# Xwiki in a jail



## molofishy (Feb 2, 2017)

Jails have confused me. My ultimate goal is to set up xwiki in a jail (after installing tomcat and MySQL). I have successfully created the jail with:
`iocage create tag=xwiki ip4_addr="ue0|192.168.1.8"`
started it: `iocage start xwiki`
and accessed it: `iocage console xwiki`

Now the output of `ifconfig` on the host (not in the jail) is:

```
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128 
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
inet 127.0.0.1 netmask 0xff000000 
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo 

pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog 

ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80008<VLAN_MTU,LINKSTATE>
ether 8c:ae:4c:ff:81:94
inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255 
inet 192.168.1.8 netmask 0xffffff00 broadcast 192.168.1.255 
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
```
Internet is working in the jail so that's sorted. On my router, I have already port forwarded port 80 to 192.168.1.7 for a basic web server. Do I now forward to 192.168.1.8 in addition? I have found (these) instructions and am confused by step 4: the suggested contents of /etc/pf.conf. What is the purpose of this step? I had set up pf a while ago, the contents in my pf.conf being:

```
table <sshguard> persist
block in quick on ue0 from <sshguard> label "SSH Guard"
```
I am also unsure of the purpose of the suggested contents in /etc/resolv.conf in step 5. Are these steps to ensure my jail has network access, which it already has? Perhaps I could jump to step 6 to "redirect packets to the jailed webserver"?

Very confused... and I haven't even started with tomcat, MySQL, xwiki.


----------



## SirDice (Feb 2, 2017)

molofishy said:


> On my router, I have already port forwarded port 80 to 192.168.1.7 for a basic web server. Do I now forward to 192.168.1.8 in addition?


No, you forward to 192.168.1.8 directly. No need to forward to the host first. This is going to be a problem because a port can only be forwarded once. Which means you're going to have to use a different port on the outside.



> I have found (these) instructions and am confused by step 4: the suggested contents of /etc/pf.conf. What is the purpose of this step?


It's something you use when you only have one external IP address. This is not the case for you, you can add as many addresses to the interface as you like.



> I am also unsure of the purpose of the suggested contents in /etc/resolv.conf in step 5. Are these steps to ensure my jail has network access, which it already has?


resolv.conf(5) is for DNS name resolving. It has, strictly speaking, nothing to do with the actual connectivity. It's used for resolving hostnames (like www.google.com for example) to an IP address.


----------



## molofishy (Feb 2, 2017)

SirDice said:


> No, you forward to 192.168.1.8 directly. No need to forward to the host first. This is going to be a problem because a port can only be forwarded once. Which means you're going to have to use a different port on the outside.


Forwarding the host is for a regular web server which I would like in addition to Xwiki. 



> It's something you use when you only have one external IP address. This is not the case for you, you can add as many addresses to the interface as you like.


I do only have one public IP address, do I not?



> resolv.conf(5) is for DNS name resolving. It has, strictly speaking, nothing to do with the actual connectivity. It's used for resolving hostnames (like www.google.com for example) to an IP address.


Ok.


----------



## SirDice (Feb 2, 2017)

molofishy said:


> Forwarding the host is for a regular web server which I would like in addition to Xwiki.


This is going to be a problem because you can only forward port 80 once. One solution is to run a proxy on the host that can proxy requests based on the HTTP host headers. Outside connections will go to the proxy and based on the host header it will forward the requests to one jail or the other. Or simply run the XWiki site on port 81.



> I do only have one public IP address, do I not?


Yes, but you can assign multiple IP addresses to the "external" interface of the host. So for you there's no need to resort to using lo1 and tricky PF NAT.


----------
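
Added example, not part of any post in this thread: a sketch of the Host-header proxy described above, written as an Apache 2.4 configuration on the host (192.168.1.7) that serves the host's own site and proxies a second name to the jail (192.168.1.8). The hostname `wiki.domainname.ddns.net` and the include file name are assumptions; the paths are the FreeBSD apache24 package defaults.

```apache
# /usr/local/etc/apache24/Includes/vhosts.conf  (file name is an assumption)
# Runs on the host, 192.168.1.7, which receives the router's port 80 forward.

# mod_proxy and mod_proxy_http must be loaded; they are commented out in the
# stock httpd.conf. Either uncomment them there or load them here.
LoadModule proxy_module      libexec/apache24/mod_proxy.so
LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so

# Reverse proxy only: never relay arbitrary outbound requests for clients.
ProxyRequests Off

# The first vhost is the default, so requests with an unknown or missing
# Host header land on the host's own site and never reach the jail.
<VirtualHost *:80>
    ServerName domainname.ddns.net
    DocumentRoot "/usr/local/www/apache24/data"
</VirtualHost>

# Requests whose Host header matches the wiki name (assumed hostname) are
# passed to the web server in the jail.
<VirtualHost *:80>
    ServerName wiki.domainname.ddns.net

    # Keep the original Host header so the backend builds correct links.
    ProxyPreserveHost On

    ProxyPass        "/" "http://192.168.1.8:80/"
    ProxyPassReverse "/" "http://192.168.1.8:80/"
</VirtualHost>
```

With this layout only the host's port 80 needs forwarding on the router, and the jail is reached from outside solely through the proxy.
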



## molofishy (Feb 2, 2017)

I have forwarded port 81 to 192.168.1.8. Before I set up xwiki I am quickly trying apache24 in the jail with:

`pkg install apache24`
Then added the server name to /usr/local/etc/apache24/extra/httpd.conf:

```
ServerName domainname.ddns.net:81
```

After `service apache24 onestart`, I see nothing when I browse to http://domainname.ddns.net:81

I hope to see "It works!" as I do when browsing to http://domainname.ddns.net (the web server on the host).


----------



## SirDice (Feb 3, 2017)

Just leave Apache running on port 80. You can forward the external port 81 to an internal port 80.


----------



## molofishy (Feb 4, 2017)

That works. On the router, I have mapped external port 81 to internal port 80 and host 192.168.1.8. I now see "It works!" when browsing to http://domainname.ddns.net:81, but only from another public IP address.

In relation to my post here: https://forums.freebsd.org/threads/58131/ accessing the new site (the one in the jail) using the domainname does not work from the LAN, even after adding 192.168.1.8 and domainname.ddns.net:81 to the "LAN domain" page of the "Advanced" tab in my router (it does however work from within the LAN when using 192.168.1.8 in the browser instead of the domainname). Doing this was the solution for accessing the web server on the host from a machine within the LAN.

The field in the router looks like this: http://m.setuprouter.com/router/huawei/hg658c/general-49561-large.htm


----------

