How To: Setup Cisco EtherChannel with ESX Server

In this blog, I will go through how to set up a Port-Channel on a Cisco Catalyst 3750G switch, and how to make that port-channel (EtherChannel) work properly with ESXi Server version 5.5. In my environment it took much, much longer to get this running because I had to completely re-architect my network to function this way. But if you’re building an environment from scratch, this should be pretty easy to do.

I’ve verified that this config will also work with other Catalyst switches (2960’s, 3500’s, 3700’s, 4500’s, and 6500 series switches). This configuration will NOT work with Cisco Nexus switches, because the Cisco Nexus switches have different command line parameters than their Catalyst cousins.

So, let’s get going here.

I’m going to start by configuring a Port-Channel on my Catalyst switch.

interface Port-channel2
description Port Channel interface to DL380 Server
switchport trunk encapsulation dot1q
switchport mode trunk


After you create your port channel, you need to add switch ports to that port-channel. See below, as I add 8 ports to this port-channel.

interface GigabitEthernet4/0/11
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/12
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/14
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/15
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/21
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/22
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/23
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/24
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on
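
As an added example (not from the original post), here is a small Python check that parses a saved running-config and verifies that every member of a channel-group carries the same trunk settings as its Port-channel interface, which is what a `mode on` bundle silently depends on. The sample config is constructed from Port-channel2 and two of the members above, plus a hypothetical mis-set member, GigabitEthernet4/0/13, that is not on this page.

```python
"""Consistency check for a static Cisco EtherChannel (channel-group N mode on).

Added example, not from the original post. With 'mode on' neither side
negotiates, and a member port whose trunk settings differ from the
Port-channel interface is suspended from the bundle, so the error only
shows up as a half-working link. This script parses a saved running-config
and reports such members.
"""
import re
from collections import defaultdict

# Constructed sample: Port-channel2 and two members as configured in the
# post, plus a hypothetical member (Gi4/0/13) left in access mode.
SAMPLE_CONFIG = """\
interface Port-channel2
 description Port Channel interface to DL380 Server
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/11
 description Port-Channel group to DL-380 ESXi Server
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet4/0/12
 description Port-Channel group to DL-380 ESXi Server
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet4/0/13
 description hypothetical misconfigured member
 switchport mode access
 channel-group 2 mode on
!
"""

# Lines that must match between each member and its Port-channel interface.
CHECKED_PREFIXES = ("switchport trunk encapsulation", "switchport mode",
                    "switchport trunk allowed vlan", "switchport access vlan")

CHANNEL_GROUP = re.compile(r"^channel-group (\d+) mode (\S+)$")


def parse_interfaces(config_text):
    """Return {interface name: [stripped config lines]} from a config dump."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None          # end of the interface stanza
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def checked_settings(lines):
    """Keep only the lines whose mismatch would break the bundle."""
    return frozenset(l for l in lines if l.startswith(CHECKED_PREFIXES))


def channel_groups(interfaces):
    """Map channel-group number -> {member name: (mode, checked settings)}."""
    groups = defaultdict(dict)
    for name, lines in interfaces.items():
        for line in lines:
            m = CHANNEL_GROUP.match(line)
            if m:
                groups[int(m.group(1))][name] = (m.group(2), checked_settings(lines))
    return groups


def check_etherchannel(config_text):
    """Return a list of findings; an empty list means the bundle is consistent."""
    interfaces = parse_interfaces(config_text)
    findings = []
    for group, members in sorted(channel_groups(interfaces).items()):
        po_name = f"Port-channel{group}"
        if po_name not in interfaces:
            findings.append(f"channel-group {group} has no {po_name} interface")
            continue
        reference = checked_settings(interfaces[po_name])
        modes = {mode for mode, _ in members.values()}
        if len(modes) > 1:
            findings.append(f"{po_name}: members use mixed modes {sorted(modes)}")
        for member, (_, settings) in sorted(members.items()):
            if settings != reference:
                findings.append(f"{po_name}: {member} differs "
                                f"(missing {sorted(reference - settings)}, "
                                f"extra {sorted(settings - reference)})")
    return findings


if __name__ == "__main__":
    for finding in check_etherchannel(SAMPLE_CONFIG) or ["bundle consistent"]:
        print(finding)
```

Feed it the output of `show running-config` saved to a file and an empty result means every member matches its Port-channel; anything else names the port to fix before the ESXi side is touched.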


From here I need to mirror the same VLANs that the ESXi server will have on it. So, let’s create 5 VLANs to start. We can add more at any time.

interface Vlan1
no ip address
!
interface Vlan10
description Outside zone between pfSense and ASA
no ip address
 
interface Vlan20
description Inside network
ip address 192.168.1.2 255.255.255.0

interface Vlan30
description Front DMZ for direct connections from the Internet
no ip address

interface Vlan40
description Back DMZ -- Teired DMZ for server systems
no ip address

interface Vlan50
description Wireless network
no ip address


Now that the Cisco Catalyst switch is configured, let’s log into ESXi vSphere Client and configure the server to communicate with our switch.


I actually just bought a new quad port network adapter off of eBay just for this project. So after I installed it in my HP DL 380 G6 Server, I went in to verify that the card worked. And from this screenshot, it looks like it is working just fine.

esxi-1


Now go over to the “Networking” section. You can see I already have multiple vSwitches defined for the other 4-port network card that was already installed in the server. My plan is for all eight of my network adapters to be part of one port-channel. This maximizes throughput and bandwidth to and from the server, and provides a reliable 8-way path to my core switch. The only downside is that my core switch is now the single point of failure on the network. If you’re going to do this in your environment, I recommend keeping an identical switch and a full backup of the primary switch’s configuration so that you can swap it in if the primary fails.

esxi-2


From here, click on “Add Networking…”

esxi-3


You need to select “VMkernel” here. You’ll be using the “Virtual Machine” network type later. For now, select VMkernel, then click “Next”:

esxi-4


Select the network adapters you want to participate in the port channel, then click “Next”:

esxi-5


Since this is a Port-Channel, or Etherchannel, you want this to trunk all of your VLANs from the Cisco Catalyst switch to your ESXi server. Make it easy and name this “Port-Channel” and allow all VLANs to traverse the link, then click “Next”:

esxi-6


You’ll want to enable management on this, so give it an IP address on your Internal network. Please, for the love of all that is right and just, do NOT open up management access to the Internet or any of your DMZs!

esxi-7


Verify your settings on the “Summary” screen, then click “Finish” to continue.

esxi-8


After you create your switch, you’ll see it appear in the “Networking” screen of your vSphere client. You’ll see that I haven’t attached network cables yet, which is why all my adapters are showing as “Down” with the red “X” next to each physical adapter.

Go ahead and click on “Properties…” to continue.

esxi-9


Make sure your vSwitch is highlighted in the left column, then click, “Edit…”

esxi-10


In the vSwitch Properties window, make sure the NIC teaming load balancing policy is set to “Route based on IP Hash”, then click OK.

esxi-11


Now you can add in all your VLANs that will live on this vSwitch. So click on “Add Networking…” to continue:

esxi-3


Here is where you’re going to use the “Virtual Machine” connection type. Click Next to continue.

esxi-12


We’re going to bind this VLAN to the new switch we created. So select the vSwitch you created earlier in this process, then click “Next” to continue.

esxi-13


Here, I will create a Business-to-Business VLAN, and I’ll tag all traffic in this VLAN with VLAN ID 75. Then click “Next” to continue.

esxi-14


Verify your changes in the “Summary” screen, then click “Finish” to continue.

esxi-15


After you create all of your VLANs and add your virtual machines to each network you desire, your end result will look like this:
esxi-16



If you have any questions, please feel free to contact me at any time!



AT&T u-Verse Static IP work around with pfSense

First off, I’d like to give AT&T an honorable mention (sarcasm) for using the fucking worst, P.O.S. garbage DSL modems on the planet: 2WIRE. These things are ridiculous. You’d think that if a provider was able to route a /28 subnet to your home/business, they’d be able to properly manage that subnet through their “firewall” or whatever you want to call it. The way this normally works is by routing a network range to your device. But AT&T and 2WIRE ensure that every public static IP address you have must have a unique MAC address and must look like a different device altogether. This is asinine.

So, with the help of my business partner, we’ve come up with a solution on how to get a set of static IP addresses to work so that you can host services on AT&T u-Verse. The way we accomplished this was through the use of an open source and free operating system named, “pfSense”. I’m sure there are other systems out there that we could have used, or just done it in Linux, but pfSense is really robust and has a nice interface. So that’s what we went with.

Additionally, I’m sure not everyone and their mother have an HP DL380 running in their basement, but… welcome to the Erdmanor. I have a DL380 in my basement. So what we’ve done is virtualized a firewall. We’re running pfSense in a virtual machine on the DL 380, which is running ESXi 5.5. I know ESXi 6.0 has been out for a few months now, but to be honest, I’m just too damn lazy to upgrade my box.

Anyways, here’s how we configured the virtual firewall. In ESX, we provisioned the system with 8 network adapters, a 10GB HDD, 2GB RAM, and 1 virtual CPU. From there we gave the VM access to the three different network segments (DMZ, Internal, Outside), and created the interfaces within pfSense. Then we programmed the AT&T gateway to use the external addresses AT&T provided, making sure that the proper interfaces and MAC addresses lined up between the ESX server, the AT&T gateway and the pfSense console. Also, in the AT&T gateway, we set the system to DMZplus Mode, which you can read about in the screenshot below.

pfSense1

pfSense2

pfSense3

att-config0

att-config1

att-config2

att-config3



Now that our AT&T gateway is properly forwarding External IP traffic to the proper interfaces on our pfSense firewall, we can go through and create all the inbound NATs, firewall rules and network security that we wish to have.

If you have any further questions on how to set this up, just ask!

Thanks!






Debian Wheezy mpt-status

After recently moving our Debian servers over to ESXi 5.5, I’ve been seeing the “mpt-status” package reporting issues in the syslog. After some searching around, according to Debian.org “The mpt-status software is a query tool to access the running configuration and status of LSI SCSI HBAs. mpt-status allows you to monitor the health and status of your RAID setup.”

That’s interesting because none of our Debian servers have RAID partitions.

So naturally, I just removed the package. I haven’t had any errors with the servers, nor do I expect any.

Here’s what I did to remove the package:

sudo service mpt-statusd stop
sudo apt-get purge mpt-status

Problem solved!


Connecting FreeNAS 9.2 iSCSI to ESXi 5.5 Hypervisor and performing VM Guest Backups

In this blog we’re going to work through connecting your FreeNAS box to your ESXi server for easy backups. ESXi is a hypervisor from VMware that is arguably the best ever made. I like it the most because of many reasons, including the fact that it’s free, it’s a non-Microsoft product, and if you need additional features, the licensing is reasonably priced.

Now, I’ve already gone through and setup my whole server, so what I’ll do is just retrace my steps here and show how easy this process really is.
Let’s get started with FreeNAS. I have an old computer that I used for setting up FreeNAS. It’s an ASUS motherboard with an Intel Core 2 Quad (Q6600), 12GB of DDR2 memory, and 6x Western Digital 3TB disks. I did a basic install on the system, and I’m running the OS from a SanDisk 8GB USB thumb drive. Microcenter has them cheap, so I grabbed a bunch for redundancy.

After you have FreeNAS installed and running with a ZFS volume of your choice, that’s the point that I’ll be starting with here. My need for an iSCSI target was brought on by the need for backups. While I am running a RAID 10 on my ESX server (there are 2 striped RAID arrays mirrored, 1+0), the redundancy still wasn’t enough for my peace of mind. SAS drives can fail at any time, and since my environment is pretty high availability, I didn’t want to take a chance losing 2 drives in my ESX server and losing all my data.

So I have a dilemma: spend a lot of money on backup software, or connect my ESXi server to my FreeNAS server. Seems pretty cut and dried to me, so I’ll back up my VM guests from the ESXi server and save money at the same time.

 

 

Start off at your FreeNAS web interface. Go to the Services section and click on “Control Services”. You should see a screen like this. If you have never set up iSCSI before, you’ll need to turn on the “iSCSI” service. After you start the service, go ahead and click on the wrench icon next to the on/off switch.

 

 

In the “Target Global Configuration” section, fill out the info you need so that it pertains to your environment. The biggest item here is to make sure that the “Enable LUC” option is ENABLED. If it isn’t, your iSCSI target will never show up in ESXi.

 

 

From there, now go to the “Portals” tab. And click on “Add Portal”. If you have multiple NICs in your FreeNAS box, you may want a direct link to your FreeNAS box with an Ethernet Cable. If so, select the adapter you expect it to be on, otherwise you can leave it as “0.0.0.0”. You’ll want to keep the port number set as 3260.

 

 

Now go to the Initiators tab. Click on “Add Initiator”. You can leave it set to “ALL” for both, but I would recommend at least setting it up for the network or host that you expect to connect from.

 

 

Now go to the “Targets” tab. Make the target name and alias “esxi”, leave the serial number as-is, Target Flags should be “Read-Write”, your dropdown menus for Portal and Initiator should offer the ones you set up previously, and then click “OK”.

 

 

Now head on over to the Extents tab. Name the Extent “esxi”. What I did is create a folder on my existing ZFS volume named “iSCSI”, which is located in the “/mnt/primary/iSCSI” path. Then just type the file name that you want to use. In my path it looked like this: “/mnt/primary/iSCSI/esxi.extent”. I allocated 550GB of space because that’s approximately how much space I have on the ESXi server. Then click OK.

 

 

Now click on the “Associated Targets” tab. Click on “Add Target / Extent”. Your options should be available in the two dropdown menus. Select those and then click OK.

 

 

Looking great so far. Now log in on your ESXi server with the vSphere software. After you log in, go to the “Inventory” view, then click on the “Configuration” tab.

 

 

Click on the “Add Networking…” button. Select the option for creating a new “VMkernel” and click “Next >”

 

 

From here you can see what network adapters you can choose to assign to your new network. We’re going to use VMNIC3, which is actually Port 4 on our server. Click Next to continue.

 

 

Here is where you can assign a name to your network. I like to name things so they can be easily identified. We’re going to name ours “iscsi”. We’re not using VLANs here, so leave that as NONE, and click “Next” to continue.

 

 

Since this is a direct cable connection, we’re going to lock down the network with a subnet where there are only two hosts. We aren’t using the “10.254.254.X” network anywhere so that works too. We will make the secondary adapter in the FreeNAS box “10.254.254.1” and this can be “.2”. Notice the subnet mask ends in 252. That states that there are only 4 IPs in the network, with “.0” being the network, and “.4” as the broadcast. There doesn’t need to be a gateway, so don’t worry about changing that; it’ll never be used. Click “Next” to continue.

 

 

This is just a summary page, just click on finish.

 

 

Now you’re back in the “Configuration / Networking” section. From here you can see your newly added “iscsi” switch, and see that it is tied to “vmnic3”.

 

 

Now head on over to the “Storage Adapters” link in the left column. We’re going to reuse the Broadcom iSCSI Adapter “vmhba35”. Right click on that adapter and then click “Properties”.

 

 

You’ll see this screen come up. From there, click on the “Network Configuration” tab.

 

 

We need to bind the adapter to this iSCSI initiator so that our ESX box knows where to send iSCSI traffic. Click on the “Add…” button.

 

 

You should see the “iscsi” switch that we just created listed here. Click on that, then click “OK”.

 

 

You should now see your “iscsi” virtual switch listed in the “VMkernel Port Bindings” section. Now click on the “Dynamic Discovery” tab.

 

 

Click the “Add…” button near the bottom of the window. In the window that appears, type in the IP address of your FreeNAS server. It should be 10.254.254.1 if you set yours up exactly like mine. Otherwise, change it accordingly. Leave the port number default at 3260. Then click “OK”.

 

 

After clicking “OK” on the last window, you should see your FreeNAS box listed in the “iSCSI Server Location”. Click the “Close” button on that window.

 

 

When you click close, you’ll see a window appear that asks you to rescan the location. Click “OK” on that, and wait for the rescan process. After the rescan, you should see your storage pool show up in the Details pane, as you can see in this screenshot.

 

 

From here, all you need to do is Click on the “Storage” link in the left hand column, and then click on the “Add Storage…” link in the upper right hand corner. That will bring you to this screen. From here, just click “Next”.

 

 

After you follow the prompts you should see your new Data Store listed.

 

 

 

 

While there’s a ton of individual steps involved here, it’s not that difficult to complete this, nor does it really take that long.


Creating a Reverse Proxy with Apache2

Sometimes there is a need to host multiple websites from one server, or from one external IP address. Whatever your reason or need is, in this tutorial I’ll just go through what I did to set up an Apache server to forward requests.

In my setup here, I have a Debian Wheezy server in my DMZ, and in my tier 2 DMZ I have 5 web servers. My objective is to host all these servers from 1 IP address, and introduce some security.

I found a ton of info out there on setting up Apache as a reverse proxy, but none of it really spelled out exactly what to do and what the results would be. Some of it did, but it wasn’t what I was looking for. So I took a bunch of what I saw others doing, modified it to fit my needs, and am reporting back to you. I hope this helps.

Let’s get started.

You’ll want a base install of Debian Wheezy which you can find at www.debian.org. After you download that, just follow my guide for install if you need: Debian Minimal Install: The base for all operations

As I stated before, I have a bunch of web servers in my tier 2 DMZ, and a Debian box in my Internet facing DMZ. It is my intention that the web servers never actually communicate with the end users. I want my end users to talk to my Debian box, the Debian box to sanitize and optimize the web request, and then forward that request on to the web server. The web server will receive the request from the Debian box, process it, and send back all the necessary data to the Debian server, which will in turn reply to the end user who originally made the request.

It sounds complicated to some people, but in reality it’s pretty simple, and the reverse proxy is transparent to the end user. Most people out there don’t even realize that many sites out there utilize this type of technology.

My Debian server needs some software, so I installed these packages:

sudo apt-get install apache2 libapache2-mod-evasive libapache2-mod-auth-openid libapache2-mod-geoip
libapache2-mod-proxy-html libapache2-mod-spamhaus libapache2-mod-vhost-hash-alias libapache2-modsecurity

From here you’ll want to get into the Apache directory.

cd /etc/apache2

Let’s get going with editing the main Apache config file. These are just recommendations, so you’ll want to tweak these for what ever is best for your environment.

sudo vim apache2.conf

I modified my connections for performance reasons. The default is 100.

# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 500

Also, what security engineer out there doesn’t know that without logs you have no proof that anything is happening? We’ll cover log rotation and retention in another blog, but for now, I set my logging to “notice”. The default was “warn”.

# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel notice

Perfect. Now, you may want to tweak your server a little differently, but for now this is all we need for here.

Now let’s get into some security hardening of the server.

sudo vim /etc/apache2/conf.d/security

We do have security in mind, so let’s not divulge any information that we don’t need to. Set “ServerTokens Prod”

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
#ServerTokens OS
#ServerTokens Full
ServerTokens Prod

Now let’s set “ServerSignature Off”

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
#ServerSignature On
ServerSignature Off

And lastly, go ahead and uncomment these three lines in your config. We’ll configure “mod_headers” later.

Header set X-Content-Type-Options: "nosniff"

Header set X-XSS-Protection: "1; mode=block"

Header set X-Frame-Options: "sameorigin"

Sweet, looking good. Go ahead and save that, and we can get “mod_headers” activated. First, I’d like to point out that you can see which modules are enabled by using the “a2dismod” program. Simply enter the command, and it will ask you which modules you’d like to disable. Obviously, if you see a module in that list, it’s already enabled. Just hit “Ctrl+C” to stop the program.

To enable a module in Apache, you first need to make sure it’s installed, then you can just use the program “a2enmod”… like this:

sudo a2enmod headers

Now that we’ve enabled “mod_headers”, let’s verify we have the other necessary modules enabled as well.

steve @ reverseproxy ~ :) ᛤ>   a2enmod
Which module(s) do you want to enable (wildcards ok)?
cache
Enabling module cache.
Could not create /etc/apache2/mods-enabled/cache.load: Permission denied
steve @ reverseproxy ~ :( ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
cache
Enabling module cache.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_ajp
Considering dependency proxy for proxy_ajp:
Module proxy already enabled
Enabling module proxy_ajp.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_balancer
Considering dependency proxy for proxy_balancer:
Module proxy already enabled
Enabling module proxy_balancer.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_connect
Considering dependency proxy for proxy_connect:
Module proxy already enabled
Enabling module proxy_connect.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_ftp
Considering dependency proxy for proxy_ftp:
Module proxy already enabled
Enabling module proxy_ftp.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
proxy_http
Considering dependency proxy for proxy_http:
Module proxy already enabled
Enabling module proxy_http.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
vhost_alias
Enabling module vhost_alias.
To activate the new configuration, you need to run:
  service apache2 restart
steve @ reverseproxy ~ :) ᛤ>   sudo a2enmod
Which module(s) do you want to enable (wildcards ok)?
vhost_hash_alias
Enabling module vhost_hash_alias.
To activate the new configuration, you need to run:
  service apache2 restart

Here is a list of the Modules I just enabled:
cache proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http rewrite vhost_alias vhost_hash_alias

Now let’s just restart Apache, and keep going.

steve @ reverseproxy ~ :) ᛤ>   sudo service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .

Perfect, moving right along… Now we need to set up a new file in the “/etc/apache2/sites-available” directory. I named mine “reverseproxy”, as it’s easy to figure out what it is.

Now, to correctly setup your reverse proxy, this server should not be hosting ANY websites. This is a proxy server, not a web host. So go ahead and delete the config sym link for the default website. We don’t want to host that.

sudo rm /etc/apache2/sites-enabled/000-default

Now we can edit our “reverseproxy” file.

sudo vim /etc/apache2/sites-available/reverseproxy

#enter this code into your file

<VirtualHost *:80>
  ServerName yoursite.info
  ServerAlias www.yoursite.info yoursite.info
  ServerAdmin info@yoursite.info
  ProxyPreserveHost On
  ProxyPass / http://www.yoursite.info/
  ProxyPassReverse / http://www.yoursite.info/
  <Proxy *>
        Order allow,deny
        Allow from all
  </Proxy>
  ErrorLog /var/log/apache2/yoursite.info.log
  CustomLog /var/log/apache2/yoursite.info.log combined
</VirtualHost>



<VirtualHost *:80>
  ServerName anothersite.com
  ServerAlias anothersite.com www.anothersite.com
  ServerAdmin info@anothersite.com
  ProxyPreserveHost On
  ProxyPass / http://www.anothersite.com/
  ProxyPassReverse / http://www.anothersite.com/
  <Proxy *>
        Order allow,deny
        Allow from all
  </Proxy>
  ErrorLog /var/log/apache2/anothersite.com.log
  CustomLog /var/log/apache2/anothersite.com.log combined
</VirtualHost>




<VirtualHost *:80>
  ServerName thirdsite.cc
  ServerAlias thirdsite.cc www.thirdsite.cc
  ServerAdmin info@thirdsite.cc
  ProxyPreserveHost On
  ProxyPass / http://www.thirdsite.cc/
  ProxyPassReverse / http://www.thirdsite.cc/
  <Proxy *>
        Order allow,deny
        Allow from all
  </Proxy>
  ErrorLog /var/log/apache2/thirdsite.cc.log
  CustomLog /var/log/apache2/thirdsite.cc.log combined
</VirtualHost>

Awesome, now save that file and we can get it enabled. Just like setting up new modules, we’re going to sym-link our new file to the “sites-enabled” folder.

sudo ln -s /etc/apache2/sites-available/reverseproxy /etc/apache2/sites-enabled

Now we can just reload the Apache server (no restart required) so that it picks up the new settings.

sudo service apache2 reload

Now we need to edit the /etc/hosts file so that our reverse proxy server knows where to push each site’s traffic on our DMZ. So let’s do that:

127.0.0.1       localhost
127.0.1.1       reverseproxy.internal.dmz  reverseproxy
192.168.0.26   www.thirdsite.cc
192.168.0.26   thirdsite.cc
192.168.0.26   www.anothersite.com
192.168.0.26   anothersite.com
192.168.0.65   www.yoursite.info
192.168.0.65   yoursite.info

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Sweet, all done!
Now you can test from a computer that all your sites are working. They *should* be! 🙂
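As an added example (not part of the original post or of Apache itself), here is a Python audit that checks, for each name in the reverseproxy file, whether the hardening from conf.d/security actually reaches the client: ServerTokens Prod, ServerSignature Off and the three Header lines. The sample response is constructed; audit_live() runs the same check against a real proxy address you supply.

```python
"""Audit the response hardening configured in conf.d/security.

Added example, not part of the original post or of Apache itself. It checks
what a client actually receives through the proxy, whichever side produced
it: ServerTokens Prod (Server header reduced to "Apache"), ServerSignature
Off (no version footer on pages Apache generates itself, such as error
documents) and the three mod_headers lines. audit_live() repeats the check
against a running proxy, one request per VirtualHost name.
"""
import http.client

# Expected values of the three Header lines uncommented in the security file.
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "sameorigin",
}

# Constructed sample: a proxied page from a host where ServerTokens was left
# at the default and "a2enmod headers" was never run, so only one header
# (set by the backend itself) made it through.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, {lowercased name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(headers, body):
    """Return the hardening items NOT satisfied; an empty list means all good."""
    problems = []
    server = headers.get("server", "")
    # ServerTokens Prod leaves exactly "Apache"; anything longer leaks version or OS.
    if server != "Apache":
        problems.append(f"ServerTokens: Server header is {server!r}, expected 'Apache'")
    # ServerSignature On appends an <address> footer with the version to
    # server-generated pages; a proxied page normally has none either way.
    if "<address>Apache/" in body:
        problems.append("ServerSignature: version footer present in page body")
    for name, expected in EXPECTED_HEADERS.items():
        actual = headers.get(name)
        if actual is None:
            problems.append(f"{name}: header missing (is mod_headers enabled?)")
        elif actual.lower() != expected:
            problems.append(f"{name}: got {actual!r}, expected {expected!r}")
    return problems


def audit_live(proxy_ip, vhost_names, path="/"):
    """Query a running proxy once per vhost name and return {name: problems}.

    proxy_ip is the reverse proxy's address; the Host header selects the
    name-based VirtualHost, exactly as a browser would.
    """
    results = {}
    for name in vhost_names:
        conn = http.client.HTTPConnection(proxy_ip, 80, timeout=5)
        conn.request("GET", path, headers={"Host": name})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read().decode("latin-1", errors="replace")
        conn.close()
        results[name] = audit(headers, body)
    return results


if __name__ == "__main__":
    status, hdrs, page = parse_response(SAMPLE_RESPONSE)
    for problem in audit(hdrs, page) or ["all hardening items present"]:
        print(problem)
```

Calling audit_live with the proxy’s DMZ address and the names from the reverseproxy file (yoursite.info, anothersite.com, thirdsite.cc and their www aliases) covers every VirtualHost in one run.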

I’ll work on a blog eventually to show how to enable mod_security with this setup so that we can sanitize user interaction with our site. Our visitors are probably good people, but attackers and skiddies are always out there trying to damage stuff.

Thanks for reading!!

