1.252   www.cit.edu.al
    192.168.1.252   www-test.cit.edu.al
    192.168.1.253   moodle.cit.edu.al
    192.168.1.254   ocw.cit.edu.al
    
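The /etc/hosts step above is what keeps the hub from proxying to itself: without it, www.cit.edu.al resolves through public DNS to 109.69.4.170, the DNAT sends the request straight back to 192.168.1.246, and the request loops. The following is an added consistency check, not part of the original post: it parses the proxy vhost fragments and an /etc/hosts text, and reports any ProxyPass target that has no hosts entry or that maps back to the proxy, plus any vhost where ProxyRequests is not off. The "broken" site and the hostname moodle-backend.cit.edu.al are constructed for the demonstration.

```python
import re

# Constructed sample input: the proxy's LAN address and /etc/hosts lines from step 3,
# one correct vhost fragment (cit) and one deliberately wrong one (broken).
PROXY_ADDR = "192.168.1.246"
HOSTS_FILE = """\
192.168.1.252   www.cit.edu.al
192.168.1.252   www-test.cit.edu.al
192.168.1.253   moodle.cit.edu.al
192.168.1.254   ocw.cit.edu.al
"""
SITE_FILES = {
    "cit": """<VirtualHost *:80>
    ServerName www.cit.edu.al
    ProxyRequests off
    ProxyPass / http://www.cit.edu.al/
    ProxyPassReverse / http://www.cit.edu.al/
</VirtualHost>""",
    # Hypothetical broken site: forward proxying enabled, backend name not in /etc/hosts.
    "broken": """<VirtualHost *:80>
    ServerName moodle.cit.edu.al
    ProxyRequests on
    ProxyPass / http://moodle-backend.cit.edu.al/
</VirtualHost>""",
}

def parse_hosts(text):
    # Map every hostname in /etc/hosts-style text to its address (comments ignored).
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name] = fields[0]
    return table

def check_site(conf, hosts, proxy_addr=PROXY_ADDR):
    # Return the list of problems found in one proxy vhost fragment.
    problems = []
    m = re.search(r"^\s*ProxyRequests\s+(\S+)", conf, re.M | re.I)
    if not m or m.group(1).lower() != "off":
        problems.append("ProxyRequests is not off: vhost would be an open forward proxy")
    for target in re.findall(r"^\s*ProxyPass\s+\S+\s+(\S+)", conf, re.M):
        url = re.match(r"https?://([^/:]+)", target)
        if not url:
            continue
        backend = hosts.get(url.group(1))
        if backend is None:
            problems.append(f"{url.group(1)}: no /etc/hosts entry, public DNS would send it back through the DNAT to this proxy (loop)")
        elif backend == proxy_addr:
            problems.append(f"{url.group(1)}: maps to the proxy itself ({proxy_addr}), request loop")
    return problems

def audit(site_files=SITE_FILES, hosts_text=HOSTS_FILE):
    hosts = parse_hosts(hosts_text)
    return {name: check_site(conf, hosts) for name, conf in site_files.items()}
```

Run audit() after editing the site files on the hub; an empty list for every site means no loop and no open proxy from these two directives.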

4 Configurations on the webservers that are accessed through the proxy

On the webserver 192.168.1.252 (that is hosting the websites www.cit.edu.al and www-test.cit.edu.al), make these configurations:

  • Enable SSL Name-Based virtual hosting (as described previously).
  • Place the files of the websites in the directories /var/www/cit/ and /var/www/cit-test/.
  • In the directory /etc/apache2/sites-available, copy the files default and default-ssl to cit, cit-ssl, cit-test, cit-test-ssl, and modify these files like this:
    • Add these lines at the top of cit:
      <VirtualHost *:80>
      	ServerName www.cit.edu.al
      	ServerAdmin admin@cit.edu.al
      
      	DocumentRoot /var/www/cit
      	<Directory />
      		Options FollowSymLinks
      		AllowOverride None
      	</Directory>
      	<Directory /var/www/cit/>
      		Options Indexes FollowSymLinks MultiViews
      		AllowOverride None
      		Order allow,deny
      		allow from all
      	</Directory>
      
    • Add these lines at the top of cit-ssl:
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
      	ServerName www.cit.edu.al
      	ServerAdmin admin@cit.edu.al
      
      	DocumentRoot /var/www/cit
      	<Directory />
      		Options FollowSymLinks
      		AllowOverride None
      	</Directory>
      	<Directory /var/www/cit/>
      		Options Indexes FollowSymLinks MultiViews
      		AllowOverride None
      		Order allow,deny
      		allow from all
      	</Directory>
      
    • Add these lines at the top of cit-test:
      <VirtualHost *:80>
      	ServerName www-test.cit.edu.al
      	ServerAdmin admin@cit.edu.al
      
      	DocumentRoot /var/www/cit-test
      	<Directory />
      		Options FollowSymLinks
      		AllowOverride None
      	</Directory>
      	<Directory /var/www/cit-test/>
      		Options Indexes FollowSymLinks MultiViews
      		AllowOverride None
      		Order allow,deny
      		allow from all
      	</Directory>
      
    • Add these lines at the top of cit-test-ssl:
      <IfModule mod_ssl.c>
      <VirtualHost *:443>
      	ServerName www-test.cit.edu.al
      	ServerAdmin admin@cit.edu.al
      
      	DocumentRoot /var/www/cit-test
      	<Directory />
      		Options FollowSymLinks
      		AllowOverride None
      	</Directory>
      	<Directory /var/www/cit-test/>
      		Options Indexes FollowSymLinks MultiViews
      		AllowOverride None
      		Order allow,deny
      		allow from all
      	</Directory>
      
  • Enable the sites cit, cit-ssl, cit-test, cit-test-ssl etc. like this:
    a2ensite cit
    a2ensite cit-ssl
    a2ensite cit-test
    a2ensite cit-test-ssl
    
  • Restart or reload apache2: service apache2 reload

Do the same thing for the other webservers as well.

Author: Dashamir Hoxha

Created: 2019-01-24 Thu 05:13

Emacs 25.1.1 (Org mode 8.2.10)
