----- Original Message -----
From: "Michael Stauber" <bq (at mark) solarspeed.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Friday, December 07, 2007 1:50 AM
Subject: [coba-e:11369] Re: IP changes for SSL
> Hi Colin,
>
>> We have a BQ server behind a firewall using 1 to 1 NAT for external IP
>> addresses.
>>
>> Currently we have a number of vhosts on the server all using the same
>> shared IP 192.168.10.130
>> We have a site that now needs an SSL cert, so I changed the IP to
>> 192.168.10.131 on that site and created a NAT forward from the firewall
>> for a different external IP.
>>
>> The external IP forwards to the server from the firewall fine
>> The server has 192.168.10.131 as an alias on the primary interface
>> The httpd vhosts file looks fine
>>
>> But apache cannot find the site.
>>
>> I have trawled through the mailing list but cannot find anything.
>>
>> Anybody got a clue?
>
> You do NOT have to re-configure Apache to run on both the internal/external
> IP for that site. Just using the private IP is sufficient. I'm using that
> kind of setup on all my servers in my own office.
>
> First of all, troubleshoot it from the command line on the server. Run
> these commands on the command line as root from SSH:
>
> lynx http://192.168.10.131
> lynx https://192.168.10.131
>
> If the site comes up in the command line web browser "lynx", then you know
> that the site is generally working and that the problem is rather related
> to your routing, your NAT or DNS.
>
> What you need in general terms is this:
>
> 1.) Set up the site to run on the private IP 192.168.10.131
>
> 2.) Set up the NAT for <public IP> to map ports 80, 81, 443 and 444 to the
> respective ports on the private IP 192.168.10.131. If you also provide FTP
> and email services for that IP, you also have to map the ports 21, 25, 110,
> 143, 587, 993 and 995 as well.
>
> 3.) If you run multiple different servers (servers, not just virtual
> sites!) on NAT and if it is necessary that the servers can send email to
> each other, then you may have to configure and use a separate (internal!)
> DNS server which is tied into your /etc/resolv.conf on all servers that run
> on the private IPs. If you have multiple DNS servers in your
> /etc/resolv.conf, then the internal DNS server MUST be the first one listed.
>
> This internal DNS server should have identical records to your public DNS
> server, but instead of the public IPs it has all the respective private IPs
> in it.
>
> The reason for the private DNS server is that otherwise your emails are
> routed through the public IPs instead, which your firewall will most likely
> not permit (i.e.: external traffic routed through the internal network
> interface).
>
> But: JUST for web related traffic you don't have to go through the hassles
> of setting up a separate DNS server with the internal IPs.
>
> --
> With best regards,
>
> Michael Stauber
Michael,
Thanks for the info.
Would it work with https if
https://www.someDomain.com
and
https://www.someOtherDomain.com
had separate internal IPs but the same external IP?
----
Ken Marcus
Ecommerce Web Hosting by
Precision Web Hosting, Inc.
http://www.precisionweb.net
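As an added example, not code from this thread, from BlueQuartz or from Apache, the NAT and DNS steps Michael lists above and the HTTPS question Ken asks are modelled in one Python script: it generates the DNAT rules for exactly the port sets named in the reply, derives the internal DNS view from the public zone by swapping public for private addresses, and flags the case where two SSL sites would end up behind one public IP and port. The addresses, host names and the iptables rule syntax (which assumes a Linux netfilter firewall; the thread never names the firewall product) are all assumptions.

```python
"""Model of the 1:1 NAT + virtual-host layout from the thread.

Added example, not code from the original posting, BlueQuartz or Apache.
All host names and addresses are constructed placeholders (192.0.2.0/24 is
the documentation range standing in for the real public addresses).
"""
from collections import defaultdict

# Port sets exactly as listed in the reply: web 80/81/443/444, FTP 21,
# mail 25/110/143/587/993/995.
SERVICE_PORTS = {
    "web": (80, 81, 443, 444),
    "ftp": (21,),
    "mail": (25, 110, 143, 587, 993, 995),
}


def dnat_rules(nat, services):
    """Step 2: one DNAT rule per (public IP, port) for the services offered.

    `nat` maps private IP -> public IP. Assumes a Linux netfilter firewall
    (the thread never names the firewall product); other firewalls need the
    same mapping in their own syntax.
    """
    rules = []
    for private, public in sorted(nat.items()):
        for svc in services:
            for port in SERVICE_PORTS[svc]:
                rules.append(
                    f"iptables -t nat -A PREROUTING -d {public} -p tcp "
                    f"--dport {port} -j DNAT --to-destination {private}:{port}"
                )
    return rules


def port_collisions(nat, services):
    """Return {(public IP, port): [private IPs]} wherever two private IPs would
    need the same public IP and port. A 1:1 NAT never produces any; a
    many-to-one NAT does, and only the first DNAT rule for that tuple matches."""
    claimed = defaultdict(list)
    for private, public in nat.items():
        for svc in services:
            for port in SERVICE_PORTS[svc]:
                claimed[(public, port)].append(private)
    return {key: privs for key, privs in claimed.items() if len(privs) > 1}


def https_conflicts(nat, vhosts):
    """Return {public IP: [vhost names]} for public IPs fronting more than one
    SSL vhost. `vhosts` is a list of (name, private IP, is_ssl).

    Without SNI the server must choose its certificate from the IP:port the
    client connected to, before any Host header is seen, so two SSL vhosts
    reached through one public IP:443 cannot both be served correctly; giving
    them separate private IPs does not change what the client connects to.
    """
    by_public = defaultdict(list)
    for name, private, is_ssl in vhosts:
        if is_ssl and private in nat:
            by_public[nat[private]].append(name)
    return {pub: names for pub, names in by_public.items() if len(names) > 1}


def internal_zone(public_records, nat):
    """Step 3: the internal DNS view is the public zone with each public IP
    replaced by its private counterpart; names with no NAT entry are kept."""
    public_to_private = {pub: priv for priv, pub in nat.items()}
    return {name: public_to_private.get(ip, ip) for name, ip in public_records.items()}


# Constructed layout matching the original question: shared HTTP IP plus one
# SSL site on its own private IP, each with its own public IP.
NAT = {"192.168.10.130": "192.0.2.10", "192.168.10.131": "192.0.2.11"}
VHOSTS = [
    ("www.example.com", "192.168.10.130", False),
    ("www.example.net", "192.168.10.130", False),
    ("secure.example.org", "192.168.10.131", True),
]
PUBLIC_ZONE = {
    "www.example.com": "192.0.2.10",
    "secure.example.org": "192.0.2.11",
    "mx.example.com": "192.0.2.10",
}

# Constructed layout for the follow-up question: two SSL sites on separate
# private IPs behind one shared public IP.
NAT_SHARED = {"192.168.10.131": "192.0.2.11", "192.168.10.132": "192.0.2.11"}
VHOSTS_SHARED = [
    ("www.someDomain.com", "192.168.10.131", True),
    ("www.someOtherDomain.com", "192.168.10.132", True),
]

if __name__ == "__main__":
    for rule in dnat_rules(NAT, ["web"]):
        print(rule)
    print("collisions:", port_collisions(NAT, ["web"]))
    print("https conflicts (1:1):", https_conflicts(NAT, VHOSTS))
    print("https conflicts (shared):", https_conflicts(NAT_SHARED, VHOSTS_SHARED))
    print("internal zone:", internal_zone(PUBLIC_ZONE, NAT))
```

Run it as-is to see the eight web DNAT rules for the 1:1 layout, an empty conflict set for that layout, and the single shared public IP reported for the two-SSL-site layout; the internal zone output is what the internal DNS server from step 3 would serve.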