Apache virtual hosts for intranet and external site
I have Apache running on my home LAN server "washu" (based on Fedora Core 2), and can request test pages successfully across the LAN. I want to set up both an intranet and a site for external visitors, and configure these as virtual hosts in Apache.
(I've done some minor edits to httpd.conf before, but haven't tried virtual host setup yet.) My home network has a dynamic DNS hostname (with dyndns.org) for access from outside, and "washu" has an internal IP address of 192.168.123.101. I'm aiming for the following:
- users from inside the network will enter http://washu/ (which resolves to 192.168.123.101 internally), and see the intranet pages
- visitors from outside will enter http://abc.dyndns.org/ (where "abc" is the real name :) ), and see the "external" pages (they should not be able to access the intranet)
To achieve the above, would I need to edit the httpd.conf file with something like this?
Code:
NameVirtualHost 192.168.123.101
NameVirtualHost *
# Intranet
<VirtualHost 192.168.123.101>
    DocumentRoot /path/to/intranet/site/root
    ServerName washu
    ServerAlias intranet
</VirtualHost>
# External site
<VirtualHost *>
    DocumentRoot /path/to/external/site/root
    ServerName abc.dyndns.org
    ServerAlias external
</VirtualHost>
Thanks,
Tim |
You don't need 2 instances of NameVirtualHost... you have a * beside the one, so that means it will respond to any IP address. To have another one with a specific IP is redundant and apache will probably ignore it. Also, serveralias is not correct... it's supposed to be alternate domain names that will work for that vhost instead of the ServerName.
I think you can probably do what you want without having to add any new vhost to your setup. Have you tried typing in http://washu into the browser? Does that work? I would think it does already. If not, you may want to get rid of the "intranet" virtual host you have there and in the other one, change your serveralias to "washu". |
Quote:
I probably wasn't too clear with my original explanation, though. I can already request pages successfully from Apache, but I don't want external visitors to get the pages intended for my home network.
Just to clarify: I want to set up two separate sets of pages - one for inside my LAN, and one for outside. Once I allow port 80 connections through my home router from outside, how would I make sure that external surfers will get an "external" site, but won't be able to access the "intranet" site?
Thanks :)
Tim |
Ah! Sorry I didn't realize that before. Well, that helps explain why you wrote those 2 vhost entries like you described in your first post. I think you may have been on the right track with that.
Let me make sure I understand... you have your router doing port forwarding so that people who access your external IP will be forwarded to your box sitting behind the router? So that means technically, all of your requests are being directed to your internal IP (i.e. 192.168...)
You can probably do this VERY easily if you don't mind using a non-standard port. Like you can add the Listen 8080 directive to your config file and then for the virtual host, you can put...
<VirtualHost 192.168.123.101:8080>
But that means you'd have to type in http://washu:8080 into the browser every time, and I suspect you don't want to do that. Right? |
Second almost as quick answer.
Add a second IP to the machine. One of the IP addresses will be set up on the 'internal', the other 'external'. Set your router to pass http traffic to the external IP address.
-Mike |
This is really much easier to do with name-based virtual hosts, rather than IP-based. Check the Apache documentation for more info on virtual hosts. Your original config was pretty close. Try the following.
Code:
NameVirtualHost *
I moved the external VH to the top because when Apache gets a request which is ambiguous, it will default to the first VH (and you said people from outside should never see the washu site). You can also uncomment the ErrorLog and CustomLog directives in each VH to keep those separate.
Of course, how well this will work is also dependent on your router. As mgargiullo said, you'll have to NAT port 80 requests from the WAN to 192.168.123.101.
Enjoy!
--- Cerbere
[edit] You may want to put a 'ServerAlias *.washu.*' line in the washu VH, in case someone enters www.washu.com. [/edit] |
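
Added example, not part of Cerbere's post or the original thread: name-based virtual hosts pick a site from the Host header the client sends, so they decide which pages are served but do not by themselves keep outside clients away from the intranet host. The sketch below pairs the external-first ordering described above with an address-based rule on the intranet directory, in Apache 2.0-style syntax; the 192.168.123.0/24 LAN range, the log file names and the `combined` log format are assumptions.

```apache
# Added example (not from the thread). Assumptions: the LAN is
# 192.168.123.0/24, "Listen 80" is already present elsewhere in httpd.conf,
# the stock "combined" LogFormat is defined, and the log names are hypothetical.

# NameVirtualHost and every <VirtualHost> must use the identical argument;
# a mismatch (e.g. "*:80" here and "*" below) produces the warning
# "NameVirtualHost *:80 has no VirtualHosts".
NameVirtualHost *:80

# External site. Listed first, so it is the default for any request whose
# Host header matches no ServerName or ServerAlias.
<VirtualHost *:80>
    ServerName abc.dyndns.org
    DocumentRoot /path/to/external/site/root
    ErrorLog logs/external-error_log
    CustomLog logs/external-access_log combined
</VirtualHost>

# Intranet. Name matching only routes the request; the <Directory> rule
# below is what restricts who may read these pages.
<VirtualHost *:80>
    ServerName washu
    DocumentRoot /path/to/intranet/site/root
    ErrorLog logs/intranet-error_log
    CustomLog logs/intranet-access_log combined

    <Directory /path/to/intranet/site/root>
        # Deny is evaluated first, then Allow overrides it: every client is
        # refused (403) unless an Allow line matches its address.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.123.0/24
        # Apache 2.4 equivalent: Require ip 127.0.0.1 192.168.123.0/24
    </Directory>
</VirtualHost>
```

The Allow rule relies on the router preserving the outside client's source address when it forwards port 80; if the router rewrites the source to its own LAN address, every forwarded request would match 192.168.123.0/24. The separate intranet access log shows which client addresses Apache actually sees.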
Thanks everyone - you're all stars :D
Donboy: Yes, you were right about the router, in that I can forward requests for port 80 through to "washu" (at 192.168.123.101 internally). I could set up a different port (e.g. 8080) for one of the virtual hosts, though as you say, it might not be ideal for this purpose. (Could be useful for testing sites in future, so I'll bear it in mind - thanks for the idea!)
mgargiullo said:
Quote:
Cerbere: I think your idea looks like the most promising, so I'll give that a try and write back here with any news.
Thanks again for your ideas and feedback - this site rocks! :)
Tim.
P.S. Did anyone spot where the name "washu" comes from? |
You can add a second IP to the machine pretty easy... Here's how... Open the file /etc/sysconfig/network-scripts/ifcfg-eth0. In the first couple of lines, it will say DEVICE=eth0. Change that line to say DEVICE=eth0:0. Lower down in the same file, change the line that says IPADDR=123.456.789.10 to say whatever IP address you want. Leave everything else alone. Save the file as some other name (doesn't matter what). Now run the command service network restart and you should have a new IP address added to the machine.
What you have actually done is create something called an ip alias. Your network card now responds to 2 different ip addresses. If anything goes wrong, just delete that file and restart the network again. |
Quote:
Enjoy! --- Cerbere |
Thanks for the IP alias advice - I never knew you could do that with Linux. Must try that sometime!
Quote:
Thanks again! Tim |
Update on the virtual hosts
Well, I gave Cerbere's solution a try, just to see what happened. Actually, I'm still trying to work out what did happen...!
Just to recap, I have set up two virtual hosts, one for an intranet and one for when I let visitors in from the WAN side. The lines in httpd.conf are:
Code:
# External site
Code:
NameVirtualHost *
Code:
Your browser sent a request that this server could not understand.
Code:
NameVirtualHost *:80
This may be relevant: I just restarted Apache with /usr/sbin/apachectl graceful, and got this message:
Code:
[Thu Jun 24 19:39:58 2004] [warn] NameVirtualHost *:80 has no VirtualHosts
Thanks for reading, and for your fine help so far :D
Tim |
First off, you may want to edit your previous post to hide your actual domain name (your earlier posts suggest you didn't intend to reveal it).
Next, look through your httpd.conf for a line which reads either:
Port 80
or
Listen 80
If you don't see such a line, that might explain why you need to declare the port in NameVirtualHost and VirtualHost (and they must agree regardless). There's nothing wrong with your current setup, as long as it's working, but it is curious that you should have to specify in your VH directives that the server listen on port 80.
Enjoy!
--- Cerbere |
Quote:
Strangely enough, there is a "Listen 80" directive in the conf file, so maybe I'll have to look through the rest to see if anything else is amiss. Thanks for your help - at least I have a working setup now :) Tim |