I have an ISPConfig multiserver setup, running 2 DNS nameservers. The domain I want to use is managed by ISPConfig DNS. I have set up a new VM and installed Tactical RMM, which needs to use ports 80 and 443 and requires, as a prerequisite, creating 3 subdomains (api, rmm and mesh .example.com) and running a Let's Encrypt cert on those subdomains as well. Now my question is: how can I make rmm.example.com redirect to the internal IP of the VM, when the whole example.com domain is pointing to the virtual host of ISPConfig?
Create a website in ISPConfig and set it up as proxy to the internal server. You can use the Apache directives under the 'Options' tab for the site in ISPConfig to set up the proxy.
Ok, makes sense, but I already have a website for the domain I am using. I only need the subdomains api, rmm and mesh to point to the internal server running Apache.
I am not sure what this Tactical RMM really does, but I do use TeamViewer and Chrome Remote Desktop, which do not need any specific port, by the way. Anyway, using a proxy is the best solution I know for a single public IP, so I would agree with @Th0m on that. You can also use other proxy manager software like NPM (Nginx Proxy Manager). The point to remember is that the proxy manager will be managing everything for ports 80 and 443, so it should be in front, while other servers that also use those ports should be behind it.
You have the option to incorporate reverse proxy settings by accessing the Options tab for each respective subdomain. Here's an example. Please be aware that I prioritize access restrictions to the greatest extent possible. This is reflected in the utilization of "Require all denied" and "Require ip" directives. It is essential to append the specific IP addresses to which access is granted. Additionally, it is crucial to tailor IP addresses according to your specific environment.

api.{..}
Code:
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
SSLUseStapling off

RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "wss://192.168.100.200/$1" [P,L]

#Don't proxy Let's Encrypt
ProxyPass /.well-known/acme-challenge/ !
ProxyPass / https://192.168.100.200/ timeout=30 retry=2
ProxyPassReverse / https://192.168.100.200/

#Header always add Access-Control-Allow-Origin "*"
Header always add Access-Control-Allow-Method "*"

BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

mesh.{..}
Code:
<Location />
    <RequireAny>
        Require all denied
        Require ip 192.168.100.0/24
    </RequireAny>
</Location>
<LocationMatch "(/.well-known/acme-challenge/.*)">
    Require all granted
</LocationMatch>
<LocationMatch "(/agent.ashx)">
    Require all granted
</LocationMatch>
<LocationMatch "(/meshrelay.ashx)">
    Require all granted
</LocationMatch>

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
SSLUseStapling off

RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "wss://192.168.100.200/$1" [P,L]

#Don't proxy Let's Encrypt
ProxyPass /.well-known/acme-challenge/ !
ProxyPass / https://192.168.100.200/
ProxyPassReverse / https://192.168.100.200/

#Header always add Access-Control-Allow-Origin "*"
Header always add Access-Control-Allow-Method "*"

BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

rmm.{..}
Code:
<Location />
    <RequireAny>
        Require all denied
        Require ip 192.168.100.0/24
    </RequireAny>
</Location>
<LocationMatch "(/.well-known/acme-challenge/.*)">
    Require all granted
</LocationMatch>

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
SSLUseStapling off

RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "wss://192.168.100.200/$1" [P,L]

#Don't proxy Let's Encrypt
ProxyPass /.well-known/acme-challenge/ !
ProxyPass / https://192.168.100.200/
ProxyPassReverse / https://192.168.100.200/

#Header always add Access-Control-Allow-Origin "*"
Header always add Access-Control-Allow-Method "*"

BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
Wow, that's great. The only problem is that under the Options tab of each domain, there's nothing I can input code into. Nor did it show anything. Do I have to enable anything else first?
Yes. A website is an Apache or Nginx vhost, and you need a vhost to use it as a proxy, so you must create a website. Alternatively, you can create a subdomain (vhost), which can be enabled under System > Interface > Main Config if you do not see it in the menu of the Sites module. But creating a website for the subdomain is perfectly fine.
Thanks for the fast response. I like the auto creation of subdomains as websites. 2 small questions on that. a. After enabling it, do I need to recreate the subdomains, or does it find the existing ones and create them? b. My current subdomains are currently redirects. Are these going to be broken and require a different config through vhosts?
If you added these subdomains already, then you must delete them and add them as vhost subdomains again, as a subdomain may exist only once in the web server configuration. I thought you wanted to implement what 30uke posted above, which is using a proxy. You cannot use a redirect together with a proxy; it makes no sense, as the proxy replaces the redirect.
I've got other subdomains on the current domain which I use for ease, like admin to point to the ISPConfig GUI and webmail to webmail.
As Till has highlighted, redirects won't operate in this scenario. The crucial necessity here is the reverse proxy facility to efficiently leverage web sockets. I made a transition to the MPM Worker module, disabling either MPM Event or MPM Prefork first, and then enabling MPM Worker. Fine-tuning the settings is essential. Below is the configuration I currently employ in the mpm_worker.conf file:
Code:
ServerLimit 16
StartServers 10
MinSpareThreads 128
MaxSpareThreads 512
ThreadLimit 128
ThreadsPerChild 128
MaxRequestWorkers 2048
MaxConnectionsPerChild 1000000

Note: the value 'MaxConnectionsPerChild' is extremely high (typically in the range of hundreds or a few thousand). This might be a typo in my config... but it works, so I didn't change it. I recommend monitoring the scoreboard. Utilize the following command, requiring the 'watch' utility:
Code:
watch -c -n 0.1 apachectl status

To stop the `watch` command, use 'CTRL' + 'C' (or 'CTRL' + 'BREAK').
I managed to get the subdomains proxied from Apache2 as stated above. My issues are now: the subdomains do not resolve to the local IP (when pinged). Do I have to run another DNS server for the local zones? If yes, can it be run on my current nameservers, or will I require a new setup?
What might help is to look into split-DNS. This means the public IPv4 for the A record is configured in public DNS and the A record locally points to the LAN IPv4 in local DNS, e.g. via a host or domain override. The local clients need to resolve via the local DNS server.
That's great, I managed to get it working but with some workarounds. The main thing is the local DNS, and I was wondering: I currently have a multiserver setup of ISPc; is it possible to add a new nameserver for local DNS?
Certainly, but ISPConfig may not be able to handle split-DNS, so it would have to be a separate name server. Or another ISPConfig setup with name service for only the intranet.
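To make the split-DNS suggestion in the two posts above concrete, here is an added example of a separate LAN-only BIND 9 resolver; it is not from the thread and not ISPConfig's own configuration. Instead of copying the whole example.com zone internally, it uses a response policy zone (RPZ) as a "host override" for just the three proxied names, and forwards everything else (including the rest of example.com) to a public resolver, so the public records stay managed by the ISPConfig nameservers. The subnet 192.168.100.0/24, the backend 192.168.100.200 and the hostnames come from the thread; the resolver address 192.168.100.1, the upstream 9.9.9.9, the zone name rpz.lan and the file paths are assumptions. The block concatenates three files, marked by their paths.

```bind
// ---- /etc/bind/named.conf.options ----
// Added example (not ISPConfig's config). Assumed: this resolver sits on
// 192.168.100.1 and forwards to 9.9.9.9.
acl "lan" { 192.168.100.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.100.1; };
    allow-query { lan; };        // never expose this resolver to the internet
    allow-recursion { lan; };
    recursion yes;
    forwarders { 9.9.9.9; };     // public names, incl. the rest of example.com,
    forward only;                //   still come from the public ISPConfig zone
    // Rewrite answers for the names listed in the policy zone below
    response-policy { zone "rpz.lan"; };
};

// ---- /etc/bind/named.conf.local ----
zone "rpz.lan" {
    type master;
    file "/etc/bind/db.rpz.lan";
    allow-query { none; };       // policy table only; clients must not query it directly
    allow-transfer { none; };
};

// ---- /etc/bind/db.rpz.lan ----
; Owner names are relative to the RPZ origin, so "rmm.example.com" below is
; rmm.example.com.rpz.lan and triggers on queries for rmm.example.com,
; which are answered with the LAN address of the Tactical RMM VM.
$TTL 300
@                 IN SOA  localhost. hostmaster.localhost. ( 2024010101 3600 900 604800 300 )
@                 IN NS   localhost.
api.example.com   IN A    192.168.100.200
rmm.example.com   IN A    192.168.100.200
mesh.example.com  IN A    192.168.100.200
```

Point the LAN clients (for example via the DHCP DNS option) at 192.168.100.1 and leave the public A records untouched; `named-checkconf` and `named-checkzone rpz.lan /etc/bind/db.rpz.lan` validate the files before a reload. Two caveats: because clients reach the proxy through the same hostnames internally and externally, the Let's Encrypt certificate on the ISPConfig vhost keeps matching, but if example.com is DNSSEC-signed the resolver will not rewrite validated answers unless `break-dnssec yes;` is added to the `response-policy` statement, which deliberately trades validation for those names.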