LinuxQuestions.org


tawalker 06-16-2004 02:02 PM

Apache virtual hosts for intranet and external site
 
I have Apache running on my home LAN server "washu" (based on Fedora Core 2), and can request test pages successfully across the LAN. I want to set up both an intranet and a site for external visitors, and configure these as virtual hosts in Apache.
(I've done some minor edits to httpd.conf before, but haven't tried virtual host setup yet.)

My home network has a dynamic DNS hostname (with dyndns.org) for access from outside, and "washu" has an internal IP address of 192.168.123.101.

I'm aiming for the following:

- users from inside the network will enter http://washu/ (which resolves to 192.168.123.101 internally), and see the intranet pages
- visitors from outside will enter http://abc.dyndns.org/ (where "abc" is the real name :) ), and see the "external" pages (they should not be able to access the intranet)

To achieve the above, would I need to edit the httpd.conf file with something like this?

NameVirtualHost 192.168.123.101
NameVirtualHost *

# Intranet
<VirtualHost 192.168.123.101>
DocumentRoot /path/to/intranet/site/root
ServerName washu
ServerAlias intranet
</VirtualHost>

# External site
<VirtualHost *>
DocumentRoot /path/to/external/site/root
ServerName abc.dyndns.org
ServerAlias external
</VirtualHost>

Thanks,
Tim

Donboy 06-16-2004 02:20 PM

You don't need 2 instances of NameVirtualHost... you have a * beside the one, so that means it will respond to any IP address. To have another one with a specific IP is redundant and apache will probably ignore it. Also, serveralias is not correct... it's supposed to be alternate domain names that will work for that vhost instead of the ServerName.

I think you can probably do what you want without having to add any new vhost to your setup. Have you tried typing in http://washu into the browser? Does that work? I would think it does already. If not, you may want to get rid of the "intranet" virtual host you have there and in the other one, change your serveralias to "washu".

tawalker 06-17-2004 01:33 PM

Quote:

You don't need 2 instances of NameVirtualHost... you have a * beside the one, so that means it will respond to any IP address. To have another one with a specific IP is redundant and apache will probably ignore it. Also, serveralias is not correct... it's supposed to be alternate domain names that will work for that vhost instead of the ServerName.

You probably worked out I'm not too familiar with Apache virtual hosts - thanks for untangling that :)

I probably wasn't too clear with my original explanation, though. I can already request pages successfully from Apache, but I don't want external visitors to get the pages intended for my home network. Just to clarify: I want to set up two separate sets of pages - one for inside my LAN, and one for outside.

Once I allow port 80 connections through my home router from outside, how would I make sure that external surfers will get an "external" site, but won't be able to access the "intranet" site?

Thanks :)

Tim

Donboy 06-17-2004 02:31 PM

Ah! Sorry I didn't realize that before. Well, that helps explain why you wrote those 2 vhost entries like you described in your first post. I think you may have been on the right track with that.

Let me make sure I understand... you have your router doing port forwarding so that people who access your external IP will be forwarded to your box sitting behind the router? So that means technically, all of your requests are being directed to your internal IP (i.e. 192.168...)

You can probably do this VERY easily if you don't mind using a non-standard port. Like you can add the Listen 8080 directive to your config file and then for the virtual host, you can put...

<VirtualHost 192.168.123.101:8080>

But that means you'd have to type in http://washu:8080 into the browser every time, and I suspect you don't want to do that. Right?

mgargiullo 06-17-2004 03:37 PM

Second almost as quick answer.

Add a second IP to the machine. One of the IP addresses will be set up on the 'internal' the other 'external'

Set your router to pass http traffic to the external IP address.

-Mike

Cerbere 06-18-2004 12:25 AM

This is really much easier to do with name-based virtual hosts, rather than IP-based. Check the Apache documentation for more info on virtual hosts. Your original config was pretty close. Try the following.
Code:

NameVirtualHost *

# External site
<VirtualHost *>
ServerName abc.dyndns.org
ServerAlias *.abc.dyndns.org
DocumentRoot /path/to/external/site/root
#ErrorLog /var/path/to/abc.dyndns_error.log
#CustomLog /var/path/to/abc.dyndns_access-log combined
</VirtualHost>

# Intranet
<VirtualHost *>
ServerName washu
DocumentRoot /path/to/intranet/site/root
#ErrorLog /var/path/to/washu_error.log
#CustomLog /var/path/to/washu_access-log combined
</VirtualHost>

Donboy was correct about your double NameVirtualHost directives and also about ServerAlias: it's there to handle cases where people enter www.abc.dyndns.org (for example).

I moved the external VH to the top because when Apache gets a request which is ambiguous, it will default to the first VH (and you said people from outside should never see the washu site).

You can also uncomment the ErrorLog and CustomLog directives in each VH to keep those separate.

Of course, how well this will work is also dependent on your router. As mgargiullo said, you'll have to NAT port 80 requests from the WAN to 192.168.123.101.

Enjoy!
--- Cerbere

[edit] You may want to put a 'ServerAlias *.washu.*' line in the washu VH, in case someone enters www.washu.com. [/edit]

tawalker 06-18-2004 04:43 PM

Thanks everyone - you're all stars :D

Donboy: Yes, you were right about the router, in that I can forward requests for port 80 through to "washu" (at 192.168.123.101 internally). I could set up a different port (e.g. 8080) for one of the virtual hosts, though as you say, it might not be ideal for this purpose. (Could be useful for testing sites in future, so I'll bear it in mind - thanks for the idea!)

mgargiullo said:
Quote:

Add a second IP to the machine. One of the IP addresses will be set up on the 'internal' the other 'external'

That's too complicated for me, I'm afraid, but thanks for suggesting it ;) (Just out of interest, would I set up the extra IP address as part of a virtual host in httpd.conf, or somewhere else?)

Cerbere: I think your idea looks like the most promising, so I'll give that a try and write back here with any news.

Thanks again for your ideas and feedback - this site rocks! :)

Tim.

P.S. Did anyone spot where the name "washu" comes from?

Donboy 06-18-2004 08:13 PM

You can add a second IP to the machine pretty easy... Here's how... Open the file /etc/sysconfig/network-scripts/ifcfg-eth0. In the first couple of lines, it will say DEVICE=eth0. Change that line to say DEVICE=eth0:0. Lower down in the same file, change the line that says IPADDR=123.456.789.10 to say whatever IP address you want. Leave everything else alone. Save the file as some other name (doesn't matter what). Now run the command service network restart and you should have a new IP address added to the machine.

What you have actually done is create something called an IP alias. Your network card now responds to 2 different IP addresses. If anything goes wrong, just delete that file and restart the network again.

Cerbere 06-19-2004 12:19 AM

Quote:

Originally posted by tawalker
P.S. Did anyone spot where the name "washu" comes from?

Yeah, it came from your first post ;-)

Enjoy!
--- Cerbere

tawalker 06-19-2004 12:37 PM

Thanks for the IP alias advice - I never knew you could do that with Linux. Must try that sometime!

Quote:

Quote:

P.S. Did anyone spot where the name "washu" comes from?

Yeah, it came from your first post ;-)

Didn't quite mean it like that ;) It was just in case there were any Tenchi Muyo! fans out there...

Thanks again!

Tim

tawalker 06-24-2004 01:47 PM

Update on the virtual hosts
 
Well, I gave Cerbere's solution a try, just to see what happened. Actually, I'm still trying to work out what did happen...!

Just to recap, I have set up two virtual hosts, one for an intranet and one for when I let visitors in from the WAN side. The lines in httpd.conf are:
Code:

# External site
<VirtualHost *>
ServerName abc.dyndns.org
ServerAlias *.abc.dyndns.org
DocumentRoot /var/www/external
</VirtualHost>
                                                                               
# Intranet
<VirtualHost *>
ServerName washu
ServerAlias *washu*
DocumentRoot /var/www/html
</VirtualHost>

Two strange things here. First, if this line is present:
Code:

NameVirtualHost *

I get this error page, code 400 ("Bad Request"):
Code:

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

There is a comment in the file about needing a port specifier if mod_ssl is being used (I don't think it is, or at least it shouldn't be). So, if I change the line to
Code:

NameVirtualHost *:80

I don't get the 400 page, but this is the second problem: I see the "external site", even if I'm viewing from the LAN (and should therefore get the intranet page).

This may be relevant: I just restarted Apache with /usr/sbin/apachectl graceful, and got this message:
Code:

[Thu Jun 24 19:39:58 2004] [warn] NameVirtualHost *:80 has no VirtualHosts

When I changed the two <VirtualHost *> tags to <VirtualHost *:80>, I got the intranet page, as I was hoping for. OK, it works, but I wonder if it's a bit of a "jerry-rigged" solution, and there might be a more elegant way to solve the problem?

Thanks for reading, and for your fine help so far :D

Tim
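
The LAN-only requirement from the first post, expressed as configuration; this is an added example, not posted by anyone in the thread. It reuses the `*:80` form and the paths from the post above, and assumes the LAN is 192.168.123.0/24 (the thread gives only the server's address, 192.168.123.101).

```apache
# Added example (not from the thread). The 192.168.123.0/24 netmask is an
# assumption; adjust it to the real LAN range.
NameVirtualHost *:80

# External site: listed first, so it is the default for any request whose
# Host header matches no ServerName or ServerAlias.
<VirtualHost *:80>
    ServerName abc.dyndns.org
    ServerAlias *.abc.dyndns.org
    DocumentRoot /var/www/external
</VirtualHost>

# Intranet: selected by the Host header, which the client supplies, so the
# vhost match is routing only and does not limit who can request these pages.
<VirtualHost *:80>
    ServerName washu
    DocumentRoot /var/www/html

    # Enforce the LAN-only rule on the client's source address.
    <Directory /var/www/html>
        # Apache 2.0/2.2 syntax (mod_access / mod_authz_host):
        Order deny,allow
        Deny from all
        Allow from 192.168.123.0/24 127.0.0.1

        # Apache 2.4 equivalent, replacing the three lines above:
        # Require ip 192.168.123.0/24 127.0.0.1
    </Directory>
</VirtualHost>
```

The address rule only works if the router forwards WAN requests with their original source address; if it rewrites the source to its own LAN address, Apache cannot tell the two groups apart. `httpd -S` prints the parsed virtual host table, including which vhost is the default for `*:80`.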

Cerbere 06-25-2004 04:39 AM

First off, you may want to edit your previous post to hide your actual domain name (your earlier posts suggest you didn't intend to reveal it).

Next, look through your httpd.conf for a line which reads either:

Port 80
or
Listen 80

If you don't see such a line, that might explain why you need to declare the port in NameVirtualHost and VirtualHost (and they must agree regardless).

There's nothing wrong with your current setup, as long as it's working, but it is curious that you should have to specify in your VH directives that the server listen on port 80.

Enjoy!
--- Cerbere

tawalker 06-25-2004 11:01 AM

Quote:

First off, you may want to edit your previous post to hide your actual domain name (your earlier posts suggest you didn't intend to reveal it).

D'oh! Thanks for pointing that out (red face on other side of monitor)... I've changed the domain name in the post, though I suppose it's been Google-cached by now :(

Strangely enough, there is a "Listen 80" directive in the conf file, so maybe I'll have to look through the rest to see if anything else is amiss.

Thanks for your help - at least I have a working setup now :)

Tim

