Date:  Fri, 7 Dec 2007 10:50:06 +0100
From:  Michael Stauber <bq (at mark) solarspeed.net>
Subject:  [coba-e:11369] Re: IP changes for SSL
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200712071050.07121.bq (at mark) solarspeed.net>
In-Reply-To:  <683F5FB5E2C08E4A8FE8D499A890A3EA0378B7 (at mark) mainserver.mainline.local>
References:  <683F5FB5E2C08E4A8FE8D499A890A3EA0378B7 (at mark) mainserver.mainline.local>
X-Mail-Count: 11369

Hi Colin,

> We have a BQ server behind a firewall using 1 to 1 NAT for external IP
> addresses.
>
> Currently we have a number of vhosts on the server all using the same
> shared IP 192.168.10.130
> We have a site that now needs an SSL cert, so I changed the IP to
> 192.168.10.131 on that site and created a NAT forward from the firewall
> for a different external IP.
>
> The external IP forwards to the server from the firewall fine
> The server has 192.168.10.131 as an alias on the primary interface
> The httpd vhosts file looks fine
>
> But apache cannot find the site.
>
> I have trawled through the mailing list but cannot find anything.
>
> Anybody got a clue?

You do NOT have to re-configure Apache to run on both the internal/external IP 
for that site. Just using the private IP is sufficient. I'm using that kind of 
setup on all my servers in my own office.

First of all, troubleshoot it from the command line on the server. Run these 
commands on the command line as root from SSH:

lynx http://192.168.10.131
lynx https://192.168.10.131

If the site comes up in the command line web browser "lynx", then you know 
that the site is generally working and that the problem is rather related to 
your routing, your NAT or DNS.

What you need in general terms is this:

1.) Set up the site to run on the private IP 192.168.10.131

2.) Set up the NAT for <public IP> to map port 80, 81, 443 and 444 to the 
respective ports on the private IP 192.168.10.131. If you also provide FTP 
and email services for that IP, you also have to map the ports 21, 25, 110, 
143, 587, 993 and 995 as well.

3.) If you run multiple different servers (servers, not just virtual sites!) 
on NAT and if it is necessary that the servers can send email to each other, 
then you may have to configure and use a separate (internal!) DNS server 
which is tied into your /etc/resolv.conf on all servers that run on the 
private IPs. If you have multiple DNS servers in your /etc/resolv.conf, 
then the internal DNS server MUST be the first one listed.

This internal DNS server should have identical records to your public DNS 
server, but instead of the public IPs it has all the respective private IPs 
in it.

The reason for the private DNS server is that otherwise your emails are routed 
through the public IPs instead, which your firewall will most likely not 
permit (i.e.: external traffic routed through the internal network 
interface).

But: JUST for web related traffic you don't have to go through the hassles of 
setting up a separate DNS server with the internal IPs.

-- 
With best regards,

Michael Stauber
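The checks Michael describes (is the private IP configured, is Apache actually listening on it, does the site answer locally, is the internal resolver listed first) can be scripted so they are run on the server before touching the firewall. The script below is an added example for this thread, not code from Michael or from the BlueQuartz project. It assumes the private IP 192.168.10.131 from the thread, an internal DNS server at 192.168.10.1 (an assumed placeholder), and that ss(8), ip(8) and curl are installed; the `ss -ltn` listing embedded in it is constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the original mail: local checks for a vhost bound
# to a private IP behind 1:1 NAT. Values marked "assumed" are placeholders.
PRIVATE_IP="${PRIVATE_IP:-192.168.10.131}"    # private IP from the thread
INTERNAL_DNS="${INTERNAL_DNS:-192.168.10.1}"  # assumed internal resolver
WEB_PORTS="80 81 443 444"                      # ports the NAT must forward

# Constructed sample of `ss -ltn` output for offline use (not real output).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN 0      128    192.168.10.131:443    0.0.0.0:*
LISTEN 0      128    0.0.0.0:80            0.0.0.0:*'

# Return 0 if LISTING (ss -ltn format) shows a listener on IP:PORT, or on
# the wildcard address for PORT (Apache binding *:80 also serves the alias).
listens_on() {
    listing="$1"; ip="$2"; port="$3"
    printf '%s\n' "$listing" | awk -v ip="$ip" -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            h = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (h == ip || h == "0.0.0.0" || h == "*" || h == "[::]"))
                found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Return 0 if the first "nameserver" line of a resolv.conf file (use "-" for
# stdin) names the internal DNS server, as the internal resolver must be
# listed before any public one.
internal_dns_is_first() {
    first=$(awk '/^nameserver/ { print $2; exit }' "$1")
    [ "$first" = "$INTERNAL_DNS" ]
}

# Return 0 if the private IP is configured on some interface.
alias_present() {
    ip -4 addr show 2>/dev/null | grep -q "inet $PRIVATE_IP/"
}

# Live checks, run as root on the server: alias, listeners, HTTP(S) fetch,
# resolver order. curl -k is used because the cert will not match a bare IP.
run_live_checks() {
    alias_present && echo "ok: $PRIVATE_IP is configured" \
                  || echo "FAIL: $PRIVATE_IP alias is missing"
    listing=$(ss -ltn 2>/dev/null)
    for p in $WEB_PORTS; do
        if listens_on "$listing" "$PRIVATE_IP" "$p"; then
            echo "ok: listener on $PRIVATE_IP:$p"
        else
            echo "FAIL: nothing listening on $PRIVATE_IP:$p"
        fi
    done
    for url in "http://$PRIVATE_IP/" "https://$PRIVATE_IP/"; do
        code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 5 "$url")
        echo "$url -> HTTP $code"
    done
    if internal_dns_is_first /etc/resolv.conf; then
        echo "ok: internal DNS $INTERNAL_DNS is the first nameserver"
    else
        echo "note: $INTERNAL_DNS is not the first nameserver (only needed for mail between NATed servers)"
    fi
}

# Usage: sh check_vhost.sh live   (without "live" only the functions are defined)
if [ "${1:-}" = "live" ]; then
    run_live_checks
fi
```

If every line reports "ok" and curl returns a 200 or 301 for both URLs, the server side is fine and the remaining suspects are the firewall's DNAT rules for ports 80, 81, 443 and 444 and the public DNS record; a FAIL on a listener means the vhost or the IP alias, not the NAT, is the problem.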