Article 4Y8N9 Bind issue? DNS issue? Domain provider issue? Cannot reach Apache virtual hosts internally.

by rnturn from LinuxQuestions.org on (#4Y8N9)

I have three domains registered for the static IP we have from our ISP: 'family.org', 'hobby.org', 'hobby.com'. I'm setting up two virtual hosts for each of those domains: 'www.family.org' and 'test.family.org', etc. The 'www' sites are hosted on one server ('Prod') while the 'test' sites are on another (my desktop system). All the virtual hosts are listening on port 8080. Nginx is in the mix, too, not only as the Nginx service but as the internal DNS service. The network's firewall is routing all port 80 traffic to the Nginx system where it is forwarded to the 'Prod'/'Test' servers via port 8080. The attached drawing shows what I'm trying to configure. At the moment, external connections to the 'prod' websites are working. (Ultimately, whatever solution gets implemented needs to make sure the 'test' sites are not accessible from the Internet.)

The internal network is currently set up as 'family.net'. I have no resistance to changing that to something else, say, 'home.net' if it helps make things less ambiguous and eases debugging, maintenance, etc. There aren't that many hosts that would need to be modified and rebooted.

My aim is for users to be able to access the test sites using, for example, 'http://test/family.org' and the 'prod' sites by issuing 'http://www.family.org' without having to append ':8080'. My understanding from reading a few articles on the internet is that Apache virtual hosts should be listed in the DNS zone as CNAME entries/aliases to the host that they reside on. That sort of makes sense but that, I think, assumes that the web servers are listening on port 80. My thought was to point DNS entries to the Nginx server so that my desktop browser port 80 connections would look like they came from the internet/firewall. So... I added the CNAME records to be associated with the Nginx server (port 80 in --> port 8080 out). Well, that's not working.

Some test results using 'lynx' to try and access the sites internally:

Code:
$ lynx test.family.org --> goes to www.test.family.org.com --> then www.org.com
$ lynx test.hobby.org --> goes to www.hobby.org.com --> then www.org.com
$ lynx test.hobby.com --> goes to www.test.hobby.com.com --> then 'com.com'
$ lynx www.family.org --> goes to www.www.family.org.com
$ lynx www.hobby.org --> goes to www.www.hobby.org.com
$ lynx www.hobby.com --> goes nowhere; unable to connect to remote host.

(Man... debugging was so much easier when there weren't so many bozos intercepting bad web requests and popping up domain registration ads.) All of those look like the current DNS settings that are intended to handle these virtual hosts are badly broken.

Looking at the 'host' results... they're totally weird. From the DNS server, I can't resolve host names for anything. From the firewall, I get strange things like:
Code:
$ host www.family.org
www.family.org.family.net is an alias for ns1.family.net.
ns1.family.net has address 192.168.13.2 <-- at last, something that's correct

But I can ping 'www.family.org' and the other virtual hosts since, in the end, the IP address is correct.

From all other hosts on the internal network, 'host hostname' results cannot be obtained (NXDOMAIN). Reverse lookups work just fine. Likely a missing or misplaced '@' or '.'. At one point, trying to do lookups for the 'www' virtual hosts returned the static IP on the firewall. Commenting out the CNAME records for the virtual hosts fixes all the 'host' command problems. (Though, obviously, no lookups for the virtual hosts are possible.)

Q: Just what is the correct way to add virtual hosts to the DNS files?

One other thing I've just tried is to ensure that my desktop system has 'files dns ...' as the order in '/etc/nsswitch' and adding the virtual host names as aliases to a record for the Nginx server in /etc/hosts. I can reach all of the 'test' virtual hosts but I'm not able to reach any of the 'www' virtual hosts---if a connection is made to Apache at all, it's to the default virtual host's page. I'll double check the virtual host configuration on the 'prod' Apache server. 'nmap' reports that 8080 is listening and 'apachectl -S' shows that servers are all listening on '8080'. I'll try using 'curl' to push some requests into that Apache system to see what I get back.

Note: I'm posting this with a warning of sorts that I'll likely be unable to respond with any additional information someone might request as I'll be away from these systems for a couple of days. (There should be internet access where I'm going to be, so I can respond to questions, but posting any files from the systems won't be possible.)

Thanks in advance for any hints, suggestions, etc.
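
The 'host' result quoted in the post, where 'www.family.org' comes back as 'www.family.org.family.net', is what BIND master-file rules produce for a name written without a trailing dot inside the 'family.net' zone. The following is an added example, not part of the original post: a small Python check that expands each name the way a zone file does and flags the suspicious ones. The zone fragment, SAMPLE_ZONE and the function names are constructed assumptions; only 'ns1.family.net' and 192.168.13.2 come from the post.

```python
RR_TYPES = {"A", "AAAA", "CNAME", "NS", "MX", "PTR", "TXT"}

def expand(name, origin):
    """Master-file name rules: '@' is the origin, a trailing dot means the
    name is absolute, anything else gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def dotted_relative(name):
    """A relative name with inner dots usually means a forgotten trailing dot."""
    return name != "@" and not name.endswith(".") and "." in name

def lint_zone(text, origin):
    """Return (line_no, effective_name, warning) tuples for suspicious records."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()        # drop ';' comments
        if not fields or raw[0].isspace():
            continue          # blank line, or inherited owner (not handled here)
        if fields[0].startswith("$"):
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1]
            continue
        types = [i for i, f in enumerate(fields[1:], 1) if f.upper() in RR_TYPES]
        if not types:
            continue
        owner, rtype = fields[0], fields[types[0]].upper()
        rdata = fields[types[0] + 1:]
        full = expand(owner, origin).lower()
        if dotted_relative(owner):
            findings.append((no, full, "owner has no trailing dot"))
        elif not ("." + full).endswith("." + origin.lower()):
            findings.append((no, full, "owner is outside this zone"))
        if rtype == "CNAME" and rdata and dotted_relative(rdata[0]):
            target = expand(rdata[0], origin).lower()
            findings.append((no, target, "target has no trailing dot"))
    return findings

# Constructed zone fragment; the post does not show the real zone file.
SAMPLE_ZONE = """\
$ORIGIN family.net.
ns1              IN A     192.168.13.2
www.family.org   IN CNAME ns1
test.family.org  IN CNAME ns1.family.net
www.hobby.com.   IN CNAME ns1.family.net.
"""

if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE, "family.net."):
        print(finding)
```

The last sample record is syntactically absolute but its owner does not belong to 'family.net.', which BIND treats as out-of-zone data; names under 'family.org' need their own zone on the internal server to resolve as written.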