
Getting around Jail IP Addresses


starbuck
07-29-2008, 09:51 PM
So I've got an odd situation here. I work in a Marketing office at a good-sized university. I want to set up a FreeBSD 7.0 host system with multiple Apache/PHP Jails for each of our websites (13 and counting). The problem I'm running into is the unique IP requirement for each Jail.

Our current setup is an xserve running Apache name-based virtual hosts. The University's network services department assigns our server a static IP and points whatever domains at it that we want.

I'm trying to avoid asking network services to give us 13 static IPs, because I don't want to use up more than our share of local IPv4 addresses (and the less I have to deal with them the better).

I was thinking I could set up a PF box that forwards packets to a small private network where the Jail system sits and I can define whatever IPs I want. But the question is then, how do I set up the PF box to forward the right packets to the right Jail/IP? Is there an easier solution I'm missing?

I've been searching all over for a good solution and I haven't found one. I appreciate any help you can give me (even if it's "jails aren't the solution here").

hunteronline
07-29-2008, 11:09 PM
Quick Question:

"I can define whatever IPs I want". Are you referring to only allowing certain IPs access to Apache/websites?

starbuck
07-29-2008, 11:45 PM
> Quick Question:
>
> "I can define whatever IPs I want". Are you referring to only allowing certain IPs access to Apache/websites?

No, I want all these websites to be open and available over the web. Sorry if I'm not explaining it very well. We want to separate the sites so that if one gets compromised, the others don't.

What I meant when I said "I can define whatever IPs I want" is that we could then define private IPs, like 192.168.0.*** for each of the jails. Then we would only (hopefully) need one static IP from network services, which would point to a PF box that could redirect traffic to the appropriate jail/IP.

I'm messing around with some things right now to test; I'll let you know if I figure anything out.

phoenix
07-30-2008, 05:27 AM
Simple answer: you can't do what you want, the way you want. You can hide multiple private IPs behind one public IP, but only for outgoing connections. You can't do it in the reverse like you want to.

starbuck
07-30-2008, 06:45 AM
> Simple answer: you can't do what you want, the way you want. You can hide multiple private IPs behind one public IP, but only for outgoing connections. You can't do it in the reverse like you want to.

*Sigh* I figured that would be the answer, but I wanted to make sure. Thanks Phoenix! I'll try and figure something else out.

starbuck
08-01-2008, 07:05 AM
So I think I found a way to do what we want. We're going to try setting up a reverse proxy with Squid (http://wiki.squid-cache.org/SquidFaq/ReverseProxy) that acts as a gateway to the private LAN where our Jail servers reside. I haven't gotten it working yet, but if it works I'll definitely let you know.

phoenix
08-01-2008, 11:27 PM
You may want to check out Varnish (http://varnish.projects.linpro.no/) if you are going the reverse-proxy route. From their FAQ (http://varnish.projects.linpro.no/wiki/FAQ):
> Why bother with Varnish - why not use Squid?
>
> Varnish was written from the ground up to be a high performance caching reverse proxy. Squid is a forward proxy that can be configured as a reverse proxy. Besides - Squid is rather old and designed like computer programs were supposed to be designed in 1980. Please see ArchitectNotes for details.

starbuck
08-03-2008, 05:56 AM
> You may want to check out Varnish (http://varnish.projects.linpro.no/) if you are going the reverse-proxy route. From their FAQ (http://varnish.projects.linpro.no/wiki/FAQ):

Thanks phoenix I'll have to look into that.

starbuck
08-09-2008, 02:15 AM
So we ended up using the Pound reverse proxy:

http://www.apsis.ch/pound/

It's working great too with our ezjails :D

This has been such a crazy couple of weeks; I'm hoping to write up a blog post on everything I had to do to set this up. I'll post again here if I ever get the time to do that.
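To illustrate the setup starbuck settled on, here is an added example (not starbuck's own configuration) of a minimal Pound config that listens on the single public address and routes by Host header to jails on the private LAN; the public address 203.0.113.10, the hostnames under example.edu and the 192.168.0.x jail addresses are placeholders chosen for this example.

```text
# Pound runs as an unprivileged user on the gateway (assumed: "www")
User        "www"
Group       "www"
# Log client IP, requested Host and the backend chosen for each request
LogLevel    2

ListenHTTP
    # The one static address assigned by network services (placeholder)
    Address 203.0.113.10
    Port    80

    # Pound adds an X-Forwarded-For header, so Apache inside each jail can
    # log the real client address rather than the proxy's private address.

    # Main site: match on the Host header, forward to its own jail
    Service
        HeadRequire "Host: www\.example\.edu"
        BackEnd
            Address 192.168.0.10
            Port    80
        End
    End

    # News site: a second jail on its own private address
    Service
        HeadRequire "Host: news\.example\.edu"
        BackEnd
            Address 192.168.0.11
            Port    80
        End
    End

    # Catch-all for any Host Pound does not recognise. Sending it to a
    # separate "unknown host" jail keeps stray requests off the real sites.
    Service
        BackEnd
            Address 192.168.0.250
            Port    80
        End
    End
End
```

The jail addresses must only be reachable through the proxy (private LAN, no NAT inbound), and each jail's Apache should log X-Forwarded-For so a compromise in one site can still be traced to the originating client.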