Posted to users@httpd.apache.org by Darrel Austin <da...@visi.com> on 2002/01/15 07:33:46 UTC

Port-based Virtual Hosts

I had a question awhile back about getting two servers running behind 
one IP. After almost giving up (as it looked like I just can't) I was 
told offlist, to use the port-based virtual host configurations.

The documentation shows this:

     Listen 80
     Listen 8080
     ServerName www.domain.tld
     DocumentRoot /www/domain

     <VirtualHost 111.22.33.44:8080>
     DocumentRoot /www/domain2
     ...
     </VirtualHost>

This doesn't tell me if I can actually have two actual servers, 
however. Does the port-based VH have to be on the same machine as 
that is hosting the default port 80 traffic? Or can this port-based 
VH point at a separate IP address + port behind the router? Is the 
above config text supposed to be on the main server (listening on 
port 80) or the other server (listening on port 8080)?

In attempting to enter the above on the main server, I get an error 
'directory can not be found' for the VH on the other IP...leading me 
to believe that this, in fact, will not work.

If that doesn't work, is there any way to point at the second server 
via a domain name or sub-domain name? At the very least, we'd like to 
be able to point to the domain at an external site and have an HTML 
redirect to this server (via a different port than the main 
server...for example, 'xyz.com' would redirect to 'xyz.abc.com:8080') 
but from what I can tell, we can probably only do a redirect if we 
explicitly spell out the IP+port. It's ugly, but it'd work, suppose.

-Darrel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Port-based Virtual Hosts

Posted by Owen Boyle <ob...@bourse.ch>.
Darrel Austin wrote:
> 
> > 11.22.33.44:80   <--> 192.168.0.1:80
> > 11.22.33.44:8080 <--> 192.168.0.2:80
> 
> Yep. That's exactly how I have it set up.
> 
> So, just to recap, I can set up a URL to DNS to 11.22.33.44. That traffic
> will come in on port 80 and be routed to 192.168.0.1. On that machine, I'll
> have a html refresh page that will point at 11.22.33.44:8080. The router
> will then route that traffic to 192.168.0.2
> 
> So, on 192.168.0.1, I'll have a standard virtual host pointing to a
> directory on that server. On 192.168.0.2 I'll also have a standard virtual
> host pointing to a directory on that server.
> 
> Correct?

Indeed.

> 
> Alternatively, I can get a second IP address and solve all of this the easy
> way. ;o)

That would be cheating...



Re: Port-based Virtual Hosts

Posted by Darrel Austin <da...@visi.com>.
> 11.22.33.44:80   <--> 192.168.0.1:80
> 11.22.33.44:8080 <--> 192.168.0.2:80

Yep. That's exactly how I have it set up.

So, just to recap, I can set up a URL to DNS to 11.22.33.44. That traffic
will come in on port 80 and be routed to 192.168.0.1. On that machine, I'll
have a html refresh page that will point at 11.22.33.44:8080. The router
will then route that traffic to 192.168.0.2

So, on 192.168.0.1, I'll have a standard virtual host pointing to a
directory on that server. On 192.168.0.2 I'll also have a standard virtual
host pointing to a directory on that server.

Correct?

Alternatively, I can get a second IP address and solve all of this the easy
way. ;o)

Thanks a lot for walking me through the logic of this, Owen.

-Darrel
 




Re: Port-based Virtual Hosts

Posted by Owen Boyle <ob...@bourse.ch>.
Darrel Austin wrote:
> 
> > Port-based will kind-of work with the router setup you defined above but
> > the problem is that your URLs will be like http://domain1/ and
> > http://domain2:8080/ which is ugly, but worse, might not work in some
> > locations if an intermediate FW blocks non-standard ports like 8080.
> 
> I wouldn't necessarily mind this. I'd be OK with that. The catch is, I'm not
> sure how to get http://domain2:8080 to show up. If I just send people to
> domain2:8080, would server 2, simply by listening to port 8080, know that it
> belongs to it? And, if so, would I then just set up port-based VHs on server
> 2?

Not really - remember that the IP address comes before the port number
in the grand scheme of things. You'd have to rely on your router to do
address translation. Say domain1 and domain2 both resolve to 11.22.33.44
(external) and your internal addresses are 192.168.0.1 and 192.168.0.2.
Then your router would advertise to the web that it receives all
requests for 11.22.33.44 and then translate as follows:

11.22.33.44:80   <--> 192.168.0.1:80
11.22.33.44:8080 <--> 192.168.0.2:80

Note that the arrows are bi-directional: the router has to convert the
outgoing packets as well. I've never used a router for this (usually,
it is a FW which does this kind of stuff).

Rgds,

Owen Boyle.



Re: Port-based Virtual Hosts

Posted by Darrel Austin <da...@visi.com>.
> It's not to do with security - just separating web-sites: For example,
> you might have a production web site accessible on port 80 and connected
> to the web via a FW and a development version of the site on port 8000
> accessible only internally (the FW blocks access to 8000 from the web).
> So you can make changes to the development files and review them on port
> 8000 before checking them out on the production site.

Ah. That makes sense.

> - You have two separate machines which contain two separate sites.

Yep.

> For
> whatever reason, you cannot combine the content on a single server.

I could, of course. But we wanted to do this just to be able to play with
two servers (these are old machines, and we thought splitting the loads
wouldn't hurt). I KNOW that there is a better way to do this...switch ISPs
to one that provided multiple IPs. ;)

> - You have one external IP address to which both domain names are
> assigned.

Right.

> - You want to distinguish between the two sites...

Right.

> Clearly straight name-based VH-ing will not work because the sites are
> on different machines.

Right.

> Port-based will kind-of work with the router setup you defined above but
> the problem is that your URLs will be like http://domain1/ and
> http://domain2:8080/ which is ugly, but worse, might not work in some
> locations if an intermediate FW blocks non-standard ports like 8080.

I wouldn't necessarily mind this. I'd be OK with that. The catch is, I'm not
sure how to get http://domain2:8080 to show up. If I just send people to
domain2:8080, would server 2, simply by listening to port 8080, know that it
belongs to it? And, if so, would I then just set up port-based VHs on server
2?

> Coming back to NBVHing, using a redirect or rewrite [R] for the second
> site is cleaner (the user types in "domain2" but gets redirected to
> "domain2:8080") but still suffers from the risk of FW-blocking.

This would be even better. An HTML redirect was what I was thinking (what is
a rewrite?). If I did this, would I set up a VH on server one to accept
domain2.com to point to a page that redirects to domain2.com:8080 and then
have a port-based VH on server two?

> I'm not an expert on mod_proxy so RTFM thoroughly before going live but
> then the idea would be that server 1 would carry your external IP
> address and receive the requests but go to server 2 (which would carry
> an internal IP address) for domain2 data. Server 2 would just serve a
> single site with no need for NBVHing.

Wow. Sounds like I might have some fun figuring that out. ;o) If I go that
route, it sounds like server 1 would have to live outside of the router, and
server 2 would sit behind the router.

I might ponder this for a day or so and then I might just break down and get
a second IP address. ;)

Thanks, Owen!

-Darrel





Re: Port-based Virtual Hosts

Posted by Owen Boyle <ob...@bourse.ch>.
Darrel Austin wrote:
> 
> When would someone want to use
> port-based Virtual Hosts on the same machine? Would that be a
> security issue?

It's not to do with security - just separating web-sites: For example,
you might have a production web site accessible on port 80 and connected
to the web via a FW and a development version of the site on port 8000
accessible only internally (the FW blocks access to 8000 from the web).
So you can make changes to the development files and review them on port
8000 before checking them out on the production site.

> However, how would I then point a domain name at the
> machine listening on port 8080? AFAIK, the domain has to resolve to
> an IP address, which, by default, goes through port 80. So, I suppose
> my question is, can I redirect traffic that, by default is hitting
> the machine listening to port 80 to the machine listening to port
> 8080? My initial thought on the 'easy solution' was to point the
> domain name at the main server, and then just set up an HTML redirect
> to domain.com:8080 so that it goes to the other machine. Is that
> feasible?
> 
> Maybe this would be a better layout of what I have set up:
> 
> 255.255.255.255 (external IP that all domains point at)
>   |
>   |_ Router (set to direct ports to two different internal IPs)
>       |
>       |_ Machine 1 (internal IP: 10.0.0.10, listening on 80)
>       |    domain1.com
>       |    domain2.com
>       |
>       |_ Machine 2 (internal IP: 10.0.0.50, listening on 8080)
>            domain3.com
>            domain4.com

Is this a correct analysis of your situation:

- You have two separate machines which contain two separate sites. For
whatever reason, you cannot combine the content on a single server.
- You have one external IP address to which both domain names are
assigned.
- You want to distinguish between the two sites...

Clearly straight name-based VH-ing will not work because the sites are
on different machines. 

Port-based will kind-of work with the router setup you defined above but
the problem is that your URLs will be like http://domain1/ and
http://domain2:8080/ which is ugly, but worse, might not work in some
locations if an intermediate FW blocks non-standard ports like 8080.

Coming back to NBVHing, using a redirect or rewrite [R] for the second
site is cleaner (the user types in "domain2" but gets redirected to
"domain2:8080") but still suffers from the risk of FW-blocking.

One other solution might be to use mod_proxy (needs to be compiled in or
loaded). The primary server acts as a proxy - serving requests to
domain1 itself and retrieving requests for domain2 from the second
server. Then I think you'd do:

Server 1:

NameVirtualHost ip-addr

<VirtualHost ip-addr:80>
  ServerName   domain1
  DocumentRoot /www/domain1
</VirtualHost>

<VirtualHost ip-addr:80>
  ServerName  domain2
  # Reverse-proxy all requests for domain2 to server 2
  ProxyPass        / http://server-2-ip-addr/
  ProxyPassReverse / http://server-2-ip-addr/
</VirtualHost>

Server 2:

DocumentRoot /www/domain2

I'm not an expert on mod_proxy so RTFM thoroughly before going live but
then the idea would be that server 1 would carry your external IP
address and receive the requests but go to server 2 (which would carry
an internal IP address) for domain2 data. Server 2 would just serve a
single site with no need for NBVHing.

Rgds,

Owen Boyle.
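
An added example, not part of Owen's message: the proxy layout sketched above, written for Apache 2.4 with mod_proxy and mod_proxy_http loaded, and with ProxyRequests Off so that server 1 cannot be used as an open forward proxy. The addresses 192.168.0.1 (server 1) and 192.168.0.2 (server 2) are borrowed from elsewhere in the thread and are assumptions, as is the 2.4 access-control syntax.

```apache
# --- Server 1 (public-facing; assumed internal address 192.168.0.1) ---
# Requires mod_proxy and mod_proxy_http.
# Never act as a forward proxy: only the ProxyPass mapping below is served.
ProxyRequests Off

<VirtualHost *:80>
  ServerName   domain1
  DocumentRoot /www/domain1
</VirtualHost>

<VirtualHost *:80>
  ServerName domain2

  # Hand every request for domain2 to server 2, and rewrite Location
  # headers in its responses so clients never see the internal address.
  ProxyPass        / http://192.168.0.2/
  ProxyPassReverse / http://192.168.0.2/

  # Pass the original Host header through so server 2 logs and builds
  # self-referential URLs for domain2 rather than for its own IP.
  ProxyPreserveHost On
</VirtualHost>

# --- Server 2 (internal only; assumed address 192.168.0.2) ---
Listen 192.168.0.2:80
DocumentRoot /www/domain2

<Directory /www/domain2>
  # Accept requests only from the proxy, so the backend cannot be
  # reached directly by other hosts on the internal network.
  Require ip 192.168.0.1
</Directory>
```

With this layout both sites stay on port 80, so the non-standard-port firewall problem discussed earlier in the thread does not arise.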



Re: Port-based Virtual Hosts

Posted by Darrel Austin <da...@visi.com>.
Owen:

Thanks for the reply!

>I'm not too clear what you want to do. If you have the content of both
>sites on the same physical machine and you want to do port based VH-ing,
>then that is no problem.

Nope. I actually have two separate machines. Both running apache. 
Behind one IP. (so I'll skip on down to your second answer...)

Wait...actually, I do have a question. When would someone want to use 
port-based Virtual Hosts on the same machine? Would that be a 
security issue?

Anyways, on to my question...

>If you (for whatever reason) want to have *two* instances of apache,
>then you need two separate config files, start apache twice and make
>sure the IP/port allocations don't conflict, e.g.
>
>config 1:
>
>       Listen 111.22.33.44:80
>       ServerName www.domain.tld
>       DocumentRoot /www/domain
>
>config 2:
>
>       Listen 111.22.33.44:8080
>       ServerName www.domain2.tld
>       DocumentRoot /www/domain2

Can those two config files sit on two different physical machines?  I 
assume they can. However, how would I then point a domain name at the 
machine listening on port 8080? AFAIK, the domain has to resolve to 
an IP address, which, by default, goes through port 80. So, I suppose 
my question is, can I redirect traffic that, by default is hitting 
the machine listening to port 80 to the machine listening to port 
8080? My initial thought on the 'easy solution' was to point the 
domain name at the main server, and then just set up an HTML redirect 
to domain.com:8080 so that it goes to the other machine. Is that 
feasible?

Maybe this would be a better layout of what I have set up:

255.255.255.255 (external IP that all domains point at)
  |
  |_ Router (set to direct ports to two different internal IPs)
      |
      |_ Machine 1 (internal IP: 10.0.0.10, listening on 80)
      |    domain1.com
      |    domain2.com
      |
      |_ Machine 2 (internal IP: 10.0.0.50, listening on 8080)
           domain3.com
           domain4.com

I hope that makes better sense.

-Darrel



Re: Port-based Virtual Hosts

Posted by Owen Boyle <ob...@bourse.ch>.
Darrel Austin wrote:
> 
> I had a question awhile back about getting two servers running behind
> one IP. After almost giving up (as it looked like I just can't) I was
> told offlist, to use the port-based virtual host configurations.
> 
> The documentation shows this:
> 
>      Listen 80
>      Listen 8080
>      ServerName www.domain.tld
>      DocumentRoot /www/domain
> 
>      <VirtualHost 111.22.33.44:8080>
>      DocumentRoot /www/domain2
>      ...
>      </VirtualHost>
> 
> This doesn't tell me if I can actually have two actual servers,
> however. Does the port-based VH have to be on the same machine as
> that is hosting the default port 80 traffic? Or can this port-based
> VH point at a separate IP address + port behind the router? Is the
> above config text supposed to be on the main server (listening on
> port 80) or the other server (listening on port 8080)?
> 
> In attempting to enter the above on the main server, I get an error
> 'directory can not be found' for the VH on the other IP...leading me
> to believe that this, in fact, will not work.
> 
> If that doesn't work, is there any way to point at the second server
> via a domain name or sub-domain name? At the very least, we'd like to
> be able to point to the domain at an external site and have an HTML
> redirect to this server (via a different port than the main
> server...for example, 'xyz.com' would redirect to 'xyz.abc.com:8080')
> but from what I can tell, we can probably only do a redirect if we
> explicitly spell out the IP+port. It's ugly, but it'd work, suppose.

I'm not too clear what you want to do. If you have the content of both
sites on the same physical machine and you want to do port based VH-ing,
then that is no problem. Note that in the config example you give, you
are using one site as the "main" domain (outside a VH) and the other
inside a VH - this works but is confusing and difficult to maintain. A
better config, where everything is at the same level in a VH is:

      Listen 111.22.33.44:80
      <VirtualHost 111.22.33.44:80>
        ServerName www.domain.tld
        DocumentRoot /www/domain
      </VirtualHost>
 
      Listen 111.22.33.44:8080
      <VirtualHost 111.22.33.44:8080>
        DocumentRoot /www/domain2
      </VirtualHost>

The only snag with this approach is that the client has to specify port
8080 in the URL (and any FW between you and the client has to let it
through). You can do everything on port 80 if you use name-based VHs:

      NameVirtualHost 111.22.33.44
      Listen 111.22.33.44:80

      <VirtualHost 111.22.33.44:80>
        ServerName www.domain.tld
        DocumentRoot /www/domain
      </VirtualHost>

      <VirtualHost 111.22.33.44:80>
        ServerName www.domain2.tld
        DocumentRoot /www/domain2
      </VirtualHost>

This will serve the different sites depending on the "Host:" field in
the request (i.e. what the client types into the browser).

Note that in both cases, the two sites are running off the *same* server
- i.e. there is only one instance of apache running.

If you (for whatever reason) want to have *two* instances of apache,
then you need two separate config files, start apache twice and make
sure the IP/port allocations don't conflict, e.g.

config 1:

      Listen 111.22.33.44:80
      ServerName www.domain.tld
      DocumentRoot /www/domain

config 2:

      Listen 111.22.33.44:8080
      ServerName www.domain2.tld
      DocumentRoot /www/domain2

Since the two servers are distinct instances, you don't need VHs.
Functionally, this is the same as IP-based VHing but with the distinction
that you can stop one server without interrupting the other.

Not sure if this answers your question...

Rgds,

Owen Boyle.
