Name based virtual hosting on non-routable IPs

anfieldroad asked:

Vague title I know but I wasn’t sure how to summarise what I am trying to achieve.

Basically, I have an internet router port forwarding external port TCP 443 to the same port on an internal-IP-addressed Linux reverse proxy running Apache 2.2.

This reverse proxy is then forwarding connections on to the actual hosts of the web content.

Previously the server doing the reverse proxying was the internet gateway, and this worked as it had the public IP address that the CNAME resolved to for the name based vhosting.

However, now that this server has an internal IP address, this is broken.

How can I achieve this, or is there a better way if I want to use CNAMEs for name-based vhosting?

What I had tried and failed at was to use rewrite to rewrite the address to the internal hostname but since that changes the address for the client of course they can’t hit it.

# Public-facing vhost, addressed by hostname rather than IP/wildcard.
<VirtualHost blah.somedomain.net:443>
    ServerName blah.somedomain.net

    # Attempt to hand the request over to the internal proxy vhost below.
    # Because the substitution is an absolute URL on another host, Apache
    # turns this into an external redirect, so the client is sent to the
    # internal name.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^blah\.somedomain\.net$
    RewriteRule (.*) https://blah-proxy.somedomain.int
    <Location />
        Order deny,allow
        Allow from all
    </Location>
</VirtualHost>

# Internal vhost that actually terminates TLS and proxies to the backend.
<VirtualHost blah-proxy.somedomain.int:443>
    ServerName blah-proxy.somedomain.int
    ProxyPass / http://blah.somedomain.int/
    ProxyPassReverse / http://blah.somedomain.int/

    <Location />
        ProxyPassReverse /
        Order deny,allow
        Allow from all
    </Location>
    SSLEngine On
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/blah.somedomain.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/blah.somedomain.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/blah.somedomain.net/chain.pem
</VirtualHost>

Any suggestions?

Cheers

Andy

My answer:

Your virtual hosts never match because you used names in them, even though this is documented as not recommended. Your current setup is one reason why.

Because you used a name, Apache must look up the name to find the IP address to listen on, for connections that match that virtual host. Since that machine no longer has a global IP address, the IP address from DNS will never match.

You should instead match on any address. There’s occasionally a good reason to specify an IP address in <VirtualHost>, but there’s virtually never a good reason to use a name. In this case there’s no real reason to use either.

<VirtualHost *:443>

View the full question and any other answers on Server Fault.
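As an added example (not part of the question or the answer above), here is how the same site can be served once the virtual host matches on any local address instead of a hostname. It reuses the hostnames, backend URL and certificate paths from the question as placeholders; the second site (other.somedomain.net) and its certificate paths are assumed, added only to show that several names can share one port on a single internal IP.

```apache
# Added example, not the original poster's configuration.
# Apache 2.2 needs NameVirtualHost before name-based vhosts can share an
# address:port pair; Apache 2.4 ignores the directive with a warning.
Listen 443
NameVirtualHost *:443

# Match on every address this host has, public or private. Apache then
# selects the vhost by the name the client sent (SNI for TLS, then the
# Host header), so the DNS answer for the public name is irrelevant.
<VirtualHost *:443>
    ServerName blah.somedomain.net

    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile      /etc/letsencrypt/live/blah.somedomain.net/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/blah.somedomain.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/blah.somedomain.net/chain.pem

    # Reverse proxy only; never act as a forward (open) proxy.
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Pass the public hostname through to the backend so that any absolute
    # URLs or vhost selection on the backend use the name the client typed.
    # Set to Off if the backend expects to be addressed by its internal name.
    ProxyPreserveHost On

    ProxyPass        / http://blah.somedomain.int/
    ProxyPassReverse / http://blah.somedomain.int/
</VirtualHost>

# A second site on the same port and address (assumed, for illustration).
<VirtualHost *:443>
    ServerName other.somedomain.net

    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile      /etc/letsencrypt/live/other.somedomain.net/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/other.somedomain.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/other.somedomain.net/chain.pem

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://other.somedomain.int/
    ProxyPassReverse / http://other.somedomain.int/
</VirtualHost>
```

To confirm the mapping before restarting, `apachectl -S` (equivalent to `httpd -t -D DUMP_VHOSTS`) prints which ServerName is attached to `*:443` and flags overlapping or unmatched vhosts. Because both sites sit behind one TLS port, clients must send SNI for the right certificate to be presented; `openssl s_client -servername blah.somedomain.net -connect 192.0.2.10:443` (192.0.2.10 being a placeholder for the proxy's internal address) shows which certificate a given name receives. Access rules in the example use the `Order`/`Allow` syntax the question's Apache 2.2 configuration already uses; on 2.4 they become `Require all granted`.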

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.