Server with NAT, what to use for IP?

Discussion in 'Installation/Configuration' started by ppoetsma, May 23, 2010.

  1. ppoetsma

    ppoetsma New Member

    Hi,

    I have to enable SSL on a domain and therefore I need to assign an IP to that domain instead of the default "*". But my server is behind NAT. Let's say the internal address is 192.168.0.10 and the external address 123.123.123.123. What IP address do I use in menu "System - Server IP addresses" ? The internal or the external one?

    Regards,
    Paul
     
  2. CSsab

    CSsab New Member

    The DNS A records for the domain will point to the IP of the domain (123.123.123.123) so you can still use the *.

    Behind NAT you might have the facility to map 192.168.1.10 to 123.123.123.123 in a static dns configuration. EG: www.example.com ----->> mapped to 192.168.1.10.

    Then all you have to do is make sure your common server ports are open to the internal IP.

    Good Luck
     
  3. ppoetsma

    ppoetsma New Member

    Enabling NAT is not the issue, it works fine. But in several posts, for example http://www.howtoforge.com/forums/showpost.php?p=226338&postcount=3, I read that I have to specify an IP address at the domain I want to use SSL instead of the default "*". The question is, which of the two IP addresses do I use in menu "System - Server IP addresses"?
     
  4. CSsab

    CSsab New Member

    External redirecting vs Internal rewriting.

    SSLs are associated with domain names and not with IP addresses - this is a good thing since IP addresses can change regularly, which would make the cert useless.

    I am thinking that you need a unique IP from your internal DHCP pool for an SSL enabled virtual host.

    You can also set up SSL using the external IP but I remember reading somewhere it is not possible to have more than one SSL host behind NAT.

    Can anyone confirm this?
     
  5. ppoetsma

    ppoetsma New Member

    In the meantime I managed to get it working with "*" as IP address. But the certificate that I get presented in the browser when visiting the domain is different from the one that I created using ISPConfig. The certificate talks about "SomeOrganization" and "SomeOrganizationUnit" instead of the terms that I specified in ISPConfig. I've tried it with multiple domains but the certificate is still the same. Have a look at https://dikkeveter.nl/ to find the wrong certificate; it seems to be a standard one and it is definitely not mine.
     
  6. CSsab

    CSsab New Member

    Yes, you have a self-signed certificate there and we have to choose to accept or reject it (as you know). This is what my browser tells me:

    (1) The server's name "dikkeveter.nl" does not match the certificate's name "server1.example.com". Somebody may be trying to eavesdrop on you.
    (2) The certificate for "server1.example.com" is signed by the unknown Certificate Authority "server1.example.com". It is not possible to verify that this is a valid certificate.

    I've replaced your machine hostname.servername.com with server1.example.com here. Your root address is visible.

    Have you had a look at this howto in tips and tricks?

    http://howtoforge.com/forums/showthread.php?t=42341
     
  7. ppoetsma

    ppoetsma New Member

    I had a look at it. I did not update the apache2_plugin.inc.php file as I do use the latest release and the update from 1024 to 2048 or higher has been made in there.

    The vhost configuration files that are generated do contain the lines to include the public and private certificates. Module mod_ssl is installed and no changes were made to /etc/httpd/conf.d/ssl.conf.

    I have enabled debugging in Apache. In the /var/log/httpd/ssl_error.log logfile I find messages like

    Code:
    [Mon May 24 14:42:19 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    
    And in /var/log/ispconfig/httpd/dikkeveter.nl/error.log is

    Code:
    [Mon May 24 14:42:19 2010] [info] Loading certificate & private key of SSL-aware server
    [Mon May 24 14:42:19 2010] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
    [Mon May 24 14:42:19 2010] [info] Configuring server for SSL protocol
    [Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(406): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
    [Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(730): Configuring RSA server certificate
    [Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(769): Configuring RSA server private key
    [Mon May 24 14:42:19 2010] [info] Loading certificate & private key of SSL-aware server
    [Mon May 24 14:42:19 2010] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
    [Mon May 24 14:42:19 2010] [info] Configuring server for SSL protocol
    [Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(406): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
    [Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(730): Configuring RSA server certificate
    [Mon May 24 14:42:19 2010] [debug] ssl_engine_init.c(769): Configuring RSA server private key

    It seems to be doing something but how do I get Apache to tell me what certificates it loaded?
     
  8. ppoetsma

    ppoetsma New Member

    Aha, I used the external IP address but when I replaced it with the internal one (192.168.0.xxx) it works.

    So, for the record: My server with ISPConfig and Apache is a VM behind NAT. Traffic on certain ports is forwarded from the firewall to the VM. In System - Server IP addresses add the internal address. Then use this address in Sites - your-domain - IP-Address. Finally, generate the certificate.
     
  9. CSsab

    CSsab New Member

    Thanks for the information, which clarifies how SSL works on ISPConfig 3 - it is great for noobies like me :p

    The only other thing to say again is that the DNS A record for the virtual host must point to the public IP.

    Cheers
     
  10. ppoetsma

    ppoetsma New Member

    Hmm, I have multiple domains on that single-behind-NAT-server. And when I create a certificate and enable SSL for a second domain, the browser gets presented the certificate of the first SSL domain. This seems to be the issue of having a single IP with multiple domains. The next challenge to solve.
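
Added example, not code from the thread or from ISPConfig: a small Python checker that reads Apache vhost definitions and reports the two situations described in posts 8 and 10. The first is an SSL vhost bound to the NAT public address: the connections the firewall forwards arrive on the internal address, so that vhost never matches and they fall through to whatever covers the socket, on a stock CentOS/RHEL box the _default_:443 vhost from ssl.conf with its placeholder localhost.crt (the SomeOrganization certificate seen in post 5). The second is several SSL vhosts sharing one address:port, where without SNI (Apache older than 2.2.12, or a client that sends no server name) every connection gets the first one defined. The config snippets, certificate paths and the list of local interface addresses are constructed for the example; only the IP addresses and domain are the ones used in the thread.

```python
"""Added example (not from the thread or ISPConfig): audit Apache SSL vhosts."""
import re
from collections import defaultdict

# Constructed configs. Addresses are the ones from the thread; the cert paths and
# the ISPConfig file layout are assumptions, not copied from a real install.
STOCK_SSL_CONF = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""
# Post 8, before the fix: the site was bound to the NAT public address.
SITE_ON_PUBLIC_IP = """
<VirtualHost 123.123.123.123:443>
    ServerName dikkeveter.nl
    SSLEngine on
    SSLCertificateFile /var/www/dikkeveter.nl/ssl/dikkeveter.nl.crt
    SSLCertificateKeyFile /var/www/dikkeveter.nl/ssl/dikkeveter.nl.key
</VirtualHost>
"""
# Post 10: two SSL sites on the internal address.
TWO_SITES_ON_INTERNAL_IP = """
<VirtualHost 192.168.0.10:443>
    ServerName dikkeveter.nl
    SSLEngine on
    SSLCertificateFile /var/www/dikkeveter.nl/ssl/dikkeveter.nl.crt
</VirtualHost>
<VirtualHost 192.168.0.10:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile /var/www/example.org/ssl/example.org.crt
</VirtualHost>
"""
# Constructed: the addresses on the VM's own interfaces (what `ip -4 addr` shows);
# the NAT public address is never among them.
LOCAL_ADDRESSES = {"127.0.0.1", "192.168.0.10"}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf_text):
    """One dict per addr:port of every <VirtualHost>: bind host/port, ServerName,
    SSLEngine state and SSLCertificateFile. Enough for this audit, not a full parser."""
    vhosts = []
    for m in VHOST_RE.finditer(conf_text):
        directives = {}
        for raw in m.group(2).splitlines():
            parts = raw.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
        for spec in m.group(1).split():          # a vhost may list several addr:port
            host, sep, port = spec.rpartition(":")
            if not sep:                           # bare address, no port given
                host, port = spec, "*"
            vhosts.append({
                "host": host, "port": port,
                "server_name": directives.get("servername", "(none)"),
                "ssl": directives.get("sslengine", "off").lower() == "on",
                "cert": directives.get("sslcertificatefile"),
            })
    return vhosts


def serving_vhost(vhosts, host, port):
    """Vhost Apache hands a connection that arrived on host:port: an exact
    address match first, otherwise the first *:port / _default_:port vhost."""
    for candidates in (
        [v for v in vhosts if v["host"] == host],
        [v for v in vhosts if v["host"] in ("*", "_default_")],
    ):
        hits = [v for v in candidates if v["port"] in (port, "*")]
        if hits:
            return hits[0]
    return None


def audit(vhosts, local_addresses):
    """Findings for the two problems in the thread.
    bind_not_local: an SSL vhost bound to an address this host does not own; the
      forwarded connections never match it and fall through (see serving_vhost).
    ssl_shared_socket: several SSL vhosts on one addr:port; without SNI every
      client gets the first one, whose certificate is reported."""
    findings = []
    per_socket = defaultdict(list)
    for v in vhosts:
        per_socket[(v["host"], v["port"])].append(v)
        if v["ssl"] and v["host"] not in ("*", "_default_") and v["host"] not in local_addresses:
            findings.append(("bind_not_local", v["server_name"], v["host"]))
    for (host, port), group in per_socket.items():
        ssl_group = [v for v in group if v["ssl"]]
        if len(ssl_group) > 1:
            findings.append(("ssl_shared_socket", f"{host}:{port}",
                             [v["server_name"] for v in ssl_group], ssl_group[0]["cert"]))
    return findings


if __name__ == "__main__":
    before = parse_vhosts(STOCK_SSL_CONF + SITE_ON_PUBLIC_IP)
    print(audit(before, LOCAL_ADDRESSES))
    print("forwarded connection gets:", serving_vhost(before, "192.168.0.10", "443")["cert"])
    after = parse_vhosts(STOCK_SSL_CONF + TWO_SITES_ON_INTERNAL_IP)
    print(audit(after, LOCAL_ADDRESSES))
```

On the server itself the same two questions can be answered with tools Apache and OpenSSL already provide, which is also the answer to the question in post 7: httpd -S (or apachectl -S) prints the vhost table Apache actually parsed, including which address:port each one is bound to, and openssl s_client -connect 192.168.0.10:443 -servername dikkeveter.nl </dev/null | openssl x509 -noout -subject -issuer shows the certificate really being served for that name, which can be compared with the subject of the file ISPConfig generated.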
     
