Iptables – Tomcat and Apache on one machine with two IPs

Tags: apache-2.2, iptables, tomcat

I have a simple static website (foo.com) served with Apache2. The static website has a link to get to an application served using tomcat. To do so, the link just points to foo.com:8080/app

The end goal is to avoid having the port number. I also want to avoid using mod_proxy or mod_jk because the two contents (the static pages and the app) are fairly unrelated, so I think it would be overkill. The common use case is static page->app [never come back]

Here are some options I have considered:

  1. Run the app on a different machine, and map its IP to a subdomain (s1.foo.com). Then on this machine, use iptables to forward the 80 port to 8080, so that s1.foo.com/app works as expected.

  2. Get an additional IP address for the one server. Have a subdomain point to that IP address, then use iptables to forward IP:8080 to IP:80.

My questions are 1) Are these sensible? 2) What steps should I follow so that I don't mess up my rule chains? 3) Are there better alternatives?

Thank you,

Best Answer

Your best option is to get a second IP for the server, set it up as an IP alias. The first IP is set on network interface eth0, the next one on eth0:0 (a third would be eth0:1, and so on).

Here's a general guide, but it might be easier to look for recent instructions for your Linux distro specifically:

http://www.cyberciti.biz/faq/linux-creating-or-adding-new-network-alias-to-a-network-card-nic/

Once you've done that, you set Apache up to bind to the first IP (as it is now) and Tomcat to bind to the new IP, e.g.

eth0   - 192.168.0.1 - Apache
eth0:0 - 192.168.0.2 - Tomcat

Then set your DNS up something like:

example.org        - 192.168.0.1
tomcat.example.org - 192.168.0.2

No need to use :8080 at all, or any redirection/IP Tables forwarding. The links just point to http://tomcat.example.org/whatever/

Note that it is a new network interface, so you will want to check your IPTables rules and:

a) Close port 8080 on your first interface when you are no longer using it

b) Make sure you check / set IPTables to lock down the new IP address so only port 80 is allowed in.
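The two-IP layout the answer describes, written out as an added example that is not part of the original answer: the addresses are the answer's example values, and the Apache `Listen` line, the Tomcat connector `address` attribute and the iptables rules are my assumptions about how to apply it. Rules are emitted as text so they can be reviewed against your existing chains before being installed.

```shell
#!/bin/sh
# Added example: bind Apache and Tomcat to separate addresses and lock the
# new address down to port 80. Values below are the answer's sample IPs.
APACHE_IP="192.168.0.1"   # eth0   - static site
TOMCAT_IP="192.168.0.2"   # eth0:0 - Tomcat

# Apache (httpd.conf / ports.conf): listen only on the first address.
apache_listen() {
    printf 'Listen %s:80\n' "$APACHE_IP"
}

# Tomcat (server.xml): bind the HTTP connector to the second address on
# port 80. Assumes Tomcat is permitted to bind a port below 1024.
tomcat_connector() {
    printf '<Connector address="%s" port="80" protocol="HTTP/1.1" />\n' "$TOMCAT_IP"
}

# iptables INPUT rules: allow only port 80 to the new address, drop the
# rest, and close 8080 on the first address now that it is unused.
# -A appends, so check "iptables -S INPUT" for an earlier rule that
# already accepts everything before relying on these.
fw_rules() {
    cat <<EOF
iptables -A INPUT -d $TOMCAT_IP -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -d $TOMCAT_IP -j DROP
iptables -A INPUT -d $APACHE_IP -p tcp --dport 8080 -j DROP
EOF
}

# Number of generated rules that target one of the two addresses.
rule_count() {
    fw_rules | grep -c -- '-d '
}

case "${1:-}" in
    --apply) fw_rules | sh ;;                          # as root
    *)       apache_listen; tomcat_connector; fw_rules ;;
esac
```

Run without arguments to review the generated settings; `--apply` pipes the rules into a shell and must be run as root.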