Running a "normal" web page in parallel on the UCS 4.4-1 errata 186 - Parallel operation of a "normal" website

Hi forum,
(german version below)

the situation: for a club UCS 4.4.-1 is installed on a rented root server. For the work of the volunteers the system must be accessible from the Internet. The domain configuration is carried out as follows (no real data is yet in operation, in case of a wrong configuration the system could also be completely reinstalled). The names are examples :wink:
FQN: server.intern.club-example.de. certificates are generated for club-example…, www.club-example…, intern.club-example… and server.intern.club-example… and https works throughout. When calling club.example… and intern.club-example…, the UCS portal is displayed. (Sorry for the “…” but there are only 2 links allowed in topics.)

The challenge: the UCS portal (an upstream login for anonymous visitors has been set up) should only be accessible under intern.club-example… The domains club-example… and www.club-example… should point to a normal website, which should run parallel on the UCS under /var/www.

The question: how is Apache2 best configured to prevent unwanted side effects? A reference to the apache documentation wouldn’t help me, since I don’t only want to put the public website into operation, but also want to keep the UCS system functioning at the same time ;-).


The situation: for a club, UCS 4.4.-1 is installed on a rented root server. For the work of the volunteers the system must be reachable from the Internet. The server is not yet in production use and can be reinstalled if necessary. The domain configuration is as follows (the names are examples :wink:):
FQN: server.intern.verein-beispiel.de; certificates have been generated for verein-beispiel…, www.verein-beispiel…, intern.verein-beispiel… and server.intern.verein-beispiel…, and https works throughout. When calling verein-beispiel… and intern.verein-beispiel…, the UCS portal is displayed as expected.

The challenge: the UCS portal (with an upstream login for anonymous visitors) should only be reachable under intern.verein-beispiel… The domains verein-beispiel… and www.verein-beispiel…, on the other hand, should point to a perfectly normal website that should also run on the UCS under /var/www.

Now the question: how is Apache2 best configured to prevent unwanted side effects (UCS content no longer working)? A reference to the Apache documentation would not help me, since I not only want to put the public website into operation but also want to make sure the UCS system keeps working at the same time ;-). Unfortunately, the interplay of the individual .conf files under UCS is not transparent to me.

English or German answers welcome
Thx a lot

Without having implemented the following: this should be easy if you know how Apache decides which virtual host configuration to use when a request comes in. The algorithm is rather simple: it iterates over each virtual host configuration for the request’s port number in the order they were found in the configuration. The first virtual host whose server name or server alias matches the request’s host name wins. If no such virtual host is found, the very first virtual host definition wins.

In UCS all virtual host configurations can be found in /etc/apache2/sites-enabled. The files are read in alphabetical order — meaning that the virtual host from 000-default.conf is the very first one from Apache’s point of view. The virtual host configuration most of UCS’s services use is the one in default-ssl.conf, though.

Your solution might be to create a virtual host configuration that reacts to all of the host names you do not want the UCS services to be reachable under: club-example.com, www.club-example.com etc. Additionally all requests to intern.club-example.com should end up in the virtual host in default-ssl.conf. As default-ssl.conf contains neither ServerName nor ServerAlias directives, this can only be achieved if it remains the first virtual host configuration for port 443. This can be achieved by naming your new configuration file in a way that sorts after default-ssl.conf alphabetically, e.g. zzz-custom.conf.
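The configuration described in the post above, written out as an added example that is not part of the original post or of UCS itself. It assumes the UCS virtual hosts are declared as `*:80` and `*:443`; the directory `/var/www/club-example`, the log file names and the certificate paths are hypothetical placeholders to be replaced with your own.

```apache
# /etc/apache2/sites-available/zzz-custom.conf   (added example, not UCS's own file)
# Enable with: a2ensite zzz-custom && apache2ctl configtest && systemctl reload apache2
#
# The name sorts after 000-default.conf and default-ssl.conf, so the UCS
# virtual hosts stay first for their ports. They therefore remain the
# catch-all: every host name NOT listed below (intern.club-example.com,
# server.intern.club-example.com, but also the bare IP address or any other
# name pointing at this server) still ends up at the UCS portal.

# Port 80: send the public names to HTTPS.
<VirtualHost *:80>
    ServerName  club-example.com
    ServerAlias www.club-example.com
    Redirect permanent / https://www.club-example.com/
</VirtualHost>

# Port 443: the public website.
<VirtualHost *:443>
    ServerName  club-example.com
    ServerAlias www.club-example.com
    # Do not add intern.club-example.com or the server's FQDN here,
    # otherwise UCS services stop being served by default-ssl.conf.

    # Hypothetical directory for the public site, kept separate from UCS content.
    DocumentRoot /var/www/club-example

    SSLEngine on
    # Placeholder paths: use the certificate that covers the public names.
    SSLCertificateFile    /path/to/club-example.com/cert.pem
    SSLCertificateKeyFile /path/to/club-example.com/private.key

    <Directory /var/www/club-example>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    ErrorLog  ${APACHE_LOG_DIR}/club-example-error.log
    CustomLog ${APACHE_LOG_DIR}/club-example-access.log combined
</VirtualHost>
```

After reloading, `apache2ctl -S` prints the virtual hosts per port in the order Apache evaluates them; the entry from default-ssl.conf should still be shown as the default server for port 443.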

Moin,

Thanks @Moritz_Bunkus for the helpful explanations. By default, the main domain “club-example.com” refers to /univention via redirect after a UCS installation. This can easily be changed. The only thing I unfortunately can’t estimate is if “removing” the main domain as UCS entry will cause side effects in the UCS installation and certain services or modules won’t work correctly anymore (because e.g. somewhere it is referenced to the main domain instead of the /univention directory or ssl configurations become inconsistent or whatever).

Best,
Jörg

There are several apps in the app center which try to connect to themselves during their installation process using the server’s fully-qualified domain name. If your server’s name is www, you will run into problems with such apps. You may also run into more cosmetic issues, e.g. the links on the domain portal page might point to a host name for which the /univention portion isn’t valid anymore. Those entries can be changed via the UMC, though.

sounds good because I’ve installed the UCS with FQN “server.intern.club-example.com”. I guess “try out” is the strategy of the day… :wink:

With that name you shouldn’t run into problems as long as requests to that FQDN end up with the vhost from default-ssl.conf as I said above. Just not including that name in ServerName/ServerAlias in your custom configuration file should suffice.
