Changed local IP address but vhost config files still use old one

My server is currently 192.168.0.202 on my LAN, with my gateway router doing a bunch of port forwards to map my public IP address to the private one.  This has been working very happily for years.  But now I want to move the server to a different LAN segment and give it address 192.168.1.202, so I edited /etc/sysconfig/network-scripts/ifcfg-p7p1, changed the IPADDR and GATEWAY settings and did ifdown p7p1; ifup p7p1.  All good, I could ssh to the server on the new address and access the CWP console through https://192.168.1.202:2031.  BUT ... none of my hosted domain web servers were accessible.

Digging around in the Dashboard, I went to the Navigation panel on the left and selected Webserver Settings > Webservers Conf Editor and selected /usr/local/apache/conf.d/vhosts and had a look at a few.  The all began "<VirtualHost 192.168.0.202:80>" (okay, the HTTPS ones had port 443).

Digging some more, Webserver Settings > Webservers Template Editor > Httpd has default.tpl and default.stpl which begin "<VirtualHost %ip%:%apache_port%>".  This looked promising - the IP address was picked up from a template generator variable.

Going into Webserver Settings > Webservers Main Conf, at the bottom of the page is a checkbox "Rebuild all vhosts on save" so I checked that and clicked Save Changes.  The timestamp on all my vhost config files changed so I guess something happened, but they still contained the old address.

Going back to the Dashboard, the CWP Info panel shows "Your IP: 192.168.1.202" so it definitely knows what the address is.

So what do I need to do to change the address properly and get CWP to autogenerate the vhost config files with the new address?  And are there other files that I didn't find?

Thanks for your help

Why are you not using DMZ instead of port forwarding?

If your vhost files are using the IP that you had before, then it means that your "Shared IP" aka public IP was set to 192.168.0.202, but I think this is the wrong way doing it.
You should make your now new local IP a DMZ, then tell the panel the NAT Local IP is now 192.168.1.202 and the Shared IP to be your public IP (https://whatismyipaddress.com) and put a check in "Active NAT-ed network configuration".

Here: CWP Settings - Edit Settings
then remember to rebuild all your vhost files with the new IP by putting a check in "Rebuild All WebServers vHosts with the new IP changes" and Save Changes

Here's one more thing:
tell your server to use auto DHCP so the router decides the IP. Then tell the router to assign the IP you want for the MAC address of the server. This way, you don't end up editing server network files and complicate things.

When using DMZ, all port configurations should be done within the server's firewall.

Hi @iraqiboy90, many thanks for the pointer - the Navigation > CWP Settings > Edit Settings page was the place I needed to be - not sure how I missed it as it's at the very top of the list after Dashboard!

It wasn't entirely straightforward to correct the vhost configurations.  The "NAT Local IP" setting was already showing 192.168.1.202 (I guess it picked it up from the "ifconfig" info for the active ethernet port) so rebuilding the web server configs still had no effect.  In the end I unticked "Activate NAT-ed network configuration", rebuilt the config files (so they now had my external public IP address), then re-ticked the box and rebuilt the configs again.  This time they had the correct IP address - 192.168.1.202.  Many thanks!!

To answer you're question about using Port Forwarding instead of DMZ, the latter is essentially a NAT rule that redirects ALL incoming requests arriving at the public interface of your broadband router (other than the ones explicitly Port-Forwarded) to a nominated server on your LAN, so really it's a massive catch-all Port-Forward rule.  It's dangerous to redirect all external requests to a server because that leaves it wide open to attack from outside, protected only by its own internal firewalls rules, which might be buggy or not present at all.  It's much safer to forward just the requests you're expecting the server to receive as there's less scope for surprises.  Furthermore, selective redirection means you can redirect other traffic to other servers on your LAN - for example, you could have separate machines running email, video conferencing, etc.  The DMZ setting is only really safe to use when you point it at a dedicated firewall/router, which it how my own LAN is set up.

As for setting the server to auto-DHCP its address from the router, this is a very bad idea.  It means your server could be allocated a new IP address at the whim of the router, moving it away from the DMZ or Port-Forward address configured in your router and totally breaking your CWP's ability to receive incoming requests.  No, you must fix the local address in the server configuration and use that fixed address in your router's Port-Forward settings (and not the DMZ settings because that's unsafe).

Hi @iraqiboy90, many thanks for the pointer - the Navigation > CWP Settings > Edit Settings page was the place I needed to be - not sure how I missed it as it's at the very top of the list after Dashboard!

It wasn't entirely straightforward to correct the vhost configurations.  The "NAT Local IP" setting was already showing 192.168.1.202 (I guess it picked it up from the "ifconfig" info for the active ethernet port) so rebuilding the web server configs still had no effect.  In the end I unticked "Activate NAT-ed network configuration", rebuilt the config files (so they now had my external public IP address), then re-ticked the box and rebuilt the configs again.  This time they had the correct IP address - 192.168.1.202.  Many thanks!!

Glad I could help.

To answer you're question about using Port Forwarding instead of DMZ, the latter is essentially a NAT rule that redirects ALL incoming requests arriving at the public interface of your broadband router (other than the ones explicitly Port-Forwarded) to a nominated server on your LAN, so really it's a massive catch-all Port-Forward rule.  It's dangerous to redirect all external requests to a server because that leaves it wide open to attack from outside, protected only by its own internal firewalls rules, which might be buggy or not present at all.  It's much safer to forward just the requests you're expecting the server to receive as there's less scope for surprises.  Furthermore, selective redirection means you can redirect other traffic to other servers on your LAN - for example, you could have separate machines running email, video conferencing, etc.  The DMZ setting is only really safe to use when you point it at a dedicated firewall/router, which it how my own LAN is set up.

As for setting the server to auto-DHCP its address from the router, this is a very bad idea.  It means your server could be allocated a new IP address at the whim of the router, moving it away from the DMZ or Port-Forward address configured in your router and totally breaking your CWP's ability to receive incoming requests.  No, you must fix the local address in the server configuration and use that fixed address in your router's Port-Forward settings (and not the DMZ settings because that's unsafe).

Yeah, I know how DMZ works. All servers not hosted on local home routers (i.e. Blue Host), they are running on the same "DMZ" principle. So, saying that DMZ is dangerous is only true if you don't know what you are doing. A linux server's firewall should not be buggy or "not present" if configured correctly.

But, you have a point regarding port forwarding other ports to other IP addresses. I've thought of this point while writing my previous post, but I thought it to be irrelevant since I understood from your first post that you were using a simple home router, but it seems like you have yourself a custom router/firewall setup. Are you running everything with just one public IP address?

In regards to Auto DHCP; That's not true. I said that if you tell your router to manually assign a specific IP address (which in your case is 192.168.1.202) to your server and lock it, then the router wont have a whim to change it. I'm afraid with your way, the router may try to assign a new IP address to the server when the Lease Time has expired, but the server won't accept it because you told the server to not use anything else.

Yeah, I know how DMZ works. All servers not hosted on local home routers (i.e. Blue Host), they are running on the same "DMZ" principle. So, saying that DMZ is dangerous is only true if you don't know what you are doing. A linux server's firewall should not be buggy or "not present" if configured correctly.

The use of a DMZ isn't dangerous, the practice of passing unfiltered traffic to a server when it isn't needed is dangerous.  Even if you've configured the server firewall perfectly, you're still wasting CPU cycles and internal network bandwidth carrying and processing all those probes and attack attempts from all the hackers across the face of the planet.  If you get your broadband/edge router to filter that stuff out by using selective port forwarding then everything inside your network will run a whole lot more smoothly.

But, you have a point regarding port forwarding other ports to other IP addresses. I've thought of this point while writing my previous post, but I thought it to be irrelevant since I understood from your first post that you were using a simple home router, but it seems like you have yourself a custom router/firewall setup. Are you running everything with just one public IP address?

Yes, I only have a single public IP address with my business broadband package so I have to multiplex services based on port.  Originally I just had the CWP server and, as you suggested, it was set as the DMZ host in my router.  But then I got a bit more sophisticated/paranoid and switched to using port forwarding from a security point of view.  And in the iteration I'm currently working on I'm hanging a second router off the broadband router, set as the DMZ host.  The reason for changing the CWP server IP address is that I wanted to plug it into the new DMZ router, requiring a change in the LAN subnet, and that's where you were so helpful!  This will give me a double-NAT on the way to the server, but it can't be helped as I can't switch the broadband router to Modem Mode - my public IP address is at the other end of a proprietary GRE tunnel and the broadband router is the only thing that knows how to talk to the PoP server, which it won't do if it's running as a dumb modem.  Pity.

In regards to Auto DHCP; That's not true. I said that if you tell your router to manually assign a specific IP address (which in your case is 192.168.1.202) to your server and lock it, then the router wont have a whim to change it. I'm afraid with your way, the router may try to assign a new IP address to the server when the Lease Time has expired, but the server won't accept it because you told the server to not use anything else.

Yes, you're right.  I misunderstood what you meant by "auto".  You could certainly set the server to accept an IP from the router using DHCP, then use Address Reservation in the router to tie a fixed IP address to the server's MAC address.  That wouldn't help with the CWP configuration, though - you'd still need to go into the CWP Settings screen, change the IP and rebuild the vhost files.

My configuration is fine, though - I don't use DHCP, just a fixed address in the /etc/sysconfig/network-scripts/ifcfg-p7p1 file, so there is no lease to expire and no danger that the router will attempt to override my static assignment.

Thanks again for your help - my network is now much better because of you.

Good read. You got some points there. Something new to learn

...