Help Adding Another Website


Post by Mark Antonso » Fri, 18 Jul 2003 05:44:54



Hello,
    I am the systems administrator for a small law firm.  We host our own
website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we
have a Win2K server that takes care of all other networking duties).  We
have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506
firewall.  This has worked great for serving one domain name, but now we are
starting another company, and need to host another website. Since we're
already hosting our own on this server (and it's not even close to being
fully utilized), it would be nice if we could use our existing equipment.  I
know we'll definitely need to get another IP from Cox and have the domain
name point to that, but I'm not sure what to do from there.  My best guess
was I'd need to get another Cisco firewall, and set it up as follows:

Cable Modem -> Hub -> Firewall 1    -> Rest of network including NIC 1 on FreeBSD server
                                    -> Firewall 2    -> NIC 2 on FreeBSD server

I assume Apache and Sendmail would be ok in this situation?  Any information
on how best to accomplish all this is greatly appreciated!

 
 
 


Post by Ken Kauffma » Fri, 18 Jul 2003 06:06:27



| Hello,
|     I am the systems administrator for a small law firm.  We host our own
| website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we
| have a Win2K server that takes care of all other networking duties).  We
| have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506
| firewall.  This has worked great for serving one domain name, but now we are
| starting another company, and need to host another website. Since we're
| already hosting our own on this server (and it's not even close to being
| fully utilized), it would be nice if we could use our existing equipment.  I
| know we'll definitely need to get another IP from Cox and have the domain
| name point to that, but I'm not sure what to do from there.  My best guess
| was I'd need to get another Cisco firewall, and set it up as follows:
|
| Cable Modem -> Hub -> Firewall 1    -> Rest of network including NIC 1 on FreeBSD server
|                                     -> Firewall 2    -> NIC 2 on FreeBSD server
|
| I assume Apache and Sendmail would be ok in this situation?  Any information
| on how best to accomplish all this is greatly appreciated!
|
|

Given that you are going to use the same box and its Cox Business Cable
modem....

I would set up the new DNS record to point to the **same IP** and use Name
Based resolution in Apache.  Apache will make differentiation of the named
server being accessed and pull content from the appropriate doc root
directory.

If you are planning to run OTHER services besides www, then you should split
them out.  You would still need to configure apache to respond to requests
on a certain IP/name.  Check out the docs on apache.org regarding virtual
hosting.

You might check the sendmail docs on hosting multiple domains. Also, quite a
few people have posted things in the newsgroups.  Use groups.google.com.

ken k

 
 
 


Post by Barry Margoli » Fri, 18 Jul 2003 05:58:27




>Hello,
>    I am the systems administrator for a small law firm.  We host our own
>website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we
>have a Win2K server that takes care of all other networking duties).  We
>have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506
>firewall.  This has worked great for serving one domain name, but now we are
>starting another company, and need to host another website. Since we're
>already hosting our own on this server (and it's not even close to being
>fully utilized), it would be nice if we could use our existing equipment.  I
>know we'll definitely need to get another IP from Cox and have the domain
>name point to that, but I'm not sure what to do from there.

No you don't.  You can usually use the same IP address for both websites,
and this is generally preferred.  Just have both DNS entries point to your
IP.

In the Apache documentation, look up "VirtualHost" for information on how
to configure multiple virtual hosts.  If you have questions about
configuring Apache, comp.infosystems.www.servers.unix is the right group.

--

Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

 
 
 


Post by Jeff Cochr » Fri, 18 Jul 2003 21:36:25




>    I am the systems administrator for a small law firm.  We host our own
>website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we
>have a Win2K server that takes care of all other networking duties).  We
>have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506
>firewall.  This has worked great for serving one domain name, but now we are
>starting another company, and need to host another website. Since we're
>already hosting our own on this server (and it's not even close to being
>fully utilized), it would be nice if we could use our existing equipment.  I
>know we'll definitely need to get another IP from Cox and have the domain
>name point to that, but I'm not sure what to do from there.  My best guess
>was I'd need to get another Cisco firewall, and set it up as follows:

>Cable Modem -> Hub -> Firewall 1    -> Rest of network including NIC 1 on FreeBSD server
>                                    -> Firewall 2    -> NIC 2 on FreeBSD server

>I assume Apache and Sendmail would be ok in this situation?  Any information
>on how best to accomplish all this is greatly appreciated!

Why the post to the NT Admin group for a BSD/Apache question?

Apache can run two sites just fine on one IP.  Sendmail may need a
second static IP.  In either case, you don't need a second
firewall/NIC/connection/etc. unless you need it for business reasons
and not technical ones.

Jeff
===================================
Jeff Cochran (IIS MVP)

I don't get much time to respond to direct email,
so posts here will have a better chance of getting
an answer.  Besides, everyone benefits here.

Suggested resources:
http://www.iisfaq.com/
http://www.iisanswers.com/
http://www.iistoolshed.com/
http://securityadmin.info/
http://www.aspfaq.com/
http://support.microsoft.com/
====================================

 
 
 


Post by Xyer » Fri, 18 Jul 2003 23:12:23





> >Hello,
> >    I am the systems administrator for a small law firm.  We host our own
> >website/email on a FreeBSD 4.5 machine using Apache 1.3 and Sendmail (we
> >have a Win2K server that takes care of all other networking duties).  We
> >have a Cox Business cable modem with 1 IP connected to a Cisco PIX 506
> >firewall.  This has worked great for serving one domain name, but now we are
> >starting another company, and need to host another website. Since we're
> >already hosting our own on this server (and it's not even close to being
> >fully utilized), it would be nice if we could use our existing equipment.  I
> >know we'll definitely need to get another IP from Cox and have the domain
> >name point to that, but I'm not sure what to do from there.

> No you don't.  You can usually use the same IP address for both websites,
> and this is generally preferred.  Just have both DNS entries point to your
> IP.

> In the Apache documentation, look up "VirtualHost" for information on how
> to configure multiple virtual hosts.  If you have questions about
> configuring Apache, comp.infosystems.www.servers.unix is the right group.

Indeed. Name based virtual hosting means you can have 100 web sites,
each with totally different names all being served from 1 box with 1
IP address.

What you may also like to do is bind another IP address to the NIC in
your webserver, that way you can use the firewall to assign levels of
security on a per-site basis. (Eg. maybe out of your 100 websites, 1
of them should be HTTPS only). You can then use IP based virtual
hosting.

Love,
Me :)
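
The two approaches described in the replies above, sketched as an Apache 1.3 `httpd.conf` fragment. This is an added example, not part of any poster's message; the hostnames, paths and addresses are placeholders, and the addresses are the ones the server itself listens on (behind a NAT firewall those are its internal addresses).

```apache
# httpd.conf fragment, Apache 1.3 syntax. Added example: every hostname,
# address and path below is a placeholder.
#
# 192.0.2.10  shared address: both sites' DNS records resolve to it
# 192.0.2.11  optional second address bound to the same NIC, for a site
#             that needs its own firewall policy

# Name-based hosting: Apache picks the vhost from the Host: request header.
NameVirtualHost 192.0.2.10

# The first vhost listed for a NameVirtualHost address is the default.
# Requests with a missing or unknown Host header land here, so make it
# an empty catch-all rather than one of the real sites.
<VirtualHost 192.0.2.10>
    ServerName catchall.example.invalid
    DocumentRoot /usr/local/www/empty
    <Directory /usr/local/www/empty>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName www.lawfirm.example
    ServerAlias lawfirm.example
    DocumentRoot /usr/local/www/lawfirm
    ErrorLog /var/log/httpd-lawfirm-error.log
    TransferLog /var/log/httpd-lawfirm-access.log
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName www.newco.example
    ServerAlias newco.example
    DocumentRoot /usr/local/www/newco
    ErrorLog /var/log/httpd-newco-error.log
    TransferLog /var/log/httpd-newco-access.log
</VirtualHost>

# IP-based hosting: no NameVirtualHost line for this address, so every
# request arriving on 192.0.2.11 is served by this vhost regardless of
# the Host header. The firewall can then filter this site by address.
<VirtualHost 192.0.2.11>
    ServerName secure.newco.example
    DocumentRoot /usr/local/www/newco-secure
    ErrorLog /var/log/httpd-newco-secure-error.log
    TransferLog /var/log/httpd-newco-secure-access.log
</VirtualHost>
```

Separate log files per site keep each company's access records apart, which matters when the two sites belong to different businesses on one box.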

 
 
 


Post by Mark Antonso » Sat, 19 Jul 2003 23:29:22


Thanks to everyone who has replied so far.  I talked with my boss this
morning, and for business reasons, he's decided he wants a separate server
now.  Now in this situation, I'm assuming it'll end up something like I had
before:

Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
                                   -> Firewall 2 -> New Server

What kind of firewall would you guys recommend for the new server?  Do I
really need another PIX 506 or could I get by with a 501 or something less?

Thanks,
Mark



 
 
 


Post by Joe Beanfis » Sun, 20 Jul 2003 02:28:51



> Thanks to everyone who has replied so far.  I talked with my boss this
> morning, and for business reasons, he's decided he wants a separate server
> now.  Now in this situation, I'm assuming it'll end up something like I had
> before:

> Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
>                                    -> Firewall 2 -> New Server

Do you really need the servers isolated from each other by firewall?
You could do this (which is probably more common)

 Cable Modem -> Firewall -> Hub -> Network and Old Server
                                   New Server

Personally though I would replace "Hub" with "Switch".

 
 
 


Post by Bit Twiste » Sun, 20 Jul 2003 03:27:41



>> Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
>>                                    -> Firewall 2 -> New Server

> Do you really need the servers isolated from each other by firewall?
> You could do this (which is probably more common)

It would help keep malware installed on the New Server from
getting easy access to boxes on the Old server network.
 
 
 


Post by Mark Antonso » Sun, 20 Jul 2003 04:13:43


After some more thought (and talking with another Unix/Linux guy I know),
I'm thinking now that I'll just put the new BSD machine out there on its
own.  Unfortunately, the PIX 506 doesn't support more than 2 interfaces, and
the boss wants separate IP addresses for both websites.  So I think I'll end
up with something like this:

Cable Modem -> Switch -> Cisco PIX and existing network
                                       -> New BSD server

I think this should be ok, and I plan on locking the new BSD machine down as
much as possible and keeping it patched religiously (FreeBSD 5.1, Apache 2,
and Qmail are all I plan on running on it, besides SSH for admin, etc.  No
ftp or telnet).




 
 
 


Post by Jeff Cochr » Tue, 22 Jul 2003 21:54:07


At least use one of the open source firewall methods on the system,
and probably an ID system such as Snort would be a good idea.

Jeff




 
 
 


Post by Joe Beanfis » Wed, 23 Jul 2003 02:09:35






> > >> Cable Modem -> Hub -> Firewall 1 -> Network and Old Server
> > >>                                    -> Firewall 2 -> New Server

> > > Do you really need the servers isolated from each other by firewall?
> > > You could do this (which is probably more common)

> > It would help keep malware installed on the New Server from
> > getting easy access to boxes on the Old server network.

> I'm thinking now that I'll just put the new BSD machine out there on its
> own.  Unfortunately, the PIX 506 doesn't support more than 2 interfaces, and
> the boss wants separate IP addresses for both websites.  So I think I'll end
> up with something like this:

> Cable Modem -> Switch -> Cisco PIX and existing network
>                                        -> New BSD server

> I think this should be ok, and I plan on locking the new BSD machine down as
> much as possible and keeping it patched religiously (FreeBSD 5.1, Apache 2,
> and Qmail are all I plan on running on it, besides SSH for admin, etc.  No
> ftp or telnet).

Unless you're using "interface" to mean "ip" you don't need multiple
interfaces. An "interface" is generally an ethernet port or such. Just plug
the cable modem into the firewall's incoming port and plug the firewall's
outgoing port into the hub/switch. Then plug as many other devices as
desired into the hub/switch. Then all devices are protected from the
outside (but not from each other).

Also, don't be fooled into thinking there's anything particularly more
secure about ssh rather than telnet. That's only true in the case of packet
sniffing. You're more likely to get broken into because of flaky software.
ssh is equally vulnerable to such attacks.

 
 
 


Post by Mark Antonso » Thu, 24 Jul 2003 00:03:25


I said interface because my boss wants to use separate IP addresses, and (I
may be wrong) but I'm under the assumption that you can't bind multiple IP
addresses to a single interface on the Cisco PIX.  That would mean I would
need another interface to support another external IP.  But I think the way
I'm doing it will be easy and secure enough, I'll definitely look into Snort
and use complex passwords.  Thanks for all the help though group!

Mark





