Some questions about a specific setup

Oriso (new member, joined Jan 9, 2004, 2 messages)
Hi,

We're in the middle of testing out various control panels for a hosting solution we're putting up. We've hit a few bugs concerning our network/systems design decisions and DirectAdmin.

Basically, we want to be running e-mail and web hosting on separate servers. Is this easily doable with DirectAdmin? We'd basically split off Web to one side, and put the DirectAdmin panel / E-mail on the other server. Now, I'm asking if it's easy to do, because the way I see it, I'm going to have to trick DirectAdmin into thinking web hosting is installed on its server, while the real apache server is going to run elsewhere. Luckily, both servers will be linked via a 2nd network interface and I'll export NFS shares from there for the web config files and customer sites so that DirectAdmin can see them and modify them. I'll then compile a custom Apache installation on the second server with the proper values for sysconfdir and the modules which will be installed. The only trouble I see with this solution is the Linux NFS server headaches, and that restarting Apache from the DirectAdmin panel won't work anymore.

Also, I see that we can't put the servers in a DMZ. This is a possible show stopper, as I don't really want to put the servers directly on the Internet. Initially, our network design called for a PIX firewall which would have a DMZ interface, and using one-to-one mappings, I would have assigned a single external address to each server. Since we can't really install DirectAdmin on a server using internal addresses, this seems to be out of the question. Are there going to be modifications to the licensing schemes so that this becomes possible in the future, even if the cost is more than a normal unlimited license?

Finally, we want to make the panel be served through an HTTPS connection. This implies that we'll procure an SSL Certificate. However, the certificate will be assigned to a specific hostname. This causes problems with the fact that DirectAdmin publicizes to customers that they can access the panel from https://www.theirdomain.com:2222/ when in fact, they'll have to use https://panel.oriso.com:2222/ as the correct address to match the certificate and not get a popup about the certificate being invalid. Is there a way to make DirectAdmin publicize only this address? And more, is there a way, other than manually adding a redirect from the user's virtual host to our own panel, to make DirectAdmin only accept connections on this hostname (bind it to a name-based virtual host, with the default behavior on port 2222 being to simply redirect to this host)?

Sorry for the long post and the probably impossible to answer questions. We like the product a lot more than the other offerings (Ensim, Cpanel or Plesk) and I wouldn't be asking if we weren't strongly considering it.
 
Hello,

Thanks for considering DirectAdmin.

Firstly, for your question of multiple servers, normally this isn't easy with a standard DA setup, but you've mentioned that you've got the 2 hooked together with an NFS, so this is now a different story. If you set up the partitions such that DA wouldn't have any idea that there are 2 servers, then there wouldn't be a problem. The only issue (as you mentioned) is the restarting of services. If you put email on the non-DirectAdmin server, that might work, because exim doesn't ever need to be restarted. Changes through DA will write the email setup files, and exim reads them instantly, without any restart. Even if system restarts were required across multiple systems, you could modify the boot scripts that DA uses to control the programs to run code, which can access the other server via our API, which can then restart the service remotely. It's also important to note that we'll be adding multi server support in the future. At the moment, it's in its design phase, but we're pushing to implement the multi server control with user transfers, distributed services and things like that.

The DMZ is an issue which may not be resolved for some time. We're considering adding MAC addresses to the licensing systems, but its implementation and conversion would take a fair amount of resources to satisfy a small percentage group. The issue is large enough that we move it up on the priority list, but not enough that it gets implemented soon.


DirectAdmin can work just fine through an https connection by just changing one setting in the directadmin.conf file. It would be up to you to change the welcome emails (easily changed) to point the user to your hostname and to let them know to use the hostname instead. DA just binds to all IPs and doesn't care what the hostname is.

John
 
Thanks for the answers!

Is there a timeframe on multiple server support? Because if not, and the NFS hack proves to be a bit too clumsy or unmanageable, I'll check for a different option, maybe setting up a Windows hosting solution on the second server to provide customers who want IIS specific functionality on their webhost. This isn't a show stopper and going with a more expensive package just for this functionality is not a route I'm going to take.

The licensing issue with the DMZ remains the most troubling part of all this. I read the different threads and opinions, and I have to say, if the DirectAdmin people are looking into MAC Address based licensing, they might as well just provide Private IP Based licensing right now and save themselves some headaches. Changing the MAC Address is trivial at best (ifconfig intX hw ether XX:XX:XX:XX:XX:XX for those that are wondering), so this rules out the single server that a public IP based license provides. I could still just give out my license to other people with the MAC Address needed, and since they would be on their own network, they could simply use my MAC Address without any problems (since MAC addresses only really need to be unique inside the same physical network for ARP to work).

Heck, with MAC Address based licensing, if someone wanted multiple different Direct Admin hosts, they'd just give 'em all the same MAC, and put $40 NAT Boxes in front of each of them and use the "DMZ" features of those boxes to prevent the MAC collisions. Much cheaper than the unlimited $300 licensing for 1 DirectAdmin server.

So unless DirectAdmin manages to read the PROM directly on the adapter, bypassing the Kernel, I don't see how this is as effective as the Public Address scheme. Sorry if I just messed it up for those of you that wanted the MAC Address scheme for your DMZs.

The only way this could work would be a dual MAC Address based validation on the local side, and a remote activation based on the public IP. That is, maybe each time you query the directadmin.com domain for an update from the server, it validates that the request comes from your public IP and the server transmits its MAC Address in order to validate it. If the packet's src IP / MAC Address combo matches an existing license, you get your updates; if not, the license is revoked. To prevent people from doing the MAC duplication thing and just never updating afterwards, you require an initial activation before the server can be used. I think this is the easiest way to prevent piracy and allow for DMZs to be used.

Anyway, this doesn't solve my problem, and I don't really want to go and change the network design and security policies (these servers are going to talk to the inside LAN through services that shouldn't be allowed on the public network, I really want them isolated and mostly unable to communicate to the outside world except for the public services). I'll see if we can come up with something else to transfer our internal data to our own website (which will be migrated to this solution as soon as it's ready).
 
Hello,

Sorry, no timeframe as of yet, as development hasn't really begun.

Thanks for the info on the MAC addresses :) The only *real* way to do the licensing is to have the program call out and ask us if it's allowed to run, but that's risky in case our server ever goes down.

John
 
DirectAdmin Support said:
The only *real* way to do the licensing is to have the program call out and ask us if it's allowed to run, but that's risky in case our server ever goes down.

Here are a few suggestions on how to make it more reliable:
1. Have a licensing domain (like licenses.directadmin.com) resolve to 3 or 4 different IPs, which would be assigned to geographically and topologically dispersed servers.
You can have, say, 4 shared hosting accounts at different companies, which would make it pretty reliable.

2. The program doesn't necessarily need to stop working on the first failure. Once it detects a failure it can make recurring attempts every 15 mins and also send out a notification to a site administrator, who would have, say, 1 hour to enter the code manually (after contacting DA support).
The only problem with that approach is having a good algorithm to automatically expire the current auth code and generate the new one.
 
There is already a 5 day grace period on licensing; in theory a month license will last for a month and 5 days. To be honest I don't think the licensing server would go down for 5 days without anyone noticing!

Chris
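As an added example (not code from the thread, DirectAdmin or Plesk), here is how a client-side check could combine the reliability suggestions above (several dispersed servers behind one licensing name, 15-minute retries, a manually entered support code) with the 5-day grace period Chris mentions. The 1-hour validity of the manual code, its time-bucketed HMAC construction, and the `down_server` stand-in are assumptions made for the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

GRACE = timedelta(days=5)         # grace period mentioned in the thread
RETRY = timedelta(minutes=15)     # retry interval suggested in the thread
CODE_WINDOW = timedelta(hours=1)  # manual code validity; assumed value

def override_code(secret: bytes, license_id: str, now: datetime) -> str:
    """Time-bucketed HMAC: the code changes every CODE_WINDOW, so old codes expire on their own."""
    bucket = int(now.timestamp() // CODE_WINDOW.total_seconds())
    return hmac.new(secret, f"{license_id}:{bucket}".encode(), hashlib.sha256).hexdigest()[:12]

class LicenseClient:
    def __init__(self, license_id, endpoints, secret, now):
        self.license_id, self.endpoints, self.secret = license_id, endpoints, secret
        self.last_ok = now       # last successful validation
        self.next_retry = None   # set after a round in which every server failed

    def check(self, now):
        """Returns 'valid', 'grace' (servers unreachable but inside GRACE) or 'blocked'."""
        if not (self.next_retry and now < self.next_retry):   # due for a real attempt
            for endpoint in self.endpoints:   # dispersed servers behind one licensing name
                try:
                    allowed = endpoint(self.license_id)
                except ConnectionError:
                    continue                  # this one is down, try the next
                if allowed:
                    self.last_ok, self.next_retry = now, None
                    return "valid"
                return "blocked"              # a reachable server gave a definitive refusal
            self.next_retry = now + RETRY     # all down: back off, keep running, notify admin here
        return "grace" if now - self.last_ok <= GRACE else "blocked"

    def enter_code(self, code, now):
        """Manual code from support; constant-time compare, then the grace clock restarts."""
        if not hmac.compare_digest(code, override_code(self.secret, self.license_id, now)):
            return False
        self.last_ok, self.next_retry = now, None
        return True

def down_server(license_id):   # constructed stand-in for an unreachable license server
    raise ConnectionError

def demo():   # constructed scenario: servers down, grace expires, support code recovers
    t0 = datetime(2004, 1, 9, 12, 0)
    client = LicenseClient("lic-123", [down_server, down_server], b"shared-secret", t0)
    late = t0 + GRACE + RETRY
    states = [client.check(t0), client.check(t0 + timedelta(minutes=5)), client.check(late)]
    recovered = client.enter_code(override_code(b"shared-secret", "lic-123", late), late)
    rotated = override_code(b"shared-secret", "lic-123", t0) != override_code(b"shared-secret", "lic-123", late)
    return states, recovered, rotated
```

A reachable server that refuses the license blocks immediately, while unreachable servers only start the grace clock, which is the distinction the thread is after.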
 
Hello,

We've considered the "calling home" method. We might switch to it later in DA's life, but right now the expense and complexity of such a system is a bit much. We like to keep it simple :) It wouldn't be *too* hard, but we'll leave it as is for now.

John
 
For what it's worth, here's how Plesk does it:

Each license phones home. Not for permission to run, but rather with the IP# it's running on.

If Plesk notices (automated) that the same license is calling home from more than one IP they notify the customer for clarification.

I don't know if they've got a method of turning it off or not, but they (or DA) certainly could.

John, we could easily let you use one or more of our geographically dispersed servers to run licensing systems on, if you'd like.

Jeff
 