Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: vshaulsk on September 29, 2011, 10:08:06 pm
-
I am thinking of using an Nginx reverse proxy in order to connect to a web server located on one of my VLANs.
The server will have a couple of vhosts all on IP 192.168.0.112 (one will be named appointments.com and the other will be services.com)
My external host name is provided by dyndns so it is xxxxx.dyndns.org
I have looked at some google documentation on Nginx, but I am not entirely sure how to implement it.
I also would like to make it listen on port 8080 so that I don't change any of the apache configurations present within my lan.
Has anyone set up an Nginx reverse proxy? Could you provide me with some instructions based on my scenario? I don't want to cause an error in my Zentyal setup.
Thank you !!!
-
Hi,
I just set up an extra virtual Ubuntu server and redirect all traffic on ports 80 and 443 to the nginx reverse proxy.
From there I redirect it to my servers.
It's very easy to install. Just install a basic Ubuntu server, apt-get install nginx and create virtual hosts in the sites-enabled directory.
Here is an example config which I created right after the apt-get install nginx:
/etc/nginx/sites-enabled/zarafa
server {
    listen 80;
    server_name webmail.check-ict.nl mail.check-ict.nl;
    access_log /var/log/nginx/access_zarafa.log;
    # relay everything to the internal Zarafa host
    location / {
        proxy_pass http://10.10.1.20/;
    }
}
Yours,
Nomad - Check ICT
-
Wow, dedicated (virtual) server to run Nginx :o You have plenty of resources ;D anyway...
I'm glad to see that some are trying to use Nginx instead of Apache. The main added value here is speed (for static content) and small footprint. However, if it's done by installing a dedicated virtual server, I'm not sure the footprint is small anymore ::)
Your example works. What might be required is to introduce some rewriting in case what you expose through Nginx is not 100% aligned with the internal server.
e.g. you want to redirect http://my.public.domain/appointments/ to http://appointments.com/ and http://my.public.domain/services/ to http://services.com/
The trick here is to use rewrite as described here:
http://wiki.nginx.org/NginxHttpRewriteModule#rewrite
in your case, this could be something like:
location /appointments {
    # strip the public prefix before handing the URI to the backend
    rewrite /appointments/(.*) /$1 break;
    proxy_pass http://appointments.com;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
-
Hehe, I have a big server with virtualisation. So it's no problem to create a little nginx server.
My only problem with nginx is that it can't forward SSL without having the keys etc. This is annoying when I want to forward https requests to Zentyal for example. I work around this by using a different port in the firewall, and redirect it to Zentyal.
Yours,
Nomad - Check ICT
-
I tried installing Nginx last night, but I failed to make it work....
I did not do any rewrite so that maybe the problem.
I need to set it to listen on port 999 (just a random chosen port). I setup a rule that anything that comes in on the external interface on port 80 gets redirected to port 999.
I also need to setup https to port forward to some port and make Nginx work for SSL.
To give me a better understanding .... in the end I want to use it in order to connect to my zarafa webaccess. This is under vhost webmail (192.168.0.1) and is forced SSL. Would this be possible to do with Nginx?
-
May I suggest we investigate one problem, solve it (hopefully ;D) then we will look at the next one...
starting with the first step that is to make Nginx working:
- you have installed Nginx listening on external interface, say port 999
- if your internal web server has exactly the same structure as what you want to "expose" on the internet, rewriting is not mandatory because the left part is handled by the reverse proxy itself.
- simple redirect should do.
You need to authorize, at FW level, incoming flow on port 999 on external interface.
Do not bother with your firewall rule redirecting port 80 to 999.
You can just access, for testing purpose http://your.external.service:999/
Once all this stuff work, we can improve and fine tune. 8)
-
I was thinking just that: Start off basic and build on that.
So here is what I have tried so far. I have a vhost on 192.168.12.1 called test (regular http and https both)
Opened port 999 in the external firewall
I did the apt-get install nginx - installed correctly.
I opened /etc/nginx/sites-enabled/ and created directory test
Then I did a nano /etc/nginx/sites-enabled/test
this created a new file in which I put in the following text:
server {
    listen 999;
    server_name test;
    access_log /var/log/nginx/access_zarafa.log;
    location / {
        proxy_pass http://192.168.12.1/;
    }
}
perhaps my line under the listen port is wrong.... I figured this was the line for the domain name that the proxy should redirect you to.... is this correct?
-
server_name should match the name of your server on the internet. As you may guess, test is unreachable ;)
You also should add, in the "http" section, this:
# reverse proxy options
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
When you say HTTP section... what exactly are you referring to?
Is this the section in file /etc/nginx/sites-enabled/test
do I put this under my http://192.168.12.1 ?
Also can I just change that address to http://test?
-
for the time being, you can add it in the location section.
Regarding server name, how are you going to reach test or http://test or anything that is not following internet naming convention?
it should be at least test.your-real-domain-name. No HTTP prefix either.
Or do you try to test it from intranet?
then it should be test.home.lan isn't it?
-
sorry I meant in the proxy pass section. Should the location proxy pass be http://192.168.12.1 or could I put just http://test....
what if I have two vhosts on the same IP how would I make the reverse proxy point to the correct one?
-
So the file in /etc/nginx/sites-enabled/test would look like this?
server {
    listen 999;
    server_name xxxx.dyndns.org;
    access_log /var/log/nginx/access_zarafa.log;
    location / {
        proxy_pass http://test/;   # or would this line be http://192.168.12.1 ?
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
-
??? what is the issue for the time being?
To make reverse proxy relaying request or to fine tune to reach the right vhost? I'm lost with the various inputs you add.
Can't we make one simple easy design and describe it once with no changes around until it works?
- you have one server (vhost or not we don't care) exposing http://target.home.lan, not running on Zentyal gateway (could be another Zentyal server, it doesn't matter)
- you want to access it from internet
- you install Nginx on Zentyal gateway, listening on port 999
FW is configured to accept request on port 999 on external interface
- you configure Nginx to redirect requests to http://target.home.lan
et voila
This is the basics. Then it obviously requires some tuning but is it at this stage crystal clear to you?
-
Well, what you posted while I was replying look much better ;D except that http://test can't be reached :-[ still you can use the IP
-
Yes I understand trying to understand the basic:
Open the correct port:
Install nginx and make it listen on the port;
Make it relay requests from external address to the target inside my lan.
I get the concept of what to do:
I am just trying to actually implement what to do. Once I get one instance working ... I can start figuring out how to make it work for other instances.
-
I can't get nginx to work.
http://xxxx.dyndns.org:999/test does not take me to http://test inside my lan or even just the IP address 192.168.0.1
There has to be something I am missing or just not understanding:
1) open port 999 in firewall
2) create vhost in zentyal named test on IP 192.168.12.1
3) apt-get nginx
4) make new directory in /etc/nginx/sites-enabled = /etc/nginx/sites-enabled/test
5) edit ( nano /etc/nginx/sites-enabled/test ) new file - maybe not the correct command?
6) Put in the following script
server {
    listen 999;
    server_name xxxx.dyndns.org;
    access_log /var/log/nginx/access_test.log;
    location / {
        proxy_pass http://192.168.12.1/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
7) Ctrl+X to save (maybe I did not save it correctly)
8) restart nginx
9) put address http://xxxxx.dyndns.org:999/test into the browser and that should get you to test inside the lan?
However this does not work... so I am doing something wrong ...
-
I think I understand what you don't understand :)
What you need to do is to "configure" Nginx, not to create some "page" in /test.
Nginx config is done in /etc/nginx/nginx.conf
You have to edit this file.
It can contain "includes" to store additional conf (like in /conf.d) but can contain also everything directly inside.
Furthermore, your conf will point http://xxxxx.dyndns.org:999 to the internal server (because of "location /").
-
when you say the conf will point to the internal server do you mean have it point to 127.0.0.1 internal localhost? Instead of going to the 192.168.0.1?
-
Could you please share your /etc/nginx/nginx.conf and your /etc/nginx/sites-enabled/test files?
When I wrote internal server, I meant server on the LAN, meaning 192.168.12.1
My point here is to say that the URL to be accessed in order to reach the internal server is http://xxxxx.dyndns.org:999, not http://xxxxx.dyndns.org:999/test
-
Another thing to consider is if you are running nginx on your zentyal server, and you are accessing from the internal network, you need to add a firewall rule internal-network ---> Zentyal allowing connection to the nginx service (port 999).
-
One other thing to remember is that you need to make a symlink from /etc/nginx/sites-available/test to /etc/nginx/sites-enabled/test.
-
My sites-available file (name matches my FQDN xed out here)
server {
    listen 82;
    server_name xxxx.no-ip.com;
    access_log /var/log/nginx/access_xxxx.log;
    location / {
        proxy_pass http://192.168.0.1/;
    }
}
symlinked to my sites-enabled.
I created a service called nginx in Zentyal and configured tcp/udp 82 (matches my listen statement).
I added an allow rule in outside-networks to Zentyal and inside networks to Zentyal for service nginx.
I opened a web browser locally and typed in http://xxxx.no-ip.com:82 and connected to my telephone system (192.168.0.1). I then VPNed into work and RDPed into one of the machines and repeated the web browser thing and presto I was greeted with my telephone system login.
-
I have set up things more like I would if I was going to use it in production.
server {
    listen 80;
    server_name xxx.no-ip.com;
    access_log /var/log/nginx/access_xxx.log;
    # everything else goes to the Zentyal web server, moved to port 81
    location / {
        proxy_pass http://192.168.0.3:81/;
    }
    # /asterisk/... is served by the telephone system, with the prefix stripped
    location /asterisk/ {
        rewrite /asterisk/(.*) /$1 break;
        proxy_pass http://192.168.0.1/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
I set the Zentyal webserver to port 81 (notice the redirection in the first proxy_pass statement). This gives the same results as the earlier experiment. This would be useful if you were, for instance, running a tomcat server and wanted to integrate it into your main webserver.
-
Both you Half_life and Christian make sense with your explanations and examples. Combined with google I should have figured this out. I don't see my firewall dropping packets so it all must be in how I wrote the script. Alright I have attached it here.
Just for my clarification do I make a file in either /etc/nginx/sites-available or /etc/nginx/sites-enabled? If I do does it matter what I name them?
Do I add anything in the /etc/nginx/nginx.conf?
I have attached two different attempts and one nginx.conf
-
I am going to answer a few pieces of this now and then take a little time to look over the rest of your setup. The accepted best practice for a sites-available, sites-enabled paradigm is to make your files in sites-available and then symlink them to sites-enabled where the server will actually be looking. However, as long as you have the files in sites-enabled (symlinked or real) the server will find them. The default nginx.conf file will work "out of the box" so you don't need to change it.
//edited to correct where the server looks for its configuration files which is sites-enabled. <Smacks self in head>
-
Did you open port 82 to internal traffic (internal-networks to Zentyal)? Are you entering in http://your-server-ip:82/ for testing purposes?
-
I also remember that you have multiple vlans setup. Prior to trying nginx, were you able to access your web server (not the Zentyal gui but the "ITWORKS" page)?
-
From inside my lan I can get to the "IT Works" Page for ip 192.168.12.1 This is the IP for my Vlan interface named wifi.lan.
Half_life I copied your example (just changed some IP and names to match my system) ..... I created a service nginx on port 82. I added that port 82 to the firewall to both external and internal connections. I can see in the firewall logs that a connection came through. It does not say anything about it being dropped so I am assuming I am reaching the open port...
I left the original /etc/nginx/nginx.conf at default setting on my first attempt. I created a new file in /etc/nginx/sites-available/XXXX
I created a symlink between the sites available and sited enabled. Checked that the link existed.
put the following script into the file
server {
    listen 82;
    server_name xxxx.dyndns.org;
    access_log /var/log/nginx/access_xxxx.log;
    location / {
        proxy_pass http://192.168.12.1/;
    }
}
I just keep getting The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
I have tried putting the script directly into the nginx.conf file - did not work
I have tried adding the lines
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Did not work either.
I can't connect from either inside my LAN or from the WAN.
It is almost as if I am not reaching nginx at all.
-
The standard implementation is as described in the attached picture.
BTW what you did looks correct. Notice you do have to keep the "proxy" related lines in your conf.
Then if you try to access from the intranet something defined on the internet, it may require some tuning.
Port numbers I show on the attached picture do not match yours but you will easily align ;)
In order to see whether or not you reach Nginx, you can just try to telnet to the Nginx port.
Why don't you try to set up everything internally, just to be sure you do not suffer from unexpected side effect because of FW, Zentyal or whatever?
Once it works, meaning you can use Nginx as reverse proxy, you can move it to Zentyal and adjust ports, firewall rules.
-
from a command prompt ps -ef |grep nginx. Do you get any results?
-
username(xxx) 3108 3071 0 20:08 pts/0 00:00:00 grep --color=auto nginx
-
sudo /etc/init.d/nginx start. Then repeat the first command. You should get one line for your grep command and one line for the server. ps (list running processes) -ef (e= all processes f=full listing) | (pipe the output) grep (search) nginx (we are looking for a running nginx process). You get one line that lists the command you just typed in and one for the server. To make the start command permanent "insserv nginx" (adds the necessary symlinks to call nginx during the init process).
-
I could shoot myself, three days of increasingly complicated troubleshooting when I should have asked the "is it plugged in" questions first. Sorry for running you around in circles.
-
I am sorry for wasting half_life and christians time with this. I kept thinking that nginx was on, but I did not take into account that I restarted the server since the time I installed the program. I thought it would start on its own..... boy do I feel stupid now.
Well.... now I got nginx to take me to the standard it works page inside my server when I point it to port 82.
I tried to get it to point to a vhost.... wpad.wifi.lan..... but so far no success... just keeps pointing to the regular IT works page.
I am assuming it has to do with the rewrite rule..... I tried following your example half_life... perhaps I missed something or did not write the script correctly. I will try later today.
-
Rewriting can look strange and tricky at the beginning until you understand how it works.
Could you please post URL you type and URL you aim to reach along with your Nginx config (well, only the include section) ;)
-
the standard /etc/nginx/nginx.conf is default... did not touch it.
I created a new file /etc/nginx/sites-available/AAA
server {
    server_name aaa.dyndns.org;
    access_log /var/log/nginx/access_aaa.long;
    location /wpad/ {
        rewrite /wpad/(.*) /$1 break;
        proxy_pass http://wpad.home.lan;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
if I type in the browser aaa.dyndns.org:82/wpad it takes me to the "It Works" page.... not the wpad.home.lan
-
Ha ha ha.... you like to make it complex isn't it ;D stacking both WPAD stuff with reverse proxy while none is fully working yet ::)
WPAD is a bit tricky because you do not control what browser is going to search as web server providing wpad.dat file. e.g. Depending on what you have set, assuming you use DNS method, then browser will try different URL based on host FQDN.
and something like http://whatever/wpad/ will never be searched... it will rather be http://wpad.whatever/wpad.dat
Thus I'm a bit confused with your example :-[
Then if you have index.html file at wpad.home.lan, this is different :) (I've one for testing purpose...)
This said, if your goal is to reach http://wpad.home.lan when you type http://aaa.dyndns.org/wpad/ then you don't need any rewrite here but redirect to http://wpad.home.lan/
Removing your "rewrite" directive should work so far... let me think twice about this...
-
my main reason for trying this is just to see if the reverse proxy would get me to something other than the standard "IT Works" page. The wpad.home.lan does have the wpad.dat file located in the srv/www/wpad.home.lan. All I wanted to do is see if I can reach it by going through the reverse proxy.
My real implementation of this will be different. I have a vhost which is called "webmail" which allows me to access zarafa if you type in http://webmail/webaccess in one of the client machines. I want to be able to access zarafa from the external port, but for that I need to reach it. I was hoping to use reverse proxy to get me to http://webmail/webaccess. Is this possible with reverse proxy? Can I setup something like zarafa to work this way?
-
Plus if I can get reverse proxy working to reach http://webmail/webaccess (IP 192.168.0.1) than I will create a full external webpage... under vhost http://aaa...family.com. and I will also install alfresco and have that reached through reverse proxy. Hope I am making sense on my final implementation.
I do like to make it complex because I want to learn and figure out how major corporations set things up. A lot of what I have setup so far is to try and mimic the company I work for... well the engineering building itself. The company is international so there is no way for me to have the same network setup.
-
My webmail/webaccess is forced SSL which I know requires a different setup. This is why I did not ask about it right away. I wanted to connect to something more simple first.
-
I share.
For this you can just host flat file on whatever server that is not Zentyal.
I'll try to install again Nginx on my Samba server and make such conf for you.
-
I just rewrote the location portion to this in order to test it .
server {
    listen 82;   # nginx directives are case-sensitive: "Listen" is an unknown directive
    server_name aaa.dyndns.org;
    access_log /var/log/nginx/access_aaa.long;
    location / {
        proxy_pass http://wpad.home.lan;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
from my understanding this should work like this.
I type address aaa.dyndns.org:82 in a browser and I would see output from wpad.home.lan
I do not have an html file on wpad.home.lan..... all I have is the wpad.dat file. However when I try this scenario I still get connected to just "It Works" and not my vhost wpad.home.lan
-
;D ;D
I was writing that listening on port 82 was missing.. when you added it ;)
-
So I made a quick test:
my Zentyal server (say server A) is running webmail at http://myserver.internal/webmail
I have another server, say server B, on which I did this:
- apt-get install nginx
- vi /etc/nginx/conf.d/proxy.conf to add proxy content
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- change /etc/nginx/sites-available/default to:
> listen on port 82
> set server name test.internal
> change default location to:
location / { proxy_pass http://myserver.internal/; }
- /etc/init.d/nginx restart
and now when I type http://test.internal:82, I'm accessing webmail at http://test.internal/webmail exposing content of http://myserver.internal/webmail
It took me 6 minutes including some DNS adjustment because of the new fake name.
Does it help?
-
Yes this helps a lot thank you !!!!
I believe I got my basic setup working to my test site. The only difference is that I currently have everything running on one server... maybe tonight I will start a virtual one.
Now lets see if I can get to my webaccess. The difference here is that my vhost webmail has forced SSL..... I know that nginx in the /etc/nginx/sites-available/default has https setup. You have to uncomment it and fill it out.
1) I am assuming that you follow the same basic steps except now you have to add the ssl certificate and the ssl key.
Now would the location of the certificate and key be /etc/apache2/ssl?
-
Well I think I got Nginx to work through SSL, but I can still only connect to the default "It Works" page.
It is like it is just connecting to the IP address and not looking up the vhost on that address.
my Vhost= webmail= 192.168.0.1 From vhost webmail you can get to zarafa by typing http://webmail/webaccess.
However if you just type in the address 192.168.0.1 into the browser you get the default "It Works" page.....
Nginx only gets me to the default page ... even though in the proxy_pass I have https://webmail/;.... it seems to just go to the standard IP (the vhost's IP is the interface for one of the VLANs)
Could this be because my vhost and Nginx are on the same server..... would it act differently if the vhost was on a separate server?
-
No, I think this is because of the regular expression and lack of rewrite if you need something not "direct".
If you look at my example, it works because I do not rewrite anything.
That's the reason why I suggest to start with the very basics: ensure the reverse proxy stuff relays properly to target server.
Once this works, you can fine tune. Devil is in the detail when it comes to rewrite.
Regarding HTTPS, I had no time, last night, to react because I launched 2.2 migration that failed :-[ and I needed to fix it.
you need to:
- enable HTTPS at Nginx level because client will need HTTPS. This is one certificate matching name of exposed server (the Nginx one) and you may also need to add the public part of CA having signed certificate on target server so that Nginx, as client (because in proxy mode, it acts as client too) can connect to target server, validating target certificate. But I saw you sorted it out ;)
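An added example of the HTTPS setup just described (this is editor-added code, not a configuration posted by anyone in this thread). It assumes the forced-SSL "webmail" vhost answers at https://192.168.0.1/ under the name webmail.home.lan, that the public name is xxxx.dyndns.org, and that the certificate, key and internal CA file live under /etc/nginx/ssl/ (all placeholders). Nginx terminates the client's TLS session with its own certificate and opens a second, verified TLS session to the backend:

```nginx
# Added example, not from the thread. Placeholders: xxxx.dyndns.org,
# webmail.home.lan, 192.168.0.1 and the /etc/nginx/ssl/ paths.
server {
    listen 443 ssl;
    server_name xxxx.dyndns.org;

    # Certificate for the name the *client* sees (the Nginx host). This is
    # not the backend's certificate.
    ssl_certificate     /etc/nginx/ssl/xxxx.dyndns.org.crt;
    ssl_certificate_key /etc/nginx/ssl/xxxx.dyndns.org.key;

    access_log /var/log/nginx/access_webmail.log;

    location /webaccess/ {
        # Nginx is the TLS client here, so it speaks HTTPS to the backend.
        proxy_pass https://192.168.0.1/webaccess/;

        # Name-based vhost on the backend: send the vhost's own name, not
        # $host (which would be xxxx.dyndns.org and select the default vhost).
        proxy_set_header Host webmail.home.lan;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the backend know the client connection was HTTPS, so a
        # "force SSL" redirect rule does not loop.
        proxy_set_header X-Forwarded-Proto https;

        # Validate the backend certificate against the internal CA and check
        # it for the vhost name. These four directives exist since nginx
        # 1.7.0; on older builds they must be removed and the backend
        # certificate is then NOT verified.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/internal-ca.crt;
        proxy_ssl_name webmail.home.lan;
        proxy_ssl_server_name on;

        # Rewrite Location headers the backend issues under its own name,
        # instead of "proxy_redirect off" which would leak the internal name.
        proxy_redirect https://webmail.home.lan/ https://xxxx.dyndns.org/;
    }
}

# Plain HTTP on the public name only redirects to HTTPS.
server {
    listen 80;
    server_name xxxx.dyndns.org;
    return 301 https://xxxx.dyndns.org$request_uri;
}
```

Check it with `nginx -t` before restarting, then watch the backend's Apache access log while requesting https://xxxx.dyndns.org/webaccess/ : the request must appear in the webmail vhost's log, not in the default one.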
-
I have a client who is running XBMC .... I set it up to allow network access on port 80.
I rewrote the /etc/nginx/sites-available/default.... to listen on a port of my choosing... and proxy_pass to http://revo.home.lan:80/;}. This worked perfectly... it redirected me to the webpage of XBMC and asked me for my login and password. I have not tried this over HTTPS...
However when I try the same thing but make the proxy_pass http://(vhost).home.lan it only connects me to the "It Works" web page. It seems to only find the IP address (192.168.11.1) and not the actual vhost running at the same IP. I have two vhosts under that address... also that is the address of the interface for that lan.
Would rewrite really matter in this scenario (do I even need a rewrite).... since I am just trying to connect directly to the vhost?
-
Hey guys,
I'm trying to do reverse proxy as well, but on apache.
I've found this
2009/11/14 Eduardo J. Ortega U. <ejorte...@gmail.com>:
> Hi, Paul:
>
> Thanks for your reply. However, I am unsure about how to do that. I do
> not see any option for that on eBox DNS module, and from what I have
> read about split DNS for bind, i will need two DNS servers, not just
> one. Any hints or reading material on alternative ways to achieve it
> are greatly appreciated.
You don't need two dns servers for split dns, you can do it creating
two different "views": the external view will give to external IP, and
the internal view the internal IP.
You can achieve the same with a (probably) simpler solution: instead
of redirecting connections to port 80 to the internal host, you can
setup a reverse proxy in the eBox firewall and accept HTTP connections
in the eBox firewall. This way, apache will proxy the connection to
the internal hosts. This solution has the additional benefit that you
can have several internal web servers and proxy connections to them
depending on the name.
You can setup apache adding the file /etc/apache2/conf.d/proxy.conf
with this content:
---
# Requires mod_proxy and mod_proxy_http (a2enmod proxy proxy_http).
# Keep this Off: "ProxyRequests On" turns Apache into an open forward proxy.
ProxyRequests Off
# Intranet
<VirtualHost *:80>
    # Your "official" name (Apache does not accept a comment after a directive
    # on the same line, so the remarks sit on their own lines)
    ServerName www.example.com
    # Aliases you may need
    ServerAlias intranet intranet.example.com
    ProxyPass / http://ip_or_name_of_internal_host/
    ProxyPassReverse / http://ip_or_name_of_internal_host/
</VirtualHost>
---
- You can have as many virtualhost definitions as you want for
different internal web servers
- Don't forget the "ProxyRequests Off" setting at the beginning, it
could be a MAJOR security problem
- Make sure you have the setting "NameVirtualHost *:80" somewhere in
your apache config file
Maybe it could be a nice feature to add this type of configuration to
eBox firewall module
Salu2!
--
Miguel Armas <k...@canarytek.com>
CanaryTek Consultoria y Sistemas SL
ModularIT http://www.modularit.org/
And so I've tried to do
You can setup apache adding the file /etc/apache2/conf.d/proxy.conf
with this content:
---
# Requires mod_proxy and mod_proxy_http (a2enmod proxy proxy_http).
ProxyRequests Off
# Intranet
<VirtualHost *:80>
    # Your "official" name (comments must be on their own lines in Apache)
    ServerName www.example.com
    # Aliases you may need
    ServerAlias intranet intranet.example.com
    ProxyPass / http://ip_or_name_of_internal_host/
    ProxyPassReverse / http://ip_or_name_of_internal_host/
</VirtualHost>
but no success :/
-
YokoBR, following our IRC chat, there is something wrong with your DNS: public DNS is showing your virtual server (the one on Apache) with IP address in the RFC1918 range, meaning it can't be reached from outside.
You have to set it with public routable IP, not a private one :-[
-
I have been trying to tweak my nginx configuration, but still can't get it to connect to any of the virtual hosts. It only connects to the standard "it works" page or, if I set up a second server, it connects to that machine. I see that there is a post about using Apache to reverse proxy.... would this be an easier solution... is it a good idea to use for security reasons?
I guess my other thoughts are to create a virtual server and install zarafa plus any webserver content on that machine, but I will start a new thread on that.
In the end there is just something I am missing about Nginx... It has to be something I am not setting up right ... it hits the IP itself, but does not actually lookup the virtual host.
-
I spent quite a lot of time trying to help YokoBR on this: reverse proxy in Apache is pretty similar to Nginx.
BTW he was very close to implement something working but he all of a sudden changed his mind to directly connect his Microsoft server to internet and LAN at the same time: Reverse proxy was not required anymore and Zentyal firewall was shunted :o
Anyway, what is, to me, tricky with reverse proxy in Apache is:
- manual changes in Apache conf that is managed by Zentyal
- vhost mechanism in Apache can be simple if you rely on "vhost by name" only but can be also a nightmare (perhaps because of my poor understanding) when you need to mix vhost by name and IP and don't want to bind virtual hosts everywhere.
-
I would rather do it with Nginx...
This way it is separate from my zentyal server package.. It is a separate entity, but I just can't get the vhost connection. No problem getting a direct IP website connection... whether to a different box or to zentyal... it just does not look up the vhost. I have read on google and tried a few things, but I feel like I am missing something.
I would think that when you do a proxy_pass http://test (IP 192.168.0.1) it should forward that name through the DNS lookup and bring you the correct website. When I type that into the browser from the lan ... I get a website "test". If I type the IP 192.168.0.1 I get the website "It Works"..... From the reverse proxy it only reaches the IP directly even though the proxy pass has the vhost by name.
There has got to be some theory about how Nginx works and talks to DNS and Apache that I don't understand. How is it searching for the vhost name? Where are the signals being sent?
-
OK, there is a couple of things you need to understand.... or I need to explain what "I" understand and if this makes sense to you, feel free to follow ;)
1 - the reverse proxy mechanism is pretty straightforward until you have to rewrite, because regular expressions might be confusing.
2 - if your target server is an Apache vhost, then you do have to understand how this vhost is managed. If you have "vhost by IP", you can target it directly using the IP address, but if you have "vhost by name", then if you use the IP you reach the default server, which might not be the one you are thinking about... Does it explain why you don't reach what you target?
For Zarafa... I don't know. I'm still not using it ;D ;D
Does it help?
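An added worked example for the "vhost by name" point above and for the two-vhosts-on-one-IP layout from the first post and the rewrite example earlier in the thread (editor-added configuration, not posted by anyone here). Apache picks a name-based vhost from the Host header of the request it receives; the configs in this thread all send `proxy_set_header Host $host;`, which makes Nginx forward the public name (xxxx.dyndns.org), so Apache matches no vhost and serves its default "It works!" page. The fix is to send the backend vhost's own name. Assumed names: the OP's 192.168.0.112 with the vhosts appointments.com and services.com, the public name xxxx.dyndns.org and port 8080:

```nginx
# Added example, not from the thread. Placeholders: xxxx.dyndns.org, port
# 8080, 192.168.0.112 and the vhost names appointments.com / services.com.

# Catch-all for requests whose Host header matches no server_name below.
# Without it Nginx hands such requests to the first server block on the port;
# 444 closes the connection without answering.
server {
    listen 8080 default_server;
    server_name _;
    return 444;
}

server {
    listen 8080;
    server_name xxxx.dyndns.org;
    access_log /var/log/nginx/access_public.log;

    # http://xxxx.dyndns.org:8080/appointments/x  ->  http://192.168.0.112/x
    # Because proxy_pass carries a URI ("/"), the matched location prefix is
    # replaced by it, so no rewrite directive is needed.
    location /appointments/ {
        proxy_pass http://192.168.0.112/;
        # The backend selects its vhost from this header. "$host" here would
        # send xxxx.dyndns.org and land on the default ("It works!") vhost.
        proxy_set_header Host appointments.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Map absolute redirects issued by the backend back under the public
        # prefix (rather than "proxy_redirect off", which exposes the
        # internal name to the client).
        proxy_redirect http://appointments.com/ /appointments/;
    }

    location /services/ {
        proxy_pass http://192.168.0.112/;
        proxy_set_header Host services.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http://services.com/ /services/;
    }
}
```

Two checks are worth doing from a LAN host before touching the firewall: `nginx -t` to validate the file, then compare `curl -s -H 'Host: appointments.com' http://192.168.0.112/` (what the backend serves for that vhost) with `curl -s http://<nginx-ip>:8080/appointments/`; if the first gives the vhost and the second the "It works!" page, the Host header is still wrong. Two caveats: the prefix trick only works for applications that emit relative links or can be told their base path, otherwise give each backend its own public hostname; and never build the target from the request, as in `proxy_pass http://$host...`, because that turns the box into an open proxy for whatever hostname a client supplies.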
-
How does zentyal work?? Is it vhost by name..... it seems that way.
How would I rewrite to make have nginx actually hit a vhost on IP 192.168.0.1 instead of default server.
-
When you create vhost using Zentyal, yes, Apache "available-site" is based on "vhost by name" model.
which mean that using proxy_pass http://name_of_your_vhost/ should work ;-)
-
But it does not .... it just reaches the default IP that the vhost is based on.
Maybe my problem is with the IP I assign the vhost. When you create a vhost it automatically assigns it to the first internal interface IP. From there you can go to the DNS module and change the IP the vhost is on. Does this IP have to be an interface or can it be any IP of my choice? Maybe I should choose an IP that is not also an interface IP?
-
Are we both speaking about virtual host you create in Web server module?
If yes, then you do not select the IP and can't change it, can you?
In DNS, CNAME is automatically create for this vhost at the IP of you Zentyal server.
-
yes in zentyal... when you go to webserver module and create vhost (example TEST) it will create this vhost and bind it to your first internal interface (example 200.200.200.1) ...save
Than go to DNS module and you will see your vhost TEST with IP 200.200.200.1 You can than click on modify and change the IP to whatever you like. You can also click under hostname and you will see NS 200.200.200.1 which you can also change to whatever IP you like.
The root to your vhost is in srv/www/(your Vhost) This file is empty until you put something there.
-
hum.... I don't share this understanding.
Something was, at least from my standpoint, very confusing with Virtual host creation in previous versions (it has been fixed in Zentyal 2.2) when you created vhost matching an existing domain: new DNS zone was created.
Let me explain.
You have one physical server (your Zentyal server) at 192.168.1.1 hostname is (e.g.) zentyal.home.lan
When you create vhost in web server section, if domain name is matching home.lan, then this action creates CNAME for zentyal.home.lan
In the past I think it was creating new domain, with NS record ::)
This said, no, you can't change this IP because it doesn't match anything existing unless you also create a virtual IP, but then the nightmare begins because mixing vhost by name and by IP is not as easy as it looks to be :-\
-
You would need to get into the /etc/apache2/sites-available/ and edit the vhost file there to have it bind to a specific lan interface. By default, it binds to all devices.
-
sure, this is what need to be done but not that simple, at least to me.
Not because of "vi" of course ;D but because mixing directives to have both "vhost by name" and "vhost by IP" never works easily :-[
+ you will have to strongly tweak the *.mas files or use hooks, don't you?
-
I guess at this point I don't understand than why if you point "proxy_pass to http://test" which is a good vhost .... why it just goes to the default "It Works" website.
-
I suppose this is because of the "vhost by name" mechanism.
Did you try, for test purpose only, to forward it to another internal web server that is not vhost on Zentyal itself, still using server name rather than IP address?
-
Yes I have tried to connect by name. I have an acer revo running as a client machine which has XBMC on it. The XBMC has a web gui enabled on port 80. If I set proxy_pass http://revo.home.lan.... it takes me right to the XBMC web interface.
So I know NGINX works, but unfortunately not for my vhost. This might not be a complete problem since all I have to do is just not use a vhost for either the external website or the zarafa mail service. I just liked the vhost approach because you can force SSL .... with zarafa this made it easier than having to reconfigure the zarafa files themselves to automatically go to the HTTPS version.
With hardware not being an issue... what do you think about making a virtual server as a zentyal slave... installing a full lamp stack and zarafa (basically using it for just webserver and mail). This way I can get NGINX to point right at it by name and possibly avoid the vhost problem?