![\"XenCenter\"](\"https:\/\/asdfghjkl.me.uk\/blog\/wp-content\/uploads\/xencenter.png\")
<\/a><\/p>\nProblem is, the provider only gives us a limited number of IPv4 addresses, so we have to share. Since we're using XenServer, I've set up a tiny router VM for the other VMs to connect to. This bit was simple - I set up an external network bound to the external IP address, and an internal network for the VMs. Here's what my \/etc\/network\/interfaces<\/em>\u00a0looks like:<\/p>\n I then created a set of\u00a0iptables<\/a>\u00a0rules to forward all traffic from the VMs to the outside world:<\/p>\n Like on a home router, port forwarding is used to direct traffic to the relevant VM.<\/p>\n To apply the firewall rules on startup, I added the script to \/etc\/rc.local<\/em>.<\/p>\n For hosting game servers, this is all well and good, as different games tend to use different ports. But for webhosting, everyone wants port 80 - addresses like http:\/\/asdfghjkl.me.uk:1234 look unprofessional! To achieve this, I set up apache on the router to proxy requests for specific domains to their relevant VM. Here's an example VirtualHost directive:<\/p>\n This will redirect traffic for asdfghjkl.me.uk and all subdomains to my VM. Without ProxyPreserveHost, the Host: line passed to the VM would always be set to 192.168.1.1, which would make name-based virtual hosting (e.g. for subdomains) impossible. The other issue with this setup is that the VM's access log will only contain the router's address for every request. Luckily the originating IP is sent in the X-Forwarded-For header, and an apache module is available to log this instead. On the VM:<\/p>\n Add the following lines (where\u00a0192.168.1.254 is the router's address):<\/p>\n ...and run sudo invoke-rc.d apache2 restart\u00a0<\/em>to apply the changes.\u00a0It's worth noting that requests without a Host: line will be sent to the first site available (alphabetical if you have each VirtualHost directive in a separate file, or first in the list if you don't). I set up a dummy site with a bit of HTML to avoid this.<\/p>\n This all works fine for HTTP traffic, but HTTPS is slightly more involved. The name-based virtual hosts which we're using here will give certificate errors, as the SSL handshake takes place before the Host: line is sent. You either need a unique IP or a unique port for each site. Luckily, most browsers (a notable exception being IE8 or below on Windows XP) support Server Name Indication<\/a>, which sends the hostname at the start of the handshaking process. We enable mod_ssl on the server with sudo a2enmod ssl<\/em>, then configure each site with a VirtualHost directive as before:<\/p>\n Disabling SSLStrictSNIVHostCheck means the first site in the list will be used if no hostname is specified, or if the browser doesn't support SNI. There'll still be a certificate error in the latter case, but it's better than nothing! As before, I've set up a small dummy site explaining that a browser upgrade is necessary.<\/p>\n# loopback\r\nauto lo\r\niface lo inet loopback\r\n\r\n# external network\r\nallow-hotplug eth0\r\niface eth0 inet static\r\n address EXTERNAL_IP\r\n netmask 255.255.255.255\r\n broadcast EXTERNAL_IP\r\n dns-nameservers 8.8.8.8\r\n dns-search asdfghjkl.me.uk\r\n\r\n# internal network\r\nauto eth1\r\niface eth1 inet static\r\n address 192.168.1.254\r\n netmask 255.255.255.0<\/pre>\n
# clear existing rules:\r\niptables --flush\r\niptables -t nat --flush\r\niptables --delete-chain\r\n# forward all internal traffic (eth1) to the external network (eth0):\r\niptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\r\niptables -A FORWARD -i eth1 -o eth0 -j ACCEPT<\/pre>\n
# tcp traffic:\r\niptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1234 -j DNAT --to-destination 192.168.1.1:1234\r\niptables -A FORWARD -p tcp -d 192.168.1.4 --dport 1234 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\r\n\r\n# udp traffic:\r\niptables -t nat -A PREROUTING -p udp -i eth0 --dport 1235 -j DNAT --to-destination 192.168.1.2:1235\r\niptables -A FORWARD -p tcp -d 192.168.1.2 --dport 1235 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\r\n\r\n# multiple ports:\r\niptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1236:1240 -j DNAT --to-destination 192.168.1.3\r\niptables -A FORWARD -p tcp -d 192.168.1.3 --match multiport --dports 1236:1240 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT<\/pre>\n
<VirtualHost EXTERNAL_IP:80>\r\nServerName asdfghjkl.me.uk\r\nServerAlias asdfghjkl.me.uk *.asdfghjkl.me.uk\r\nRewriteEngine on\r\nProxyRequests off\r\nProxyPreserveHost on\r\nProxyPass \/ http:\/\/192.168.1.1:80\/\r\nProxyPassReverse \/ http:\/\/192.168.1.1:80\/\r\n<\/VirtualHost><\/pre>\n
sudo apt-get install libapache2-mod-rpaf
sudo a2enmod rpaf
sudo nano \/etc\/apache2\/mods-available\/rpaf.conf<\/pre>\nRPAFenable On
RPAFsethostname On
RPAFproxy_ips 192.168.1.254<\/pre>\n<IfModule mod_ssl.c>\r\nSSLStrictSNIVHostCheck off\r\n\r\n<VirtualHost EXTERNAL_IP:443>\r\nDocumentRoot \/var\/www\/nohostname-ssl\r\nServerName subdomain.asdfghjkl.me.uk\r\n\r\nSSLEngine on\r\nSSLCertificateFile \/etc\/ssl\/certs\/certificate1.crt\r\nSSLCertificateKeyFile \/etc\/ssl\/private\/certificate1.key\r\nSSLCertificateChainFile \/etc\/ssl\/certs\/chain.pem\r\nSSLCACertificateFile \/etc\/ssl\/certs\/ca.pem\r\n<\/VirtualHost>\r\n\r\n<VirtualHost EXTERNAL_IP:443>\r\nServerName asdfghjkl.me.uk\r\nServerAlias asdfghjkl.me.uk *.asdfghjkl.me.uk\r\nRewriteEngine on\r\nProxyRequests off\r\nProxyPreserveHost on\r\nProxyPass \/ http:\/\/192.168.1.1:80\/\r\nProxyPassReverse \/ http:\/\/192.168.1.1:80\/\r\n\r\nSSLEngine on\r\nSSLCertificateFile \/etc\/ssl\/certs\/certificate2.crt\r\nSSLCertificateKeyFile \/etc\/ssl\/private\/certificate2.key\r\nSSLCertificateChainFile \/etc\/ssl\/certs\/chain.pem\r\nSSLCACertificateFile \/etc\/ssl\/certs\/ca.pem\r\n<\/VirtualHost>\r\n<\/IfModule><\/pre>\n