All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Proxmox - Running Multiple NAT Webservers
I've done a fair share of Googling but haven't seen anything that explains how to forward browsers from the proxmox host to various NAT containers?
www.proxmoxhost.com (the proxmox host)
|
|_ centos-vm (192.168.0.100 Apache running port 80)
|
|_ ubuntu-vm (192.168.0.102 Apache running port 80)
Assuming that I point the DNS correctly, what do I need to do on the proxmox host to allow the browser to utilize the NATed VMs where 'centos-vm.proxmoxhost.com' brings up the CentOS VM's web page and 'ubuntu-vm.proxmoxhost.com' brings up the Ubuntu VM's web page?
Note: I figured out about how to get the individual VMs to get on the internet through NAT and how to use iptables to port forward things like ssh. But I'm hoping to avoid the whole ugly port forwarding for hitting the web servers.
Comments
Looking for this too, not only for the web server but just to point it to the NAT ip.
You could setup an SRV record.
I've done a this with a web server with openvz a few times but with less iptables work and no port forwarding necessary. What I did was apache virtual hosts on the node with mod_proxy pushing requests to each virtual host to the internal IP of the openvz container which had its own web server listening. This allows it all on the proper port and uses proper virtual hosts to route the request based on the domain name.
Actually rather simple. Could share config details later tonight if you need.
Try this for reference, sorry for the mobile url:
https://confluence.atlassian.com/plugins/servlet/mobile#content/view/173685
Does this help:
http://www.ameir.net/blog/archives/55-running-proxmox-behind-a-single-ip-address.html/comment-page-1
You can forward ports to specific VMs.
Haproxy or Nginx installed on Proxmox with records for each domain pointing to your NATed IP. Make sure you set the "forwarded for" header or your logging won't work.
that's essentially how lowendspirit works, you just need haproxy installed on the host node, bind the external IP on port 80 add the forwarding rules and your done.
I've been doing this successfully for a while, based on the technique in the link by @nimdy. If you use mod_rpaf on Apache you'll be able to get the XFF header reported as the IP as well.
So if I boil this down, the two suggestions seam to be use the existing proxmox Apache to let it run virtual hosts as a proxy or to install something like haproxy. Both sound fairly easy to setup and run with. Any real advantage going one way or the other? It seams to me that the haproxy route has the slight advantage in following up on if for no other reason than I end up with learning about something that can do load balancing as well.
If I go the haproxy route and bind it to port 80, will it conflict with the proxmox installed version of Apache? I'm not much of an apache expert as I've only had to deal with it only through control panels up to this point. But trying to sort through the config files, it doesn't seem that proxmox binds to port 80 but only its control panels port.
Thanks for all the help with solutions to this!
haproxy is not a web server so it will not affact proxmox as proxmox does not listen on port 80 to begin with I believe.
Another advantage of haproxy is the webui for extra stats
@geodirk Proxmox doesn't ship with Apache, so that isn't an option in the first place. I personally prefer to install the proxy within a container and not on the host node since it's cleaner and more flexible, but no biggie.
If you ever need SSL, I'd recommend nginx since it does SSL termination from the get go.
Hmmm...the Online.net dedi that I'm using has Apache installed as part of their image. It is bound to port 8006. I still could use Apache for the normal 80/443 ports on this box since they are not in use. But I think nginx won't work together with apache from what I read...but then again maybe that is only when they both are trying to use port 80.
I do need SSL - In fact, I want to always force SLL, but I can do that on the node using .htaccess configs. I'm assuming that haproxy will be able to forward on any SSL certificates. My production server is a big beast but fortunately I picked up one of these Dell Nano's with them (http://www.online.net/en/dedicated-server/dedibox-scg2) to just be able to play around with for things like this until I get something that I want.
@AnthonySmith - I'm assuming that haproxy shouldn't have any worries with SSL using my scenerio above where each node has their own certificate? https://centos-vm.proxmoxhost.com uses the SSL cert loaded on that node without any issues? I'm probably also assuming that I could do the force http: to https: in haproxy as well?
You will need to install all SSL certs (for all your nodes) on the proxmox host and nginx/haproxy will be doing the encryption for you. Nginx supports SSL by default, haproxy versions above 1.5-dev also have support (but I haven't tested it myself). Somebody can correct me if I am wrong, but neither nginx nor haproxy can handle host-based redirect if your SSL is set with .htaccess on each individual VM. The reason is because when traffic gets to haproxy it will be already encrypted and haproxy can't tell where to redirect the request. Thus, it can't "forward on your SSL certificates", they have to be installed on haproxy itself and the traffic between haproxy & your VM will be unencrypted.
To have SSL on the VMs you will need to use what is called SNI proxy: https://github.com/dlundquist/sniproxy
This will be able to inspect the HTTPS headers and forward the request to the correct NAT IP. But keep in mind not all browsers support this version of the SSL protocol.
From experience: Avoid. Use Nginx. Haproxy does not scale well and SSL is broken.
Frankly SSL is not straight forward with haproxy but it is very much supported.
SSL+NAT just sounds like more trouble than coming up with the money for more IPs. I still refuse to consider SNI to be reliable. In every case where I've used it I've just been unhappy with the number of visitors defaulting to the first virtual host on the IP/port while requesting a different domain. Perhaps a testament to how many people refuse to ditch XP.
I am using the nginx method, using a container to point different websites to different containers. It works okay, but then again configuring each and every time is not optimal. I would like to try the other method, searched in Google and returned here with empty hands. So, anyone got links to any tutorials regarding setting up HA proxy?
On a related note, is there a way to automate the hostname resolution? My idea is to have wildcard match for all hostnames in the domain and nginx would resolve the hostname to the corresponding NAT IP. But I don't know how to get the proxmox static IPs to automatically map to hostnames on the host node.
Which version of Proxmox are you using? Older versions shipped with Apache, but in 2.x or 3.x they just shipped their own web server (pveproxy) instead.
Can't you accomplish this with haproxy?
I'm using version 3 of proxmox. Apache is definitely running by default. It may just be an online.net thing with their auto installer.
So if I understand all this right with the new wrinkle of the SSL certificates, would something like this work?
www.proxmoxhost.com (the proxmox host)
with port forwarding on to the nginx-vm both port 80 & 443
|
|_ nginx-vm (192.168.0.10 Apache running port 80)
configured to have the SSL certificates for both the centos & ubuntu websites and forward on the to calls to the internal ips for each
|
|_ centos-vm (192.168.0.100 Apache running port 80)
|
|_ ubuntu-vm (192.168.0.102 Apache running port 80)
Also, am I correct that all I really care about with this proxy is the inbound data and that the returned data goes just out through the NAT? Or does the returned data have to go back through the nginx-vm?
I'm really thinking that @Jar comment about just paying for the extra IP addresses might be the way to go.
This will work, yes. Outbound traffic goes through the NAT. You don't need the "nginx-vm" you can run nginx directly on the proxmox host (that's what I do and it's working fine). Note that you can run any number of services on the same host, as long as they are on different ports (Haproxy on 80, Nginx on 443 & Proxmox Apache on 8006 can all be installed on your host).
You don't really need extra IPs in this case, the setup above is not hard to configure.
I'd have nginx listening on both 80 and 443; there's no need for another Apache to proxy traffic. That'd be a good bit of extra admin headache.
But yes, in short, you've got the idea. Ports 80 and 443 are forwarded to nginx, and nginx will reverse proxy all traffic to the respective VMs, based on the DNS host header. ALL traffic will ultimately pass through nginx, so keep that in mind. The overhead is quite minimal, though, and reverse-proxying sites is a common setup. You just need to ensure that you have enough file descriptors, socket connections, etc. available to the nginx container (or host node). You can also configure nginx to cache if that's important to you.