LinuxQuestions.org
Old 10-03-2005, 03:26 AM   #1
parasbshah
LQ Newbie
 
Registered: May 2004
Posts: 18

Rep: Reputation: 0
Virtual Hosts, DNS resolves, PLEASE HELP!!


Ok, my basic premise here is to set up a web site/application development environment for multiple developers, in between 5 and 10 for now. Basic network layout is shown in the picture, I have a gateway, server1, server2, and workstations. Server1 resolves to olympus, server2 resolves to Gaia.

Server1 is the DNS server, it also has other functions and the DNS has to be run on this server, Server2 is the application development server. Since we currently don't have a static ip, I've registered the mydomain.dyndns.org to resolve to the ip address of the gateway.

Now, what I'm looking for is this: I want my developers to be able to develop web sites / applications on server2. Server2 should keep SEPARATE directories for each site, as well as resolve within the network to different hostnames (for example devdomain1.mydomain.org OR devdomain1.gaia, it doesn't matter which way)

I don't care whether devdomain1.mydomain.org / devdomain1.gaia are accessible from outside the network.

So my questions are, how do I set this up?

Also, do I have to actually register devdomain.mydomain.org anywhere other than my internal name server? As in, do I have to pay for a domain name or anything, or can I just make up a name within the network to play with the virtual servers?

I am looking for a somewhat indepth explanation of what to do with apache on server2 (redhat, fc4) and bind on server1 (redhat, fc4).
 
Old 10-03-2005, 03:30 AM   #2
parasbshah
LQ Newbie
 
Registered: May 2004
Posts: 18

Original Poster
Rep: Reputation: 0
http://www.promorphus.com/network/networkschema.gif

Here's the network environment, if it helps visualize it at all
 
Old 10-03-2005, 08:42 AM   #3
dylants
Member
 
Registered: Oct 2003
Location: Bath UK
Distribution: RedHat 7,9 RHEL 2.1-4 Suse 9.1, 9.2, Ubuntu, Centos 3-4, Fedora 3-5
Posts: 44

Rep: Reputation: 15
If you only need to allow access to these sites from your local network then you can add these domain names to your internal dns. If you need them to be accessible from users elsewhere then you need to register the domain names, and get their details onto a world-accessible dns server. Then the firewall needs to direct the traffic to the correct machine.

For internal access:

add the new domain names to the dns config:

devdomain1.gaia.com. CNAME gaia.com.
devdomain2.gaia.com. CNAME gaia.com.

the exact detail depends on the version of the dns server you are using.

For apache, you need to configure virtual hosts. A good place to look is on the apache documentation site http://httpd.apache.org.

basically, you need to have "NameVirtualHost *" uncommented. Then you need a virtual host section for the default site:

<VirtualHost *>
ServerName gaia.com
DocumentRoot /path/to/default/site
Options <Blah>
</VirtualHost>

Then you need a virtual host section for each domain:

<VirtualHost *>
ServerName devdomain1.gaia.com
DocumentRoot /path/to/dev/domain
Options <Blah>
</VirtualHost>

<VirtualHost *>
ServerName devdomain2.gaia.com
DocumentRoot /path/to/another/dev/domain
Options <Blah>
</VirtualHost>

Ensure that you have the necessary module loaded:
LoadModule vhost_alias_module modules/mod_vhost_alias.so
(for apache 2)

and then restart the daemon.

any requests to devdomain1 will be directed to the files in /path/to/dev/domain, any requests for devdomain2 will be directed to the files in /path/to/another/dev/domain, and everything else will be directed to the files in /path/to/default/site.


HTH

Dylan
 
Old 10-03-2005, 04:17 PM   #4
parasbshah
LQ Newbie
 
Registered: May 2004
Posts: 18

Original Poster
Rep: Reputation: 0
Before I respond and ask yet MORE questions, I'd like to say thanks for your help, it's been educational and somewhat enlightening. I'm still confused as to some of the aspects of it, please bear with me as I have been trying to become an all-round sysadmin/developer/project lead on this thing. Here goes...


Quote:
Originally posted by dylants
If you only need to allow access to these sites from your local network then you can add these domain names to your internal dns. If you need them to be accessible from users elsewhere then you need to register the domain names, and get their details onto a world-accessible dns server. Then the firewall needs to direct the traffic to the correct machine.



For internal access:

add the new domain names to the dns config:

devdomain1.gaia.com. CNAME gaia.com.
devdomain2.gaia.com. CNAME gaia.com.

the exact detail depends on the version of the dns server you are using.
I am using RedHat Fedora Core 4, running BIND as my name server, the version is 9.3.1, where exactly do I add these settings? Or is there an easy point and drool utility I can use to accomplish said feat?


Quote:
For apache, you need to configure virtual hosts. A good place to look is on the apache documentation site http://httpd.apache.org.

basically, you need to have "NameVirtualHost *" uncommented. Then you need a virtual host section for the default site:

<VirtualHost *>
ServerName gaia.com
DocumentRoot /path/to/default/site
Options <Blah>
</VirtualHost>

Then you need a virtual host section for each domain:

<VirtualHost *>
ServerName devdomain1.gaia.com
DocumentRoot /path/to/dev/domain
Options <Blah>
</VirtualHost>

<VirtualHost *>
ServerName devdomain2.gaia.com
DocumentRoot /path/to/another/dev/domain
Options <Blah>
</VirtualHost>

Ensure that you have the necessary module loaded:
LoadModule vhost_alias_module modules/mod_vhost_alias.so
(for apache 2)

and then restart the daemon.
Ok, my question regarding this is as such, you're saying I need virtual host sections, correct? Where? in the httpd.conf on which server?? the name server or the webdev server?

Again, my problem is that I'm not sure what is supposed to take place where, that's about it. I can screw em up and find em out if I know where everything's supposed to go, but that's precisely where I'm having the problems. My impulse is to assume dns direction on the dns server, and all the virtual stuff on the webserver, correct or no?
 
Old 10-03-2005, 05:12 PM   #5
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Quote:
My impulse is to assume dns direction on the dns server, and all the virtual stuff on the webserver, correct or no?
Your impulse is correct.

It seems like FC4 has a GUI for dns setup under the "System Settings" menu.

If I'm wrong then you can download webmin ( http://www.webmin.com ). It gives a graphical web interface for DNS setup and just about any other server or configurable option under the sun. A lot of people around here don't like it, but I like it.
 
Old 10-04-2005, 04:05 AM   #6
dylants
Member
 
Registered: Oct 2003
Location: Bath UK
Distribution: RedHat 7,9 RHEL 2.1-4 Suse 9.1, 9.2, Ubuntu, Centos 3-4, Fedora 3-5
Posts: 44

Rep: Reputation: 15
Quote:
Originally posted by parasbshah
Before I respond and ask yet MORE questions, I'd like to say thanks for your help, it's been educational and somewhat enlightening. I'm still confused as to some of the aspects of it, please bear with me as I have been trying to become an all-round sysadmin/developer/project lead on this thing. Here goes...
You're welcome. We all start somewhere!




Quote:
I am using RedHat Fedora Core 4, running BIND as my name server, the version is 9.3.1, where exactly do I add these settings? Or is there an easy point and drool utility I can use to accomplish said feat?
The files for dns are usually in /var/named/. Bind 9 has lots of help pages on the web, howto's man pages etc. There should be a few files under /var/named/, one for the root dns, one for reverse lookups of your network, and one for each of the domains that you run locally, and possibly one or two other files (like the daemon config file!). The only gotcha I remember is to increment the serial number near the top of the file after each update (bind uses this to determine if the file has changed and needs re-reading). Otherwise it can confuse the hell out of you when you're testing.

I have to say that Bind is not an easy daemon to understand just by reading the config files, so I'd google for some dns howto's, or use a gui if there is one (not something I can help with as I don't use them). Incidentally yum lists a package called "system-config-bind" as being available for my machine, so there is at least one tool available!


Quote:
Ok, my question regarding this is as such, you're saying I need virtual host sections, correct? Where? in the httpd.conf on which server?? the name server or the webdev server?
The httpd.conf file controls the httpd daemon (aka apache). This is running on the webdev server (gaia as I understand your layout). The virtual hosts section is in httpd.conf. Look in the file for "NameVirtualHost" - there is a commented out directive ready for use in a default installation, followed by an example <VirtualHost *> section. Again the apache documentation site, while terse at times, is very useful, as are most howto's you might find via google. You might also like to go to http://www.tldp.org - the Linux Documentation Project and look through their howtos.

Quote:
Again, my problem is that I'm not sure what is supposed to take place where, that's about it. I can screw em up and find em out if I know where everything's supposed to go, but that's precisely where I'm having the problems. My impulse is to assume dns direction on the dns server, and all the virtual stuff on the webserver, correct or no?
Correct. DNS configuration on the dns server, apache (httpd.conf) configuration on the webdev server.

a quick overview of the process (as I understand it) -

You launch a web browser and type in a website address (domain1.gaia). The browser then needs a numeric (ip) address for this name so it asks its local dns server for an answer. Assuming it gets it, it should now know the ip address for this website. You can test this part using nslookup mydomain.gaia at the command line.
Having obtained an address the browser then connects to this machine and opens a connection to port 80. It then asks for the website named mydomain.gaia. The server responds with the content, and the connection closes. You can test the second bit by using "telnet domain1.gaia 80", then typing:
"GET / HTTP/1.1
Host:domain1.gaia

"

without the quotes, all spaces are important, as are two carriage returns at the end, and there should be no mistakes (backspace can mess it up). The response should be the content of the default page for the domain.

HTH

Dylan

Last edited by dylants; 10-04-2005 at 04:08 AM.
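
The telnet test described in post #6, reproduced against a local stand-in server as an added example (not from the thread and not Apache itself): one listener picks the site from the Host header and sends unknown names to the default site. The VHOSTS table, the handler and the function names are constructed for illustration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table mirroring the thread's httpd.conf sketch:
# one default site plus one entry per development domain.
VHOSTS = {
    "gaia.com": "default site",
    "devdomain1.gaia.com": "dev site 1",
    "devdomain2.gaia.com": "dev site 2",
}
DEFAULT = "gaia.com"


class VhostHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        # Name-based virtual hosting: same IP and port, site chosen by Host.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = VHOSTS.get(host, VHOSTS[DEFAULT]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def raw_get(port, host_header):
    """Send the same bytes the telnet test types by hand; return the body."""
    request = f"GET / HTTP/1.1\r\nHost: {host_header}\r\n\r\n".encode()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request)
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data.split(b"\r\n\r\n", 1)[1].decode()


def vhost_demo():
    """Start the stand-in server on a free local port and query three names."""
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        names = ("devdomain1.gaia.com", "devdomain2.gaia.com", "unknown.example")
        return {name: raw_get(port, name) for name in names}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, body in vhost_demo().items():
        print(f"Host: {name:22} -> {body}")
```

A request whose Host header matches no configured name is still answered, by the default site, so that site should not expose anything meant only for one development domain.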
 
Old 10-05-2005, 11:41 AM   #7
parasbshah
LQ Newbie
 
Registered: May 2004
Posts: 18

Original Poster
Rep: Reputation: 0
Ok, again, thanks for all the help, I'm a lot farther along now, but I'm having a weird problem, I was wondering whether you guys could help me solve it before I posted it to another forum, I know it has to do with file permissions, I'm just not sure how to fix it!

I now have the DNS layout working properly and the subdomains are resolving properly as well. However, when apache tries to serve files out of the subdomain directories, it spits out a rather interesting error...

Forbidden

You don't have permission to access /nutzoid2.html on this server.




So obviously, I looked in the apache logs to see if it would give me a more specific error. It did....here it is....

[error] (13)Permission denied: file permissions deny server access: /var/www/html/index.html

So, obviously, I looked at the files I had created in the directory via samba....they were all owned by my user and the group owner was NOT apache, I tried changing their owners and all of a sudden apache can serve them when the owner is apache or the group is apache...so the question quickly becomes, how am I able to create files in the subdomain directories that are servable by apache and don't have their creators' default group?

The way I see it, there are two options, and I know how to do neither. The first is to make it so that ANY files created within these directories are servable by apache...I'm not sure that is so secure though, and I really wouldn't like it if others were able to use my scripts and so on and so forth, so possibly make only certain directories servable?

The second option is to let apache serve its files with another user name / group so that I would not have to change permissions on the directories.

So that's my dilemma, any help would be appreciated, any suggestions?
 
Old 10-05-2005, 11:49 AM   #8
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
If you add the user apache to the group they are in, would that work for you?

Example.

my user name is benji and my group name is benji. The members of the 'benji' group would be 'benji' , the user, and 'apache'.
 
Old 10-06-2005, 03:43 AM   #9
dylants
Member
 
Registered: Oct 2003
Location: Bath UK
Distribution: RedHat 7,9 RHEL 2.1-4 Suse 9.1, 9.2, Ubuntu, Centos 3-4, Fedora 3-5
Posts: 44

Rep: Reputation: 15
Benji is correct, that is one way to do it. Another is to set world readable permissions, though if there are any scripts in the files with 'secret' information then this is not a good idea!
The other way that I know of is to make the group or user 'sticky'. This means that any new files / directories created will have the same user/group permissions. The sticky bits are the ones set to the left of the traditional rwxrwxrwx bits. Look up "linux sticky permissions" on google for more useful help.

To restrict access to certain directories there are options available in apache (httpd.conf) to do this. Such as all directories called private can be restricted:
<Location /private>
Order Deny,Allow
Deny from all
</Location>

or
<Directory /home/user/html/private>
Order Deny,Allow
Deny from all
</Directory>

though the latter should only affect one directory, the former all directories on all virtual hosts called '/private'. Also note that the effect changes if you place these inside a <VirtualHost> directive.

Again the apache documentation site is invaluable http://httpd.apache.org

Hope that's not too confusing!

Dylan
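
To find which path component produces the "(13)Permission denied" error from post #7, the check below applies the owner/group/other mode test to each directory and then to the file, for a given uid and set of groups. It is an added example, not code from any poster; the function names, the constructed temporary tree and the uid/gid values are assumptions, and ACLs and SELinux are not modelled.

```python
import os
import shutil
import tempfile


def allowed(st, uid, gids, want):
    """Classic Unix mode check: exactly one class (owner, group or other)
    applies. want: 4 = read, 1 = search. ACLs and SELinux are not modelled."""
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want


def first_denial(path, uid, gids, start=os.sep):
    """Return (path, reason) for the first component between `start` and the
    file that blocks a non-root uid/gids, or None if the file is readable."""
    target = os.path.realpath(path)
    current = os.path.realpath(start)
    dirs = [current]
    for part in os.path.relpath(target, current).split(os.sep)[:-1]:
        current = os.path.join(current, part)
        dirs.append(current)
    for d in dirs:
        if not allowed(os.stat(d), uid, gids, 1):
            return d, "no search (x) permission on directory"
    if not allowed(os.stat(target), uid, gids, 4):
        return target, "no read (r) permission on file"
    return None


def permission_demo():
    """Constructed tree: a developer drops index.html into a vhost directory;
    check it against a hypothetical web-server identity."""
    base = tempfile.mkdtemp()
    try:
        site = os.path.join(base, "devdomain1")
        page = os.path.join(site, "index.html")
        os.mkdir(site)
        with open(page, "w") as f:
            f.write("<h1>dev</h1>")
        os.chmod(base, 0o755)
        os.chmod(site, 0o750)               # owner and group only
        os.chmod(page, 0o640)
        st = os.stat(page)
        web_uid = st.st_uid + 1             # hypothetical uid, not the owner
        dev_gids = {st.st_gid, os.stat(site).st_gid}
        stranger = {max(dev_gids) + 1}      # hypothetical gid outside the group
        out = {}
        out["not_in_group"] = first_denial(page, web_uid, stranger, base)
        out["in_group"] = first_denial(page, web_uid, dev_gids, base)
        os.chmod(site, 0o755)               # directory opened, file still 0640
        out["dir_opened_only"] = first_denial(page, web_uid, stranger, base)
        os.chmod(page, 0o644)               # world-readable: any local user can read
        out["world_readable"] = first_denial(page, web_uid, stranger, base)
        return out
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for case, result in permission_demo().items():
        print(f"{case:16} {result or 'readable'}")
```

The group-membership case passes without opening the file to every local account, while the last case only passes because the file became world-readable.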
 
Old 10-06-2005, 03:45 AM   #10
dylants
Member
 
Registered: Oct 2003
Location: Bath UK
Distribution: RedHat 7,9 RHEL 2.1-4 Suse 9.1, 9.2, Ubuntu, Centos 3-4, Fedora 3-5
Posts: 44

Rep: Reputation: 15
Also I can highly recommend customising the output in your access_log with the CustomLog and TransferLog directives. These can give you more information about the access requests, including any 404's. And you can ensure that you get a timestamp for all accesses. Unfortunately as far as I know you can't modify the output in error_log.

D
 
Old 10-07-2005, 03:28 AM   #11
parasbshah
LQ Newbie
 
Registered: May 2004
Posts: 18

Original Poster
Rep: Reputation: 0
Oh wow, I think I didn't express myself clearly. Let me rephrase now, explain the situation a little better.

My PDC is server1 (olympus) and the webserver is server2 (gaia).

Now, gaia, will only serve webpages which have either ownership by the user 'apache' or group membership in group 'apache'.

However, all the files created within the virtual host directories are made by users that authenticate through the PDC (olympus), which has a completely different set of users and groups than gaia!!

Basically, it doesn't matter whether I add the user 'apache' to the groups that the individual users are in, because those groups DON'T EXIST on the webserver.

I'm thinking that I need to setup domain groups or something, or get the webserver to pull its groups from the pdc, but I have no idea how to do that....


Any ideas?

Last edited by parasbshah; 10-07-2005 at 03:29 AM.
 
Old 10-07-2005, 03:50 AM   #12
dylants
Member
 
Registered: Oct 2003
Location: Bath UK
Distribution: RedHat 7,9 RHEL 2.1-4 Suse 9.1, 9.2, Ubuntu, Centos 3-4, Fedora 3-5
Posts: 44

Rep: Reputation: 15
Quote:
Basically, it doesn't matter whether I add the user 'apache' to the groups that the individual users are in, because those groups DON'T EXIST on the webserver.
If I understand correctly you need to add the user to the apache group, not apache to the users groups.

As an alternative have you tried making the files world readable?

Have you also made sure that the users numeric values match on both the pdc and the webserver?

Dylan
 
Old 10-09-2005, 07:23 PM   #13
parasbshah
LQ Newbie
 
Registered: May 2004
Posts: 18

Original Poster
Rep: Reputation: 0
Well, I've had a little time to think about this, and have taken all suggestions into account. First of all, I do NOT want to make all the files world readable, that takes away the entire purpose of having a PDC with groups that specifically allow certain users access to certain folders. Secondly, adding the apache user to other groups or adding other users to the apache group also does not work for multiple reasons (firstly, that the users don't exist on the webserver machine, secondly because to make that work properly, the users would have to make apache their PRIMARY group, which is definitely not agreeable, or unless I could get the users to write in that directory ONLY as members of that group).

So, the question turns two ways: 1) how do I get the users and groups to the webserver? For this, I started running NIS, and now, I can get the users to logon to the webserver and do their normally ascribed operations, but for some reason, the groups aren't transferring, so it's still somewhat of a mess.

2) Is there any way to MODIFY the apache server to execute files that are in certain groups? If so, where and how? I tried looking at apache.org and browsing the 2.0 documents, but I haven't been able to find anything.

Suggestions? comments?
 
Old 10-10-2005, 03:42 AM   #14
dylants
Member
 
Registered: Oct 2003
Location: Bath UK
Distribution: RedHat 7,9 RHEL 2.1-4 Suse 9.1, 9.2, Ubuntu, Centos 3-4, Fedora 3-5
Posts: 44

Rep: Reputation: 15
Quote:
Originally posted by parasbshah
Well, I've had a little time to think about this, and have taken all suggestions into account. First of all, I do NOT want to make all the files world readable, that takes away the entire purpose of having a PDC with groups that specifically allow certain users access to certain folders. Secondly, adding the apache user to other groups or adding other users to the apache group also does not work for multiple reasons (firstly, that the users don't exist on the webserver machine, secondly because to make that work properly, the users would have to make apache their PRIMARY group, which is definitely not agreeable, or unless I could get the users to write in that directory ONLY as members of that group).

So, the question turns two ways: 1) how do I get the users and groups to the webserver? For this, I started running NIS, and now, I can get the users to logon to the webserver and do their normally ascribed operations, but for some reason, the groups aren't transferring, so it's still somewhat of a mess.

2) Is there any way to MODIFY the apache server to execute files that are in certain groups? If so, where and how? I tried looking at apache.org and browsing the 2.0 documents, but I haven't been able to find anything.

Suggestions? comments?
Ah, I think I understand your problem now. Is it possible in the samba setup to force a certain group on all files created? I believe that you can when using workgroups, I've never tried in a pdc though.

If I remember correctly there are a few parameters that need to be set. Here are the params I set up on a box I use on a workgroup, where all files are created with the same user and group:

write list = @permittedusers
force user = nobody
force group = permittedusersgroup
guest ok = no
force directory mode = 0755
directory mask = 0775
force create mode = 0755
create mask = 0775

It has been a while since I worked on this config file, so I would suggest looking in the samba documentation, http://www.samba.org/samba/docs/man/...TO-Collection/ is a good starting point.

HTH

Dylan
 
Old 10-17-2005, 01:38 PM   #15
parasbshah
LQ Newbie
 
Registered: May 2004
Posts: 18

Original Poster
Rep: Reputation: 0
Everyone, thanks so much for your help, I got everything resolved and working properly, all shares are now in tip-top shape and performing as expected. Now, I have a smaller problem, but a little more confusing, I think it's probably just a configuration problem.

I set up NIS to deal with the users and groups in between servers, the web server (gaia) is now pulling users, groups, etc from the server1 (olympus), and using them to authenticate and whatever else. The webserver works perfectly. However, I'm running into something peculiar on server1 (olympus). Sometimes ypserv starts perfectly, other times it doesn't...and I don't even know where to go to see the log for it, that's the weird part. I will post this in a thread of its own as well, but I was wondering if anyone could tell me where to check and see if this problem is resolved, or give me a log file I can go to or something, I will post relevant information as it is asked for.

Thanks again for all your help, it's been invaluable.
 
  

