More than 1 webserver behind DD-WRT

fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Wed Mar 24, 2010 8:35
redhat27 wrote:
Since I would be doing this only over port 80 (not 443) I would not need write_cert() and write_https_listener()... Right?

And I would need to forward 80 to 8443?

This is because of 443 -> 22 has to be present for tunneling (see attached picture):

My work environment just allows connection over very few ports: 20-21, 80 and 443


Yes, you don't need those 2 functions.
And you need to redirect 80 to the internal port you've chosen (personally, I took 8443 because it's 8000 + 443; for 80, the standard is 8080).

bye

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858)
redhat27
DD-WRT Novice


Joined: 20 Jan 2010
Posts: 41

Posted: Fri Apr 02, 2010 23:09
Okay, I have pound up and running (5 instances show in ps)
Unfortunately I did not do something right...

When I try
<server1>.us.to
<server2>.us.to
<server3>.us.to
all requests are served by the DD-WRT httpd (control panel page) as was the behavior before running pound. I tried killing httpd on the dd-wrt, but then I get a 404 error.

Here is my setup:

Primary router:
Netgear WNR854T (stock firmware) static IP 192.168.1.1
DHCP server 192.168.1.100 to 192.168.1.150
Port forwards 80 to 192.168.1.2 (WTR54Gv1.1)
Port forwards 443 to 192.168.1.2 (WTR54Gv1.1)

DD-WRT router:
Linksys WTR54Gv1.1 (mega build 13525) static IP 192.168.1.2
Configured as access point
DHCP off
dnsmasq (tried both enable and disable)
local dns (tried both enable and disable)
Uses 443 for sshd (tunnelling works fine)
Port forwards 80 to 8080 (see attached)

Have free dns account (freedns.afraid.org) as us.to
with subdomain setup as:
<server1>.us.to
<server2>.us.to
<server3>.us.to

Also tried with no-ip.org

A little confused: Do I need wildcard subdomains or a limited number of subdomains (like from freedns.afraid.org will work)?
I used DNS Host (Type 'A') (is that correct?)
other options [DNS alias (CNAME)] [Port 80 redirect] [Web redirect]



[Attachment: startup.JPG. Description: Startup scripts, the ones supplied by fseka]

[Attachment: portfwd.JPG. Description: Port forward setup]

PaqAttack
DD-WRT Novice


Joined: 14 Aug 2009
Posts: 11

Posted: Fri Apr 30, 2010 19:20
Hi,
Could someone explain how to configure the parameter HeadRequire? I want to access my home server (the host 'testhosts') by mydyndns/testhosts
How can I do this?

With the pound service in 'Optware Right Way', I have this in my conf file:
Code:
ListenHTTP
        Address 0.0.0.0
        Port 8080

        Service "testhosts"
                HeadRequire "^Host:[\t ]*testhosts$"
                Backend
                        Address 192.168.1.10
                        Port 80
                end
        end

        Service "Default"
                BackEnd
                        Address 192.168.1.254
                        Port 80
                End
        End
End

Thank you in advance
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Sat May 01, 2010 7:41
Pound is an agent which decides to which server the http-traffic should go. Every http-client from the outside sends a header which is intended for your http-server.
This client is not talking to your server but to pound. Pound will look into the header to see what the client would like to see.

You can use "regular expression" to look into these headers and if the header corresponds with this regular expression it will send that data to the appropriate server.

The requests of a http-client will be split into separate headers. The "Host:" header is the most often used as it tells pound which host (domain) the client would like to see. It's everything between "http://" and the next slash. This specific header is mandatory in HTTP 1.1 but optional in HTTP 1.0. (You really don't want to accept requests for clients without a "Host:" header so you can get rid of them immediately at the proxy).

A "wget http://wd.mirmana.com/prep_optware" will result in (among other things):

Code:
GET /prep_optware HTTP/1.1
Host: wd.mirmana.com
User-Agent: Wget


A part of my pound-config looks like this:
Code:
        Service "WD"
                HeadRequire "^Host:[\t ].*wd\.mirmana\.com$"
                HeadRequire "Wget"
                BackEnd
                        Address 192.168.10.210
                        Port 80
                End
        End


This means all requests to the domain wd.mirmana.com will be handled by my Worldbook which is running virtual-hosting as well. It also needs a header Wget. If it doesn't contain the header Wget the request will go to the section which accepts it. In my case it's my apache-server running on an Ubuntu-server. That server doesn't contain the files I publish.

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Sun May 02, 2010 8:06
PS:

A good way to test your service is by putting the address as proxy in your webbrowser with port 80.

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
PaqAttack
DD-WRT Novice


Joined: 14 Aug 2009
Posts: 11

Posted: Sun May 02, 2010 11:50
I understand the principle of Pound, and that is why I want to use to access and secure my internal servers (hosts).
But I do not quite understand ...
Here is a diagram representing my infrastructure:
                    (Local)
    Host1            Host2            Host3
192.168.1.10     192.168.1.20     192.168.1.30
           \           |           /
                DD-WRT (Pound)
                 192.168.1.1
(External)             |
                      Web
In my internal network, I just use the hostname of the host to access its web interface. With 'Optware Right Way', Pound service fetches information from my file /etc/hosts to create web services.
My pound.cfg:
Code:
User "pound"
Group "nobody"
TimeOut 120
Alive 30
Control "/var/run/pound.ctl"

ListenHTTP
        Address 0.0.0.0
        Port 9090

        Service "dd-wrt"
                HeadRequire "^Host:[\t ]*dd-wrt$"
                Backend
                        Address 192.168.1.1
                        Port 80
                end
        end

        Service "host1"
                HeadRequire "^Host:[\t ]*host1$"
                Backend
                        Address 192.168.1.10
                        Port 80
                end
        end

        Service "host2"
                HeadRequire "^Host:[\t ]*host2$"
                Backend
                        Address 192.168.1.20
                        Port 80
                end
        end

        Service "host3"
                HeadRequire "^Host:[\t ]*host3$"
                Backend
                        Address 192.168.1.30
                        Port 80
                end
        end
End

The iptables rules are right, and when the pound service runs, I try to access, for example, in my local network with this URL:
192.168.1.1:9090/dd-wrt,
I get this message:
The service is not available. Please try again later.

What's wrong ??

Thank you for support !
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Sun May 02, 2010 13:59
PaqAttack wrote:
I understand the principle of Pound

No, you don't!....

I can conclude this from the example you gave.
You say you access pound with http://192.168.1.1/ddwrt and expect it to go to the host "ddwrt".

As I already wrote in my explanation it's the part between 'http://' and the next slash which results in the 'host'. In your case it's:

Host: 192.168.1.1

The trick in all this is to have all kinds of domains pointed to your IP.
For instance the domain 'wd.mirmana.com' points to my WAN-IP and so does 'www.mirmana.com'.

Pound will direct wd.mirmana.com to another host than www.mirmana.com.

Code:
http://wd.mirmana.com
Host: wd.mirmana.com

Code:
http://www.mirmana.com
Host: www.mirmana.com

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
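
Added example, not part of the original posts: a small Python model of the header matching frater describes, run against the two configs posted above. It assumes patterns are matched case-insensitively against one header line at a time and that the first matching service wins; the function names and the `ExampleBrowser` user agent are made up for illustration.

```python
import re

# Constructed model of the configs posted above: (service, HeadRequire patterns, backend).
PAQATTACK = [
    ("dd-wrt", [r"^Host:[\t ]*dd-wrt$"], "192.168.1.1:80"),
    ("host1",  [r"^Host:[\t ]*host1$"],  "192.168.1.10:80"),
    ("host2",  [r"^Host:[\t ]*host2$"],  "192.168.1.20:80"),
    ("host3",  [r"^Host:[\t ]*host3$"],  "192.168.1.30:80"),
]
FRATER_WD = [
    ("WD", [r"^Host:[\t ].*wd\.mirmana\.com$", r"Wget"], "192.168.10.210:80"),
]


def request_for(url, user_agent="ExampleBrowser"):
    """Build the request a client sends: Host is the part between '://' and the next slash."""
    host, _, path = url.split("://", 1)[1].partition("/")
    return f"GET /{path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n\r\n"


def select_service(raw_request, services):
    """Return (service, backend) for the first service whose patterns all match, else None."""
    # Header lines only: drop the request line and anything after the blank line.
    headers = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    for name, patterns, backend in services:
        # Every HeadRequire must be satisfied by at least one header line.
        # Assumption: patterns are matched case-insensitively, one header at a time.
        if all(any(re.search(p, h, re.IGNORECASE) for h in headers) for p in patterns):
            return name, backend
    return None  # no service accepts the request; the proxy answers with its error page


if __name__ == "__main__":
    cases = [
        ("http://192.168.1.1:9090/dd-wrt", "ExampleBrowser", PAQATTACK),
        ("http://host1/", "ExampleBrowser", PAQATTACK),
        ("http://host1:9090/", "ExampleBrowser", PAQATTACK),
        ("http://wd.mirmana.com/prep_optware", "Wget", FRATER_WD),
        ("http://wd.mirmana.com/prep_optware", "ExampleBrowser", FRATER_WD),
    ]
    for url, agent, services in cases:
        print(url, agent, "->", select_service(request_for(url, agent), services))
```

A URL with an explicit port produces `Host: host1:9090`, which the `$`-anchored patterns reject. The `.*` in the WD pattern accepts any host name ending in wd.mirmana.com, whereas `[\t ]*` accepts only the exact name.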
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Sun May 02, 2010 16:42
You can use the URL when you use "UrlGroup" and "EndGroup". I have no experience with nor use for these parameters, so I can't give you proper examples.
You do need to be able to work with regular expressions.

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
redhat27
DD-WRT Novice


Joined: 20 Jan 2010
Posts: 41

Posted: Sun May 02, 2010 22:59
Can pound be configured on a non-gateway router? The gateway router (192.168.1.1) forwards port 80 to this non-gateway router (192.168.1.2) where pound is installed.

In this 192.168.1.2 router, the following is defined:

pound.cfg:
ListenHTTP
Address 0.0.0.0
Port 8080
:

Firewall:
iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT

and NAT port fwd...
Port from: 80
Protocol: TCP
IP address: 0.0.0.0
Port to: 8080
Enable: checked

But when the gateway router forwards port 80 to the router where pound is running, all I get is the response from the application that is running on 80 on the non-gateway router (which is currently pixelserv)

Help please?
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Mon May 03, 2010 5:09
redhat27 wrote:
Can pound be configured on a non-gateway router? The gateway router (192.168.1.1) forwards port 80 to this non-gateway router (192.168.1.2) where pound is installed.

Yes.
Pound is not a full transparent proxy and all incoming traffic will appear to come from the proxy.
Only if the proxy would try to be fully transparent it has to be run on the gateway.

pixelserv has nothing to do with it. You also need to do a normal port forward (in the webif of the gateway router) translating port 80 to 192.168.1.2 port 8080.

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
redhat27
DD-WRT Novice


Joined: 20 Jan 2010
Posts: 41

Posted: Tue May 04, 2010 19:11
Thanks much, frater.

Guess I'm stuck, as the gateway router does not do port address translations, just port forwards. I'll look into replacing it with one that does.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Sun May 23, 2010 5:56
Using this service https://startssl.com I'm now able to run https for 2 servers using the same certificate.

Based on the URL it will either get you to my real MTA or my Zarafa-server that are running on different machines.

Code:
cd /opt/etc
wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem


cat /opt/etc/pound/pound.tail
Code:
ListenHTTPS
        Address 0.0.0.0
        Port    4443
        Cert       "/opt/etc/ssl.crt"
        CAList     "/opt/etc/ca.pem"
        VerifyList "/opt/etc/sub.class1.server.ca.pem"
        Service "zarafa"
          URL "/(zarafa-webaccess|Microsoft-Server-ActiveSync).*"
          BackEnd
            Address 192.168.10.125
            Port 80
          End
        End
        Service "Worldclient"
          BackEnd
            Address 192.168.10.25
            Port 80
          End
        End
End

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
wificom
DD-WRT Novice


Joined: 26 Jun 2010
Posts: 1

Posted: Sat Jun 26, 2010 9:53
Wanted to say thank you a lot for this forum post.

I have the same problem here now too.

I have two web servers behind a DD-WRT router (very proud user of DD-WRT, by the way; I have tried a lot of other router distros, but DD-WRT beat all of them in professionalism and easy setup) and need an easy solution to redirect the WAN traffic, based on the hostnames, to the web servers in the LAN.

My question is how well this solution really works. How is the speed and so on? I guess a site with, say, 1000 host requests could slow down the loading of the page heavily, or am I wrong? From my thinking, I guess this is not really a good solution, as it can't handle really big loads, or am I wrong here?

I have found this page that describes a solution for my problem, and it looks much better, but I am asking myself whether this maybe also exists somehow for DD-WRT?

Having some kind of load balancer built into DD-WRT would be awesome!

http://www.howtoforge.com/high_availability_loadbalanced_apache_cluster
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2450
Location: Third Rock from the Sun

Posted: Sat Jun 26, 2010 22:40
dd-wrt is not built for speed, it's built for functionality.
_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
fseka
DD-WRT User


Joined: 02 Dec 2009
Posts: 75

Posted: Wed Oct 27, 2010 20:02
Thanks frater, it's so easy

And what is the recommended procedure for upgrading the optware installation?

Thanks
--
fSeka

_________________
E3000 running DD-WRT v24-sp2(Build 14929) mega
Netgear R7000 running DD-WRT v3.0-r27858)