jails General question for using a jail

HL1234

Active Member

Reaction score: 11
Messages: 157

I'm new to jails, but would like to try them. I have read different solutions, but cannot find an answer to my questions. Maybe jails are not working for me because of my configuration settings. One of the questions is:
I run an internet server and have only one real Internet IP from the provider.
I use Apache IP-based with this "Internet-IP" for https and name-based for some of my own domain names (http://www.<domain>.<tld>).
When putting the webserver into the jail, I have been told that the jail should get its own IP from a private IP address range (192.168. / 10.0.0 / 172.16 etc.).

But the domains are registered with the Internet-IP, like for the A record:
"Internet-IP" www.<domain1>.<tld>
"Internet-IP" www.<domain2>.<tld>
"Internet-IP" www.<domain3>.<tld2>

How can the webserver get the name-based http request to the "Internet-IP" when it runs on the private IP, i.e. 192.168.0.16, in a jail?

And more: for the https request the webserver has to Listen on the real "Internet-IP", which is not available in the jail with a private IP.
Can this be solved, or is that configuration not possible for a jail?

(I know that if I got my own "Internet-IP-2" for the webserver, then there would be no problem doing it, but I can't get a second one. I read some about NAT but don't understand how the Internet-IP is put through to the jail with its private IP, and how the webserver with its private IP can answer the https request with the Internet-IP. As firewall I use ipfw, not pf. This could also be the same problem with sendmail SMTP and bind as a real name server.)
 

cmoerz

Member

Reaction score: 15
Messages: 44

You will need a firewall that does some NATing for your webserver - both ways: outbound and reverse. There are multiple tutorials for setting this up. If you have never done this before, you may want to check out the usual suspects that help manage these kinds of setups: i.e. sysutils/ezjail or sysutils/iocage.

There are also at least two different firewall options: pf and ipfw, which you can choose from for setting up your Network Address Translation (NAT). This will then allow the outside world to talk to your jails.

If you have multiple jails with multiple web servers, you'll need a reverse proxy. I'd recommend using www/nginx for that, though there's likely a bunch of other options here as well.

One such tutorial that I found with a quick lookup here on the forum:

Hope this hints you in the right direction.
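The "NAT both ways" with ipfw mentioned above, as an added example that is not from the thread or from any of the posters: the host masquerades the jail behind the single public IP and redirects inbound ports 80 and 443 to the jail. Assumed values: external interface em0, the public IP 95.23.136.12 used later in this thread, jail IP 192.168.0.16 on a cloned lo1 interface.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw in-kernel NAT on the host that
# masquerades a jail behind the single public IP and redirects inbound
# 80/443 to the jail. Assumed values: external interface em0, public IP
# 95.23.136.12, jail IP 192.168.0.16 on cloned interface lo1.
EXT_IF="${EXT_IF:-em0}"
PUB_IP="${PUB_IP:-95.23.136.12}"
JAIL_IP="${JAIL_IP:-192.168.0.16}"
JAIL_IF="${JAIL_IF:-lo1}"

# NAT instance: outbound packets from private source addresses leave with
# PUB_IP as source; inbound TCP 80/443 to PUB_IP is rewritten to the jail.
nat_config() {
    printf 'nat 1 config ip %s same_ports unreg_only' "$PUB_IP"
    for p in 80 443; do
        printf ' redirect_port tcp %s:%s %s' "$JAIL_IP" "$p" "$p"
    done
    printf '\n'
}

# Filter rules, one per line, in load order. Translation happens at rule
# 200 in both directions; with one_pass=0 the packet then continues down
# the list, so rule 300 already sees the jail address as destination.
ruleset() {
    echo "add 100 allow ip from any to any via lo0"
    echo "add 150 allow ip from any to any via $JAIL_IF"
    echo "add 200 nat 1 ip from any to any via $EXT_IF"
    echo "add 300 allow tcp from any to $JAIL_IP 80,443 in via $EXT_IF"
    echo "add 400 allow tcp from any to any established"
    echo "add 500 allow ip from any to any out via $EXT_IF"
    echo "add 65000 deny ip from any to any"
}

# Load everything into the kernel; needs the ipfw_nat module.
apply() {
    kldload -n ipfw_nat
    sysctl net.inet.ip.fw.one_pass=0
    ipfw -q flush
    ipfw -q $(nat_config)
    ruleset | ipfw -q /dev/stdin
}

case "${1-}" in
    apply) apply ;;
    *) nat_config; ruleset ;;   # preview only; run "sh nat.sh apply" as root
esac
```

Inside the jail, Apache then listens on 192.168.0.16:80 and 192.168.0.16:443; the public address never appears in the jail's configuration.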
 
OP
HL1234

HL1234

Active Member

Reaction score: 11
Messages: 157

There are multiple tutorials for setting this up.
Yes, I've read some, also with the NAT example. But I do not understand how this can work for port 443, https, mod_ssl, when Apache needs the Internet-IP for resolving the request and I do Network Address Translation to another IP in a jail?
In httpd-ssl.conf it is defined:
Code:
Listen 95.23.136.12:443
Listen [2a05:aed0:1:1:4ad1:37ee:aea3:782c]:443
For creating the certificates (among others for httpd-ssl.conf) I have to give the hostname in an openssl command. The hostname is associated via DNS servers on the internet with the Internet-IP, not the IP from the jail (maybe 10.0.0.1). Because of that I do not understand how this can work over Network Address Translation.

(Sure, a name-based webserver on port 80 will work over NAT, because Apache will, because of the domain name, decide what dir/file.html to respond with; for https it does so with the IP. Remark: that is also the point that you cannot have more than one https web server with the same Internet-IP.)
 

cmoerz

Member

Reaction score: 15
Messages: 44

I'm not 100% sure if I completely get your question. Port 443 reverse NAT works the same as port 80. HTTPS is simply encrypted.

If you implement a reverse proxy on your host, you can have multiple different HTTP (or HTTPS)-based file servers in your jails (on different, internal IPs). The host then basically "translates" incoming requests to your internal web servers. The reverse proxy holds all certificates and uses a technique called SNI to route requests to the right server.
See https://en.wikipedia.org/wiki/Server_Name_Indication for more details on SNI.

It appears to me that you probably want to operate different applications in different jails? Then you're probably better off with a reverse proxy like www/nginx because, as you kind of pointed out yourself, HTTPS cannot be "split" by the firewall because it operates on a different OSI layer (see https://en.wikipedia.org/wiki/OSI_model).

Something like this might do the trick:
Code:
                         --- jail 2: webmin
                       /
HOST (nginx) --------------- jail 1: apache
                       \
                         --- jail 3: ruby

In another thread, SirDice recommended using www/haproxy. Have not used that yet, but might also be worth trying out.
See https://forums.freebsd.org/threads/nginx-on-several-jails-or-on-host.77816/#post-485300
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,563
Messages: 37,878

HTTPS cannot be "split" by the firewall because it operates on a different OSI layer
You can't "split" HTTP either for the same reason.

NAT/redirections allow you to redirect an external port only once. So this will work for one website only (regardless if it's HTTP or HTTPS). If you want to have multiple websites on that single external IP and port combination you're going to need to use a different technique to accomplish that. This is what a reverse proxy can do for you. You can set up a reverse proxy so it'll 'forward' the traffic to a different host based on the HTTP Host: header as this determines which website you're actually trying to access. A reverse proxy works at layer 7, so it can base its policy on the same level as a webserver. A firewall will only work up to layer 3/4 (IP/TCP/UDP level).

My preferred reverse proxy is net/haproxy but you could set up a reverse proxy with www/nginx or www/apache24 too.
 

facedebouc

Member

Reaction score: 7
Messages: 46

I am using a VPS with only one public IP and my websites are served by Apache + vhosts in a jail behind NAT.
All is working flawlessly.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,563
Messages: 37,878

I am using a VPS with only one public IP and my websites are served by Apache + vhosts in a jail behind NAT.
All is working flawlessly.
Yes, but all those websites run on the same Apache instance in that same jail. Things get a bit more complicated if you have multiple sites on different Apache (or nginx) instances running in different jails.
 

facedebouc

Member

Reaction score: 7
Messages: 46

Yes, but all those websites run on the same Apache instance in that same jail. Things get a bit more complicated if you have multiple sites on different Apache (or nginx) instances running in different jails.
The question is: does OP need more than one Apache jail?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,563
Messages: 37,878

Rereading the original question, probably not. Got a little side-tracked by the various other responses.
 
OP
HL1234

HL1234

Active Member

Reaction score: 11
Messages: 157

The question is: does OP need more than one Apache jail?
No, only one. The question here is whether https behind NAT is working in a jail with a private IP, when I have only one Internet-IP for the host and configure that Internet-IP with the https domain name in mod_ssl.conf.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,563
Messages: 37,878

The Question here is about, is https behind NAT working, in a jail with a private IP
Yes. The SSL certificate isn't bound to the IP address but to the website's hostname. The actual IP address of the webserver is irrelevant.
 
OP
HL1234

HL1234

Active Member

Reaction score: 11
Messages: 157

I found this description:
As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer. But the name of the host being requested is contained only in the HTTP request headers, which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated. This means that the correct certificate cannot be selected, and clients will receive certificate mismatch warnings and be vulnerable to man-in-the-middle attacks.
and my note
SSL: Name-based virtual hosting cannot be used w
because of the nature of the SSL protocol.
I.e.: my www.domain.tld is bound to 40.112.72.205 (Internet-IP)
Some browser requests https://www.domain.tld -> the DNS gives the address 40.112.72.205 -> that goes to my server with 40.112.72.205:443 -> the NAT in the firewall sends that to the address 192.16.1.1:443 -> this private IP belongs to a jail, inside of which is an Apache webserver -> the Apache webserver is configured to Listen on 192.16.1.1:443. The SSL module is configured for www.domain.tld. But www.domain.tld is bound to 40.112.72.205, not 192.16.1.1.
And above it is written "Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer." The name of the host / my server is also bound to 40.112.72.205, not 192.16.1.1.
I'm confused about how that can work.
Maybe for this I cannot use jails.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,563
Messages: 37,878

But www.domain.tld is bound to 40.112.72.205
This is only relevant for clients that visit your website. It makes sure that if they type www.domain.tld they'll connect to the correct IP address. That's all.

And above is written "Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer."
In your vhost configuration you have a ServerName and maybe a ServerAlias. It only looks at that. The actual IP address of the host that runs Apache is irrelevant.
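The point made in the two replies above (the certificate is bound to the hostname, not to any IP address) can be checked directly with openssl. This is an added example, not from the thread or any poster: it builds a constructed self-signed certificate for the placeholder name www.domain.tld and asks openssl which names and addresses it is valid for. It assumes openssl 1.1.1 or newer for the -addext option.

```shell
#!/bin/sh
# Added example, not from the thread: a certificate is matched against the
# hostname the client asked for (SNI / the vhost ServerName), never against
# the address Apache listens on. The certificate below is a constructed
# self-signed one for the thread's placeholder name; needs openssl >= 1.1.1.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="www.domain.tld"
CERT="$WORK/cert.pem"

# Constructed certificate: CN and SAN carry only the hostname, exactly as a
# CA-issued web certificate would.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$CERT" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1

# Exit status 0 when the certificate is valid for the given hostname.
cert_matches_host() {
    openssl x509 -in "$CERT" -noout -checkhost "$1" | grep -q 'does match'
}

# Exit status 0 when the certificate is valid for the given IP address; it
# never is here, neither for the public 40.112.72.205 nor the jail's 192.16.1.1,
# and Apache does not care: it selects the certificate by name.
cert_matches_ip() {
    openssl x509 -in "$CERT" -noout -checkip "$1" | grep -q 'does match'
}

# The hostname matches regardless of which IP Apache's Listen uses.
cert_matches_host "$HOST" && echo "$HOST: certificate matches"
cert_matches_ip 40.112.72.205 || echo "40.112.72.205: no match (as expected)"
cert_matches_ip 192.16.1.1 || echo "192.16.1.1: no match (as expected)"
```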
 
OP
HL1234

HL1234

Active Member

Reaction score: 11
Messages: 157

Thank you for your advice. I will give it a try. But first I encountered other problems with setting up version 13.
 