Re: [Openvds-devel] VDS Apache Features - Request for Comment


From: Eje Gustafsson
Subject: Re: [Openvds-devel] VDS Apache Features - Request for Comment
Date: Tue, 11 Dec 2001 12:36:12 -0600

Tuesday, December 11, 2001, 06:34:18 AM, you wrote:

ro> OK,  up late tonite and got development issues...

ro> In the NEW openVDS, there are several issues that customers will expect.

ro> Most customers are *used* to certain ways that apache works.  When they get 
ro> this *new* technology, most will probably want the following:

ro> 1.)     ip based domains 
ro> 2.)     name based domains.

ro> Also, the best thing about a VDS is the ability for the customer to handle 
ro> their dns administration.  I want hands off of that. I've been doing dns 
ro> entries for about 7 years now and sick of it.

ro> SO, correct me if I'm wrong, but right now an openVDS (or freevsd 1.4.x) 
ro> virtual dedicated server instance looks to me like it only can have one IP 
ro> address ??

ro> Is this the case?  In the latest skel for redhat 6.2 from the 
ro> ftp.freevsd.org site, there is no /etc/sysconfig/  folder.  

ro> Is anyone putting multiple ip's on the VDS? If so, how?

The way FreeVSD is designed, it's only meant to have 1 ip per virtual
server, which means you only can run 1 IP based domain per VS; then you
will have to do name based if you want more than 1.

Would most likely require some serious redesign to make it work with more than 1
ip per virtual server.

ro> hmmm.... we need ip aliases in the VDS.
ro> we also need further to have ip based domains.
ro> also, we need dns servers running on the VDS as well.

DNS servers in the VS have been done and can easily be done. Just need to
install BIND on the VS and configure it. The webadmin has some hooks
to do DNS servers.

ro> This all equals a full reseller package. An actual open Virtual Dedicated 
ro> Server.  This should be the difference between openVDS and freeVSD.

ro> I'm also probably not the only one who has read all the posts about ip 
ro> chains, ip tables, apache ports 8080, 8443, redirection and the like.....

ro> this needs to be tightened up.  Can someone summarize exactly how one can 
ro> accomplish the following. (which I consider to be a simple typical normal 
ro> setup).

ro> ------------------------------------

ro> physical server runs apache on http://10.1.1.1:80 and https://10.1.1.1:443
ro>     vds001 runs apache on http://10.1.1.50:80
ro>     vds002 runs apache on http://10.1.1.175:80  and https://10.1.1.175:443
ro>     vds003 runs apache on http://10.1.1.200:80  and http://10.1.1.201:80 
ro>           and http://10.1.1.202:80

ro> -------------------------------------

For security reasons you really don't want apache to run on port 80; it
requires root priv, and you would have to either patch apache, which
makes upgrade of apache a pain, or you would have to use a redirector
in some form to a higher port.

ro> Let's assume that we all are running name based domains on the VDSes as well 
ro> in the above example.  I'm more concerned about the interaction of the 
ro> vsdredirect, ipchains, iptables and ip alias support.

ro> Oh, yea, I don't know how many of you folks out there actually need to know 
ro> where your web traffic comes from, but it certainly doesn't come from the 
ro> physical server!  The procedure for accurate log file reporting, port 80 and 
ro> setup of the appropriate ipchains/iptables config should be clear and defined 
ro> here in the forum.

ro> Cheers to the betterment of openVDS,            

That is why you use iptables and the prerouting; then the connection is
NOT coming from the local machine but will be logged as coming from the
right machine.
IMO just drop ipchains and vsdredirect support from OpenVDS and use
iptables only, for this pure reason. However, some secondary iptables
rules need to be written and fixed so that connections that
originate from localhost reach apache on the VS. Iptables
prerouting rules will NOT do this because prerouting is just for
incoming traffic, not locally generated traffic.
If nobody fixes it I'll probably do it myself here shortly and post
the information to this list on how the setup should be done.

- Eje
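
The PREROUTING-plus-OUTPUT arrangement described in the message above, as an added example that is not part of the original post or of OpenVDS. It assumes each VS Apache listens on an unprivileged port on its own IP and that DNAT is used for the rewrite; the function name `vs_nat_rules` and the 8080/8443 pairing with the thread's sample addresses are illustrative.

```shell
#!/bin/sh
# Emits (does not apply) the nat rules that map a VS's public port to the
# unprivileged port its Apache listens on. Constructed example.

valid_ipv4() {
    # Dotted quad, each octet numeric and 0-255.
    echo "$1" | awk -F. '
        NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 }
        { exit 1 }'
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# vs_nat_rules VS_IP PUBLIC_PORT LISTEN_PORT
vs_nat_rules() {
    ip=$1 pub=$2 listen=$3
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    valid_port "$pub" && valid_port "$listen" || { echo "bad port" >&2; return 1; }
    # The redirect exists so Apache never has to bind a privileged port.
    [ "$listen" -ge 1024 ] || { echo "listen port must be >= 1024" >&2; return 1; }

    # Incoming traffic: destination is rewritten before routing. The source
    # address is left alone, so the VS access log shows the real client.
    echo "iptables -t nat -A PREROUTING -p tcp -d $ip --dport $pub -j DNAT --to-destination $ip:$listen"
    # Locally generated traffic never traverses PREROUTING; the nat OUTPUT
    # chain is where connections originating on the host get the same rewrite.
    echo "iptables -t nat -A OUTPUT -p tcp -d $ip --dport $pub -j DNAT --to-destination $ip:$listen"
}

# Sample addresses taken from the layout quoted in the thread.
vs_nat_rules 10.1.1.50  80  8080
vs_nat_rules 10.1.1.175 80  8080
vs_nat_rules 10.1.1.175 443 8443
```

The function only prints the commands, so the output can be reviewed before it is applied on the physical server.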
