Not sure why this is such a mystery, but it took the better part of the day to troubleshoot. The main issue with forum posts is that people have the right idea/intention, but the forum software mangles the actual command line/shortcode. Spacing really really (did I say really) matters. I’m assuming that you’re using the default player definition that comes with the plugin. If you need to change it then make the appropriate change to this code as well. The code to get both RTMP and HLS working depends on defining both of those sources. In my case the source is my Wowza Server and I have two URIs:

1) For HLS I use http://wowza.server.ip.address:1935/live/many/playlist.m3u8

2) For RTMP I use rtmp://wowza.server.ip.address:1935/live/many

Obviously as you can see my Wowza application is “live” and the stream instance name is “many”. So for this to work transparently in HTML (HLS) and Flash (RTMP) environments you need the following code inserted into a post or page in wordpress (make sure you do it in Text view, NOT Visual view):

[player sources="{ file: 'http://wowza.server.ip.address:1935/live/many/playlist.m3u8'},{ file: 'rtmp://wowza.server.ip.address:1935/live/many'}"]

NOTE: The above code intentionally starts with [player…. Please replace it with jwplayer instead. I can’t seem to put the code in properly without the plugin — installed on this site — interpreting the code as shortcode.

Also, I can not be more clear…..SPACES DO MATTER HERE…..SO PAY ATTENTION!!!

NAB2014 Report

Posted on 15:11, April 18th, 2014 by Many Ayromlou

DEKTEC: DekTec introduced the DTA-2180 low profile PCIe H.264 encoder. The DTA-2180 is a low latency — 150 to 600 ms — H.264 hardware encoder based on the Magnum chipset. It supports MPEG-2 and H.264 and up to 16 channels of audio. Audio can be encoded as AC-3, AAC or MPEG-1 Layer 2. The DTA-2180 offers a 10 bit 4:2:2 option for contribution encoding. The DTA-2180 has a 3G-SDI and HDMI input and an ASI output. The compressed stream output — TS encapsulated H.264 or MPEG-2 — is also available on the PCIe bus for real time streaming, processing and recording.1

NIMBUS: The WiMi6400T and WiMi6400R provide high quality Full HD encoding/decoding with a low latency of 40ms each for encoding and decoding. They support a wide range of encoding rates from 1Mbps ~ 30Mbps for high quality video broadcasting. The WiMi6400T provides RTSP streaming server functionality. The WiMi6400T can also be used as a real-time MPEG-2 TS/UDP streaming server with linear PCM audio for IPTV networks. It supports one-to-many multicasting over an Ethernet LAN or IP network, so there is no restriction on the number of receivers in Ethernet LAN or IP networks.2

VIOLIN MEMORY: Violin Memory’s 6000 Series flash Memory Arrays are all-silicon shared storage systems built from the ground up, harnessing the power of flash memory and delivering industry-leading performance and ultra-low data access latencies. A single 3U array delivers more than 1 million IOPS with consistent, spike-free latencies in microseconds. Violin Memory is uniquely positioned to deliver flash memory systems that can compete with performance disk from a cost for raw capacity perspective, even before taking into account the potential benefits of features like deduplication. This is possible because 6000 Series flash Memory Arrays are purpose built with flash components sourced through Violin Memory’s unique and strategic alliance with industry leader Toshiba. The core of the 6000 is the Flash Memory Fabric. The Flash Memory Fabric is a resilient, highly available deep mesh of thousands of flash dies that work in concert to continuously optimize performance, latency, and longevity. All of the active components of the Flash Memory Fabric are hot-swappable for enterprise grade reliability and serviceability. 6000 Series flash Memory Arrays connect natively to existing 8Gb/s Fibre Channel, 10GE iSCSI, and 40Gb/s Infiniband network infrastructures.3

TOSHIBA: ExaEdge™ by Toshiba is a next generation SSD-based edge streaming server with extra low power consumption. It allows you to stream large numbers of concurrent high quality video streaming sessions with low host CPU and memory resource utilization. ExaEdge™ adopts Toshiba’s NPEngine™, the world’s first direct SSD-to-IP embedded hardware technology. ExaEdge™ offers direct storage access from SSD as an embedded hardware solution, in a 2RU compact-size server. The resulting performance is capable of sending up to 64,000 simultaneous sessions with the total host CPU usage at less than 12%. Modern video distribution over IP, like OTT streaming, leverages the existing HTTP-based caching functionality. Unlike the traditional IPTV network, which basically adopts specialized network architectures, in adaptive bitrate scenarios HTTP chunks can be cached by traditional cache servers at the edge to be then redistributed with lower latency.4 5

NHK: NHK was at NAB this week, quietly showing off footage shot with a Super Hi-Vision 8K camera, affectionately known as the Cube. The Cube camera is surprisingly compact at 2 kg, since it records to one of the only 8K HEVC real-time encoders in the world. It’s essentially a housing where the mammoth sensor and lens mount live, along with the necessary connections. But even though it’s a simple design, it delivers an amazing resolution of 7680 x 4320 pixels. 8K is a great format that could rival IMAX and be excellent for big events that can be beamed around the world and give spectators who can’t make an event the opportunity to experience it in a way that all other formats before it could only dream of. And NHK is planning on broadcasting the 2016 Summer Olympics in Rio in 8K.6 7

4EVER: 4Ever showed demos of MPEG DASH at NAB 2014. The DASH demo featured a way to deliver content with adaptive bit-rate streaming. It has four different HEVC encodes of original 4K content, encoded at several bit rates, including 14.5 and 11.5 Mbps for the 4K content, 5.8 and 3.7 Mbps for a 1080 version, and a 720 version which can stream at 2.9 or 1.8 megabits per second. The monitor runs a Chrome browser with HTML5 support which can only show a 4K/30 frame image. To show adaptive streaming, they randomly switched from one bit stream to the other, showing this data on the monitor. The changes were seamless, but you do see a change in picture quality.8

VISION 3 IMAGING: Vision III Imaging demonstrated 4K 60p parallax scanned imagery and its Real Shot™ parallax induction technology. Parallax scanning is a technique for capturing three-dimensional depth information over time using one camera and one lens. V3 imagery can be displayed on a standard display without 3D glasses or special screens. Real Shot is a parallax induction technique that also embeds three-dimensional parallax information into Internet or mobile digital advertising. Parallax scanning is accomplished using a digital parallax scanner (DPS). The DPS is a moving iris mechanism that is inserted into the optical path of a lens. When the iris is moved off the center of the lens, it records a different point of view at the plane of focus. The DPS iris scans in a circle around the center of the lens, making it possible to capture 360° of parallax information using a single lens.

RENEWED VISION: With its new Multiple Screen functionality, ProVideoPlayer 2 ($999) makes it easier than ever to create multi-screen presentations from a single computer with support for multiple graphics cards and easy mapping within each card and across multiple cards. Users can also add external graphics processors to each one of these graphics card outputs for even more screens, as well as add outputs that are not yet connected to a physical output, allowing shows to be pre-built off-site prior to the event. PVP 2 supports Multiple Layers, which afford the flexibility to create unique looks and allow the user to take full advantage of multiple screens. A layer is merely a video channel, so multiple layers are also great for a single screen environment where layering, textures, or PIPs are desired.10

THUNDERBOLT 2 Mobile 4K Workflow: HP showed 4K real-time streaming off a BMDC and 4K real-time playback from a Thunderbolt 2 Little Big Disk, all run through HP’s new Z series laptops on a 21:9 screen.11

SILICON POWER: The Silicon Power Thunder T11 is not only the lightest but also the smallest Thunderbolt™ SSD on the market. Featuring an extremely small and featherweight design, the Thunder T11 is half the size of ordinary storage devices and only weighs 65g. Silicon Power’s Thunder T11, which enhances the storage solution with Thunderbolt™ SuperSpeed I/O technology, is three times the speed of a USB 3.0 HDD and delivers transfer rates of up to 380MB/s read and 340MB/s write.12

360HEROS: 360 degree shooting Hexacopter using 3-D printed Go-Pro3 mounts.13

ERICSSON: Showing 100 Mb/s (4x25Mb/s) live UHDTV broadcast using DVB-S2 extensions to broadcast true 4Kp60 over the air.35

LACIE: The LaCie 8big Rack is the company’s first Thunderbolt 2 rackmount storage solution, featuring up to eight 6TB 7200RPM hard drives and delivering speeds of up to 1330 MB/s. The 8big Rack also features easy access to components and tool-free maintenance of the included power supply units, fans, and disks, all while offering a cooling system with three fans that conducts heat away from vital components. The 8big Rack will be offered in 4-disk (12TB) or 8-disk (24TB and 48TB) configurations.16

SKYPE: Skype has been an essential tool in the production of podcasts and newscasts for years, and today Microsoft has announced a professional-grade version of the app designed specifically for the media industry. It’s called Skype TX and is intended to be used in studio environments; you won’t be using this to record a podcast in your bedroom. Skype TX is described as an “easy-to-use hardware and software combination that allows Skype video calls from anywhere in the world to be seamlessly integrated into any production.” It plays nice with industry standards by outputting calls in full-frame HD-SDI formats.

LIVESTREAM: Livestream announced a pair of production switchers: the HD510 and HD1710. The HD510 is a portable version with an integrated touch display, yet it’s still full featured with 5 SDI inputs. The rack mounted HD1710 is at the other end of the spectrum. It features up to 17 inputs and can drive 4 displays. They also announced Livestream Studio Control Surface a modular control surface with 5 assignable tracks, T-Bar and audio mixer and USB connection to Livestream Studio.19

AJA: CION™ is the new 4K/UHD and 2K/HD production camera from AJA. Record directly to Apple ProRes 422 and 444 at up to 4K 60fps or output AJA Raw at up to 4K 120fps.20

DIGITAL BOLEX: Digital Bolex’s new monochrome 16mm camera, dubbed the D16M, has the same form factor as the original D16, but there’s a significant change under the hood. The D16M sports a native black and white sensor for the highest quality monochromatic capture without the need to debayer, retaining a higher sensitivity to light and preserving the full dynamic range of the sensor.

Here are the technical specs:

  • Kodak native monochrome sensor
  • Same resolution options as D16: Super 16mm (2K), 16mm (HD), and Super 8 (720p)
  • No OLPF filter to further maximize fine details
  • ISO 100, 200, 400, 800
  • 500GB Hard Drive21 22


BLACKMAGIC: The new Blackmagic 4K URSA camera is weird, featuring a 4K Super 35mm global shutter sensor, a real camera form factor, a built-in 10.1″ 1920 x 1200 fold out display, and two 5” 800 x 480 displays. Not only that, but it has both interchangeable lenses and sensors, meaning you’ll be able to upgrade to a better sensor at home by removing a few screws when a better one is available. Here are the specs:

  • 21.12mm x 11.88mm — Super 35mm Global Shutter 4K CMOS Sensor (Probably the same as current Blackmagic Production Camera 4K)
  • Interchangeable Lens Block
  • 3840 x 2160 — 24/25/60fps
  • 1920 x 1080 — 24/25/30/50/60fps
  • ProRes HQ and Lossless Compressed RAW
  • 12 Stops Dynamic Range
  • EF/PL/B4/ or No Mount
  • Two CFast 2.0 Slots for Media Recording
  • 1 x 10.1” 1920 x 1200 Fold Out Non-Touch Screen
  • 2 x 5” 800 x 480 Touch Screens
  • SDI Video Output: 1 x 12G-SDI 10-bit 4:2:2. 1 x 3G-SDI down converted for external monitoring
  • SDI Video Input: 1 x 12G-SDI
  • Ref Input: 1 x Reference Input
  • Timecode In/Out
  • 2 XLR Inputs
  • 2 SDI Audio Out
  • Headphone Jack
  • 1 x 2.5mm LANC for Rec Start/Stop, Iris Control and Focus.
  • Power: 12V 4-pin XLR In/Out (Can take battery plates for Gold Mount and V Mount)
  • Availability: July?
  • Price: $6,000 for EF, $6,500 for PL23 24

Blackmagic also seeks entry into the broadcast-camera market with its newly announced Studio Camera, available in Full HD and 4K (Ultra HD) models. Designed for live broadcast applications, the Blackmagic Studio Camera sports a unique design with a massive 10″ LCD screen, built-in 4 hour battery, and a set of features you’d expect to see in large studio cameras, such as built-in talkback and tally indicators. Intended to meet the needs of a variety of live broadcast applications, the Blackmagic Studio Camera provides the connections required to fit into those environments. Connections include SDI (3G on the HD version and 12G on the 4K version) and optical fiber video inputs/outputs, XLR audio connections, reference, LANC remote control, and a 4-pin XLR power input. The camera features an active Micro Four Thirds lens mount that is compatible with a wide range of lenses via third-party adapters, opening the door for the use of common DSLR lenses to PL-mount cinema lenses, and even B4 ENG lenses.25

SOLOSHOT: The surprisingly affordable soloshot 2 ($399) will follow a tracker that someone can wear or you can slap on something so you don’t have to do a thing. Put on the tracker, set up your camera with SOLOSHOT 2, and catch a wave with the perfect video. It features vertical tracking, automatic zoom, and the kit even includes a tripod for you to get started. It’s got a range up to 2,000 feet and 360 degree horizontal tracking.26


BRUSHLESSGIMBALS: Gimbi is a lightweight, easy to carry, simple to use, power-and-go, 2 axis handheld brushless gimbal for the GoPro. With Gimbi™, you can shoot videos and photos as smooth as the pros.
Key Features
- Adjustable cellphone stand permits use of cellphone as monitor
- Super-smooth tilt control with thumb pad (Controllable pitch 90 degrees)
- Increased auto leveling accuracy and battery efficiency due to built-in brushless motor encoders.
- 2 hour use time on one charge
- Includes four rechargeable batteries and battery charger27


JIGABOT: Jigabot’s AIMe is a pill-shaped tripod mount that automatically follows your subject—keeping it in frame—in case you’re shooting video by yourself. It uses infrared markers and swivels and tilts using complex algorithms powered by a quad-core ARM processor.28


CEREVO: Cerevo’s LiveWedge ($999) provides easy control via a smartphone/tablet app. The rotary control unique to the app enables slow transitions, which are more difficult with a physical T-Bar. LiveWedge supports PiP and chroma key as well as all the basic transitions such as wipe, fade, cut, etc. LiveWedge has an SD card slot and users can record 1080/30p (H.264) Full HD video on it while switching! You can also use videos and images from the SD card as the video source. Streaming is built into LiveWedge: 720/30p HD live streaming and 1080p HD video switching are available in one device! Supported streaming platforms include Ustream, YouTube Live and your own servers.29


PESA: PESA showed their brand new Xstream Live Streaming mobile solution, co-developed by Ryerson students. They also received the NewBay Media Best of Show Award at NAB.

36

COMREX: Comrex LiveShot™ delivers live video over a range of IP networks. LiveShot is used by TV stations and networks to deliver high quality, low latency (200ms) video from anywhere Internet access is available. LiveShot is especially optimized to perform well on challenging IP networks like 3G, 4G and satellite links. For optimal video quality, LiveShot encodes with H.264 HIGH profile. In addition to standard AAC audio coding, LiveShot utilizes HE-AAC and AAC-ELD audio coding, both reducing network bandwidth and lowering delay. LiveShot can encode and decode an audio/video stream with less than 200 ms delay. LiveShot delivers full-duplex video and stereo audio between the field portable and studio rackmount systems. In addition, a full-duplex cue channel is available between the portable and studio units. On the portable, the return audio/video channel is delivered via output connectors. The cue channel is accessible on the portable via a wired headset or Bluetooth audio to a wireless headset.30


PANASONIC: The Lumix GH4 camera body and its 16MP CMOS Micro Four Thirds sensor will cost $1700, while the optional YAGH pro audio/video interface unit is available for an extra $2,000. The GH4 can shoot 4K at 30/25/24fps at 100Mbps using ALL-Intra compression. At 1080p that rises way beyond broadcast standard to 200Mbps. There are two 4K formats available too: the standard 3840 x 2160 resolution at 30/25/24p, or the cinema widescreen 4096 x 2160 resolution available at 24p only. When writing to SD card the camera captures 4K video with 8-bit colour and the data rate is limited to 100Mbps. Use an optional accessory – the Panasonic DMW-YAGH, which is about as big as the GH4 body – and its four SDI ports can be used in tandem to extract uncompressed 4K at 10-bit colour. Power input, independent volume adjustment and twin XLR sockets ensure everything a broadcast pro needs is here – but only via the DMW-YAGH.31

The HX-A500 shoots at a resolution of 3840×2160, so Ultra HD. Sub-4K resolutions include 1080 up to 50p, and 720 up to 100p. Unsurprisingly it shoots to an MPEG-4 AVC/H.264 codec in an .mp4 wrapper.

The camera has a perhaps slightly disappointing variable bit rate, half that of the GoPro Hero 3+. Here’s the breakdown:

  • 3840×2160/25p (Max. 72Mbps / VBR)
  • 1920×1080/50p (Max. 28Mbps / VBR)
  • 1920×1080/25p (Average 15Mbps / VBR)
  • 1280×720/50p (Average 15Mbps / VBR)
  • 1280×720/25p (Average 9Mbps / VBR)

The camera has a fixed focal length, fixed f/2.8 aperture lens. It has a few different white balance presets including Auto / Indoor1 / Indoor2 / Sunny / Cloudy / White set. The shutter is listed as variable, from 1/25th to 1/12000. The HX-A500 has an in-built image stabilizer, with an angle of view currently listed as only 160°.32


JVC: JVC has now also entered the large sensor market, and this intriguing little camera covers Super 35mm on an MFT mount. In terms of specs the JVC GY-LSX2 has some really intriguing figures to offer. Not only is it very small and looks very ergonomic to handle, but it offers 4K with frame rates up to 30p as well as a slow motion feature at 2K resolution that will go up to 240fps. The footage is recorded internally with an H.264-type codec. The JVC GY-LSX2 is announced with a price point “under $6000″ and is due at the end of 2014.33


The bigger brother, called GY-LSX1 will feature a higher framerate (60p) at 4K resolution, offer a shoulder-mount form factor and seems to come in at around twice the price of the small one.34


That’s it for now……This year’s buzz words: 4K, UHDTV, HEVC, H.265, OTT (Over The Top)….see you all next year :-)

Proxmox VPS for web development recipe….

Posted on 17:17, March 10th, 2014 by Many Ayromlou

A little while ago our web developer asked me to look into proxmox containers and how we could take advantage of it to setup a development environment for him. The idea was to use the power of linux containers and enable him to develop fully functional/accessible sites in a private container. Here are the steps we will cover in this article:

  • Install proxmox on a machine with a single public IP address
  • Secure the machine with ufw to only allow connections from a specific IP address space
  • Setup an admin user other than root for the proxmox admin interface
  • Setup proxmox to use the single IP address and the vmbridge for masquerading
  • Setup two Linux Ubuntu 12.04 containers with private addresses and enable them to access the internet via the bridge
  • Setup Apache on the proxmox host and configure it to do reverse proxy for the two ubuntu containers
  • Setup DNS (for the container instances) to point to proxmox host and test to make sure the “private” containers are accessible from Internet
  • Tighten up security on the reverse proxy on the proxmox host
  • Optionally only allow access to the proxy from specific IP address space

To do all this you need to download the proxmox ISO file and burn it to a CD. Go through the installation of proxmox and set up the “host” with the single public IP address. This is simple enough so I’m not gonna cover it here. Once you have this setup you should be able to point your browser at the IP address (https://aaa.bbb.ccc.ddd:8006). NOTE: I will use aaa.bbb.ccc.ddd as the representation of the publicly available IP throughout.

Next we need to secure access to the host to only allow connections from a specific IP address space. In my case that’s the University network — 141.117.0.0/16 — this is optional. We need to make sure ufw is installed. We also need to make sure ufw is allowing incoming connections by default and then block everything except access from the University network:

ufw default allow incoming
ufw allow proto tcp from 141.117.0.0/16 to any port 8006
ufw deny proto tcp from any to any port 8006
ufw allow proto tcp from 141.117.0.0/16 to any port 3128
ufw deny proto tcp from any to any port 3128
ufw allow proto tcp from 141.117.0.0/16 to any port 111
ufw deny proto tcp from any to any port 111
ufw allow proto tcp from 141.117.0.0/16 to any port 22
ufw deny proto tcp from any to any port 22
ufw enable

Note that I’m assuming your ssh connection to the host is via the University network (141.117.0.0/16). Make adjustments to this if it’s not, otherwise you might lock yourself out. These basic rules will plug all the holes accessible publicly and only allow connections from our University network (141.117.0.0/16).

Setting up users in proxmox is a bit weird. You have to add a regular Unix user to the proxmox host environment and then add the user to proxmox later and give it permissions and roles. Here I will use a user “myadmin” to create something for our web developer to use.

useradd -m -s /bin/bash -U -G sudo myadmin

This will create an account “myadmin”, join it to the primary group “myadmin”, assign it /bin/bash as shell and make it part of the group “sudo” — which will allow the user to use the sudo command in the future. Next on the proxmox web interface we need to create an admin group called “Admin”. In the proxmox interface we click on the Datacentre in the left pane and go to Groups and click the Create button. Call the group “Admin”. Now go to the Permissions tab in the right pane. We need to create an Administrator Group Permission to assign to our “Admin” group. Click Add Group Permission (right below the tabs in this pane) and fill it in like below:

[Screenshot: Screen Shot 2014-03-10 at 3.02.51 PM]


In this window the path: / means the entire Datacentre (including the host and the containers/VM’s). You might want to adjust this. The Role “Administrator” is a predefined role that is pretty much the same as root. Now that our group “Admin” has the “Administrator” role for the entire Datacentre, we want to make the user “myadmin” — which is a unix account right now — be part of that, effectively creating another “root” account for our web developer. So back to the Users tab we click Add and create our new user (really just add the Unix user to proxmox):

[Screenshot: Screen Shot 2014-03-10 at 3.15.42 PM]


Okay, so now test and make sure you can access the host via ssh using myadmin as the user. Also make sure you can sudo to root on the host, then check the web interface and ensure the myadmin account can log in and see all the goodies in the data centre. Otherwise stop and fix.

At this point login/ssh to the host as root or myadmin (plus “sudo -i” to become root). We need to modify the networking config in /etc/network/interfaces to setup all the masquerading jazz. Make a back up of your interfaces file first and note the public IP address that is in there (I’m gonna use aaa.bbb.ccc.ddd as my public address here). Once you have a backup replace everything in the file with the following:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address  aaa.bbb.ccc.ddd
        netmask  255.255.255.0
        gateway  aaa.bbb.ccc.xxx

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-up   iptables -A FORWARD -s '10.10.10.0/24' -o eth0 -j ACCEPT
        post-up   iptables -A FORWARD -d '10.10.10.0/24' -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -D FORWARD -s '10.10.10.0/24' -o eth0 -j ACCEPT
        post-down iptables -D FORWARD -d '10.10.10.0/24' -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT

So in the above I’m creating a separate private network (10.10.10.0/24) behind the publicly available IP address aaa.bbb.ccc.ddd and am using some iptables commands to set up masquerading. This is sorta like setting up a home router to share a publicly available IP address you have at home. Once this is in place reboot the host and make sure you can log back into https://aaa.bbb.ccc.ddd:8006/ and get the proxmox interface. If you’re good to go, as the next step spin up two Ubuntu containers (I won’t go into details on this…..lots of docs out there for this). Your OpenVZ Container confirmation screen should look something like this:

[Screenshot: Screen Shot 2014-03-10 at 4.25.05 PM]


The only really important thing here is that you setup the networking under Network tab as Bridged mode and select vmbr0 as your bridge. Once that’s done ssh back to your host (aaa.bbb.ccc.ddd). Assuming you have two containers 100 and 101, enter one of them by using the vzctl command:

vzctl enter 100

Once inside the container you need to set up the networking. Again the file here is /etc/network/interfaces (assuming your container is Ubuntu/Debian flavoured). Back up this file first and replace the content with the following:

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
        address  10.10.10.2
        netmask  255.255.255.0
        gateway  10.10.10.1
        dns-nameservers 8.8.8.8
        dns-search      your.real.domain.name.com

Note here that I’m using Google’s name server. You can use that or substitute your own “real” name servers. Once you reboot the container and enter it again via the host, you should be able to ping just about any real host (www.google.com, www.yahoo.com or whatever). This gives us a basic NAT running on the host, and you just need to increment the IP address (10.10.10.2 in the above case) in the setup of the second container. At this point you should be able to enter either container and ping something outside.

So the rest of this article describes how to set up a secure reverse proxy using apache on the proxmox host (aaa.bbb.ccc.ddd). This way you can just point arbitrary DNS names at aaa.bbb.ccc.ddd and choose (via apache config) which one of your containers will answer the call. You can even get fancy and have multiple hostnames proxied to the same container and do standard “Name based” virtual hosting inside the container. I will just show the one-to-one proxied connection here. Start by installing apache on the host (apt-get install apache2). First we need to activate the proxy module. If you don’t have time to finish this entire procedure DO NOT CONTINUE. Literally in the time it takes to install and configure the proxy, script kiddies will hit your site and use you as a proxy to attack other sites. DO THE PROXY INSTALL AND CONFIG/SECURING PROCEDURE IN ONE SHOT.

Assuming apache is installed go to http://aaa.bbb.ccc.ddd and ensure you’re getting the apache “hello” screen. Now you can enable the three modules needed by issuing the following:

a2enmod proxy
a2enmod proxy_http
a2enmod headers

Once that’s done you need to make some changes to your proxmox host’s default apache config, which is in /etc/apache2/sites-available/default. For the sake of completeness I’ve included my entire file here. Compare it to yours and modify accordingly:

# IMPORTANT: YOU NEED THIS
LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so.2

<VirtualHost *:80>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# IMPORTANT: YOU NEED THIS
	ProxyRequests Off
	# Block all requests 
	<Proxy *>
	  Order deny,allow
	  Deny from all
	</Proxy>

</VirtualHost>

<VirtualHost *:80>
	ServerName hosta.domain.ca
	RequestHeader set hosta.domain.ca Accept-Encoding
	ProxyPreserveHost On
	ProxyPass / http://10.10.10.2/
	ProxyPassReverse / http://10.10.10.2/
	# IMPORTANT: YOU NEED THIS
	<Proxy *>
	    Order deny,allow
	    Allow from all
	</Proxy>
</VirtualHost>
<VirtualHost *:80>
	ServerName hostb.domain.ca
	RequestHeader set hostb.domain.ca Accept-Encoding
	ProxyPreserveHost On
	ProxyPass / http://10.10.10.3/
	ProxyPassReverse / http://10.10.10.3/
	# IMPORTANT: YOU NEED THIS
	<Proxy *>
	    Order deny,allow
	    Allow from all
	</Proxy>
</VirtualHost>

Pay particular attention to parts that have the comment (# IMPORTANT: YOU NEED THIS)……Guess what…..YOU NEED THIS. The first one loads libxml2, which is needed. The second block of code makes sure you are in reverse proxy mode (not in forward proxy mode) and makes sure the main apache instance can’t be used for proxying. The third and fourth blocks enable reverse proxying for a particular virtual host name. Now we need to reload apache on our proxmox host and do some testing. Reload apache with (service apache2 reload) and for sanity’s sake change the index.html file in both containers (under /var/www/index.html) to reflect hosta and hostb. I’ve basically just added the words hosta and hostb to the html file. Register hosta.domain.ca and hostb.domain.ca as “A” records in your DNS and point them at the IP address of the proxmox host (aaa.bbb.ccc.ddd).

If everything is working properly you should be able to use your browser and point at http://hosta.domain.ca and get the index.html page specific to that container, and the same for hostb. At this point you should be more or less good to go. If you need more containers addressable from the internet, just keep adding this block of code to the proxmox host’s /etc/apache2/sites-available/default and change the hostname and increment the private IP addresses:

<VirtualHost *:80>
	ServerName hostc.domain.ca
	RequestHeader set hostc.domain.ca Accept-Encoding
	ProxyPreserveHost On
	ProxyPass / http://10.10.10.4/
	ProxyPassReverse / http://10.10.10.4/
	# IMPORTANT: YOU NEED THIS
	<Proxy *>
	    Order deny,allow
	    Allow from all
	</Proxy>
</VirtualHost>

Optionally you can now go back and add a couple more ufw rules to only allow access from a particular IP address space (in my case the university network 141.117.0.0/16):

ufw allow proto tcp from 141.117.0.0/16 to any port 80
ufw deny proto tcp from any to any port 80

Again with this setup — since we’re preserving the request header and are passing it through the proxy back and forth — you can have hostd, hoste, hostf, all point to the same private IP address in the proxy and do a named virtual serving on the apache instance in the particular container, just like a standard named virtual host based setup. Hope this helps…..
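As an added example (not part of the original post), here is a small POSIX shell helper that generates one more reverse-proxy VirtualHost block in the style above, refuses hostnames or IPs that fall outside the 10.10.10.0/24 container network, and checks that a config file still has ProxyRequests Off, which is the setting that keeps the host from becoming a forward proxy for outsiders. The hostname hostc.domain.ca and the 10.10.10.x addresses are the post’s own placeholders; nothing here is Proxmox’s or Apache’s code.

```shell
#!/bin/sh
# Added example: generate and sanity-check reverse-proxy vhost blocks
# for the 10.10.10.0/24 container network used in the post.

# valid_container_ip IP -> success if IP is 10.10.10.2 .. 10.10.10.254
# (.1 is the bridge/gateway on the host, .255 is broadcast).
valid_container_ip() {
    case "$1" in
        10.10.10.*) ;;
        *) return 1 ;;
    esac
    last=${1##*.}
    case "$last" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# valid_hostname NAME -> success for a plain lowercase DNS name
# (labels of letters, digits and hyphens, at least one dot); rejects
# shell metacharacters so a bad value can never end up in the config.
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# vhost_block NAME IP -> prints a <VirtualHost> block for one container,
# or fails without printing anything when NAME or IP is unacceptable.
vhost_block() {
    name=$1
    ip=$2
    valid_hostname "$name" || { echo "bad hostname: $name" >&2; return 1; }
    valid_container_ip "$ip" || { echo "IP outside container range: $ip" >&2; return 1; }
    cat <<EOF
<VirtualHost *:80>
    ServerName $name
    ProxyPreserveHost On
    ProxyPass / http://$ip/
    ProxyPassReverse / http://$ip/
    # IMPORTANT: YOU NEED THIS
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
EOF
}

# config_is_reverse_only FILE -> success if FILE has "ProxyRequests Off"
# and no "ProxyRequests On" (directive names are case-insensitive in Apache).
config_is_reverse_only() {
    grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$1" &&
    ! grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$1"
}

# Example run: print the block for a third container on the post's network.
if [ "${1:-}" = "demo" ]; then
    vhost_block hostc.domain.ca 10.10.10.4
fi
```

Run `sh script.sh demo` to print the block; append its output to /etc/apache2/sites-available/default and re-run config_is_reverse_only on that file before reloading apache.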
