Author Topic: Our Zentyal under dyndns .  (Read 2439 times)

topdog101

Our Zentyal under dyndns .
« on: September 11, 2011, 07:48:58 pm »
Hi there.
We're very happy with our Zentyal, except that we're having a hard time trying to figure out what is wrong in our settings when working on the firewall to declare a web server that should be reachable from the outside world.

- we have a domain under dyndns: ourdomain.dyndns.net
- and an internal network ranging from 192.168.10.1 to .90
- 192.168.10.24 is our web server (under Ubuntu 11.04) and has a local name of server01.zentyal-domain
I have created an object for that server and use it throughout the settings, firewall etc. I expressly opened all ports on it for testing, and tried to reach it from http://server01.ourdomain.dyndns.net; internally it opens without problems, but when I try to type the address from the outside, it won't open.

I have spent two weeks on it and still have no clue. I have been ordered to step down to a physical router, which I don't want, because I know that my Zentyal can go beyond a normal router.
I have Samba (running OK),
a DC (under zentyal-domain) with 192.168.10.10, also used as a gateway, no problem there either.
Everything is working fine except the access from outside. I closed access to Zentyal completely as I was recently hacked and my Zentyal server was brought to its knees.
I followed all the directions from your manual; I cannot find what I am missing.
I was forced to use dyndns as our IP from provider is dynamic.

So I am asking for your kind support to help me figure it out. I am sure I am missing something on the firewall side or in our DNS.

Thank you

christian

Re: Our Zentyal under dyndns .
« Reply #1 on: September 11, 2011, 09:06:43 pm »
If I understand correctly, the web server you want to reach is not the Zentyal server itself but is connected on the internal network.
If you want to reach it from the Internet, you have to either:
- run a reverse proxy on the Zentyal server
- configure port redirection at firewall level.

The components to run a reverse proxy are there with Zentyal (this could be done with either Apache or even Squid, if I'm not totally wrong) but there is nothing, as far as I know, to configure it using the web GUI.
Redirecting a port can be done using the web GUI: I suppose this is what you did. Do you confirm?

half_life

Re: Our Zentyal under dyndns .
« Reply #2 on: September 11, 2011, 11:02:35 pm »
A reverse proxy is necessary to get the headers rewritten properly. Apache does this, as Christian points out. I am getting ready to jump this hurdle in the next week. I will check back and share my experiences.

christian

Re: Our Zentyal under dyndns .
« Reply #3 on: September 11, 2011, 11:12:39 pm »
Half_life, let me please add some more comments to make the whole picture more accurate:
- you're basically correct, a reverse proxy is the right way to go.
- forwarding at the firewall will NOT work (because of headers, as you rightly stated) except, ;D ;D ;D if your internal domain has the same name as the public one and if external DNS stores an A record or CNAME for your fake internal server, meaning the Zentyal external interface. In such a case, there is no need for header rewriting. 8)
This is definitely not the cleanest approach, but it works pretty well.

half_life

Re: Our Zentyal under dyndns .
« Reply #4 on: September 11, 2011, 11:30:15 pm »
I stand corrected!  Thanks for adding that!

half_life

Re: Our Zentyal under dyndns .
« Reply #5 on: September 11, 2011, 11:37:10 pm »
Not to hijack this thread, but I was thinking of using HAProxy to move the configuration away from Zentyal, to avoid dealing with having the Apache files rewritten each time I update something. Basically we are putting up a public-facing portal to share our AVL (automatic vehicle location) info. I would like to keep this server distinct from anything else, so I am running it on the internal network as a virtualised machine. Thoughts?

christian

Re: Our Zentyal under dyndns .
« Reply #6 on: September 12, 2011, 07:14:15 am »
Let's open another thread to discuss this interesting topic and not jeopardize this one.
To make it short (I'll elaborate in the topic you will open), I share your view ;)

topdog101

Re: Our Zentyal under dyndns .
« Reply #7 on: September 12, 2011, 08:02:21 am »
A reverse proxy is necessary to get the headers rewritten properly. Apache does this, as Christian points out. I am getting ready to jump this hurdle in the next week. I will check back and share my experiences.

Yes!!!! Not Zentyal, but another server with IP 192.168.10.24. You're talking about a reverse proxy; do I still need to work something out on that level even if I did not activate the proxy server? I am trying out what you guys suggested and I'll post the results here.

But, to be more accurate:

- network = eth1 external with PPPoE dynamic IP from ISP
             eth0 internal 192.168.10.10 static, serving DHCP
- my dyndns: mydomain.dyndns.net
- internal DHCP range: 192.168.10.2 to 192.168.10.70
- only computer with a fixed IP, called server01: 192.168.10.24, registered as a member of the "internal servers" object
- local domain for PDC: zentyal-domain
- active = firewall; from external to internal network: I have opened the necessary 192.168.10.24 ports
- active = DHCP: dynamic domain: mydomain.dyndns.net
                 static domain: zentyal-domain
- in DNS: mydomain.dyndns.net (in hostnames = server01)
          zentyal-domain (in hostnames = server01)

Well, I guess I gave enough clues to help you.
Big thank you anyway.



christian

Re: Our Zentyal under dyndns .
« Reply #8 on: September 12, 2011, 08:24:32 am »
Sure, you gave us enough clues to help us... helping you :P

I'm talking about a "reverse proxy" because what you need here is:
- either to redirect connections made on the Zentyal external interface (192.168.10.10 on port... say 8080) to 192.168.10.24 on port 80. This is done at firewall level
- or to have a "proxy" listening on 192.168.10.10 (again, why not on port 8080) and let this proxy request your internal web server.

As discussed with half_life, each design has some pros & cons, and port redirection might not work for HTTP depending on domain names (internal vs. external).

To make it short: because you are using dyndns, the firewall-based approach (port redirection) doesn't work :-\

So maybe we are not jeopardizing your topic while discussing reverse proxy here  ;D

Thus my comments about half_life's point:
- Apache is able to act as a reverse proxy
- this is not currently handled by Zentyal
- one option is to use hooks to customize the Apache conf. I do not feel very comfortable with this, although I'm convinced it should work very well
- another one is to deploy a dedicated reverse proxy infrastructure. I don't know HAProxy (which should do it; even if it is designed for load balancing and HA, the mechanisms are the same). This can also be done with light HTTP servers like nginx or lighttpd. What really matters here is the capability to rewrite headers, so that when a user asks for http://server01.mydomain.dyndns.net the request reaches server01.zentyal-domain, and the page sent back to the client is rewritten in the middle by the reverse proxy to look as if it was sent from server01.mydomain.dyndns.net

This is what a reverse proxy is supposed to do (at a high level, because it can do much more complex rewriting; the goal is for you to get the idea).

Does it make sense?
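The following is an added example, not code from the thread or from Zentyal. It models the header handling that Reply #3 and Reply #8 describe: what a reverse proxy (Apache's ProxyPass/ProxyPassReverse directives, or nginx/HAProxy equivalents) does to the request Host header and to the backend's Location header, next to what a bare firewall port redirection does (nothing). The public name server01.mydomain.dyndns.net and the internal name server01.zentyal-domain are taken from the thread; the backend URL, port and redirect paths are assumptions, and the sample headers are constructed.

```python
"""Model of reverse-proxy header rewriting vs. plain port forwarding (added example)."""
from urllib.parse import urlsplit, urlunsplit

# Names from the thread; the URL scheme/port are assumptions.
PUBLIC_HOST = "server01.mydomain.dyndns.net"
BACKEND_URL = "http://server01.zentyal-domain"


def _host_port(netloc: str, scheme: str) -> tuple:
    """Split 'host[:port]' and fill in the scheme's default port (hostnames only, no IPv6 literals)."""
    host, sep, port = netloc.rpartition(":")
    if not sep or not port.isdigit():
        host, port = netloc, "443" if scheme == "https" else "80"
    return host.lower(), int(port)


def proxy_request_headers(client_headers: dict, backend_url: str, preserve_host: bool = False) -> dict:
    """Headers the proxy sends to the backend.

    With preserve_host=False (Apache's default, ProxyPreserveHost Off) the Host header is
    replaced by the backend name so the backend's own virtual host matches. The client's
    Host is kept in X-Forwarded-Host so the application can still build public links.
    """
    backend = urlsplit(backend_url)
    out = dict(client_headers)
    out["X-Forwarded-Host"] = client_headers.get("Host", "")
    out["X-Forwarded-Proto"] = "http"  # assumption: proxy is plain HTTP, as in the thread
    if not preserve_host:
        out["Host"] = backend.netloc
    return out


def proxy_response_headers(backend_headers: dict, backend_url: str, public_host: str,
                           public_scheme: str = "http") -> dict:
    """Rewrite Location/Content-Location/URI headers that point at the backend so they
    name the public host instead (what ProxyPassReverse does). Relative URLs and URLs
    pointing elsewhere are left alone."""
    backend = urlsplit(backend_url)
    backend_hp = _host_port(backend.netloc, backend.scheme)
    out = dict(backend_headers)
    for name in ("Location", "Content-Location", "URI"):
        value = out.get(name)
        if not value:
            continue
        parts = urlsplit(value)
        if not parts.netloc:
            continue  # relative redirect: already correct for the client
        if _host_port(parts.netloc, parts.scheme) == backend_hp:
            out[name] = urlunsplit((public_scheme, public_host, parts.path, parts.query, parts.fragment))
    return out


def port_forward_response_headers(backend_headers: dict) -> dict:
    """What the client sees through a bare DNAT/port redirection: nothing is rewritten,
    so a redirect to the internal name reaches the Internet client unchanged."""
    return dict(backend_headers)


def reachable_from_internet(location: str, public_host: str) -> bool:
    """True if a redirect target is relative or names the public host; an internal
    name such as server01.zentyal-domain cannot be resolved by an outside client."""
    parts = urlsplit(location)
    return not parts.netloc or parts.hostname == public_host


if __name__ == "__main__":
    request = {"Host": PUBLIC_HOST, "User-Agent": "curl/7.21"}   # constructed sample
    print("to backend:", proxy_request_headers(request, BACKEND_URL))
    redirect = {"Location": "http://server01.zentyal-domain/login"}  # constructed backend reply
    fwd = port_forward_response_headers(redirect)["Location"]
    rp = proxy_response_headers(redirect, BACKEND_URL, PUBLIC_HOST)["Location"]
    print("port forward:", fwd, "reachable:", reachable_from_internet(fwd, PUBLIC_HOST))
    print("reverse proxy:", rp, "reachable:", reachable_from_internet(rp, PUBLIC_HOST))
```

The same functions also show Christian's exception in Reply #3: when the internal and public names are identical, proxy_response_headers is an identity and a plain port redirection gives the same result. Apache's ProxyPassReverse only rewrites the Location, Content-Location and URI response headers and, with ProxyPassReverseCookieDomain, cookie domains; absolute internal links inside HTML bodies are not rewritten unless mod_proxy_html or an equivalent filter is added.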