
Multiple Websites with Single IP address?

I have one IP address and two registered domain names, dogfunplaces.com (with SSL certificate) and catfunplaces.com (without SSL certificate). DNS and Wiki services are configured for a small LAN as well as the wiki site "www.dogfunplaces.com" running from a Mac Mini Server (2012). Web service is not currently configured.


I'd like to continue running the Wiki service, but change the subdomain to "wiki" instead of "www." I'd also like to have a website for testing apps written in PHP, say www.catfunplaces.com, or www.dogfunplaces.com or project1.test.frank.


This was relatively simple to do on my previous MAMP setup. With Mac OS X Server, it's not. In fact, it is very confusing. Despite trying several "solutions" gleaned from this forum, I have yet to achieve what should be a very simple task.


Can anyone point me in the right direction? Thanks in advance!



Mac Mini Server (2012) running OS X 10.10.4

Server App version 4.1.3

DHCP service provided by Airport from my Time Capsule.

MAC MINI SERVER (LATE 2012), OS X Yosemite (10.10), Server 4.0, Time Capsule 2 TB

Posted on Jul 6, 2015 11:20 AM

14 replies

Jul 7, 2015 12:04 PM in response to Francis Drouillard

You absolutely need DNS set up properly here, as it's not the IP address that matters when connecting to a web server, it's the DNS name that the client selects. The client web browser gets the IP address, and it then passes the name of the target web server — the web client passes the name of the target web site — to the server, and the server then selects and displays the associated web site. The IP address is used for IP routing — the connection from the client to the server, but is not particularly relevant — unless the client browser user enters the IP address in the browser, and then that string — like the string containing the domain name, in this case that string is the IP address — is used to select the target web server.

Some related reading...

Now as to setting up proper DNS, you'll likely want or need that on your local network, if you're using NAT. You'll also need public DNS set up for any names you want externally known, and configure those for port-forwarding through whatever you're using as a firewall. If you're at public addresses and not using NAT, then you can configure and use just public DNS servers.

To add virtual hosts — what Apple calls "sites" or "web sites" with 10.7 and later — use Server.app > connect to the server > select Websites > click the + at the bottom of the Websites box to add web sites.

When there's one IP address, SSL/TLS certificates have to include all of the domains involved with that IP address in one certificate; what's called a multiple-domain certificate.

I may receive some form of compensation, financial or otherwise, from my recommendation or link.



Jul 7, 2015 10:42 AM in response to MrHoffman

Thank you Mr. Hoffman. You helped me in the past to get my LAN and Wiki running on server by linking to your excellent instructions at Hoffman labs regarding DNS configuration on Mac OS X Server 3.0.


Some further information: Airport on my Time Capsule is providing DHCP and NAT, but I don't know if my Comcast router is bridged or not, or if that is causing any problems. www.dogfunplaces.com is accessible publicly or locally the way it is now configured. Airport is configured to use public DNS servers for the public IP address. In Mac OS X Server, DNS is configured using private IP addresses.


Before I charge ahead and add another domain name to my SSL certificate, I'd like to disable SSL temporarily as that may be what is preventing me from having any success. I know I used the site insecurely before obtaining an SSL certificate, but I don't know now how it can be disabled in Server. Do you?

Jul 7, 2015 7:53 PM in response to Francis Drouillard

Add the new site into your public DNS as a CNAME (alias) in the public DNS (set the TTL fairly short — maybe an hour, since you're testing), and specifying the same IP address as the other web site; your public IP address. Add the new site into Server.app, as well. Test.


You're going to have to figure out if that Comcast router is a router, or a bridge, or some hybrid. If you tell Comcast support you want to set up the router as a bridge, to allow you to configure your own firewall — the Time Capsule, here — they'll generally be able to help you with the Comcast part of that.


If your Time Capsule and your Comcast are both providing NAT, problems can arise — double-NAT is not a desirable configuration, and you really don't want to deal with that.


To disable or to avoid TLS/SSL, set up a test site without it using Server.app, referencing the same directory that the TLS/SSL site is using.


You're probably going to have to set up forwarding here from HTTP port 80 to HTTPS port 443 too, as it appears you want to get folks over onto 443, and that doesn't happen by default for all browsers. That's usually done by an Apache rewrite rule — I don't have details of that rewrite rule off-hand, but it's a pretty common requirement and it's definitely been posted around the 'net.


Beyond getting this working, you're also going to be dealing with backups and cleanups. A server security breach — content management systems can get breached, weak passwords, some other hole — can sometimes be extended into your OS X Server environment and into your local network. You're potentially exposing all of the contents of the server. The gremlins are always probing the Internet-connected servers for weaknesses.

Jul 8, 2015 8:44 AM in response to MrHoffman

I'll just get the certificates.


The question now is how to obtain a certificate signing request (CSR) for a multiple-domain SSL certificate? Do I simply configure my DNS and additional websites correctly, then try to generate a request? (This forum and the Help files don't address the issue.)


Thanks again for all of your excellent help.

Jul 8, 2015 12:09 PM in response to Francis Drouillard

Francis Drouillard wrote:


I'll just get the certificates.


The question now is how to obtain a certificate signing request (CSR) for a multiple-domain SSL certificate? Do I simply configure my DNS and additional websites correctly, then try to generate a request? (This forum and the Help files don't address the issue.)


Thanks again for all of your excellent help.


OK; there might be an easier (and cheaper) way available now — request certificates for each of the domains, not the UCC / multiple-domain certificate. Server.app now accepts multiple certificates, which makes this easier. Create a CSR for each domain you want, and get those loaded into the Certificates section of Server.app, and then configure the different HTTPS sites to use the associated certificates.
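How the name the client sends selects both the site and the certificate on a single IP (the point made in the first reply about the Host name, and the per-domain certificate option above), as an added Python model; it is not Apache or Server.app code, and the site and certificate names are constructed from the ones used in this thread:

```python
"""Name-based virtual hosting on one IP address: the server picks the site
from the name the client sends (HTTP Host header, TLS SNI), never from the
destination IP.  Added model, not Apache or Server.app code; the site and
certificate names below are constructed from the ones in this thread."""
from dataclasses import dataclass, field

@dataclass
class Site:
    server_name: str
    aliases: list = field(default_factory=list)
    cert_sans: list = field(default_factory=list)   # SAN names of this site's cert; empty = plain HTTP

    def matches(self, host):
        return host in (self.server_name, *self.aliases)

def normalize_host(host_header):
    """Lowercase and drop a :port suffix (a bracketed IPv6 literal is kept whole)."""
    h = host_header.strip().lower()
    if h.startswith('['):
        return h[:h.index(']') + 1]
    return h.rsplit(':', 1)[0] if ':' in h else h

def select_site(requested_name, sites):
    """Apache-style selection: the first site whose ServerName or alias
    matches wins.  With no match (an unconfigured name, or a bare IP typed
    into the browser) the FIRST site in the list is served as the default,
    which is why an unconfigured second domain shows the wiki's page."""
    host = normalize_host(requested_name)
    for site in sites:
        if site.matches(host):
            return site
    return sites[0]

def cert_covers(name, sans):
    """Hostname match as browsers do it: exact SAN, or a wildcard that
    replaces exactly one leftmost label ('*.example.com' covers
    'wiki.example.com' but not 'example.com' or 'a.b.example.com')."""
    name = name.lower()
    for san in (s.lower() for s in sans):
        if san == name:
            return True
        if san.startswith('*.') and name.count('.') == san.count('.') \
                and name.endswith(san[1:]):
            return True
    return False

def tls_outcome(sni_name, sites):
    """Which site answers a TLS handshake for `sni_name`, which certificate
    it presents, and whether that certificate is valid for the requested
    name (False means the browser shows a certificate warning)."""
    site = select_site(sni_name, sites)
    return site.server_name, site.cert_sans, cert_covers(sni_name, site.cert_sans)

# Constructed configurations.
WIKI_ONLY = [Site('www.dogfunplaces.com', cert_sans=['www.dogfunplaces.com'])]
ONE_UCC = ['www.dogfunplaces.com', 'wiki.dogfunplaces.com', 'www.catfunplaces.com']
MULTI_DOMAIN_CERT = [            # one certificate listing every name on the IP
    Site('www.dogfunplaces.com', ['wiki.dogfunplaces.com'], cert_sans=ONE_UCC),
    Site('www.catfunplaces.com', cert_sans=ONE_UCC),
]
PER_SITE_CERTS = [               # one certificate per site, chosen via SNI
    Site('www.dogfunplaces.com', ['wiki.dogfunplaces.com'],
         cert_sans=['*.dogfunplaces.com', 'dogfunplaces.com']),
    Site('www.catfunplaces.com', cert_sans=['www.catfunplaces.com']),
]

if __name__ == '__main__':
    for name in ('www.catfunplaces.com', '10.0.0.19:443'):
        print(f'{name:>22} with only the wiki configured -> {select_site(name, WIKI_ONLY).server_name}')
    for cfg, label in ((MULTI_DOMAIN_CERT, 'multi-domain cert'), (PER_SITE_CERTS, 'per-site certs')):
        for name in ('wiki.dogfunplaces.com', 'www.catfunplaces.com', 'dogfunplaces.com'):
            print(f'{label:>18}: {name:>22} -> {tls_outcome(name, cfg)}')
```

The `WIKI_ONLY` case reproduces the fall-through to the default site and the resulting certificate mismatch for a name that has DNS but no configured site.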

Jul 8, 2015 10:05 PM in response to MrHoffman

8 July 2015


Dear Mr. Hoffman:


I have just finished reading all of your communique between Francis Drouillard and yourself re: One IP Address being used with multiple websites. I selected this subject matter because I am in the process of Purchasing OS X Server Software for a MACBook Pro; however, I am concerned about a few security issues because of all that I have had the misfortune of learning about the serious state of the Internet itself, via the unbelievably awful Windows environment with all of its terrible and scary vulnerability issues, with simply way too many opportunities for all of the intense cyber-crime, everyone copying everybody else's exact same, ridiculous programming languages to use as the code in order to simply be able to learn code itself. This situation, for myself, has given me great pause as I now have a true Unix based operating system; once again, after being away from the entire business community, and everything computer-wise since 1993 when I was using my stand-alone 286 PC-clone computer running original Unix with an entire Accounting System with all of the modules that I needed as a dealer for a company, which I won't name (as they have unfortunately switched the most well-written accounting programs which I had the privilege of using to earn a very good living selling all of their packages to my clients in the beginning of the PC revolution). I am writing from the perspective as an Accountant with a degree and a lot of experience in public accounting training everyone from middle-aged female bookkeepers, with a minimum of doing that particular job manually, for at least twenty years; all the way up to CPAs who were terrified of letting go of their manual spreadsheets.
As a young person in her mid-twenties when I just happened to be in the right place at the right time, I had to be extremely diplomatic in my approach in which I conducted my very serious business; and all of the wonderful clients whom I sold to, trained, and supported throughout all of their fears, sensitivities, and their newly found frontiers. I am NOT a programmer! Not, in any way, form, or fashion. But, I know this much...Only since, May of 2012, when I was only able to afford a Bill Gates computer with all of the distressing nuances that went along with the God-awfully huge, and most insecure operating system on the planet. Anyone, and I mean anyone, can go into Microsoft TechNet and claim to be a "developer"; in order to be able to change whatever they are able to change in the operating system with whatever little know how they may possess, and make programming code changes. As long as they give the proper credit, with their change according to the proper and legal copyright laws, a two-year old is allowed in; in order to wreak havoc, in whatever way they deem to decide to. It's a nightmare to me. I literally broke three computers in two years; in my rage at the reality in which I found this new-fangled world, and the Internet Monster. I was very pleased to read what you wrote about Comcast; as, one of my MAIN concerns is the fact that, I too, have a cable company providing me with my internet service. My question, as a novice to Server, is this: How do I protect myself, company, and my few workers from the use of what my cable company refers to as a router/modem combination, with my one IP address which comes directly from them? My reason for wanting to add Server software to my computer is to have firstly the VPN; in order for my IP to be hidden, wherever I go over the air.
I need to know how to create many different IP addresses; in order to host our own company system, as if initiating anywhere in the world, both internally, and externally to clients who need to be able to connect to a host. And, not for any improper, nor illegal reasons, but simply to keep ourselves, and our company's secrets private for both copyright, and trademarked reasons, and because of all of the cyber crime and corporate espionage. How do I connect with a cable company, and even hide ourselves from them? At least until, we are able to have a whole bunch of land in order to erect our own good old-fashioned satellite dish; or dishes? Please, whoever can answer these questions, please let me know ASAP. Thank you, in advance, Mr. Hoffman; and whosoever will!


Respectfully:


Alexandra M.

LOTW

Jul 9, 2015 5:53 PM in response to MrHoffman

Okay, this is getting extremely frustrating.

First, a status report: After reviewing the advice offered here and trying night after night, I still can't add a virtual host.

Next, a rant: Simple edits to the httpd.conf and hosts file shouldn't be this difficult. Apple could use better documentation on the issue.


Finally, details of what I've done:



I'm a bit puzzled by the Reverse Zone and how it works with catfunplaces.com or test.frank.


From outside my LAN, www.catfunplaces.com points to the registrar of that domain name (GoDaddy). From inside my LAN, www.catfunplaces.com yields the same page as www.dogfunplaces (my wiki site). From inside my LAN, project.test.frank goes to a Google search result page.


Has anyone ever actually gotten this to work? Or does it just work in theory?

Jul 11, 2015 11:32 AM in response to Francis Drouillard

Francis Drouillard wrote:


I'm a bit puzzled by the Reverse Zone and how it works with catfunplaces.com or test.frank.



The DNS A (IPv4) or AAAA (IPv6) record — also known as the machine record — is the primary name for the server. For what you're doing here, all host names other than the primary host name are what are referred to as aliases; CNAME entries. CNAME entries do not have reverse translations.

Jul 11, 2015 12:43 PM in response to renee mariefromwilson

renee mariefromwilson wrote:


8 July 2015


Dear Mr. Hoffman:


I have just finished reading all of your communique between Francis Drouillard and yourself re: One IP Address being used with multiple websites.


I'd ask that you please start your own thread for what are unrelated questions — I tend to get confused by these mixed threads, and unrelated comments and replies and suggestions end up all interspersed.


I selected this subject matter because I am in the process of Purchasing OS X Server Software for a MACBook Pro;


It's not common to run OS X Server on a laptop, as servers are usually powered up and running continuously, and are generally connected to the same network and not roaming around networks. With OS X, it's more typical to have OS X Server on an iMac, Mac Mini or Mac Pro.


however, I am concerned about a few security issues because of all that I have had the misfortune of learning about the serious state of the Internet itself, via the unbelievably awful Windows environment with all of its terrible and scary vulnerability issues, with simply way too many opportunities for all of the intense cyber-crime, everyone copying everybody else's exact same, ridiculous programming languages to use as the code in order to simply be able to learn code itself.


The word "Cyber" is used to instill specific reactions in the audience, often seeking to incite uncertainty, panic, numbness, deference or submission to potentially inappropriate or draconian policy proposals or decisions, or — worst of all — sheer wallet-opening cash-flinging panic. If you were to replace "Cyber" with "Scary Cloud", you might understand the use of that word in the current vernacular.

Internet-connected servers will get probed several times a minute and sometimes much more often, based on what I've read in various server logs. All operating systems are attacked. Some are bigger targets, and the shenanigans are continuous. Breaches and configuration mistakes can arise, too. For better or worse, you either end up learning how to deal with the dreck, or you will want to acquire hosting or will want to outsource this to somebody that deals with this stuff on your behalf.

As for learning to code or not, that's your call. It's a whole lot easier to understand what's going on with at least a little familiarity with some programming and some experience with networking — this thread is centrally about three of the most fundamental parts of the Internet, DNS and HTTP/HTTPS and IP — and coding quite helps when automating tasks by creating tools to deal with specific circumstances and requirements.

I was very pleased to read what you wrote about Comcast; as, one of my MAIN concerns is the fact that, I too, have a cable company providing me with my internet service.

Various common services want and need static IP — a fixed and unchanging IP address — and most ISPs can provide that as part of a business tier of service. Comcast is no different, here. With Comcast, you'd likely end up with a business account and the business-class service tier.


My question, as a novice to Server, is this: How do I protect myself, company, and my few workers from the use of what my cable company refers to as a router/modem combination, with my one IP address which comes directly from them?


This is a deceptively complex and open-ended question, and something I could write a book or three about. (Well past this jargon-filled wall-of-text reply, too.)


...There are the remote schmucks that are probing the servers remotely looking for weaknesses, directly and also via networks of compromised systems. This is most commonly dealt with through network separation — what's called a DMZ, through keeping backups and keeping at least some backups separate from the server, through understanding what good passwords are (now), through watching the logs for unusual activities, and through keeping the server and network software current. This is a large topic area.


...There are also your own folks behind your firewall, and who can be causing as many problems for you through their own authorized (and sometimes unauthorized) remote access — receiving and opening files, downloading tools, errant backups, being targeted — I see a couple of booby-trapped resumés a week, sharing passwords across services — etc.


Security is also an evolving area. The sorts of attacks that are commonplace can and do evolve and change, and wholly new attacks can arise.


My reason for wanting to add Server software to my computer is to have firstly the VPN; in order for my IP to be hidden, where ever I go over the air.


There's little point in trying to hide your IP address — it takes a few minutes to scan the whole of the active IPv4 address space, and find all of the connected hosts. That scan is from one server with limited resources, and a moderate-sized network connection. Some of the folks on the net have vastly more computing power and bandwidth, too. I'm increasingly skeptical around trying to mask the address, too — you're inherently going to have some ports open, after all. Assume your IP address is public.


If all you want is an inbound VPN, you can get firewalls that have that capability. I tend to use ZyXEL ZYWALL USG series, which are quite powerful devices. They're capable and flexible, but they're definitely not devices that are intended for nor oriented toward inexperienced users. Some understanding of IP networking, routing, firewalls, VPNs and related topics and terminology are presumed.


I need to know how to create many different IP addresses; in order to host our own company system, as if initiating anywhere in the world, both internally, and externally to clients who need to be able to connect to a host.


I'm not sure where you're headed with this — your clients have their own IPv4 or IPv6 addresses. You have one address, or maybe a small range of addresses. Other sites have their own addresses.

IPv4 addresses are getting scarce and correspondingly more expensive. IP (particularly IPv4) addresses are not something that an end-user can create on the open Internet, either — they're provided by and coordinated with your ISP.


And, not for any improper, nor illegal reasons, but simply to keep ourselves, and our company's secrets private for both copyright, and trademarked reasons, and because of all of the cyber crime and corporate espionage.


You're going to have to figure out who might be interested in attacking you, and work out a budget and potentially dedicated staffing. Security is much like insurance. You probably want and need some insurance and some security, but having too much is just a waste of money. Or — worse — just a waste of time and effort and money, in the case of security.


How do I connect with a cable company, and even hide ourselves from them?


You don't hide from your cable company. If they — or an intelligence agency or nation-state security entity or other well-funded attacker is after you — you're probably toast.


What you can do is secure yourself against remote probes and remote sniffing and remote shenanigans and common breaches. That means learning how IP, DNS, certificates, encryption and authentication work, as well as how to keep a network compartmented and how to detect and identify problems on your own internal network and your own clients. Keeping your servers and content management systems and the rest current. Or it means having somebody deal with IT and security on your behalf, of course.


Much like accounting has become specialized, so too have computers and networking and security.

Please, whoever can answer these questions, please let me know ASAP.


I didn't really see specific questions that I could answer — well, not questions I could answer in less than a few pages of text and research, and probably not without some questions around requirements and budgets and expectations.


Most of what's here is also generic networking and network security, as well. These are not topics specific to OS X and OS X Server.


If what you want involves "private" encrypted connections to your network or to a server on your network, that's VPNs into a firewall, and some form of authentication into the server. Details here vary widely, depending on the security requirements and the budgets and the numbers of folks accessing the server, among other details. I'd use a DMZ for the remote-access services where possible, and would get local and off-LAN or off-site backups going. This involves setting up the local network, the firewall and the VPN server, getting DNS working, documenting the VPN client(s) for the remote sites, setting up and issuing the access credentials, and various other details.


But I'm also somewhat hesitant to describe a VPN-based setup, as you might do just fine with HTTPS and web services and a private or hosted web server, or some other technology or some other configuration.


Probably the least understood part of all of these options involves the on-going costs — keeping servers and firewalls current, re-issuing credentials, monitoring the networks and the servers and the users and the backups for problems, cleaning up after any breaches that might arise, etc.


But this is not related to DNS and virtual hosting with OS X Server from this thread, so I'd again encourage either contacting somebody that specializes in this stuff for at least some discussions, or — this if you really want to get into providing IT services for yourself, and I'd infer that you don't — learning more about IT and IP and VPNs and digital certificates and the rest, and that's no small investment of time and effort.

Jul 11, 2015 1:17 PM in response to MrHoffman

Registered the domain name "catfunplaces.com" with GoDaddy.

Next, from the Websites tab in Server, I added the domain name "www.catfunplaces.com" with SSL Certificate "None" and default settings for everything else. That website will have index.php instead of index.html, so I edited Index Files to move index.php to the top of the list.

Next, from the DNS tab in Server, I added the Primary Zone "catfunplaces.com," a Machine Record in zone "catfunplaces.com" with Host "www" and IP 10.0.0.19 (the local address for my Mac Mini running Server). The Nameserver record was added automagically.

Finally, I had to "unpark" my new domain name by going to GoDaddy, then managing the domain name so that it points to my single static IP address.

This now works as anticipated both locally (on my LAN) and publicly (outside my LAN). At least, it appears to be okay. I'm still not sure what ill effects result from not having reverse translation.

Still no luck with "Virtual Hosts," but that's why they have IT consultants. And special thanks to Mr. Hoffman for his patience and good advice.

Jul 11, 2015 1:25 PM in response to Francis Drouillard

To get the virtual host working, click the + at the bottom of the list of web sites in the web configuration, and add one that matches whatever domain name you're going to be using. Since you're using your own DNS server and your own testing configuration, you could add a host foo to catfunplaces.com zone in the DNS server configuration here, and then set up a site for foo.catfunplaces.com over in the web server configuration. Your local web clients — local clients, and not those out on the Internet — that are exclusively using your local DNS server should then have a site foo.catfunplaces.com available. Do not mix your DNS servers; everything on your network should only reference your local DNS server, and should make no references to any other DNS servers anywhere else; no ISP DNS server, no "DNS server" references to your router, no Google DNS server references, none. Only reference your LAN-local DNS servers.
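The DNS side of the last few replies (a machine record versus CNAME aliases, aliases having no reverse translation, a LAN-only test host, and why every LAN client must consult the same resolver), as an added Python model rather than anything from Server.app's DNS service; the zone data is constructed from the names in this thread and 203.0.113.7 is a documentation-range placeholder for the real public address:

```python
"""Split-horizon DNS for one public IP: a LAN zone answering with the Mac
Mini's private address, the registrar's public zone answering with the
public address, and a reverse zone that knows only the machine's primary
name.  Added model, not Server.app or BIND; zone data is constructed."""
import ipaddress

def fqdn(name):
    """Canonical form used as a zone key: lowercase, trailing dot."""
    name = name.lower()
    return name if name.endswith('.') else name + '.'

# Constructed zone data.  Owner name -> list of (type, rdata).
LAN_ZONE = {
    'www.dogfunplaces.com.':   [('A', '10.0.0.19')],                  # machine record (primary name)
    'wiki.dogfunplaces.com.':  [('CNAME', 'www.dogfunplaces.com.')],  # alias
    'www.catfunplaces.com.':   [('A', '10.0.0.19')],                  # second machine record, same box
    'foo.catfunplaces.com.':   [('CNAME', 'www.catfunplaces.com.')],  # LAN-only test host
    '19.0.0.10.in-addr.arpa.': [('PTR', 'www.dogfunplaces.com.')],    # the single reverse entry
}
PUBLIC_ZONE = {  # what the registrar's nameservers publish to the Internet
    'www.dogfunplaces.com.': [('A', '203.0.113.7')],   # placeholder public IP
    'www.catfunplaces.com.': [('A', '203.0.113.7')],
}

def resolve(name, zone, rrtype='A', max_hops=8):
    """Return rdata of `rrtype` for `name`, following CNAMEs like a resolver.
    Returns [] for an unknown name; a CNAME loop or over-long chain raises."""
    chain = [fqdn(name)]
    for _ in range(max_hops):
        rrs = zone.get(chain[-1], [])
        wanted = [rdata for rtype, rdata in rrs if rtype == rrtype]
        if wanted:
            return wanted
        cnames = [rdata for rtype, rdata in rrs if rtype == 'CNAME']
        if not cnames:
            return []
        if cnames[0] in chain:
            raise ValueError('CNAME loop: ' + ' -> '.join(chain))
        chain.append(cnames[0])
    raise ValueError('CNAME chain too long: ' + ' -> '.join(chain))

def reverse(ip, zone):
    """PTR lookup: the owner name is derived from the address itself."""
    return resolve(ipaddress.ip_address(ip).reverse_pointer, zone, 'PTR')

def forward_confirmed(name, zone):
    """True only if the PTR for the name's address points back at that exact
    name.  Only the primary (machine-record) name can pass; aliases and any
    extra A records on the same IP have no reverse translation."""
    return any(fqdn(name) in reverse(addr, zone) for addr in resolve(name, zone))

def compare_views(name):
    """Same question asked of the LAN resolver and of public DNS.  A LAN
    client pointed at an outside resolver gets the public answer, which is
    why mixing resolvers on the LAN produces inconsistent results."""
    return {'lan': resolve(name, LAN_ZONE), 'public': resolve(name, PUBLIC_ZONE)}

if __name__ == '__main__':
    for n in ('www.dogfunplaces.com', 'wiki.dogfunplaces.com', 'www.catfunplaces.com', 'foo.catfunplaces.com'):
        print(f'{n:>22} -> {resolve(n, LAN_ZONE)}  reverse-confirmed: {forward_confirmed(n, LAN_ZONE)}')
    print('10.0.0.19 reverses to', reverse('10.0.0.19', LAN_ZONE))
    print('www.catfunplaces.com by resolver:', compare_views('www.catfunplaces.com'))
    print('foo.catfunplaces.com by resolver:', compare_views('foo.catfunplaces.com'))
```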
