Koozali.org: home of the SME Server

Redirect external web request to internal server behind SME firewall and iBay se

tolistim

Hi Folks,


Rather than open my SME server up to a new Web Team, we would like to create an internal server (running Apache on CentOS 7) and then redirect an iBay to that internal server.  For example:


http://support.foo.com is resolved as belonging to our SME server's iBay, but the actual requests are made to and handled by an internal server at 192.168.1.55.


Does anyone have a HOWTO on configuring the support iBay entry to talk to the internal server instead?


Jean-Philippe Pialasse

What you want is to proxy pass.


And there is a wiki page for all the possibilities on SME https://wiki.contribs.org/SME_Server:Documentation:ProxyPass

tolistim

> What you want is to proxy pass.
>
> And there is a wiki page for all the possibilities on SME https://wiki.contribs.org/SME_Server:Documentation:ProxyPass

Thanks for that pointer, Jean-Philippe, it's not knowing what to search for that got in my way :).

tolistim

After reading through that, I'm curious about how that would be applied to handle the top level site instead of a sub-page.
For example, I have foo.org registered and I have an iBay set for support.foo.org.  How would I set up the db entries so that anyone coming to support.foo.com gets forwarded to the internal system?

ReetP

In simple terms, cheat.

There are other threads on this in the forums. I answered one only recently.

Basically create a new domain called

support.foo.org

Point to ibay

Remove unnecessary hosts

Do your proxy thing.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

tolistim

> In simple terms, cheat.
>
> There are other threads on this in the forums. I answered one only recently.
>
> Basically create a new domain called
>
> support.foo.org
>
> Point to ibay
>
> Remove unnecessary hosts
>
> Do your proxy thing.

I'd actually tried just that last night and I end up with "You don't have permission to access / on this server"

And now, when I go to the server-manager and click iBays, I get a bad table:

EDIT - I don't know why the image isn't showing.  Here's the link:
http://images.tolisgroup.com/KoozaliiBay-1.png


My changes after creating the iBay were to copy the basic accounts settings in that wiki page.  Here's what the db shows for support:

# db accounts show support
support=ProxyPass
    Description=ProxyToInternalServer
    HTTP=on
    HTTPS=on
    Target=http://10.0.0.3

The commands that I performed were:

[root@mail ~]# db accounts set support ProxyPass
[root@mail ~]# db accounts setprop support Target http://10.0.0.3
[root@mail ~]# db accounts setprop support Description ProxyToInternalServer
[root@mail ~]# db accounts setprop support HTTP on
[root@mail ~]# db accounts setprop support HTTPS on
[root@mail ~]# expand-template /etc/httpd/conf/httpd.conf
[root@mail ~]# sv t httpd-e-smith


What should I be looking into at this point?
« Last Edit: July 08, 2018, 09:03:46 PM by tolistim »

ReetP

I think you are getting confused with the plethora of options on that page and I'm not sure how many are relevant to v9.

You really need to be able to read and check httpd.conf and template files for this.

I can't do anything tonight but I'll make a few notes tomorrow on how I do it with rocketchat.

Also look at

https://wiki.contribs.org/Webapps-common

ReetP

OK, ultimately the file that dictates what goes where is:

/etc/httpd/conf/httpd.conf

The templates that generate that are in

/etc/e-smith/templates/etc/httpd/conf/httpd.conf

If you are going to mess with ANYTHING in there, copy the fragments to the templates-custom directory and play from there.

I had a quick look through the templates for Proxy stuff (I am no guru on this). These seem to be the two relevant fragments and show the keys that can be set.

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35ProxyPass

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/ProxyPassVirtualHosts/ProxyPassContent

Check the httpd.conf file for the proxy lines. Are they there? Are they what you expect to see? Are there any errors in the logs when you expand the file?

For rocketchat I create a separate virtual host with its own templates and domain. It's a bit of a cheat but means you can point directly to say foobar.domain.com instead of domain.com/foobar

Here's the dummy domain:

chat.mydomain.com=domain
    Content=Primary
    Description=Chat Server
    Nameservers=localhost
    ProxyPassTarget=http://127.0.0.1:3000/
    TemplatePath=ProxyPassVirtualRocketchat
    letsencryptSSLcert=enabled

I then have a directory called

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/ProxyPassVirtualRocketchat

In there I have a set of templates to generate the config for httpd.conf - you can use some of the existing templates to help you here.

Note the Proxypass target can be anywhere. Just so happens here it points to a docker instance on the same host.

Hope that helps.

tolistim

> I think you are getting confused with the plethora of options on that page and I'm not sure how many are relevant to v9.
>
> You really need to be able to read and check httpd.conf and template files for this.
>
> I can't do anything tonight but I'll make a few notes tomorrow on how I do it with rocketchat.
>
> Also look at
>
> https://wiki.contribs.org/Webapps-common

I was just following what was in that linked page.
I'll dig into the other stuff this morning, thanks.

ReetP

Yeah there are a lot of methods :-)

From what I saw in the templates, your settings 'should' work.

Check if there are any errors on template expansion in /var/log/messages and httpd/error_log and then take a look at what ends up in httpd.conf.

You can paste it here if you can find it.

michelandre

Hi tolistim,

If you need only http://support.foo.com and not also https://support.foo.com

At the registrar of foo.com, make sure you add a CNAME support pointing to @.

On main server:

Code:
db domains set support.foo.com domain
db domains setprop support.foo.com Nameservers internet
db domains setprop support.foo.com ProxyPassTarget http://192.168.1.55/
db domains setprop support.foo.com TemplatePath ProxyPassVirtualHosts
signal-event domain-create support.foo.com

Code:
# mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
# cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives  \
                    /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts

Add the lines between ##### to /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/25SSLDirectives

Code:
#####
if ( $port eq "80" && $virtualHost eq "support.foo.com")
   {
       $OUT .= "    \n";
       $OUT .= "    # For redirection to support.foo.com.\n";
       $OUT .= "    Redirect / http://support.foo.com/\n";
   }
#####
{
    return "    # skipping SSL directives\n" unless $port eq "443";

    return "" unless $modSSL{'status'} eq 'enabled';

    $OUT =  <<SSL_END;
    # SSL Directives
    SSLEngine on
SSL_END
}

Expand template and restart httpd-e-smith
Code:
# expand-template /etc/httpd/conf/httpd.conf

# /etc/rc.d/init.d/httpd-e-smith restart

Hoping it will help,

Michel-André
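
The check suggested earlier in the thread (look at what actually ends up in httpd.conf after the template is expanded) can be scripted. The following is an added example, not code from any poster or from SME Server: the function names and the sample config are constructed, and it assumes the generated file uses ordinary Apache `<VirtualHost>` blocks. It also reports an active `ProxyRequests On`, which a reverse proxy does not need and which would make the host a forward proxy.

```shell
#!/bin/sh
# proxy_targets CONF HOST: print "port directive path target" for every
# ProxyPass/ProxyPassReverse inside <VirtualHost> blocks that name HOST.
proxy_targets() {
    awk -v host="$2" '
        $1 ~ /^#/ { next }                        # ignore commented-out lines
        tolower($1) == "<virtualhost" {           # e.g. <VirtualHost 0.0.0.0:80>
            invh = 1; hit = 0; n = 0
            port = $2; sub(/.*:/, "", port); sub(/>.*/, "", port); next
        }
        tolower($1) == "</virtualhost>" {         # report only matching blocks
            if (hit) for (i = 1; i <= n; i++) print port, buf[i]
            invh = 0; next
        }
        invh && tolower($1) ~ /^server(name|alias)$/ {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(host)) hit = 1
        }
        invh && tolower($1) ~ /^proxypass(reverse)?$/ { buf[++n] = $1 " " $2 " " $3 }
    ' "$1"
}

# forward_proxy_enabled CONF: exit status 0 if an active "ProxyRequests On"
# line exists. ProxyPass (reverse proxying) works with ProxyRequests Off.
forward_proxy_enabled() {
    awk 'tolower($1) == "proxyrequests" && tolower($2) == "on" { f = 1 }
         END { exit !f }' "$1"
}

# write_sample PATH: constructed httpd.conf excerpt (not real SME output).
write_sample() {
    cat > "$1" <<'EOF'
ProxyRequests Off
<VirtualHost 0.0.0.0:80>
    ServerName www.foo.com
    DocumentRoot /srv/placeholder
</VirtualHost>
<VirtualHost 0.0.0.0:80>
    ServerName support.foo.com
    # ProxyPass / http://10.0.0.3/
    ProxyPass / http://192.168.1.55/
    ProxyPassReverse / http://192.168.1.55/
</VirtualHost>
EOF
}
```

On the server, after `expand-template /etc/httpd/conf/httpd.conf`, run `proxy_targets /etc/httpd/conf/httpd.conf support.foo.com`; empty output means no proxy directive was generated for that virtual host.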