
Virtual Server Preparation

HTTP access

Basic domain name

loc.io - the basic domain of location.

To create HTTP access, the user needs to perform the following steps:

  1. Order a service in Compute (for example, CentOS 8.3).

  2. Set up VPN access in the VPN service.

  3. Connect to the virtual machine, for example, via SSH (ssh root@1.1.1.1).

  4. Install a web server:

    • Install a web server (example: apache):
    sudo yum install -y httpd
    
    • Start the web server:
    sudo systemctl enable httpd --now
    
    • Check if the web server is running:
    sudo systemctl status httpd
    

    Command Output Example

    httpd.service - The Apache HTTP Server
        Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
        Active: active (running) since Wed 2022-05-25 10:34:11 +03; 7s ago
        Docs: man:httpd.service(8)
    Main PID: 103004 (httpd)
        Status: "Started, listening on: port 80"
        Tasks: 213 (limit: 23512)
        Memory: 26.4M
    CGroup: /system.slice/httpd.service
                ├─103004 /usr/sbin/httpd -DFOREGROUND
                ├─103005 /usr/sbin/httpd -DFOREGROUND
                ├─103006 /usr/sbin/httpd -DFOREGROUND
                ├─103007 /usr/sbin/httpd -DFOREGROUND
                └─103008 /usr/sbin/httpd -DFOREGROUND
    
    May 25 10:34:11 alb-demo1.pt35.cmp.loc.io systemd[1]: Starting The Apache HTTP Server...
    May 25 10:34:11 alb-demo1.pt35.cmp.loc.io systemd[1]: Started The Apache HTTP Server.
    May 25 10:34:11 alb-demo1.pt35.cmp.loc.io httpd[103004]: Server configured, listening on: port 80
    
    • Auxiliary commands for running a web server

    • Reload configuration (when changing configuration files):

    sudo systemctl reload httpd  
    
    • Restart the web server:
    sudo systemctl restart httpd
    
    • Check web server operation:
      Add any text to the /var/www/html/index.html file, for example: “Hello from alb-demo1.pt35.cmp.loc.io”:

      Example

      [root@alb-demo1 ~]# curl http://localhost
      Hello from alb-demo1.pt35.cmp.loc.io
      
  5. Setting up the system Firewall.
    By default, the system firewall blocks all HTTP and HTTPS traffic that comes from the outside on ports 80 and 443. To allow this traffic, add the HTTP and HTTPS services to the firewall rules by running the commands:

    sudo firewall-cmd --permanent --zone=public --add-service=http
    sudo firewall-cmd --permanent --zone=public --add-service=https

    For the rules to take effect, reload the firewall configuration:

    sudo firewall-cmd --reload
    

    Check that the rules are set:

    sudo firewall-cmd --list-all
    
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources: 
      services: cockpit dhcpv6-client http https ssh
      ports: 
      protocols: 
      forward: no
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
  6. Create a public route in the Load Balancer service.

    To do this, click Create Route and fill in the parameters (example):

  7. After creating the public route, specify in the DNS Domains tab that the hostname alb-demo1.pt35.cmp.loc.io refers to the public host (or IP address) of the account's balancer, which is shown on the page with all web routes.
    In this case, it is pt35.alb.loc.io:

    To add an entry to DNS, go to the DNS domains tab.
    Select the required DNS Domains (pt35.cmp.loc.io):

    Create a CNAME record in it:

    Check that the public route is working. In the address bar of your browser, enter http://alb-demo1.pt35.cmp.loc.io
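
The rule check from step 5 can be scripted. This is an added example, not part of the original guide: it reads `firewall-cmd --list-all` output, confirms that http and https are open, and lists any services exposed beyond an allowlist. The function names and the allowlist are assumptions, and the sample listing is constructed from the output shown in step 5.

```shell
#!/usr/bin/env bash
# Added example: audit a firewalld zone listing for the services this guide expects.

# Constructed sample, abbreviated from the `firewall-cmd --list-all` output in step 5.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client http https ssh
  ports: 
  rich rules: '

# Print the space-separated value of the "services:" line.
zone_services() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p'
}

# audit_zone <listing> <required services> <allowed services>
# Prints "missing:<svc>" for each required service that is absent and
# "extra:<svc>" for each exposed service outside the allowlist.
# Returns 0 only when no required service is missing.
audit_zone() {
    local services svc rc
    services=$(zone_services "$1")
    rc=0
    for svc in $2; do
        case " $services " in
            *" $svc "*) ;;
            *) echo "missing:$svc"; rc=1 ;;
        esac
    done
    for svc in $services; do
        case " $3 " in
            *" $svc "*) ;;
            *) echo "extra:$svc" ;;
        esac
    done
    return $rc
}

# On the VM, pass the live listing instead of the sample:
#   audit_zone "$(sudo firewall-cmd --zone=public --list-all)" "http https" "http https ssh dhcpv6-client"
audit_zone "$SAMPLE_ZONE" "http https" "http https ssh dhcpv6-client"
```

With the sample listing the audit reports cockpit as exposed outside the assumed allowlist; whether that service should stay reachable depends on how the VM is administered.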

HTTPS access

HTTPS access can be implemented in various ways depending on where TLS connection termination occurs:

  • Edge termination – uses a Let’s Encrypt certificate by default and does not require a certificate on the destination VM. However, traffic between the ALB instance and the destination VM is unencrypted (HTTP).

  • Re-encrypt termination – similar to edge termination, but the traffic between the ALB instance and the destination VM is also encrypted (HTTPS).

  • Passthrough termination – the TLS connection is not terminated on the ALB; instead, it is passed directly to the destination VM, which handles the TLS termination.

Edge Termination

  1. When creating a route, the user needs to check the Secure Route checkbox and select the type of TLS Termination - Edge.

  2. Insecure Traffic:

    • Allow - automatic redirection from HTTP to HTTPS will not occur. The route will be available via both HTTP and HTTPS.
    • Redirect - all HTTP requests will be automatically redirected to HTTPS.
    • None (empty value) – HTTP traffic is completely blocked. The route is available only via HTTPS, and any requests over the insecure protocol will be rejected.
  3. TLS Certificate:
    By default, the route uses an automatically generated Let’s Encrypt certificate. The user may also select a custom certificate from the list of available ones.

  4. Check that the public route is working.
    In the address bar of your browser, enter http://alb-demo1.pt35.cmp.loc.io

Re-encrypt Termination

If HTTPS is used on the destination virtual server, then this option must be selected.

  1. When creating such a route, the user needs to check the Secure Route checkbox and select the type of TLS Termination - Re-encrypt.

  2. Insecure Traffic:

    • Allow - automatic redirection from HTTP to HTTPS will not occur. The route will be available via both HTTP and HTTPS.
    • Redirect - all HTTP requests will be automatically redirected to HTTPS.
    • None (empty value) – HTTP traffic is completely blocked. The route is available only via HTTPS, and any requests over the insecure protocol will be rejected.
  3. TLS Certificate:
    By default, the route uses an automatically generated Let’s Encrypt certificate. The user may also select a custom certificate from the list of available ones.

Passthrough Termination

  1. When creating a route, the user must check the Secure Route checkbox and select the type of TLS Termination - Passthrough.

  2. Insecure Traffic:

    • Allow - automatic redirection from HTTP to HTTPS will not occur. The route will be available via both HTTP and HTTPS.
    • Redirect - all HTTP requests will be automatically redirected to HTTPS.
    • None (empty value) – HTTP traffic is completely blocked. The route is available only via HTTPS, and any requests over the insecure protocol will be rejected.
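
The Insecure Traffic setting described for each termination type can be verified from the client side. This is an added example, not part of the original guide: it classifies a route's plain-HTTP response headers as Allow, Redirect or None. The function names and sample responses are constructed, and it assumes that a rejected request shows up either as no response at all or as an error status.

```shell
#!/usr/bin/env bash
# Added example: infer a route's Insecure Traffic setting from its plain-HTTP response.

# Constructed sample responses (headers as printed by `curl -sI http://<route>/`).
RESP_ALLOW='HTTP/1.1 200 OK
content-type: text/html'
RESP_REDIRECT='HTTP/1.1 302 Found
location: https://alb-demo1.pt35.cmp.loc.io/'
RESP_DOWNGRADE='HTTP/1.1 301 Moved Permanently
Location: http://alb-demo1.pt35.cmp.loc.io/index.html'
RESP_NONE=''   # connection refused or reset: curl printed no headers

# classify_insecure <headers>  -> prints Allow | Redirect | None
classify_insecure() {
    local status location
    status=$(printf '%s\n' "$1" | tr -d '\r' |
        awk 'NR==1 && $1 ~ /^HTTP\// {print $2}')
    location=$(printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in
        2??) echo Allow ;;                       # content served over plaintext
        3??) case "$location" in
                 https://*) echo Redirect ;;     # upgraded to HTTPS
                 *)         echo Allow ;;        # redirect stays on HTTP
             esac ;;
        *)   echo None ;;                        # no response or an error status
    esac
}

# check_route <headers> <expected setting>: succeeds only when they agree.
check_route() {
    [ "$(classify_insecure "$1")" = "$2" ]
}

# Live use (assumption: run from a host that can reach the route):
#   check_route "$(curl -sI --max-time 5 http://alb-demo1.pt35.cmp.loc.io/)" Redirect
for r in "$RESP_ALLOW" "$RESP_REDIRECT" "$RESP_DOWNGRADE" "$RESP_NONE"; do
    classify_insecure "$r"
done
```

A result of Allow on a route that was meant to be Redirect or None means the content is still reachable over unencrypted HTTP.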

HTTPS access using your own certificates

Upload your certificate in the certificate upload dialog box.

When creating a route, you can specify the added certificate in the TLS Certificate field. Within 90 seconds, it will be added to the route.