What's the best practice to configure the /etc/hosts file in a multiserver configuration?

Discussion in 'Installation/Configuration' started by Sergio W., Mar 4, 2022.

  1. Sergio W.

    Sergio W. Member

    Hi people,
    I'm thinking on 3 possible options to configure the hosts file in a multiserver configuration and I'm not real sure on what's the best option, actually I'm working with the first type of configuration but I'm just figuring out if this could have some limitations / issues:

    1)
    Code:
    127.0.0.1               localhost.localdomain   localhost
    127.0.1.1               third.example.tld         third
    2)
    Code:
    127.0.0.1               localhost.localdomain   localhost
    10.0.0.3                third.example.tld         third
    3)
    Code:
    127.0.0.1               localhost.localdomain   localhost
    212.2.2.2               third.example.tld         third
    In these examples 212.2.2.2 is the remote IP, 10.0.0.3 is the LAN IP.

    Thanks for your support!
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You wrote you are now using alternative 1), but I can not see how that hosts file could work. The hosts in the multiserver setup can not connect to each other.
    If you have dual homed hosts I would put the local LAN ip in the hosts file, so hosts contact each other using the local LAN.
     
  3. Sergio W.

    Sergio W. Member

    Thanks for your reply!
    The complete first solution I'm adopting is this one:
    Code:
    127.0.0.1               localhost.localdomain   localhost
    127.0.1.1               third.example.tld         third
    
    10.0.0.1                 master.example.tld      master
    Actually the current configuration works pretty good, I connect to the master server via LAN (master hostname). I just have a problem with this configuration, when I add a new website on the IP selection I just have *. It works pretty good until I try to install a second website where acquiring a new certificate the second website redirects on the first website. Is this a bug or a consequence of the hosts configuration I'm using?

    What configuration do you suggest? Please feel free to add a new option :)
    Thanks again!
     
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    as @Taleman states.
    assume your master server is server1.example.com (private ip 10.0.0.1, public ip 80.40.70.1) , you have a 2nd server on the same lan (server2) (private ip 10.0.0.2, public ip 80.40.70.2), and you have a third server remotely located at another datacenter (server3) (private ip 192.168.1.1, public ip 212.2.2.2) over the internet

    hosts file on server1:
    Code:
    127.0.0.1    localhost
    127.0.1.1    server1.example.com     server1
    10.0.0.2     server2.example.com     server2
    212.2.2.2    server2.example.com     server3
    
    hosts file on server2:
    Code:
    127.0.0.1    localhost
    10.0.0.1     server1.example.com     server1
    127.0.1.1    server2.example.com     server2
    212.2.2.2    server2.example.com     server3
    
    hosts file on server3:
    Code:
    127.0.0.1    localhost
    80.40.70.1   server1.example.com     server1
    80.40.70.2   server2.example.com     server2
    127.0.1.1    server2.example.com     server3
    
    depending on your vps hosting provider, the /etc/hosts file may already contain an entry with the ip 127.0.1.1 for the hostname, in which case keep using that, as above, otherwise use that vps's private ip instead of 127.0.1.1
    eg for server1:
    Code:
    127.0.0.1    localhost
    10.0.0.1     server1.example.com     server1
    10.0.0.2     server2.example.com     server2
    212.2.2.2    server2.example.com     server3
    
     
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    when adding websites, just use * for all of them, you can just use a specific ip for a particular site, but it's an uncommon requirement these days. don't mix the use of * and specific ip's for websites on the same server.

    if you're enabling https on sites, if the site doesn't have a certificate, or doesn't have a valid certificate, then the webserver will display the first website (alphabetically) that does. the best option here is to have the default sites enabled, as 000-default and 000-default-ssl and have the ssl vhost configuration point to that webservers own ispconfig certificate. then put your own html/php holding page / redirect etc in /var/www/html. this way anyone trying to visit a domain that points to your server, that either doesn't actually exist, or doesn't have a certificate will get the holding page / redirect you want everyone to get, rather than someone else's website.

    if you've enable letsencrypt on a second site, and visiting it displays another site, it may have failed to get a certificate, try working through the FAQ to find out why... https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
  6. Sergio W.

    Sergio W. Member

    Thanks! So since that the two servers are on the same datacenter my hosts file should work good, right?
    At this point, as you are explaining, for the problem returning the first site maybe this is because i disabled the default website!
    Anyway configuring all via remote IP addresses works good, also for obtaining certificates, I could think to use this way (third configuration in my examples), do you see any contraindications?
    Thanks :)
     
  7. Sergio W.

    Sergio W. Member

    I'm also discovering that I don't have a default-ssl webiste configured, just the default one running on port 80.
    I installed ISPConfig via autoinstaller on Ubuntu 20.04.
     
  8. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    only use the remote (public) ip addresses in the hosts file, if your servers only have public ips, or for servers that are located on different networks, if servers are on the same network, and have private ip's, always use the private ip's.

    no, it's returning the first site, because for some reason the new site didn't successfully get a letsencrypt certificate.
    if the 000-default-ssl site was enabled, it would have shown that webpage instead.
    the 000-default and 000-default-ssl sites are so that you can ensure visitors see what you want them to see if the site doesn't exist, or doesn't have a certificate.
     
  9. Sergio W.

    Sergio W. Member

    Ok, good, I will try getting a certificate setting * on twice websites.
    About 000-default-ssl I don't have it, neither on /sites-available/, how can I create it?
    Thanks!
     
  10. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    it might just be default-ssl or default-ssl.conf, it will be in sites-available.
    it won't have the certificate info in it though, it'll point to ssl-cert-snakeoil.pem/key
    you'll need to change that info to point to the /usr/local/ispconfig/ssl/ispserver.* files
    probably a good idea to disable all the SSL protocols below TLSv1.2 in there as well.
    then rename it, adding the prefix 000-, this is the part that ensures it gets loaded before any other ssl sites

    then 'a2ensite 000-default-ssl' to enable it.
     
  11. Sergio W.

    Sergio W. Member

    I don't have that file :\ also 000 is apps, default doesn't have any number.
    It's a Ubuntu 20.04 + Nginx autoinstallation.
     
  12. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ah, ok, i can't help with that one, i use apache, i've got virtually no experience with nginx, i have no idea what vhost config is available by default on an nginx ispconfig install.
    you'll need to wait for an nginx user on here to answer that, or use the search on here to look for it, i know it's been asked/answered several times for apache, someone's bound to have asked about in on nginx before.
     
  13. ahrasis

    ahrasis Well-Known Member

    Create that vhost in available folder and create symlink in enabled folder to that vhost.
     
  14. Sergio W.

    Sergio W. Member

    Thanks to everybody!!! Eventually I know how to enable it, I should create a copy of the default in sites-available, then change the port to 443 in the file and adding the symlink for the certificate folders. In the end I should symlink that vhost in sites-enabled, test nginx with nginx -t and if everything is ok restart nginx with service nginx restart. What I'd like to know is why in my case the default configuration is not available. I think it's for a reason. It's not available in both servers I installed, so maybe that yes with Nginx is different. And at this point it's not necessary to manually add it.
     

Share This Page