Topic: [SOLVED] Virtual Hosts and DNS mystery...

BrandonSk

[SOLVED] Virtual Hosts and DNS mystery...
« on: February 11, 2014, 12:25:54 am »
Hello all,

me again, but I am pulling my hair out by now. I read almost everything and tried all the guides here, but it seems I can't get the web server's virtual hosts to work correctly. What is even worse, they work rather mysteriously.

So here goes basic info:
Zentyal
Zentyal 3.3.4 running in virtual box
Zentyal is gateway, runs also as DNS
Zentyal hostname: keskvisrv01
Zentyal domain: sushinet.lan
I only have 1 hostname registered under sushinet.lan (the keskvisrv01 with IP 10.201.1.1)
LAN interface: 10.201.1.1
WAN interface: 192.168.111.99, gateway 192.168.111.1 (to hw router)
Zentyal FW allows access on WAN interface on ports 80 and 443.
Zentyal administration port has been moved to another number.

HW router
LAN side: 192.168.111.x
WAN side: 192.168.4.96 (it's the ISP's "LAN")
(but I have a public IP of 194.1.130.107 by which you can reach the router on all ports - it works, don't ask me how, but it has been working in the past without Zentyal perfectly, so the issue is not here, as you will see later)
Ports 80 and 443 are forwarded to 192.168.111.99 (zentyal WAN interface)

I own domains susilafamily.com and teamdiehards.com
They are registered at my registrar and contain, among others, an A record * (i.e. *.susilafamily.com and *.teamdiehards.com), which points to my public IP 194.1.130.107. In fact, all other A records point to this public IP.

Goal:
1) To have both sites accessible via http://www.sitename.com and http://sitename.com  (yes christian, I know the latter is a misconception - see my Site #2 attempt below).
2) Later I would like to turn on redirection/rewrite, so that you always get redirected to https://www.sitename.com

After reading many many posts on this forum, I did quite a few experiments and based on [christian's] instructions found in different posts, I settled on two experiments, but none of them work quite well.

Site 1
So, in webserver module I created virtual host (?) named susilafamily.com
Enabled and Force SSL on.
The directory /srv/www/susilafamily.com was created as expected.
Also in DNS module, the domain susilafamily.com was created and a hostname of keskvisrv01 created there with IPs (10.201.1.1 and 192.168.111.99). I have removed these IPs (I also tried with them, but no luck) and created hostname www with IPs 10.201.1.1, 192.168.111.99, 127.0.0.1, 194.1.130.107

Site 2
In webserver module I created another virtual host, this time named www.teamdiehards.com
Enabled, SSL disabled.
The directory /srv/www/www.teamdiehards.com was created as expected.
In DNS module was created:
domain teamdiehards.com
hostnames: keskvisrv01 (10.201.1.1, 192.168.111.99); www (no IPs)
Again, after reading posts and experimenting with different setups, I have changed that to:
keskvisrv01 (no IPs)
renamed www hostname to * (IP 192.168.111.99)

This is the setup as it is now. I also checked the generated ebox-susilafamily.com and ebox-www.teamdiehards.com files in /etc/apache2/sites-available (sites are also enabled) and the content points to the correct directories.

FYI, before I experimented with different site names, so my /srv/www/ contains:
susilafamily.com/
www.susilafamily.com/
teamdiehards.com/
www.teamdiehards.com/

In each folder I have created index.html, which contains the name of the folder it is located in, so if you access the site from web, you know where Zentyal gets the data from.

Feel free to try, the server's up and running :)

Here comes the strange stuff (I am accessing it from a truly outside network, laptop is connected via mobile modem):

Going to:
1a) http://www.teamdiehards.com shows index.html file from directory /srv/www/teamdiehards.com (and not ..../www.teamdiehards.com as I would expect!).

1b) http://teamdiehards.com shows index.html file from directory /srv/www/teamdiehards.com (incorrect, as above).


2a) http://www.susilafamily.com shows index.html file from directory /srv/www/susilafamily.com (this is correct, according to the definition of virtual host in web server module).

2b) http://susilafamily.com shows index.html file from directory /srv/www/susilafamily.com (this is, again, correct).

(But for both, #2a and #2b please note, how the Force SSL has no effect!)

4) https://www.susilafamily.com (timed out) -> wrong, https should work
5) https://susilafamily.com (timed out) -> wrong, https should work

6&7) https for diehards also timed out -> ok, no https for this virtual host

(FYI, I did experiment by editing generated conf files for the sites by adding ServerAlias, but none of that helped. In fact, sometimes my experiments would cause the https to redirect me to the default web site in /var/www )

Well, I do not know where to go from here. This is the setup as it is now, feel free to experiment. I do not even know what to ask, except "What is wrong?!?!"  ;D

Well, maybe these questions:
1) Is this a DNS issue?
2) Is it really necessary to have DNS entries for virtual hosts, or can I safely delete them (I would be happy if those sites are available from internet only, and for that my DNS records at my registrar should be sufficient, right?)
3) Why is my https connection not working for susilafamily.com?
4) Why ForceSSL is not working on susilafamily.com (i.e. http is not switched to https)?

Any help is appreciated!

Cheers,
B.

PS: I was able to manually configure a server before (web, mail, ftp, samba) and all was working. I switched to Zentyal for the ease of administration and also due to LDAP and domain abilities. But so far it seems it takes me more time to troubleshoot than to enjoy the fruits :( So I am slowly getting disappointed by Zentyal, although it is probably also my lack of knowledge.
« Last Edit: February 14, 2014, 03:11:44 pm by BrandonSk »

gzen

Re: Virtual Hosts and DNS mystery...
« Reply #1 on: February 11, 2014, 02:35:44 am »
brandon,
first of all, i ain't no expert here, just try to help as much as i can.

1. forget your internal DNS, if you have your domains hosted by your registrar, the entries on their DNS are all that matters for internet users.  so when testing use external DNS on your computer.
2. you want to host more than one site on a single IP, you do need virtual hosts on apache.
3. which directory/index files the site loads depends on the "DocumentRoot" directive in your /etc/apache2/sites-available/ebox-xxxxx.com conf file.
4. if you want www.abc.com and abc.com pointing to the same site, you can use ServerAlias directive in apache instead of creating two virtual hosts/sites.
5. you can have only one https per IP. so all your SSL enabled virtual hosts should have same certs SSLCertificateFile    /etc/apache2/ssl/ssl.pem.


peterpugh

Re: Virtual Hosts and DNS mystery...
« Reply #2 on: February 11, 2014, 03:53:50 am »
Quote
brandon,
first of all, i ain't no expert here, just try to help as much as i can.

4. if you want www.abc.com and abc.com pointing to the same site, you can use ServerAlias directive in apache instead of creating two virtual hosts/sites.
5. you can have only one https per IP. so all your SSL enabled virtual hosts should have same certs SSLCertificateFile    /etc/apache2/ssl/ssl.pem.

+1 From me

I don't know what anybody else feels, but I have some opinions on the web server module.

Apache2 is another really good piece of open source. Also the webadmin module works really well.
I just feel it's short of just a few items. Reason is those two items are fairly common requirements.

The www ServerAlias directive could just be part of the normal template.

With a combination of the CertificateAuthority and WebServer it would be good to have options to select the cert to the applicable virt host.
Maybe also the generation of ready configured "selfcerts".

http://httpd.apache.org/docs/2.2/vhosts/name-based.html

http://doc.zentyal.org/en/appendix-c.html#advanced-service-customization

The jump to customisation is a fairly big hurdle at first for some fairly common requirements.

Dunno what you think?

christian

Re: Virtual Hosts and DNS mystery...
« Reply #3 on: February 11, 2014, 08:08:24 am »
I do know I'm sometimes quite direct in my wording and writing especially when expressing my own opinion but do not take it as "instructions" when building your set-up  ;)
Furthermore, I'm not web designer nor HTTP guru. I'm sure you will find much better "Apache / vhosts" specialists around here.

This being said, and expressing my point of view  8) :
- DNS is only used to reach the right physical server at the right point(*) on the network (or internet). You could still rely on default values if you're happy with this. With few servers this is manageable but I'm rather prone to describe in DNS everything really involved because in case of change (say you move one specific vhost to another physical server), you can clearly identify what needs to be changed.
- Zentyal DNS starting from 3.x is, from my standpoint, definitely not the best tool if you want to have fine and accurate control on what it returns, mainly because
  • interaction with Samba
  • automatic hosts creation with multiple IP addresses
  • not directly linked to DNS but heavily impacting it: all services bind to all interfaces
- Zentyal vhost management is minimalist but also difficult, for me, if you want to feel everything under control  :-\  Interface allows very few settings and, on the other hand, Zentyal template mechanism rewrites everything you may change there.

Based on your - very accurate and exhaustive - description, or at least what I understand, I would say that in order to control where the client is redirected when reaching Apache, it would be easier if default replies to unknown sites (fqdn) are turned off. What I mean is that in Zentyal design (like in most Apache installations BTW), Apache will handle requests not handled by vhosts nor explicitly defined in Apache. This is sometimes confusing especially during debugging.

Reading your problem description, I'm sure you understand how it works at Apache level, including vhosts. What you may not control is the fact that Zentyal will rewrite your vhost settings quite heavily. I personally do not try to customize it anymore but use symlink at system level to redirect content to the right folder. Not always flexible but less painful than trying to customize Zentyal conf (or I really don't know how to handle it as I'm always frustrated to not have it available in Zentyal GUI in order to customize it)

My 2 ultimate references are, for what concern Apache vhost (but you all know this already):
- by-name vhosts
- examples

useless ?  ::)  No  :D  If you read it carefully again and again, the devil is often in the detail  :o

Still, I know it doesn't answer your question. I would need to reproduce your set-up in order to understand the very detail... I'm afraid this is somehow a matter of "non-matching URL" that uses the default vhost, or multiple matches and then the alias is used.
I'll try to come back on it later.

(*): of course there is an interesting debate about ip_based vs. name_based vhost  ;) here we have only one single IP isn't it... what matters at the end is what the host HTTP header will contain, thus name based vhosts. Furthermore, my statement is, on purpose, wrong. Goal is to simplify but if you look at details, DNS can be used later to determine default servername if missing.

BrandonSk

Re: Virtual Hosts and DNS mystery...
« Reply #4 on: February 11, 2014, 12:29:53 pm »
Thank you all for answers, suggestions. So I guess I will need to continue experimenting, but first, let's go 1 by 1.

Quote
1. forget your internal DNS, if you have your domains hosted by your registrar, entries on their DNS is all that matters for internet users.  so when testing use external DNS on your computer.
Cool, that's what I thought. In other words, automatically generated Zentyal DNS entries are not important (ehm, at least when accessing from the internet).
Quote
2. you want to host more than one sites on a single IP, you do need virtual hosts on apache.
Yes, I am aware of that and indeed Zentyal does create virtual hosts (Name Virtual Hosts to be precise).
Quote
3. what directory/index files the site loading depends on the "DocumentRoot" directive in your /etc/apache2/sites-available/ebox-xxxxx.com conf file.
I am aware of that too. That is what is strange, that my Zentyal config file does contain the correct DocumentRoot, yet the file used is from a different directory.
Here is the config of "/etc/apache2/sites-available/ebox-www.teamdiehards.com":
Code:
<VirtualHost *:80>
        ServerAdmin webmaster@keskvisrv01.sushinet.lan

        ServerName www.teamdiehards.com
        DocumentRoot /srv/www/www.teamdiehards.com

        ErrorLog /var/log/apache2/www.teamdiehards.com-error.log
        CustomLog /var/log/apache2/www.teamdiehards.com-access.log combined

        # Custom configuration goes in this file
        Include /etc/apache2/sites-available/user-ebox-www.teamdiehards.com/*
</VirtualHost>
... go figure  ???
:)
Quote
4. if you want www.abc.com and abc.com pointing to the same site, you can use ServerAlias directive in apache instead of creating two virtual hosts/sites.
Yes, had it before. Now I wanted to start with clean setup and I was hoping that maybe the DNS would interfere somehow, but as we agreed in point #1, that is not the case. I am adding server alias for further tests - see below.
Quote
5. you can have only one https per IP. so all your SSL enabled virtual hosts should have same certs SSLCertificateFile    /etc/apache2/ssl/ssl.pem.
I agree and disagree. Perhaps the definition is right but for IP based virtual hosts. I do not think this applies to Named Virtual Hosts. I had (on this very same public IP address) vhosts running before, and one of them used its own self-signed ssl certificate while the other used a certificate from startssl.com, and it worked ok. Once I get this working, I can share the configs for your information.

Quote
Apache2 is another really good piece of opensource. Also the webadmin module works really well.
I just feel its short of just a few items. Reason is those two items are fairly common requirements.

The www ServerAlias directive could just be part of the normal template.
I cannot agree more. The WebServer is in my opinion the most underdone (sloppy) module of all! By the way, I have a nifty script ready, that actually helps a lot with rewriting Zentyal's generated files in a rather simple and "user friendly" way. I will share, but again, it will need some tweaking first and that I cannot do before I get this sorted out.

Quote
Based on your - very accurate and exhaustive - description
Yesss! First appreciation from christian!  :D
But yes, I agree with your comments regarding DNS and also IP vs Name based hosts. At least I know that I can put DNS out of the issue now.

OK, WE HAVE PROGRESS
First of all, I will probably look like a dork, but the devil indeed lies in the detail. I started to suspect there is something wrong with the HW router. I discovered it, because if you imagine a setup like:
Internet <----------> HW router <--------> Zentyal
     [A]true WAN side     (B)Zentyal WAN    [C] Zentyal LAN side
I was able to reach Zentyal's web interface from the (B) network, but not from the [A] network.
Looking closer into the router, I discovered that my ports are forwarded, but I had disabled the forward at some time in the past, due to testing, and never enabled it again. The same applied to port 443, that is why https was not working! Stupid me - professional blindness.
So question #3 from my original post is now solved.

Now, after enabling the ports, I also made the following change:
1) For susilafamily.com I added ServerAlias www.susilafamily.com *.susilafamily.com
2) For www.teamdiehards.com I added ServerAlias teamdiehards.com *.teamdiehards.com

I forgot to mention, that sites "default" and "default-ssl" I have disabled with a2dissite.
Restarted apache through GUI. But after restart, the default-ssl site gets enabled again (perhaps due to Force SSL setting on susilafamily.com?)

Results:
1a) www.susilafamily.com -> shows correct file
1b) susilafamily.com -> shows correct file
1c) foo.susilafamily.com -> shows correct file

2a) www.teamdiehards.com -> shows wrong(!) file [file is from /srv/www/teamdiehards.com]
2b) teamdiehards.com -> shows correct(!) file [file is from /srv/www/www.teamdiehards.com]
2c) foo.teamdiehards.com -> shows correct(!) file [file is from /srv/www/www.teamdiehards.com]
I am really puzzled by "2a" and have no idea how to troubleshoot.

HTTPS tests:
3a) https://www.susilafamily.com -> shows correct file
3b) susilafamily.com -> shows correct file
3c) foo.susilafamily.com -> shows correct file

4a) https://www.teamdiehards.com -> shows wrong(!) file [file is from /srv/www/teamdiehards.com]
4b) https://teamdiehards.com -> shows wrong(!) file [file is from /srv/www/teamdiehards.com]
4c) https://foo.teamdiehards.com -> shows wrong(!) file [file is from /srv/www/teamdiehards.com]

I have not removed the DNS entries yet - will do that for next step.
And yes, I do erase browsers cache each time before testing (I use Mozilla).

So to summarize:
Original questions 1,2 and 3 from my first post are solved/answered.

New questions:
1) Why is ForceSSL not working on susilafamily.com?!?! When you connect to http, you stay on http!
2) What is wrong with my 2a attempt?!
3) How come the 4a-4c even work, if SSL is disabled for diehards?! Despite showing the wrong file anyway, I suppose this has something to do with the default-ssl site being enabled, but yet then it should point me to /var/www rather than what it does now...

I will wait for your comments/suggestions, before I proceed further.
From your previous comments it seems like you would recommend to discard zentyal's apache config and symlink the files to my own custom config - I thought of that, but I would like to avoid it. There's got to be a way...

Looking forward to your replies (server is running as described above).

Cheers,
B.

PS: FYI, seems like Zentyal 3.4 will get rid of apache instance that is running and is used for Zentyal's admin interface. I can imagine, that there can be some config conflicts between the two, but I haven't found any trace.

christian

Re: Virtual Hosts and DNS mystery...
« Reply #5 on: February 11, 2014, 01:27:22 pm »
Quote
But yes, I agree with your comments regarding DNS and also IP vs Name based hosts. At least I know that I can put DNS out of the issue now.

Rather keep your DNS nicely aligned with your web server, it will help avoiding mistakes and default - uncontrolled - behaviour  ;)


Quote
Despite showing the wrong file anyway, I  suppose this has something to do with the default-ssl site being enabled, but yet then it should point me to /var/www rather than what it does now...

yes in a first approach... except if you have some vhost matching first  ;)
I'm quite busy and can't really look closer at your set-up right now but I'll do it because this is an interesting way of exposing potential problems or constraints due to Zentyal implementation

Quote
PS: FYI, seems like Zentyal 3.4 will get rid of apache instance that is running and is used for Zentyal's admin interface. I can imagine, that there can be some config conflicts between the two, but I haven't found any trace.

I'm not sure there is currently any real conflict but I hope this will give more flexibility on the Apache side.
Nginx is already used for the admin console. This is definitely faster. Drawback is that I would not suggest Nginx as the preferred engine to handle HTTP reverse proxy. Not that this is not feasible but Zentyal does not provide enough technical documentation for me to really understand what can be done and what should not.

gzen

Re: Virtual Hosts and DNS mystery...
« Reply #6 on: February 11, 2014, 10:18:19 pm »

Quote
5. you can have only one https per IP. so all your SSL enabled virtual hosts should have same certs SSLCertificateFile    /etc/apache2/ssl/ssl.pem.
I agree and disagree. Perhaps the definition is right but for IP based virtual hosts. I do not think this applies to Named Virtual Hosts. I had (on this very same public IP adress) vhosts running before, and one of them used its own self-signed ssl certificate while other used one certificate from startssl.com, and it worked ok. Once I get this working, I can share the configs for your information.

Brandon,
you're right, I looked it up: since apache 2.2.12, Apache supports Server Name Indication (SNI), so you can set up multiple ssl sites with a single ip address.
your apache web server is definitely acting a bit strange, I'd suggest starting over, remove all vhosts and create only two vhost sites www.teamdiehards.com and www.susilafamily.com, get these two sites working correctly first, then use the ServerAlias directive to blend the short names in together.

BrandonSk

Re: Virtual Hosts and DNS mystery...
« Reply #7 on: February 11, 2014, 11:57:08 pm »
Dear all,

thanks for the answers and suggestions. At the moment I have a working set-up on http part. Next I will work on https (forced ssl) and post updates.
I did not solve the mystery however, and it boils down to "a bug", but probably caused by me in the first place. It seems that there is some "leftover" somewhere in wherever Zentyal stores config info. This leftover info seems to be (strangely enough) connected between the webserver and DNS modules and I don't know what it is and how to get rid of it. Let me explain:

I own another domain "rbsforschung.com" and that one was never configured on this particular Zentyal installation. So I went ahead and tried to replicate the teamdiehards problem with it (i.e. in WebServer module I added new vhost www.rbsforschung.com; DNS record was created - did not touch it; added custom.conf file with ServerAlias rbsforschung.com *.rbsforschung.com). All was working as expected!

So I figured, this must be a problem strictly related to the www.teamdiehards.com vhost. I removed the wrong directory /srv/www/teamdiehards.com to see what happens. When accessing www.teamdiehards.com I got the 404 page error. At this point I started paying attention to one strange thing I noticed earlier, but did not worry about it (see next paragraph). When I removed the www.teamdiehards.com virtual host and all its files, added a new virtual host, this time without www (i.e. only teamdiehards.com) and added the appropriate server alias (www.teamdiehards.com *.teamdiehards.com) - everything works as expected. So bottom line is, for www.teamdiehards.com there is some config leftover, which causes it to fail...

Now to the strange thing and why I think there is a config junk somewhere. Whenever I change something in WebServer module (either existing vhost or add a new one, or delete existing...) a yellow Save changes button appears. After I click it, all changes are saved, I get the OK button, but the "Save changes" button stays in the top right corner, no matter how many times I click on it! The only way to get rid of it is, that I go to the DNS module and make any change (to whatever domain defined there, does not have to be the one I just modified in WebServer), then after I click Save changes, the button goes away. Strange, huh?!
I am lost in terms of where to look for info. I tried the logs in /var/log/zentyal and based on modification time the only file changed was zentyal.log -> I looked into it, and I could see entries regarding saving changes but no errors. All went fine according to the log.

I am not willing to reinstall nor to do a "clean-sweep" of all modules. Unless someone can point me to which (I suppose database) to look in and search for a clue, I will keep it as it is and just stick to the teamdiehards.com vhost.

So to give an update on currently running (and working) conf, it is:
Virtual hosts:
1) susilafamily.com
2) teamdiehards.com
3) www.rbsforschung.com
with appropriate aliases, all working as expected.

Default and Default-ssl -> both enabled. They do not interfere anymore...

For DNS records, I removed all entries related to virtual hosts. I only have the local domain named "sushinet.lan" there. I know christian suggested otherwise, but at the moment I do not feel really strongly about DNS and if my vhosts work from the internet, that is all that matters for the moment. Once I have a fully working set-up, I might consider looking into DNS entries as well (quick question -> can I define a domain and tell Zentyal to pull records for it from a different DNS server [something I would call a Slave DNS]?)

What is still not working is the ForceSSL option. My next steps will be:
1) change susilafamily.com vhost to www.susilafamily.com and check it works (I just like it better with www, don't ask me why :) )
2) Enable SSL for all sites (SSL allow) -> check https works as expected for all vhosts
3) Switch to ForceSSL mode for some or all sites

I am not marking as solved, because we haven't really solved it, did we? :D
But I will, I just want to post updates in here for reference for others. Then I will close it with Solved.

Cheers for now. Fingers crossed ;)
B.

PS: I will keep the promise and provide (in a separate thread) the script for SSL and other custom configuration of hosts once I adjust it to final shape.
« Last Edit: February 12, 2014, 12:01:47 am by BrandonSk »

BrandonSk

Re: Virtual Hosts and DNS mystery...
« Reply #8 on: February 14, 2014, 03:11:24 pm »
Dear all, I think I finally nailed it.

I can’t answer why ForceSSL was not working in the above set-up. I ended up removing the WebServer module (it removed Zarafa too :( but that one I can add later) and to make sure all is gone I ran “sudo apt-get autoremove” (bunch of files got deleted) and “sudo apt-get -f install” to fix whatever was reported broken.
I also manually deleted all content in /srv/www

With such set-up I installed the webserver module again (through GUI). Now I took one vhost (www.susilafamily.com) and went step by step. Added ServerAlias susilafamily.com *.susilafamily.com to custom.conf file in the ebox-user-www.susilafamily.com directory.
Then tested http only, allow ssl, force ssl.
Testing names as per my posts above - after each step.

Http only and Allow SSL worked. All addresses www.susilafamily.com | susilafamily.com | foo.susilafamily.com worked as expected.

But after changing to ForceSSL the situation changed, and redirection worked only for www.susilafamily.com, while any other name would redirect me to the default website!
The https:// addresses worked fine though when typed with https:// prefix.

So by coincidence I found the issue. Now, I do not know whether this is a bug or a feature but I did not find any meaningful reason for such feature.
When ForceSSL is turned on, the
Include /etc/apache2/sites-available/user-ebox-vhostname/*
(vhostname being www.susilafamily.com in my example)
was included only for the <VirtualHost *:443> part of the file!
Consequence? Well, my ServerAlias string was thus only loaded for https part and not for http!

I am not filing a bug, because I am not sure whether this is intentional or not.
Instead, I created myself a script, that originally was intended to help include custom SSL certificates, but now also takes care of this issue.
I am posting the script as promised before to a separate thread here:
http://forum.zentyal.org/index.php/topic,20566.0.html

And closing this one. Thanks everyone for helping and providing clues.

Cheers,
B.
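As an added illustration (not code from this thread, from Zentyal, or from any poster), the check below parses a constructed ebox-style vhost file in which the user Include lands only in the *:443 block, the situation described in the last post, merges in a constructed custom.conf carrying the ServerAlias, and reports which hostnames would fall through to Apache's default site on each port. The file paths, the http-to-https redirect line and the custom.conf contents are assumptions.

```python
import fnmatch
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the ebox-* file quoted in the thread and
# extended with the *:443 block that ForceSSL adds. The redirect line is an
# assumption; the point reproduced is that the user Include sits only in the
# :443 block, so directives in custom.conf never reach port 80.
SAMPLE_VHOST_CONF = """\
<VirtualHost *:80>
        ServerName www.susilafamily.com
        DocumentRoot /srv/www/www.susilafamily.com
        Redirect permanent / https://www.susilafamily.com/
</VirtualHost>
<VirtualHost *:443>
        ServerName www.susilafamily.com
        DocumentRoot /srv/www/www.susilafamily.com
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/ssl.pem
        # Custom configuration goes in this file
        Include /etc/apache2/sites-available/user-ebox-www.susilafamily.com/*
</VirtualHost>
"""

# Constructed stand-in for the files the Include glob would pull in
# (the custom.conf the poster created), keyed by path.
USER_CONF_FILES = {
    "/etc/apache2/sites-available/user-ebox-www.susilafamily.com/custom.conf":
        "ServerAlias susilafamily.com *.susilafamily.com\n",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Map directive name -> list of argument strings (comments skipped)."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return directives


def resolve_includes(directives: Dict[str, List[str]],
                     files: Dict[str, str]) -> Dict[str, List[str]]:
    """Merge directives from files matched by each Include glob into the vhost."""
    merged = {key: list(vals) for key, vals in directives.items()}
    for pattern in directives.get("Include", []):
        for path, content in files.items():
            if fnmatch.fnmatch(path, pattern):
                for key, vals in parse_directives(content).items():
                    merged.setdefault(key, []).extend(vals)
    return merged


def names_by_port(conf: str, files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Port -> set of ServerName/ServerAlias patterns the vhost answers to."""
    result: Dict[str, Set[str]] = {}
    for match in VHOST_RE.finditer(conf):
        port = match.group(1).strip().rsplit(":", 1)[-1]
        merged = resolve_includes(parse_directives(match.group(2)), files)
        names = set(merged.get("ServerName", []))
        for alias_line in merged.get("ServerAlias", []):
            names.update(alias_line.split())
        result[port] = names
    return result


def host_matches(patterns: Set[str], host: str) -> bool:
    """Apache-style name match: exact ServerName or wildcard (* / ?) alias."""
    return any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in patterns)


def unmatched_hosts(conf: str, files: Dict[str, str],
                    hosts: List[str]) -> Dict[str, List[str]]:
    """Port -> hostnames that would fall through to Apache's default vhost."""
    return {port: [h for h in hosts if not host_matches(names, h)]
            for port, names in names_by_port(conf, files).items()}


if __name__ == "__main__":
    tests = ["www.susilafamily.com", "susilafamily.com", "foo.susilafamily.com"]
    for port, missing in unmatched_hosts(SAMPLE_VHOST_CONF, USER_CONF_FILES, tests).items():
        print(f"*:{port} falls through to the default vhost for: {missing or 'nothing'}")
```

Run against the constructed file it reports that port 80 only answers for www.susilafamily.com while port 443 answers for all three names, which matches the behaviour the last post describes.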