Difference between revisions of "Ubuntu Virtual Servers"

(Changing the SSH port)
(Added a glossary link to Configuration~)
 
(44 intermediate revisions by one other user not shown)
Line 1: Line 1:
(This entire section is under construction.)
+
The idea is to use a URL (such as ''www.exampledomain.org'' or ''vistaserver1.exampledomain.org'') for your site (that is registered on an Internet [http://en.wikipedia.org/wiki/Domain_Name_System DNS] (Domain Name Server)) to access the VistA server, instead of using the actual IP address of the server. Most [[configuration~|Configuration]]s involve a LAN, and usually the registered URL will not point to the (LAN) IP address of the VistA server itself (within the LAN), but to the (WAN, or Internet) IP address of the '''router''' for the LAN. Therefore, communications arriving at the '''router''' must be forwarded from the router (connected to the Internet) to the VistA server (within the LAN) properly.
  
The idea is to use a URL (such as ''worldvista.myoffice.org'') for your site (that is registered on an Internet DNS (Domain Name Server)) to access the VistA server, instead of using the actual IP address of the server. Most configurations involve a LAN, and usually the registered URL will point not to the (LAN) IP address of the server itself (within the LAN), but to the (WAN, or Internet) IP address of the router. Therefore, communications arriving at the router must be forwarded from the router (connected to the Internet) to the server (within the LAN) properly.
+
=== NAT ===
 +
Consumer-grade routers generally use [http://en.wikipedia.org/wiki/Network_address_translation NAT] port-forwarding to send traffic that arrives at the router to a specific server within the LAN (such as the one hosting the VistA server). Certain types of traffic can be designated as flowing over "ports" and (in the simplest scenario) a specific server can be designated as the destination on the LAN to which all the traffic over a specific port will be sent.  
  
=== NAT ===
+
Your router's [[configuration~|Configuration]] utility (often accessible from a web browser) allows you to configure "NAT port forwarding" so that traffic arriving at a certain port (such as port 22) will be "forwarded" to a specific server on the LAN (which will have its own unique IP address within the LAN).
Consumer-grade routers generally use NAT port-forwarding to send traffic that arrives at the router to a specific server within the LAN (such as the one hosting the VistA server). Certain types of traffic can be designated as flowing over "ports" and (in the simplest scenario) a specific server can be designated as the destination on the LAN to which all the traffic over a specific port will be sent.
+
 
 +
With Astronaut, all communications are sent through a secure [http://en.wikipedia.org/wiki/Secure_Shell SSH] tunnel. By convention, SSH communications are usually sent on port 22 (but that [[Changing_the_Astronaut_SSH_port|can be changed]]). If you only have one SSH server on your LAN, using port 22 will be fine. However, if there is more than one SSH server on your LAN, or if you want a modicum of greater security, then a [[Changing_the_Astronaut_SSH_port|different port can be used for SSH]] for each host.)
 +
 
 +
Make sure the [http://ubuntuguide.org/wiki/Ubuntu:Karmic#Firewall firewall] (if any) on the Ubuntu Server OS (in which the VistA server is installed) does not block port 22 (or whichever port you have decided to use for SSH traffic)!
  
Your router's configuration utility (often accessible from a web browser) allows you to configure "NAT port forwarding" so that traffic arriving at a certain port (such as port 22) will be "forwarded" to a specific server on the LAN (which will have its own unique IP address within the LAN).
+
== Using virtual hosts for the Ubuntu server ==
 +
Unlike Apache, OpenSSH does not allow true virtual hosts.
 +
 
 +
However, most large networks will often have more than one server listening for SSH connections. In general, I recommend merely [[Changing_the_Astronaut_SSH_port|changing the SSH port]] number for the VistA server and forwarding that specific port to the VistA server. Then the [[configuration~|Configuration]] is simple. The URL used for SSH remains the same URL that is used for the entire LAN. Only the port changes.
  
With Astronaut, all communications are sent through a secure SSH tunnel. By convention, SSH communications are usually sent on port 22 (but that can be changed). If you only have one SSH server on your LAN, using port 22 will be fine. However, if there are more than one SSH servers on your LAN, or if you want a modicum of greater security, then a [[#Changing the SSH port|different port can be used for SSH]].)
+
To reiterate, if you have multiple SSH hosts on your network (e.g. for multiple VistA servers), then each SSH host will need to have a unique port.
  
== Edit the virtual hosts file in the Ubuntu server ==
+
Each host will need to have its unique SSH port specified in the sshd-config file found in the /etc/ssh folder on that host. The router will have the job of forwarding each port appropriately.
The virtual host file tells the server to expect traffic arriving with the URL (''worldvista.myoffice.org''), and that it is indeed meant for server communications through port 22.  
 
  
This step is not strictly necessary if the computer hosting the VistA server has no other servers on it, and there are no other SSH servers or VistA servers on the LAN.  
+
<!--->However, you can also have a unique URL for the exclusive use of your VistA Server. It would also be associated with the (WAN) IP address of your LAN (/router), but within the LAN it would advertise itself as the server to which ant traffic sent to that unique URL should be forwarded.
  
But most networks eventually grow and eventually it is more likely than not that there will be other SSH servers on the LAN, so setting this up in the beginning will save headaches later.
+
For example, let's say that your network has a registered domain name (URL) on the Internet of ''www.exampledomain.org''.  If you were to use the [[Changing_the_Astronaut_SSH_port|first method]], you would merely assign port 22144 to be the SSH port for the VistA server on the network and have the router forward port 22144 to the VistA server (whose OpenSSH server has presumably been configured to be listening on that port).
+
<--->
*Copy and edit a configuration file in the Apache2 sites-available folder.
+
<!--->
 +
I am wrong. There are no virtual hosts for SSH.
 +
Alternatively, the VistA server can have its own registered URL on the Internet, such as ''vistaserver1.exampledomain.org''. The SSH port can remain at port 22 in this scenario. Even if there are other SSH servers on the network using port 22, the router will shop around for the one advertising itself (through a "virtual host" file) as ''vistaserver1.exampledomain.org'' and forward traffic to it.
 +
 
 +
=== Edit the Ubuntu Server Apache2 virtual hosts file ===
 +
*Copy and edit a [[configuration~|Configuration]] file in the Apache2 sites-available folder.
 
  cd /etc/apache2/sites-available
 
  cd /etc/apache2/sites-available
  sudo cp default worldvista
+
  sudo cp default vistaserver1
  sudo kate worldvista
+
  sudo kate vistaserver1
 +
<--->
 
<!--->
 
<!--->
 
*Edit the virtual host file so that it looks like:
 
*Edit the virtual host file so that it looks like:
 
  <VirtualHost *:9260>
 
  <VirtualHost *:9260>
  ServerAdmin webmaster@''worldvista.myoffice.org''
+
  ServerAdmin webmaster@''www.exampledomain.org''
 
  DocumentRoot /opt/worldvista/EHR
 
  DocumentRoot /opt/worldvista/EHR
  ServerName ''worldvista.myoffice.org''
+
  ServerName ''vistaserver1.exampledomain.org''
  ServerAlias www.''worldvista.myoffice.org'' ''worldvista.myoffice.org''
+
  ServerAlias www.''vistaserver1.exampledomain.org'' ''vistaserver1.exampledomain.org''
 
  </VirtualHost>
 
  </VirtualHost>
 
<--->
 
<--->
 +
<!--->
 
*Edit the virtual host file so that it looks like:
 
*Edit the virtual host file so that it looks like:
 
  <VirtualHost *:22>
 
  <VirtualHost *:22>
  ServerAdmin webmaster@''worldvista.myoffice.org''
+
  ServerAdmin webmaster@''worldvista.exampledomain.org''
 
  DocumentRoot /opt/worldvista/EHR
 
  DocumentRoot /opt/worldvista/EHR
  ServerName ''worldvista.myoffice.org''
+
  ServerName ''vistaserver1.exampledomain.org''
  ServerAlias www.''worldvista.myoffice.org'' ''worldvista.myoffice.org''
+
  ServerAlias www.''vistaserver1.exampledomain.org'' ''vistaserver1.exampledomain.org''
 
  </VirtualHost>
 
  </VirtualHost>
where ''worldvista.myoffice.org'' is an example URL for your server (use your own, of course)
+
where ''vistaserver1.exampledomain.org'' is an example URL for your VistA server (use your own, of course). If using OpenVistA instead of WorldVistA, then set the DocumentRoot as /opt/openvista/EHR.
  
 
*Restart Apache2:
 
*Restart Apache2:
 
  sudo /etc/init.d/apache2 restart
 
  sudo /etc/init.d/apache2 restart
 +
<--->
 
<!--->
 
<!--->
 
*Make sure your router forwards port 9260 to the (static) IP address (on your LAN) at which the computer (or virtual machine) hosting the VistA server resides.
 
*Make sure your router forwards port 9260 to the (static) IP address (on your LAN) at which the computer (or virtual machine) hosting the VistA server resides.
 
<--->
 
<--->
*Make sure your router forwards port 22 to the (static) IP address (on your LAN) at which the computer (or virtual machine) hosting the VistA server resides.
+
<!--->
 +
*Troubleshooting
  
==== Changing the SSH port ====
+
:*Make sure your router forwards port 22 to the (static) IP address (on your LAN) at which the computer (or virtual machine) hosting the VistA server resides during testing. If this works then try turning off the port forwarding to see if the virtual host method is functioning.
(Under construction).
+
<--->
 
 
* See [http://ubuntuguide.org/wiki/Ubuntu:Karmic#Setup_an_SSH_server Ubuntuguide's section on SSH] in the meantime.
 
 
 
This is not a trivial task, but for production systems may be worthwhile. (I have done it on all my systems).
 
 
 
* Change the SSH port in PuTTY.
 
 
 
* Change the SSH port in the Apache2 virtual hosts file (if present).
 
 
 
* Change the SSH port in the OpenSSH configuration file.
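
Review bot: in the last added paragraph ("Each host will need to have its unique SSH port specified in the sshd-config file"), the file name is wrong; the OpenSSH server configuration file in /etc/ssh is sshd_config, so please correct it so readers edit the right file. The added Astronaut paragraph also ends with an unmatched ")" after "for SSH]] for each host.". The commented-out block keeps "I am wrong. There are no virtual hosts for SSH." next to the "Alternatively, ..." paragraph saying the router will find the host through a "virtual host" file, plus a <VirtualHost *:22> stanza; since the visible text now states that OpenSSH does not allow true virtual hosts, consider deleting that block instead of leaving it commented in the page source.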
 

Latest revision as of 19:32, 17 December 2012

The idea is to use a URL (such as www.exampledomain.org or vistaserver1.exampledomain.org) for your site (that is registered on an Internet DNS (Domain Name Server)) to access the VistA server, instead of using the actual IP address of the server. Most configurations involve a LAN, and usually the registered URL will not point to the (LAN) IP address of the VistA server itself (within the LAN), but to the (WAN, or Internet) IP address of the router for the LAN. Therefore, communications arriving at the router must be forwarded properly from the router (connected to the Internet) to the VistA server (within the LAN).

NAT

Consumer-grade routers generally use NAT port-forwarding to send traffic that arrives at the router to a specific server within the LAN (such as the one hosting the VistA server). Certain types of traffic can be designated as flowing over "ports" and (in the simplest scenario) a specific server can be designated as the destination on the LAN to which all the traffic over a specific port will be sent.

Your router's configuration utility (often accessible from a web browser) allows you to configure "NAT port forwarding" so that traffic arriving at a certain port (such as port 22) will be "forwarded" to a specific server on the LAN (which will have its own unique IP address within the LAN).

With Astronaut, all communications are sent through a secure SSH tunnel. By convention, SSH communications are usually sent on port 22 (but that can be changed). If you only have one SSH server on your LAN, using port 22 will be fine. However, if there is more than one SSH server on your LAN, or if you want a modicum of greater security, then a different port can be used for SSH for each host.

Make sure the firewall (if any) on the Ubuntu Server OS (in which the VistA server is installed) does not block port 22 (or whichever port you have decided to use for SSH traffic)!

Using virtual hosts for the Ubuntu server

Unlike Apache, OpenSSH does not allow true virtual hosts.

However, large networks will often have more than one server listening for SSH connections. In general, I recommend merely changing the SSH port number for the VistA server and forwarding that specific port to the VistA server. Then the configuration is simple. The URL used for SSH remains the same URL that is used for the entire LAN. Only the port changes.

To reiterate, if you have multiple SSH hosts on your network (e.g. for multiple VistA servers), then each SSH host will need to have a unique port.

Each host will need to have its unique SSH port specified in the sshd_config file found in the /etc/ssh folder on that host. The router will have the job of forwarding each port appropriately.
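
One way to check the arrangement described above before opening the ports on the router, as an added example that is not part of the original page. The plan-file format, the LAN addresses and the file names are hypothetical; port 22144 is the page's own example, and the script assumes the router forwards each WAN port to the same port number on the LAN host.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the router forwards each
# WAN port to the same port number on the LAN host, as the page describes.

# Print the port(s) sshd listens on according to one sshd_config file.
# Keywords are case-insensitive; with no Port line sshd defaults to 22.
sshd_ports() {
    awk '{ sub(/#.*/, "") }                  # strip comments
         tolower($1) == "port" { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# Check a forwarding plan whose lines read "WAN_PORT LAN_IP SSHD_CONFIG".
# Prints one line per problem; the return status is the number of problems.
check_plan() {
    problems=0
    seen=" "
    while read -r wan ip cfg; do
        case "$wan" in ''|\#*) continue ;; esac
        case "$seen" in *" $wan "*)
            echo "DUPLICATE: port $wan is forwarded more than once ($ip)"
            problems=$((problems + 1)) ;;
        esac
        seen="$seen$wan "
        if ! sshd_ports "$cfg" | grep -qx "$wan"; then
            echo "MISMATCH: router sends $wan to $ip, but sshd there listens on" \
                 "$(sshd_ports "$cfg" | tr '\n' ' ')"
            problems=$((problems + 1))
        fi
    done < "$1"
    return "$problems"
}

# Constructed sample: two hosts; the second still has the default port.
demo() {
    d=$(mktemp -d)
    printf 'Port 22144\n' > "$d/vista1_sshd_config"
    printf '#Port 22\n'   > "$d/vista2_sshd_config"
    cat > "$d/plan" <<EOF
# WAN_PORT LAN_IP SSHD_CONFIG
22144 192.168.1.10 $d/vista1_sshd_config
22145 192.168.1.11 $d/vista2_sshd_config
EOF
    rc=0
    check_plan "$d/plan" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "$? problem(s) found"
```

On a real network, copy each host's /etc/ssh/sshd_config next to the plan file and call check_plan on it; remember that the host firewall must also allow the chosen port.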