Multi-IP per User & Domain

Hi,

I must be doing something wrong here, because it doesn't work at all. I've appointed 2 IPs to a (fictional) hostname and tried to communicate with Apache using telnet, but I didn't get a proper response.

At the admin level I added a new IP with the IP manager and I assigned it to admin. At the reseller level I shared it. After that I modified a user and added the IP as additional IP to the user.
The IP manager now says it has 1 user at that IP.

I then telnetted to the IPs, using the same command:

GET /index.html HTTP/1.1
host: www.test.cat

On the first IP, I get the normal response, I get the contents of index.html. On the second IP, I get
"This IP is being shared among many domains.
To view the domain you are looking for, simply enter the domain name in the location bar of your web browser."

So I went looking in the config files of the user, and I noticed that the httpd.conf doesn't have a VirtualHost directive with the second IP in it. The only file with an entry of the second IP is the user_ip.list.

Am I doing something wrong here?


Rogier
 
Hello

When we changed the IP of a user, the old IP is still in the file domains/domain.ip_list,
and when we try to create a subdomain, it adds 2 A records: with the old and the new IP.

Can we just disable this feature?
 
Adding an additional IP to a user does nothing.
GET /test.html
HOST: test.com (where test.com resolves to the additional IP)
returns the default "Apache is functioning normally" page.
 
Logins for FTP are inserted in wrong ftp.passwd

I've come across an issue with this feature:

A user has the server IP as primary IP and an extra IP for a specific domain.
When creating an ftp account for this specific domain, the logins are inserted in /etc/proftpd.passwd instead of /usr/local/directadmin/data/users/<username>/ftp.passwd .

As a result, an ftp connection to the user's domain will fail.
A connection to the primary IP with the same credentials will work, however.
 
I encountered the same problems a few days ago: user with multiple IPs, proftpd listening on both IPs, but I can only connect to the "server IP", and connecting to the "user IP" fails with an error that the login credentials are wrong.

Main domain of the user has only the user IP, so it can use HTTPS.

Detailed setup:
x.x.x.227 -> server.company.com
x.x.x.237 -> userdomain.com

The user has both IPs, userdomain.com uses only .237. FTP connection to userdomain.com fails, connection to server.company.com (with the same credentials) succeeds.
 
Hello,

Thanks for the report regarding the /etc/proftpd.passwd vs /usr/local/directadmin/data/users/username/ftp.passwd

I've confirmed this effect and will be trying to come up with a solution.

Right now, it's somewhat of a nightmare to sort out, since DA has previously determined either file based on a per-DA-User basis, for either the proftpd.passwd or ftp.passwd file. With the new multi-ip setup, it can now be both, so essentially the entire ftp codebase needs a rewrite. For example, a basic task like counting up how many ftp accounts a client has used to be fairly simple. Now one domain could in theory have both an owned and shared IP status on it, so DA won't really know which one to check (something I'm going to need to re-work).

One simple option (workaround) would be to set the IP as shared before assigning it to the User as an "additional ip", to ensure all IPs assigned to the User are shared.

Or inversely, so that all IPs assigned to the user are owned. This won't be a quick fix.

However, these are not great solutions, since the whole point of having owned IPs is for SSL.

I may need to enforce having all IPs of one type per domain.. so both shared and owned IPs cannot exist on the same domain.


AndriesLouw: If both your hostname and domain resolve to the same thing, then the logins will be exactly the same. FTP is not name based, so if you connect to the same IP, then there is no difference. If you do get a difference, then likely your domain isn't resolving to the same thing as your hostname.


John
 
The domain isn't resolving to the same IP as the hostname of my server; the reason is SSL. But I can't log in through FTP to the domain of the user, but I can to the hostname of my server. I expected to be able to log in at both IPs, or at least to the user's IP.

In short: I can't connect to the user's owned IP with the user's login credentials over FTP. FTP is listening, but the login fails. I can, however, connect to the shared IP of the same server with the same login credentials. It's as if proftpd won't allow user logins on the user's IP, only on the shared IP of the server.
 
Hello,

I created this entry yesterday:
http://directadmin.com/features.php?id=1134

I'm likely going to go with the "simplest" option, whereby I'll just have any owned IP use the type of the User's main IP.

So if his main IP is a shared IP, then the "additional" IPs will use the /etc/proftpd.passwd file.
If his main IP is owned, then the additional IPs will use the user ftp.passwd file.

So for you right now, the workaround is to change the path of the IP in the /etc/proftpd.vhosts.conf to go to /etc/proftpd.passwd for his IP.

John
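
A way to see which password file ProFTPD consults for each IP before applying that workaround, as an added example that is not part of the original post and is not DirectAdmin code. It assumes /etc/proftpd.vhosts.conf holds one `<VirtualHost IP>` block per IP with an `AuthUserFile` line; the sample config, the 192.0.2.x addresses and `exampleuser` are constructed.

```sh
#!/bin/sh
# Added example (not DirectAdmin code): map each ProFTPD <VirtualHost> IP to
# the AuthUserFile it authenticates against.

# vhost_authfiles FILE -> one "IP AUTHFILE" line per <VirtualHost> block.
# "(none)" means the block has no AuthUserFile line of its own.
vhost_authfiles() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/ {
            ip = $2; sub(/>.*/, "", ip); auth = "(none)"; next
        }
        ip != "" && tolower($1) == "authuserfile" { auth = $2; next }
        ip != "" && /^[ \t]*<\/VirtualHost>/ { print ip, auth; ip = "" }
    ' "$1"
}

# authfile_for_ip FILE IP -> the AuthUserFile used for logins on that IP.
authfile_for_ip() {
    vhost_authfiles "$1" | awk -v ip="$2" '$1 == ip { print $2 }'
}

# mismatched_ips FILE EXPECTED -> IPs whose AuthUserFile is not EXPECTED.
mismatched_ips() {
    vhost_authfiles "$1" | awk -v want="$2" '$2 != want { print $1 }'
}

# Constructed sample: addresses and "exampleuser" are placeholders.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
<VirtualHost 192.0.2.227>
    ServerName "ProFTPd"
    AuthUserFile /etc/proftpd.passwd
</VirtualHost>
<VirtualHost 192.0.2.237>
    ServerName "ProFTPd"
    AuthUserFile /usr/local/directadmin/data/users/exampleuser/ftp.passwd
</VirtualHost>
EOF

# The user's main IP is shared, so the logins live in /etc/proftpd.passwd;
# list every IP whose block would look somewhere else.
vhost_authfiles "$SAMPLE"
echo "IPs not using /etc/proftpd.passwd: $(mismatched_ips "$SAMPLE" /etc/proftpd.passwd)"
```

Run against the real /etc/proftpd.vhosts.conf, an IP listed by `mismatched_ips` is one where a login stored in /etc/proftpd.passwd will be rejected.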
 
Ok, So I'm confused by this...

I see that I can easily add another IP to a user, great. Did that.

How do I (or the user) assign that second IP to one of his domains (so that domain "owns" that IP) so he can generate a CSR for an SSL cert?

What am I missing here?
 
Hello,

I think the testing on this has been limited, but as long as the IP was "free" when you add it to the User, it should become owned.. and it *should* let you create a crt. (this is the theory)

Then with the "Domain Setup" at the User level, assign the owned IP, and remove the shared IP.

I'm still working on the rules for this as there are some issues, eg:
http://www.directadmin.com/features.php?id=1134

There is always the option to use the sni feature, which is basically just a bypass to allow you to add a cert to any VH:
http://www.directadmin.com/features.php?id=1100

even if the client doesn't use SNI.. as long as the IP is owned in DA.. if there is a bug somewhere, using SNI would let you bypass it.

John
 
Thanks John

I see now where the client assigns the IP to their domain. (in domain setup, duh)

I changed the IP there but it doesn't seem to have restarted named. The zone file seems to have the new IP address in it and the httpd.conf file seems to be right as well. I can indeed create a CSR now.

One minor problem: named and httpd do not seem to have been restarted. I had to restart them manually.

In addition, pulling up the site via the IP address yielded the "This IP is being shared among many domains. To view the domain you are looking for, simply enter the domain name in the location bar of your web browser." message. Shouldn't that not be the case given that this IP is only pointing to that ONE domain?
 
Hello,

Thanks, I'll check out the restart issues with the multi-IP.

If the IP is owned, then you should be seeing the User's website when viewing the IP.
Since there was a recent IP change, likely the value of the new IP has not yet propagated to your computer. Give it a few hours to see if it fixes itself.

Related:
http://help.directadmin.com/item.php?id=242

John
 
Still saying that IP is shared. According to the page at CMD_ALL_USER_SHOW?sort1=7 that IP only appears once and is on the domain in question.

How can I be sure that the IP is "owned" by that user?...

I found the IP address in the ips.conf file. It has a VirtualHost stanza for it. I'm guessing that shouldn't be there...
 
Hello,

If it's owned, the only place that IP will show up will be in the User's httpd.conf file.

Any VHs that are loaded with that IP before the User's would be causing issues.

Since it's showing the normal "shared" message, check:
/etc/httpd/conf/ips.conf

and see if there is a VH there with the IP in question.

If there is, then check:
Admin Level -> IP Manager

to see if it's owned.

If it's not owned in the IP Manager.. then it's not owned and would need to be changed by removing it from the User and re-adding.

If it is owned, but does have a VH in the ips.conf, then that's a sync issue (rare).. but you can type:
Code:
echo "action=rewrite&value=ips" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d200
to rewrite the ips.conf with the correct setup.

John
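
The ips.conf check described above, as an added example that is not part of the original post and is not DirectAdmin code. The sample file and the 192.0.2.x addresses are constructed; the host part is compared exactly, because a plain substring search for an IP also hits any longer address that starts with the same digits.

```sh
#!/bin/sh
# Added example (not DirectAdmin code): find <VirtualHost> stanzas in an
# Apache ips.conf that still bind an IP the IP Manager reports as owned.

# stale_vhosts IPS_CONF IP -> one "IP:PORT" line per matching stanza address.
# The host part is compared exactly, so 192.0.2.23 never matches 192.0.2.237.
stale_vhosts() {
    awk -v ip="$2" '
        /^[ \t]*<VirtualHost[ \t]/ {
            line = $0
            sub(/^[ \t]*<VirtualHost[ \t]+/, "", line)
            sub(/>.*/, "", line)
            n = split(line, addr, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                host = addr[i]; port = "*"
                if (match(host, /:[0-9*]+$/)) {
                    port = substr(host, RSTART + 1)
                    host = substr(host, 1, RSTART - 1)
                }
                if (host == ip) print host ":" port
            }
        }
    ' "$1"
}

# check_owned_ip IPS_CONF IP -> 0 if the IP is absent, 1 if stanzas remain.
check_owned_ip() {
    hits=$(stale_vhosts "$1" "$2")
    if [ -z "$hits" ]; then echo "$2: no stanza in $1"; return 0; fi
    echo "$2: still bound in $1 (rewrite ips.conf via the task queue):"
    echo "$hits"
    return 1
}

# Constructed sample: addresses are placeholders.
IPS_SAMPLE=$(mktemp)
trap 'rm -f "$IPS_SAMPLE"' EXIT
cat > "$IPS_SAMPLE" <<'EOF'
<VirtualHost 192.0.2.227:80>
</VirtualHost>
<VirtualHost 192.0.2.23:80>
</VirtualHost>
<VirtualHost 192.0.2.237:80>
</VirtualHost>
<VirtualHost 192.0.2.237:443>
    SSLEngine on
</VirtualHost>
EOF

check_owned_ip "$IPS_SAMPLE" 192.0.2.237 || echo "sync issue detected"
```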
 
When you change or add user ips, the script user_modify_post.sh does not execute!!! :mad:

Is there any way to execute a script every time httpd.conf is changed, so that I have the opportunity to change the configuration of the frontend?
 
bug report:

DA version 1.36.2
OS: CentOS 5 64-bit

Additional IP was assigned to an existing user with multiple domains
The user assigned the IP to a domain, and removed shared IP from that domain
The user enabled SSL and installed SSL cert using DA

SSL site was not working because there was still a 443 SSL virtualhost for that IP in /etc/httpd/conf/ips.conf

IP Management showed status=owned for the IP in question

Problem was manually fixed by running echo "action=rewrite&value=ips" >> /usr/local/directadmin/data/task.queue
 
I'm having an issue where I can't add IPs to users in version 1.37.

I added an extra IP to a user after I upgraded to 1.36, no worries. Now I don't see the same options. Has this feature been removed? Because I've looked everywhere.
 