Is one IP to many domains, possible to set up with ISPconfig?

Discussion in 'Installation/Configuration' started by whynot, Mar 1, 2012.

  1. whynot

    whynot New Member

    Debian Squeeze host with Debian Squeeze OpenVZ containers.

    I am new to ISPconfig and I am hoping ISPconfig will simplify an area I am lost in to start with. I'd appreciate being steered to the easiest way to do the below configuration:

    With ISPconfig, is it possible to configure one IP on my host node and allow many different private IP address domains, each IP for a particular OpenVZ container? And if so, how is that set up?

    Just to be clear, I mean I will have several domains pointing at my single static IP address and I want to use ISPconfig to make sure traffic for each unique domain goes to the right container.

    Thanks! :)
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Currently you can assign only one IP to a host container, but we will change that in the next release so that multiple IPs can be added.
  3. whynot

    whynot New Member

    I'm sorry. I have not done a good enough job explaining what I am doing and where my problem is at. I am building this at home as a real project I intend to implement but also as a first learning experience. I will have only one incoming static IP address to my Host Node. My several domain names will all be pointed at that one static IP, and all incoming communications (ports 80 and 443) will be coming in on that one IP address. So, it doesn't matter if ISPconfig later allows multiple IPs....I only have one to work with.

    I think what I am asking is, does ISPconfig allow me to key on the incoming domain name in the URL in order to switch or direct each incoming communication to its correct container which is dedicated to that domain name's specific operations? Or do I need to learn iptables at NetFilter in order to do this??? Or what? And where or what is the easiest thing to study to do this? For instance, is there a HowTo on this topic somewhere?

    And along the same lines, I have looked at several firewall apps which say they manipulate iptables so that you don't have to, which to me means they are a higher level of operation, but when it comes to what the commands they use are, everything very quickly gets very skimpy if anything in their documentation and it looks like they are still expecting a knowledge of iptables commands very soon in trying to create anything. I have not looked at the Bastille firewall ISPconfig uses; I am trying to find the right path for me to be on, first, as I have been going in circles. If you can point me also to the basic knowledge I need to acquire to successfully pass through setting up the firewall, I'd really appreciate it....especially if it is simple and basic enough for dummies to understand it. I waded through the first 5 chapters of the Netfilter "tutorial" not understanding anything...and decided, there must be something more direct and basic somewhere!!!

    Thanks! :)
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Are you talking about OpenVZ virtual machines or about vhosts / websites? You can run as many websites as you like on a single IP, just select the IP or * in the website settings. The routing is done by apache or nginx, no need for iptables. When it comes to OpenVZ virtual machines, each virtual machine needs its own IP address, and using multiple virtual machines when you have only one external IP does not make much sense anyway.

    In general, filtering by domain name is not done at the firewall level. For a setup where you run multiple internal servers or virtual machines with one external IP you normally use a reverse proxy. The reverse proxy, e.g. apache or nginx, receives the incoming HTTP requests and forwards them to the different internal IP addresses.
    Last edited: Mar 1, 2012
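
Added example, not part of the original thread or of ISPConfig: a minimal nginx reverse-proxy configuration of the kind till describes above, routing by requested host name from the one public IP to a web server per site. The domain names and the 10.0.0.x container addresses are constructed placeholders, and a current nginx release is assumed.

```nginx
# Runs on the machine that owns the single public IP. These server blocks
# belong inside the http { } context (for example in an included file).
# All names and addresses below are constructed placeholders.

# Catch-all: a request whose Host header matches no configured site is
# dropped, so an unknown name never falls through to some container.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # nginx-specific: close the connection without replying
}

# site-one.example -> web server in the container at 10.0.0.103
server {
    listen 80;
    server_name site-one.example www.site-one.example;

    location / {
        proxy_pass http://10.0.0.103:80;
        # Hand the original host name and client address to the backend,
        # so its own vhost matching and access logs stay meaningful.
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# site-two.example -> web server in the container at 10.0.0.104
server {
    listen 80;
    server_name site-two.example www.site-two.example;

    location / {
        proxy_pass http://10.0.0.104:80;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Each backend web server should accept HTTP connections only from the proxy's address, otherwise the forwarded client-address headers can be spoofed by anything else that can reach it. For port 443 the proxy terminates TLS, so each server block additionally needs its own `listen 443 ssl` line and that site's certificate.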
  5. whynot

    whynot New Member

    I am using OpenVZ, although, I have read that Debian isn't going to support it past Squeeze, which means I guess, if one wants to upgrade debian past squeeze, LXC is the answer? Is ISPconfig going to support LXC in the future?

    I want to create separate websites, one per OpenVZ container. I want the containers isolated and secure from each other's activities.

    I have venet (VE Ethernet) on OpenVZ working great as long as my private IP containers are on the same subnet as my host node. From inside the container I can ping anything on the internet and any of my actual physical computers on the same LAN can ping in through the host to the containers. However, my experiments to have the host on one subnet and the containers on a different subnet have not worked. I'm missing some command to iptables, I think, concerning dnat...but the commands I have found others using, didn't seem to work out for me.

    Trying to make veth (virtual ethernet) work hasn't worked....I'm missing knowledge there, so I am hoping ISPconfig works with venet as I'd like to finally get through all this initial setup and get to doing what I wanted to work with in the first place. I have been stuck here a long time...

    Early on, I was advised by someone who runs an OpenVZ setup with lots of containers to accomplish the networking of the containers in the following manner, but this appears to be over my head and I haven't found tutorials that shed the necessary light to know the commands to accomplish this, which is why I was wondering if ISPconfig would provide an easier routing scheme of the network for me that is still secure:

    I was told to have the host node's firewall direct all port 80 & 443 traffic and also all IP traffic to container 101, where a firewall like shorewall exists. This firewall maps the port numbers to the containers' individual IP addresses and sends all IP traffic directly to their respective containers. As for domain http/s traffic, this firewall directs all of it to container 102 which is sitting inside container 101's DMZ. (I have no idea what putting this in the DMZ does for me.) Container 102 contains Apache running in Virtual Host Mode which then handles all external incoming and internal outgoing domain name based http/s traffic by bi-directionally translating it. It does this by reading the incoming domain names and changes the headers of the incoming communications, which then maps the URL domain names to their assigned port numbers - which are high numbers (unique numbers assigned to each container) by swapping the new port number replacing port 80 in the addressing and then sending the new addressing back to the firewall in Container 101, which recognizes the port number in its mapping of port numbers to IP addresses and immediately sends it to the proper Container. Each container then has its own apache server listening on its unique port number for that container. And in this way, I could run many separate websites secure from one another.

    I have no notes on the return path. I am assuming it is supposed to simply work in the same reverse path.

    Also, this is the first time I have heard the phrase "reverse proxy" applying to what I need to do.

    So, will ISPconfig get me past setting up the networking of the containers and the firewalling I need to do in this area so that I can skip the above use of Container 101's firewall and Container 102's apache processing that I described above?

    And also, can you point me at the basic knowledge or application that I am going to need to create the firewalls with each container when I finally get that far??? I notice that ISPconfig uses Bastille Firewall....what do I need to know to use it?

    Thanks for your thoughts on plotting a course for me at my level! :)
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    LXC is still missing features that are required for hosting. But if LXC gets these features, we might support it in ISPConfig.

    ISPConfig is a hosting control panel, setting up iptables routers is not within the scope of ISPConfig. You can run other software inside containers that you created in ISPConfig that does this job.

    The Bastille firewall is a simple iptables based firewall script. It is used to open / close ports in hosting servers. It is not meant as a router.

    But why do you want to use such a complicated setup? The setup you describe might be installed by Linux professionals with many years' experience, that's nothing for beginners.
  7. whynot

    whynot New Member

    Hi Till Brehm!

    The reason I was trying to follow such a complicated way of doing this, is because I had temporarily met a linux professional who listened to what I wanted to do, and who then quickly verbally outlined how he would do it. I then later wrote down everything I remembered about what he had said, and then began attempting to do it that way....because I thought that must be the way to do it.

    I'd really appreciate a simpler, easier outline using easier to use apps, if you would care to take the time to show me the path I should follow. Right now, I can get the networking working correctly on OpenVZ using their venet. That is where I am at on squeeze.

    I just want to be able to set up independent isolated websites for myself and my friends as needed, some of which will be used to launch internet startup business ideas, each website being inside a separate container of its own, like having its own server, and in some cases, I want to be able to send secure information from one container to another as part of a process connecting with another process in another container automatically.

    How do I get from where I am, to working inside the containers installing and programming stuff?

    Thanks! :)
