scnr.net

Binding Apache 2.2 to a dynamic IP (Debian)

Situation

I have a private network with a Debian box called “Sentinel” as NAT router to the Internet. The external IP address of Sentinel is dynamic, i.e. it changes with each reconnect. The private network is 10.0.0.0/8. Sentinel’s private IP address is 10.0.0.1 on interface eth0. The Internet is reached through interface ppp0.

I want Sentinel to serve 2 different HTTPS sites (each with its own SSL certificate), both listening on the standard port (443). One should be accessible from the local network, the other one from the Internet.

Problem

How do I configure Apache?

Listen 10.0.0.1:443    # private service
Listen ??.??.??.??:443 # public service

I can’t put in an address, because it is unknown and changes. Nor can I leave the address out so that Apache listens on all interfaces, because that would include 10.0.0.1 and conflict with the private service.

I looked through the Apache 2.2 docs but didn’t find a solution for this.

Workaround

So, if Apache only wants to bind either to all addresses or to a fixed address, why not give the public service a fixed address and DNAT the connections coming from the Internet to it?

First Sentinel needs a new IP address. I picked one from a still unused private range, 172.16.0.99, and assigned it as an additional address to Sentinel’s loopback interface via /etc/network/interfaces. (DNAT to a loopback address such as 127.0.0.1 does not work: the kernel refuses to deliver packets that arrive on a real interface to 127/8. The net.ipv4.conf.<if>.route_localnet sysctl that relaxes this only appeared in Linux 3.6, long after this post.)

iface lo inet loopback
        post-up  ip addr add 172.16.0.99/32 dev lo
        pre-down ip addr del 172.16.0.99/32 dev lo

I restarted the interface with ifdown lo; ifup lo and adjusted Apache’s configuration files:

# /etc/apache2/ports.conf
Listen 10.0.0.1:443    # private service
Listen 172.16.0.99:443 # public service

# /etc/apache2/sites-available/sentinel-ssl-private
<VirtualHost 10.0.0.1:443>
    SSLEngine On
    [...]
</VirtualHost>

# /etc/apache2/sites-available/sentinel-ssl-public
<VirtualHost 172.16.0.99:443>
    SSLEngine On
    [...]
</VirtualHost>

And finally, DNAT with iptables. Since 172.16.0.99 is a local address, a packet rewritten in PREROUTING is delivered locally and traverses the INPUT chain, not FORWARD, which is why the first rule accepts it there. That rule only has an effect if INPUT’s default policy is DROP; the same policy, not Apache’s bindings, is what keeps the private service on 10.0.0.1 away from the Internet. (The MASQUERADE rule is the usual source NAT for the LAN’s outbound traffic.)

iptables        -A INPUT       -i ppp0 -p tcp --dport 443 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0                    -j MASQUERADE
iptables -t nat -A PREROUTING  -i ppp0 -p tcp --dport 443 -j DNAT \
                                           --to-destination 172.16.0.99
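The same procedure as a script with the checks a practitioner would want around it, as an added example that is not the script of the original post. It rejects a DNAT target that is loopback or inside the LAN prefix, drops Internet packets addressed to private addresses before they can reach INPUT, adds the rules idempotently, and afterwards checks that Apache is bound to exactly the two intended addresses and not to a wildcard. Interface names and addresses follow the post; the add_rule and apply helpers, the "apply" argument and the ss listings are assumptions made for this example (the listings are constructed, not captured).

```shell
#!/bin/sh
# Added example, not the script of the original post: the DNAT workaround
# wrapped in functions with sanity checks. Interface names and addresses
# follow the post; add_rule, apply, the "apply" argument and the sample
# `ss` listings are assumptions made for this example.
set -u

EXT_IF=ppp0            # Internet-facing interface with the dynamic address
LAN_NET=10.0.0.0/8     # private network behind Sentinel
PRIV_ADDR=10.0.0.1     # address the private HTTPS vhost listens on
PUB_ADDR=172.16.0.99   # fixed address the public HTTPS vhost listens on (on lo)
PORT=443

# ip2int A.B.C.D -> the address as a 32-bit integer (POSIX sh arithmetic).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR NET/LEN -> true when ADDR lies inside NET/LEN.
in_prefix() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# dnat_addr_ok ADDR LAN_NET -> true when ADDR is usable as DNAT target:
# not loopback (the kernel will not DNAT to 127/8; the route_localnet sysctl
# that allows it only appeared in Linux 3.6) and not inside the LAN prefix,
# where it could collide with a real host.
dnat_addr_ok() {
    in_prefix "$1" 127.0.0.0/8 && return 1
    in_prefix "$1" "$2" && return 1
    return 0
}

# check_listeners ADDR... : reads an `ss -ltn` style listing on stdin and
# succeeds only when the :$PORT listeners are exactly ADDR... A wildcard
# (*:443 or 0.0.0.0:443) or any other address on the port is a failure,
# because it would expose both sites on every address.
check_listeners() {
    expected=" $* "; found=" "
    while read -r state rq sq laddr rest; do
        [ "$state" = LISTEN ] || continue
        addr=${laddr%:*}; port=${laddr##*:}
        [ "$port" = "$PORT" ] || continue
        case "$expected" in
            *" $addr "*) found="$found$addr " ;;
            *) echo "unexpected :$PORT listener on $addr" >&2; return 1 ;;
        esac
    done
    for want in $expected; do
        case "$found" in
            *" $want "*) ;;
            *) echo "missing listener $want:$PORT" >&2; return 1 ;;
        esac
    done
    return 0
}

# add_rule TABLE CHAIN RULE... : append a rule unless it already exists
# (iptables -C needs iptables 1.4.11 or newer).
add_rule() {
    table=$1; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

# apply : set up the loopback alias and the firewall rules (run as root).
# Assumes the INPUT chain already has a DROP policy; otherwise the ACCEPT
# rule changes nothing and the private vhost is not shielded by it.
apply() {
    dnat_addr_ok "$PUB_ADDR" "$LAN_NET" ||
        { echo "refusing to DNAT to $PUB_ADDR" >&2; return 1; }
    ip addr replace "$PUB_ADDR/32" dev lo
    # Packets from the Internet addressed to a private address (for example
    # the private vhost on 10.0.0.1) must never reach INPUT.
    add_rule filter INPUT -i "$EXT_IF" -d "$LAN_NET" -j DROP
    # DNAT runs in PREROUTING before the routing decision, so the rewritten
    # packet is delivered locally (PUB_ADDR lives on lo) and traverses INPUT.
    add_rule nat PREROUTING -i "$EXT_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$PUB_ADDR"
    add_rule filter INPUT -i "$EXT_IF" -p tcp -d "$PUB_ADDR" --dport "$PORT" -j ACCEPT
    add_rule nat POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # Verify Apache ended up bound to exactly the two intended addresses.
    ss -ltn | check_listeners "$PRIV_ADDR" "$PUB_ADDR"
}

# Constructed `ss -ltn` listings (not captured output) to exercise
# check_listeners without touching the live socket table.
SS_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    10.0.0.1:443       *:*
LISTEN 0      128    172.16.0.99:443    *:*
LISTEN 0      128    *:22               *:*'
SS_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:443              *:*'

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it as `sh sentinel-dnat.sh apply` as root; without the argument it only defines the functions, so `. sentinel-dnat.sh` followed by `ss -ltn | check_listeners 10.0.0.1 172.16.0.99` is a handy check after each Apache restart.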

If you know a better way or see a problem with this workaround, please share your knowledge.
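Since the post asks for a better way, here is one as an added example that is not part of the original post. Apache does not need a fixed address per service: with a single wildcard Listen, a connection is matched to an IP-based <VirtualHost> by the local address it arrived on, and a _default_ vhost catches every address that no other vhost names, which on Sentinel means whatever address ppp0 currently has. No loopback alias and no DNAT are needed; the firewall still has to keep Internet packets for 10.0.0.1 out. The certificate paths, ServerName values and DocumentRoots are assumptions; the Deny/Allow block is defence in depth so that the private site answers LAN clients only, even if a packet for 10.0.0.1 does arrive from outside.

```apache
# /etc/apache2/ports.conf
Listen 443

# /etc/apache2/sites-available/sentinel-ssl-private
# Exact match for connections that arrived on the LAN address.
<VirtualHost 10.0.0.1:443>
    ServerName sentinel.lan
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/sentinel-private.pem
    SSLCertificateKeyFile /etc/ssl/private/sentinel-private.key
    DocumentRoot /var/www/private
    <Location />
        Order Deny,Allow
        Deny from all
        Allow from 10.0.0.0/8
    </Location>
</VirtualHost>

# /etc/apache2/sites-available/sentinel-ssl-public
# _default_ catches every other local address on :443, i.e. the current
# (dynamic) address of ppp0.
<VirtualHost _default_:443>
    ServerName sentinel.example.net
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/sentinel-public.pem
    SSLCertificateKeyFile /etc/ssl/private/sentinel-public.key
    DocumentRoot /var/www/public
</VirtualHost>
```

`apache2ctl -S` prints which vhost serves which address:port and is the quickest way to confirm the mapping. The public site is then also reachable from the LAN via the ppp0 address, exactly as it is with the DNAT variant.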

Written by johnLate

April 13th, 2009 at 8:00 pm