Don,

It can be a bit confusing if you don't do this every day.  I have 6 websites on my i that all listen on port 443 on the same IP (because I only have one public IP).  So I use a reverse proxy to handle the traffic.  One of my http instances, cleverly called "Rev_Proxy", routes traffic to the different websites.  Granted, those websites are listening on different ports (eventually) but in "Reverse_Proxy" they all listen on 443.  I'll try to simplify the example but you may want to do some reading on Apache reverse proxies.  HTTP server on i has a few quirks but the basic structure on a "regular" Apache server will match what HTTP Server on i has.

SO, the Rev_Proxy instance has this:

Listen 10.0.10.140:80
Listen 10.0.10.140:443

So the "main" IP listens on both 80 and 443, mainly so I can catch the 80 traffic and reroute it to 443...

Each virtual instance follows this pattern:


#
## Petes Workshop Stuff ##
#

<VirtualHost 10.0.10.140:80>

ServerName www.petesworkshop.com

DocumentRoot /www/petes/htdocs

<Directory /www/petes/htdocs>
    Require all granted
</Directory>

Redirect permanent / https://www.petesworkshop.com/

</VirtualHost>


<VirtualHost 10.0.10.140:443>
ServerName www.petesworkshop.com
ServerAlias petesworkshop.com *.petesworkshop.com

SSLEngine On
SSLAppName QIBM_HTTP_SERVER_PETES
DocumentRoot /www/petes/htdocs


SSLServerCert petesworkshop

Notice the port 80 redirect to 443 and also pay attention to the ServerName, Server Alias, SSLServerCert and SSLAppName directives.  This uniquely identifies the server URL (basically) that the virtual host "looks" for in order to properly direct the traffic.

I won't give you all 6 examples but here is a complete one for a second virtual host.  Note that it ALSO listens on port 80 and 443 on the SAME IP:

#
## OSSGARDEN  ##
#

<VirtualHost 10.0.10.140:80>

ServerName www.ossgarden.org

Redirect permanent / https://www.ossgarden.org/

</VirtualHost>


<VirtualHost 10.0.10.140:443>
ServerName www.ossgarden.org
ServerAlias ossgarden.org
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_OSSGARDEN

DocumentRoot /www/ossgarden/htdocs

SSLServerCert ossgarden

<Directory /www/ossgarden/htdocs>
    Require all granted
</Directory>

SSLProtocolDisable SSLv3 TLSv1 TLSv1.1

ProxyTimeout 300

ProxyPreserveHost on

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

ProxyPass / http://10.0.10.140:5580/
ProxyPassReverse / http://10.0.10.140:5580/

</VirtualHost>

Note in this case I included the ProxyPass directives which point the traffic to the REAL web instance running on a different port. So the basic recipe I use is:

1) Create an instance for a website using a different port (whether it is a different IP or the same doesn't matter)

2) Create a virtualhost entry for that website in the reverse proxy instance which is listening for the port 80 and 443 traffic.

3) In that virtualhost add the ServerName, ServerAlias, SSLAppName, SSLServerCert and the other SSL directives for that virtualhost.

4) In that virtualhost also add the ProxyPass directives that point to your "real" website/port/ip

Rinse and repeat for all your sites.....

The only downside to this approach is that you have to bounce the reverse proxy when you update your certificates.  I use LetsEncrypt so I have to bounce at least every 90 days.  Someday IBM will add a "graceful restart" option to the HTTP server, like other Apache implementations have.

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
GIAC Cloud Penetration Tester
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
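
An added example, not part of Pete's message: a small Python check that parses a reverse-proxy config and flags :443 virtual hosts that lack any directive used in the complete example above, or that repeat a ServerName on the same address. The sample config, its host names and the rule that every TLS block needs all seven directives are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample (placeholder names); the second :443 block is deliberately incomplete.
SAMPLE = """
<VirtualHost 10.0.10.140:443>
ServerName www.example.org
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_EXAMPLE
SSLServerCert example
SSLProtocolDisable SSLv3 TLSv1 TLSv1.1
ProxyPass / http://10.0.10.140:5580/
ProxyPassReverse / http://10.0.10.140:5580/
</VirtualHost>
<VirtualHost 10.0.10.140:443>
ServerName www.example.org
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_OTHER
ProxyPass / http://10.0.10.140:5581/
</VirtualHost>
"""
REQUIRED = "ServerName SSLEngine SSLAppName SSLServerCert SSLProtocolDisable ProxyPass ProxyPassReverse".split()

def parse_vhosts(text):  # -> [(address, {directive_lowercase: [args]})], one per <VirtualHost>
    vhosts, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if m:
            cur = (m.group(1), defaultdict(list))
        elif cur is None or not line or line.startswith("#"):
            continue                      # global directive, blank line or comment
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(cur)
            cur = None
        elif not line.startswith("<"):    # ignore nested <Directory> tags
            name, _, args = line.partition(" ")
            cur[1][name.lower()].append(args.strip())
    return vhosts

def lint(text):
    findings, seen = [], set()
    for addr, d in parse_vhosts(text):
        host = (d.get("servername") or ["<none>"])[0].lower()
        if addr.endswith(":443"):         # TLS blocks must carry the full recipe
            findings += [f"{host}@{addr}: missing {r}" for r in REQUIRED if r.lower() not in d]
        if (addr, host) in seen:          # Apache serves the first matching block
            findings.append(f"{host}@{addr}: duplicate ServerName")
        seen.add((addr, host))
    return findings
```

Calling lint() on the text of the reverse-proxy config before bouncing the instance returns one line per problem, and an empty list when every block follows the recipe.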

On 5/19/2024 8:38 AM, Javier Sanchez wrote:
Right Brad. This is just an example for Don.

On Sun, May 19, 2024, 7:10 a.m., Brad Stone <bvstone@xxxxxxxxx> wrote:

I never use * for IP address. You can easily set up one specifically for
each server as mentioned before.

You can specify more than one IP in an HTTP config as well as multiple
ports.

On Sat, May 18, 2024 at 10:59 PM Javier Sanchez <
javiersanchezbarquero@xxxxxxxxx> wrote:

Hey Don,

As I said, if you have time, you will have to dig in with this:

https://www.ibm.com/support/pages/http-server-i

The Apache Server configuration for a virtual server needs previous
knowledge of Apache, not necessarily expert level, but reading a bit and
following related links, you can find your way out. You have to know where
the Apache's config file is in your IFS and add the <VirtualHost> entries
that you need. An additional information source could also help a bit more
with this link:

https://httpd.apache.org/docs/2.4/es/vhosts/examples.html

The above gives you a simple example:

# Ensure that Apache listens on port 80
Listen 80
<VirtualHost *:80>
DocumentRoot "/www/example1"
ServerName www.example.com

# Other directives here
</VirtualHost>

<VirtualHost *:80>
DocumentRoot "/www/example2"
ServerName www.example.org

# Other directives here
</VirtualHost>

Dig in a bit more and you'll get it. It's not that hard.

If not, then you "can" always assign a new IP address to your network
interface.

Try it out! You can!

JS

On Sat, May 18, 2024 at 21:25, Javier Sanchez (<javiersanchezbarquero@xxxxxxxxx>) wrote:

Don, what Jack is saying is that "you do not need to assign a different IP
address" to your IBMi for your tests. You "can" do it. You can administer
the new IP Address with the CFGTCP command and then follow what you need to
do. It's a simple thing to do.

But the essence is, you could configure a virtual server in the Apache
server's configuration file. If you do not know how to do that, you can do
the above, yes, assign a different IP address to your network card's
resource. If you have time, the latter is recommended. Choose your flavor.
HTH.

JS

You can do either one.

On Sat, May 18, 2024 at 21:04, Don Brown via MIDRANGE-L (<midrange-l@xxxxxxxxxxxxxxxxxx>) wrote:

Hi Jack,

Thank you for your reply but I do not see how I can have 2 different HTTP
servers both listening on port 443 without assigning a different IP
address to each ?

So I currently have HTTP Server ZENDPHP7 listening on port 443.

I am migrating the applications to run with Seiden's Community PHP and I
have a new server APP01 that I also want to listen on port 443

I don't see how I can achieve that with virtual servers or am I not
understanding ?

Thanks

Don



From: "Jack Woehr" <jack.woehr@xxxxxxxxxxx>
To: "midrange-l@xxxxxxxxxxxxxxxxxx" <
midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: "Don Brown" <DBrown@xxxxxxxxxx>
Date: 19/05/2024 12:31 PM
Subject: Re: Assigning IP address to HTTP Server



you don't need separate ip addresses for separate servers
your server software (e.g., Apache) has the notion of virtual servers
or you can configure the instances on different ports if you wish
it's all in the server configuration


From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Don Brown via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx>
Sent: Saturday, May 18, 2024 7:05 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx <midrange-l@xxxxxxxxxxxxxxxxxx>
Cc: Don Brown <DBrown@xxxxxxxxxx>
Subject: Assigning IP address to HTTP Server

I would like to do some testing internally with different versions of PHP.
Currently the HTTP Server configuration is listening on all IP Addresses
(EG *:443)

If I want to have two servers listening on say 443 they would have to be
assigned different addresses (EG 192.168.1.1:443 and 192.168.1.2:443)

I am presuming that where I have two or more HTTP servers listening on the
same port then all the servers would need to have an IP address assigned
that listen on, in this case port 443 ?

Or what happens if we have two servers set up as

Server #1 *:443
Server #2 192.168.1.1:443

I am thinking the results would be unpredictable ?

Is there a better way to do this for internal access ? (External I could
simply redirect to any port I wanted)

Thanks

Don





--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related
questions.






This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
