SOLVED Jails and apache

Oriann

Explorer
Joined
Dec 15, 2018
Messages
84
Hello

I wanna ask a maybe dumb thing, but I have already tried some tests and nothing worked as I expected.

I have 2 jails now.
Jail 1 - nextcloud
Jail 2 - syncthing

I wanna access these two services from my domain, like accessing my nextcloud from cloud.mydomain.com and syncthing like sync.mydomain.com

Do I need to install FAMP separately into jail 1 and jail 2 for this to work properly?

I have already tried to do it but I ended up with an apache error that the service is in use or the port is used. Let's Encrypt doesn't work on jail 2 either, because apache in jail 1 was already on port 80.

So is there a solution to run apache separately in every jail?
Or do I need to run 1 jail with 1 apache, and all services that I want to access from mydomain must be in that jail with apache?

I welcome every hint on how to work this out, please.
I have been working with FreeBSD for 2 weeks already, but some solutions I cannot find on Google either.

Sorry for my English :)
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
You need a reverse proxy. Apache supports this, but you can also use Nginx and HAProxy.
 

ascl

Dabbler
Joined
Jan 30, 2019
Messages
26
If you use vnet interfaces in your jails, you should be able to run multiple webservers (or any service really) listening on the same ports. This is exactly what I do in some of my jails so that I can just type foo.bah in the browser. A reverse proxy would also work, and perhaps if this is intended to be externally accessible (which it sounds like it is) that might be a better (albeit more complex, another moving part) solution.

If there are downsides to avoiding the reverse proxy approach, please let me know!
 

Oriann

So accessing 2 webservers locally is better with vnet but remotely is better with reverse proxy. So I can do it with vnet or reverse proxy if I understand you.
I have been studying reverse proxy on the Apache site but I think I don't understand it correctly.

Here is virtualhost from server 1
Code:
<VirtualHost *:80>
    DocumentRoot "/usr/local/www/wordpress"
    ServerName mydomain.cz
    <FilesMatch .php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    DirectoryIndex /index.php index.php
   
</VirtualHost>

<VirtualHost *:80>
    ServerName cloud.mydomain.cz
    ProxyPreserveHost On

    # Servers to proxy the connection, or;
    # List of application servers:
    # Usage:
    # ProxyPass / http://[IP Addr.]:[port]/
    # ProxyPassReverse / http://[IP Addr.]:[port]/
    # Example:
    <Location /nextcloud>
        order deny,allow
        deny from all
        allow from all
        ProxyPass http://cloud.mydomain.cz/
        ProxyPassReverse http://cloud.mydomain.cz/
    </Location>
</VirtualHost>


And here is virtualhost from server 2:
Code:
<VirtualHost *:80>
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName cloud.mydomain.cz
    <FilesMatch .php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>
    DirectoryIndex /index.php index.php
</VirtualHost>


Can somebody give me a hint about what I am doing wrong?
Server 2, which I am proxying with server 1, gives me an Internal Server Error with this configuration, but server 1 works.
 

ascl

If you are using a reverse proxy, you will need to set up one reverse proxy that handles requests for both domains, and forwards them appropriately. Note the diagram in the linked page above with a single reverse proxy and multiple servers behind it. I kind of think this is overkill for your purposes, but @m0nkey_ may have reasons for suggesting a reverse proxy as a better approach.
 

Oriann

So as you suggest, I need another router before my server? Because I have just one router at home and it is routing all connections in the house.
Still I cannot figure out how to properly code a reverse proxy.
On the Apache page there is something written about balancers but I think I don't need this function.
When I use the examples my cloud.mydomain.cz is still not accessible, it shows me index of / my wordpress server ??? :D
So now I have 2 domains and a reverse proxy causing that I can access just one server...
 

ascl

No, I am saying that you should have one reverse proxy that forwards things to your other services. This can (and in this scenario probably should) be on your NAS. You can either create a dedicated reverse proxy jail, or put it in one of the existing jails. But I still think this is a more complicated approach. If you make each of your jails have a unique IP via vnets, you can have both of them run apache (or whatever webserver you like), and listen on port 80.
If you want to pursue the reverse proxy approach, have a read of this: http://iws.io/multiple-web-servers-over-a-single-ip-using-apache-as-a-reverse-proxy/
It explains how to configure a reverse proxy with multiple webservers behind it... but consider each jail its own webserver, you don't need physical servers.
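
The single-proxy layout described above, as an added example that is not part of the original post: one Apache instance in a dedicated proxy jail picks the backend jail from the request's Host header. Assumptions: the backend addresses 192.168.1.5 and 192.168.1.6 are the jail IPs reported later in the thread, which application sits behind which address is a guess, and `default.invalid` is a placeholder name.

```apache
# Added example for the proxy jail's httpd.conf; not from the thread.
# Assumed backends: 192.168.1.5 and 192.168.1.6 (jail IPs reported later in
# the thread). Which app runs in which jail is an assumption; swap to match.

# mod_proxy and mod_proxy_http must be loaded (FreeBSD apache24 paths;
# these lines ship commented out in the default httpd.conf).
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so

# Reverse proxy only: never relay requests for arbitrary URLs.
ProxyRequests Off

# The first vhost is the default for any Host header that matches nothing
# below. Refuse those requests instead of silently serving one of the apps.
<VirtualHost *:80>
    ServerName default.invalid
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# mydomain.cz -> first backend jail (assumed: wordpress)
<VirtualHost *:80>
    ServerName mydomain.cz
    # Pass the original Host header so the backend's own vhost matches.
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.5/
    ProxyPassReverse / http://192.168.1.5/
</VirtualHost>

# cloud.mydomain.cz -> second backend jail (assumed: nextcloud)
<VirtualHost *:80>
    ServerName cloud.mydomain.cz
    ProxyPreserveHost On
    # The target is the backend jail's address, not the public name this
    # vhost itself answers for.
    ProxyPass        / http://192.168.1.6/
    ProxyPassReverse / http://192.168.1.6/
</VirtualHost>
```

With this layout only the proxy jail is reachable on port 80 from outside; the backend jails keep their own `<VirtualHost *:80>` blocks and are reached only through the proxy.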
 

Oriann

So all I have to do is switch on vnet in jail 1 and 2, set the default gateway to my router's IP address, and it will "just work" with classic apache virtual host settings?
 

Oriann

I have configured the jail with the vnet=0 parameter, but after I installed nextcloud and wordpress again, for example, it's not working as you said.
Still I have access to just one jail via VNET.
Did I make some misconfiguration in creating the jail? I have configured the IP address, default gateway, mask, and switched the network interface from re0 (network adapter) to vnet0; is that correct?
 

ascl

Your iocage create command should look something like:
Code:
iocage create -n "$APP" -r $RELEASE vnet=on bpf=yes defaultrouter=$GATEWAY resolver="nameserver $DNS" allow_raw_sockets=1 boot="on" ip4_addr=192.168.0.12

You need to have bpf=yes as well, and obviously you want to change the IP addresses and variables with whatever is appropriate for your network.

Are you running the latest version of FreeNAS?
 

Oriann

And what should the IPv4 interface be in this jail? It's not specified in your code.
Yes, I am running 11.2-RELEASE, so the latest.
I thought that I need to make a bridge first, but the jail will create it, am I right?
Anyway, is there a way to test that vnet is working? Because that will help me a lot with debugging.
Also, when I enable bpf then I need to configure the jail firewall... so I think that is complicating things for my needs.
 

Oriann

I have tried to install 1 jail with reverse proxy (nextcloud) but I have difficulties with nextcloud, because after I do the initial setup of database, username etc. and click done, after it loads it gives me an error that I don't have permission to view / .
So reverse proxy isn't bulletproof, I need to get vnet working for nextcloud...
 

ascl

Once you create the jail using the above iocage command, you can see a new vnet network device created by running ifconfig on the host. For example:
Code:
vnet0:4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: beets
    options=8<VLAN_MTU>
    ether aa:8a:8a:4a:fa:30
    hwaddr 02:ea:da:0a:0a:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair 
 

Oriann

Got it.
So now I can install apache in jail 1 and it won't interfere with jail 2, where there will be another apache webserver? Using port 80 in both, and not required to set up a reverse proxy to have 2 webservers running on 1 FreeNAS host.
 

Oriann

OK, I have rebuilt the jails once more with the vnet setting as you posted earlier, but after I enabled ports in my router and started the jails with apps, I am accessing just one app at a time from cloud.mydomain.cz and mydomain.cz, so this setup just doesn't work for me.
If I stop the jail with wordpress I can access cloud.mydomain.cz (as there is nextcloud), and the same the other way around when stopping nextcloud.
But if I run both jails, I cannot access the apps separately. So running both jails will redirect me from cloud.mydomain.cz and mydomain.cz to nextcloud or just wordpress, depending on which jail is started first.
I am trying to work out why it is doing this when I have separate jails with vnet, and the virtualhosts in each jail are pointing to one domain, not to both...
 

Oriann

Do both jails have unique IP addresses?
Yes, jail 1 is 192.168.1.5 and jail 2 is 192.168.1.6, both vnet0=bridge0, and default gateway 192.168.1.1. I tried to switch bpf on both but it doesn't help. I read somewhere that it is some kind of firewall but I don't need that.
 