Posted by attiks on August 6, 2010 at 2:33pm
All my site files inside vhost.d contain the following <VirtualHost 127.0.0.1:80>
for the moment I change it by hand to <VirtualHost *:80>
I changed my server node to contain both 127.0.0.1 and 192.168.0.156 but it didn't help.
Do I have to reverify all sites to fix this?

Comments
yes.
Yes. You need to rebuild all your site config files / reverify all your sites / platforms.
The one you want all your non-ssl sites to be on should be first.
ie: you most likely want to specify the 192.168.x.x address before the 127.0.0.1 one.
not working
I tried it, but still the same problem
1/ added 192.168.0.156 and 127.0.0.1 to the server node
2/ verified server
3/ verified all platforms
4/ verified all sites
result: all are bound only to 127.0.0.1
what/where can i troubleshoot?
Manual restart of apache gives me
[Sat Aug 07 00:08:11 2010] [warn] NameVirtualHost 192.168.0.156:80 has no VirtualHosts... waiting
[Sat Aug 07 00:08:12 2010] [warn] NameVirtualHost 192.168.0.156:80 has no VirtualHosts
BTW: all sites are non-ssl
I was confused by the server settings as well.
I had to try several settings until I found one that worked. I think this is confusing because I didn't know what they were being used for ultimately.
I settled on:
* domU-12-31-39-0F-7D-C5 as the server name (amazon EC2 hostname)
* 184.73.223.104 as the external IP address - having 127.0.0.1 did NOT work for me even as the second address
Note that I also had to change my MYSQL grants to give aegir@domU-12-31-39-0F-7D-C5.compute-1.internal and aegir_root@domU-12-31-39-0F-7D-C5.compute-1.internal the same permissions required in the documentation. They used to have aegir@localhost and aegir_root@localhost settings.
After I reverified, everything worked.
Update on my observations re AMAZON EC2
I am on Amazon EC2 and have set an elastic IP address of 184.73.223.104, which I had used incorrectly as the server IP address. It worked because my vhost files all had a *:80 binding.
When I verified sites today, the vhost file was rewritten from "VirtualHost *:80" to "VirtualHost 184.73.223.104:80", and then my sites did not work. (I don't remember what update I did to change this behaviour from *:80 to IP:80)
The challenge with EC2 and elastic IP addresses is that there may be TWO IP addresses for the server:
* the elastic IP address
* the resolved IP address for the instance
The website DNS settings are all set to my elastic IP address by manual configuration. This is because my EC2 IP address could change in the future.
Even so, the correct server IP address in Aegir is the resolved IP address - 10.193.X.X in my case.
Now my sites all verify with "VirtualHost 10.193.X.X:80" in the vhost file, and they work. I understand we don't want the *:80 because of the upcoming DNS controls. If you are an EC2 user, then beware of this distinction in IP addresses.
Also, to reverify all of my sites on the command line and avoid manually reverifying them, I created a simple command line script:
su aegir
cd ~/.drush
for alias in `ls | grep drushrc | grep -v ^platform* | grep -v ^server* | sed 's/.alias.drushrc.php//'`; do drush @$alias provision-verify -v; done
I'm sure there's a better script that can be written, however it suited my purpose. I'll need it in case I restart my EC2 instance and have a different IP address, and need to recover in a hurry!
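A check for the situation described in the comment above, where a reverify writes an address into the vhost files that the instance does not actually hold. This is an added example, not part of the original thread or of Aegir; the function names, sample files and addresses are constructed, and it assumes one IPv4 `addr:port` per `<VirtualHost>` line.

```shell
#!/bin/sh
# Added example. Assumes one IPv4 "addr:port" per <VirtualHost> line.

# Print "file addr port" for each <VirtualHost addr:port> under a directory.
vhost_bindings() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]\{1,\}\([^:>[:space:]]*\):\([0-9*]*\).*/\1 \2/p' "$f" |
      while read -r addr port; do echo "${f##*/} $addr $port"; done
  done
}

# audit_vhosts DIR LOCAL_ADDR...
# Reports vhosts bound to '*' or to an address this host does not own.
# Returns 0 when every binding is on one of the given local addresses.
audit_vhosts() {
  av_dir=$1; shift
  av_out=$(vhost_bindings "$av_dir" | while read -r file addr port; do
    if [ "$addr" = '*' ]; then echo "WILDCARD $file *:$port"; continue; fi
    av_ok=no
    for ip in "$@"; do
      if [ "$addr" = "$ip" ]; then av_ok=yes; fi
    done
    if [ "$av_ok" = no ]; then echo "NOT-LOCAL $file $addr:$port"; fi
  done)
  if [ -z "$av_out" ]; then return 0; fi
  printf '%s\n' "$av_out"
  return 1
}

# Constructed sample: a NAT'd public address, a local address, a wildcard.
make_sample_vhosts() {
  d=$(mktemp -d)
  printf '<VirtualHost 203.0.113.10:80>\n</VirtualHost>\n' > "$d/a.example"
  printf '<VirtualHost 10.0.0.5:80>\n</VirtualHost>\n'     > "$d/b.example"
  printf '<VirtualHost *:80>\n</VirtualHost>\n'            > "$d/c.example"
  echo "$d"
}

sample=$(make_sample_vhosts)
audit_vhosts "$sample" 127.0.0.1 10.0.0.5 || echo "bindings need attention"
rm -rf "$sample"
```

On a Linux server the local address list can come from `hostname -I`, with the real vhost.d directory as the first argument.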
question
1/ is it possible to use * as IP so it binds to all IP's?
2/ is it possible to bind to 2 IP's?
3/ what are the consequences for the mysql account, i like to have my mysql users only bound to 127.0.0.1
i checked the code at http://git.aegirproject.org/?p=provision.git;a=blob;f=http/http.drush.in...
so i'll try without an ip address, to be continued ...
// We assign this generic catch all for standard http.
// The SSL based services will override this with the
// correct ip address.
if (sizeof($this->server->ip_addresses)) {
  // Use the first IP address for all standard virtual hosts.
  $data['ip_address'] = $this->server->ip_addresses[0];
}
else {
  // If no external ip addresses are defined, we fall back on :port
  // There will be no SSL , so that's fine.
  $data['ip_address'] = '';
}
never mind, if i leave the field blank, it does a lookup and fills the ip automatically
in the new system
You HAVE to use an ip address.
don't try to trigger the *:80 format, that will only get used when something goes really wrong.
without the ip address other things will break (especially dns support soon).
Adrian,
I'm trying to understand how it works, but looking at the code above, it's not possible to use 2 IP's for the webserver?
I also don't see the problem in using *:80 for http, I can see a problem with using https
If I only specify the 192.168.x.x address it means that mysql also has to listen on this IP, if possible I rather bind mysql (and other local services in general) only to 127.0.0.1
ip addresses, bind-address and grants
We now make use of the ip address version of the virtual host exclusively, because of the complexity involved when SSL gets enabled.
We handle this as follows :
A server node has an optional set of ip_addresses. We take the first defined IP address as the default, and hand it out to all the non-ssl sites. When a site has ssl-enabled, we assign an ip address to that certificate, and the SSL and NON-SSL vhost use that IP address.
We default the ip addresses, to the results returned by a lookup of the server's hostname. But we need an ip address version of the site, not just to ensure that the correct virtual hosts always get loaded, but also because in the near future we will be managing DNS too.
How we handle grants and bind-address :
Grants are not dependent on the ip addresses specified, and operate entirely based on the server's hostname.
When we generate the grant, we do a command line call 'mysql -uINVALID -pINVALUD -h$hostname'.
The error message returns the valid IP address. This way we can make sure that we are getting the IP address
that the database server is seeing the connection coming from.
We initially tried to make it so that you did not have to make mysql listen on all IP addresses, but to make it possible
to use external database servers, this needs to be done. Even then we originally tried to document how to configure
mysql to only listen on 127.0.0.1, but we ran into edge cases that would stop it from always working, depending on
what type of VPS technology is used.
To attempt to only use localhost, you may change the server hostname to localhost or set up the 'uname -n' / hostname
so that it returns a hostname that resolves to 127.0.0.1.
Keep in mind once you do this, it will be unlikely that you will be able to use multiple servers in the future without
re-generating all of your grants.
Keep in mind however that any grants that aegir will generate are incredibly incredibly specific, as we know enough
about the server the requests need to come from that we can generate the right grants. Your mysql daemon should
also have a 'deny all' rule by default.
Another option is to just use iptables or similar to firewall the mysql port from any ip's you don't want accessing it.
in closing
the virtualhost rule isn't really what you have a problem with, and it's handled completely separately from the grant system.
change the server's hostname to resolve to localhost and that should solve your issues, but might come back to haunt
you later.
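The grant mechanism described in the post above can be checked by hand: read the host out of the "Access denied" message and see whether an account exists for exactly that host. This is an added example, not Aegir's own code; the function names, the error text, the account rows and the `report` user are constructed for illustration.

```shell
#!/bin/sh
# Added example; the error text and account rows are constructed samples.
TAB=$(printf '\t')

# Pull the client host out of a MySQL "Access denied" (1045) message: this is
# the address the database server saw the failed login coming from.
seen_host() {
  printf '%s\n' "$1" |
    sed -n "s/.*Access denied for user '[^']*'@'\([^']*\)'.*/\1/p" | head -n 1
}

# check_grants USER HOST < rows of "user<TAB>host"
# (rows as printed by: mysql -N -e 'SELECT user, host FROM mysql.user')
# Labels each account of USER; returns 0 only if USER@HOST itself exists.
check_grants() {
  cg_user=$1 cg_host=$2 cg_rc=1
  while IFS=$TAB read -r u h; do
    [ "$u" = "$cg_user" ] || continue
    case $h in
      "$cg_host") echo "match $u@$h"; cg_rc=0 ;;
      *%*)        echo "wildcard $u@$h" ;;
      *)          echo "other $u@$h" ;;
    esac
  done
  return "$cg_rc"
}

ERR="ERROR 1045 (28000): Access denied for user 'INVALID'@'10.0.0.20' (using password: YES)"
GRANTS=$(printf 'aegir\tlocalhost\naegir_root\tlocalhost\naegir\t10.0.0.20\nreport\t%%')

host=$(seen_host "$ERR")
for account in aegir aegir_root; do
  printf '%s\n' "$GRANTS" | check_grants "$account" "$host" ||
    echo "no account for $account@$host"
done
```

In the sample, `aegir_root` only has a `localhost` account, which is the state one commenter had to fix after the server hostname stopped resolving to localhost.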
Thanks
Adrian, thanks for the clarification, it all makes sense
I'll try binding to only the external IP and keep your information at hand whenever I install my other servers.