problems setting up webserver

Discussion in 'Tech Talk' started by David_G17, Apr 20, 2005.

  1. David_G17

    David_G17 /\/\/\/\/\/\/\/

    Messages:
    2,046
    Likes Received:
    7
    Joined:
    Oct 7, 2002
    I had posted about this before, and I thought I had it figured out, but I'm still having problems.

    OS: Fedora Core 3
    Server: latest Apache
    connection: DSL through Century-tel

    situation: I can type the IP into a browser running on the same machine as the server and the browser pulls up the site fine (also works for 127.0.0.1). However, when I'm on a remote computer (at work or at a friend's house) I can't pull up the site. I can SSH into the server, but can't open a web page.

    I believe I have to enable port forwarding on my router, and I've tried setting it so that incoming data on port 80 goes to port 1337 and adjusting the Apache config files accordingly. Browsing to http://<ip address>:1337 then results in the same situation as above (I can reach it from the computer with Apache, but not from other locations).

    Is it possible my ISP is preventing me from hosting a site? Or is it likely I don't know what I'm doing with my router, and that is causing my anguish?

    Thanks, any ideas/suggestions appreciated.
     
  2. bohr

    bohr rm -rf /

    Messages:
    52
    Likes Received:
    0
    Joined:
    Apr 11, 2003
    Location:
    FL
    Two things:

    1. Check your SE Linux settings

    2. Try changing ports. (Post your httpd.conf file)
     

  3. HerrGlock

    HerrGlock Scouts Out CLM

    Messages:
    23,804
    Likes Received:
    263
    Joined:
    Dec 28, 2000
    On the Apache box, go to one of those sites that port-scans, like:
    https://grc.com/x/ne.dll?bh0bkyd2

    Run the scan and see if port 80 is closed, open, or stealth. If it's anything other than open, you may have the DSL company blocking it.

    Also check iptables and see if port 80 or 1337 is open to the world.

    DanH
     
  4. David_G17

    How? I've only read about SE Linux in the installation documentation, and I don't really know enough about it.
    httpd.conf file:
    Code:
    [root@ar15dsktop conf]# head -100 httpd.conf
    #
    # Based upon the NCSA server configuration files originally by Rob McCool.
    #
    # This is the main Apache server configuration file.  It contains the
    # configuration directives that give the server its instructions.
    # See <URL:http://httpd.apache.org/docs-2.0/> for detailed information about
    # the directives.
    #
    # Do NOT simply read the instructions in here without understanding
    # what they do.  They're here only as hints or reminders.  If you are unsure
    # consult the online docs. You have been warned.
    #
    # The configuration directives are grouped into three basic sections:
    #  1. Directives that control the operation of the Apache server process as a
    #     whole (the 'global environment').
    #  2. Directives that define the parameters of the 'main' or 'default' server,
    #     which responds to requests that aren't handled by a virtual host.
    #     These directives also provide default values for the settings
    #     of all virtual hosts.
    #  3. Settings for virtual hosts, which allow Web requests to be sent to
    #     different IP addresses or hostnames and have them handled by the
    #     same Apache server process.
    #
    # Configuration and logfile names: If the filenames you specify for many
    # of the server's control files begin with "/" (or "drive:/" for Win32), the
    # server will use that explicit path.  If the filenames do *not* begin
    # with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
    # with ServerRoot set to "/etc/httpd" will be interpreted by the
    # server as "/etc/httpd/logs/foo.log".
    #
    
    ### Section 1: Global Environment
    #
    # The directives in this section affect the overall operation of Apache,
    # such as the number of concurrent requests it can handle or where it
    # can find its configuration files.
    #
    
    #
    # Don't give away too much information about all the subcomponents
    # we are running.  Comment out this line if you don't mind remote sites
    # finding out what major optional modules you are running
    ServerTokens OS
    
    #
    # ServerRoot: The top of the directory tree under which the server's
    # configuration, error, and log files are kept.
    #
    # NOTE!  If you intend to place this on an NFS (or otherwise network)
    # mounted filesystem then please read the LockFile documentation
    # (available at <URL:http://httpd.apache.org/docs-2.0/mod/mpm_common.html#lockfile>);
    # you will save yourself a lot of trouble.
    #
    # Do NOT add a slash at the end of the directory path.
    #
    ServerRoot "/etc/httpd"
    
    #
    # PidFile: The file in which the server should record its process
    # identification number when it starts.
    #
    PidFile run/httpd.pid
    
    #
    # Timeout: The number of seconds before receives and sends time out.
    #
    Timeout 120
    
    #
    # KeepAlive: Whether or not to allow persistent connections (more than
    # one request per connection). Set to "Off" to deactivate.
    #
    KeepAlive Off
    
    #
    # MaxKeepAliveRequests: The maximum number of requests to allow
    # during a persistent connection. Set to 0 to allow an unlimited amount.
    # We recommend you leave this number high, for maximum performance.
    #
    MaxKeepAliveRequests 100
    
    #
    # KeepAliveTimeout: Number of seconds to wait for the next request from the
    # same client on the same connection.
    #
    KeepAliveTimeout 15
    
    ##
    ## Server-Pool Size Regulation (MPM specific)
    ##
    
    # prefork MPM
    # StartServers: number of server processes to start
    # MinSpareServers: minimum number of server processes which are kept spare
    # MaxSpareServers: maximum number of server processes which are kept spare
    # ServerLimit: maximum value for MaxClients for the lifetime of the server
    # MaxClients: maximum number of server processes allowed to start
    # MaxRequestsPerChild: maximum number of requests a server process serves
    <IfModule prefork.c>
    StartServers       8
    MinSpareServers    5
    MaxSpareServers   20
    ServerLimit      256
    MaxClients       256
    MaxRequestsPerChild  4000
    </IfModule>
    
    # worker MPM
    # StartServers: initial number of server processes to start
    # MaxClients: maximum number of simultaneous client connections
    # MinSpareThreads: minimum number of worker threads which are kept spare
    # MaxSpareThreads: maximum number of worker threads which are kept spare
    # ThreadsPerChild: constant number of worker threads in each server process
    # MaxRequestsPerChild: maximum number of requests a server process serves
    <IfModule worker.c>
    StartServers         2
    MaxClients         150
    MinSpareThreads     25
    MaxSpareThreads     75
    ThreadsPerChild     25
    MaxRequestsPerChild  0
    </IfModule>
    
    #
    # Listen: Allows you to bind Apache to specific IP addresses and/or
    # ports, in addition to the default. See also the <VirtualHost>
    # directive.
    #
    # Change this to Listen on specific IP addresses as shown below to
    # prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
    #
    #Listen 12.34.56.78:80
    #Listen 80
    
    ### what I added ###
    Listen 1337
    ### end of what I added ###
    
    #
    # Dynamic Shared Object (DSO) Support
    #
    # To be able to use the functionality of a module which was built as a DSO you
    # have to place corresponding `LoadModule' lines at this location so the
    # directives contained in it are actually available _before_ they are used.
    # Statically compiled modules (those listed by `httpd -l') do not need
    # to be loaded here.
    #
    # Example:
    # LoadModule foo_module modules/mod_foo.so
    #
    LoadModule access_module modules/mod_access.so
    LoadModule auth_module modules/mod_auth.so
    LoadModule auth_anon_module modules/mod_auth_anon.so
    LoadModule auth_dbm_module modules/mod_auth_dbm.so
    LoadModule auth_digest_module modules/mod_auth_digest.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule auth_ldap_module modules/mod_auth_ldap.so
    LoadModule include_module modules/mod_include.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule env_module modules/mod_env.so
    LoadModule mime_magic_module modules/mod_mime_magic.so
    LoadModule cern_meta_module modules/mod_cern_meta.so
    LoadModule expires_module modules/mod_expires.so
    LoadModule deflate_module modules/mod_deflate.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule usertrack_module modules/mod_usertrack.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule dav_module modules/mod_dav.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule asis_module modules/mod_asis.so
    LoadModule info_module modules/mod_info.so
    LoadModule dav_fs_module modules/mod_dav_fs.so
    LoadModule vhost_alias_module modules/mod_vhost_alias.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule imap_module modules/mod_imap.so
    LoadModule actions_module modules/mod_actions.so
    LoadModule speling_module modules/mod_speling.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule cache_module modules/mod_cache.so
    LoadModule suexec_module modules/mod_suexec.so
    LoadModule disk_cache_module modules/mod_disk_cache.so
    LoadModule file_cache_module modules/mod_file_cache.so
    LoadModule mem_cache_module modules/mod_mem_cache.so
    LoadModule cgi_module modules/mod_cgi.so
    
    #
    # Load config files from the config directory "/etc/httpd/conf.d".
    #
    Include conf.d/*.conf
    
    #
    # ExtendedStatus controls whether Apache will generate "full" status
    # information (ExtendedStatus On) or just basic information (ExtendedStatus
    # Off) when the "server-status" handler is called. The default is Off.
    #
    #ExtendedStatus On
    
    ### Section 2: 'Main' server configuration
    #
    # The directives in this section set up the values used by the 'main'
    # server, which responds to any requests that aren't handled by a
    # <VirtualHost> definition.  These values also provide defaults for
    # any <VirtualHost> containers you may define later in the file.
    #
    # All of these directives may appear inside <VirtualHost> containers,
    # in which case these default settings will be overridden for the
    # virtual host being defined.
    #
    
    #
    # If you wish httpd to run as a different user or group, you must run
    # httpd as root initially and it will switch.
    #
    # User/Group: The name (or #number) of the user/group to run httpd as.
    #  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
    #  . On HPUX you may not be able to use shared memory as nobody, and the
    #    suggested workaround is to create a user www and use that user.
    #  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
    #  when the value of (unsigned)Group is above 60000;
    #  don't use Group #-1 on these systems!
    #
    User apache
    Group apache
    
    #
    # ServerAdmin: Your address, where problems with the server should be
    # e-mailed.  This address appears on some server-generated pages, such
    # as error documents.  e.g. admin@your-domain.com
    #
    ServerAdmin root@localhost
    
    #
    # ServerName gives the name and port that the server uses to identify itself.
    # This can often be determined automatically, but we recommend you specify
    # it explicitly to prevent problems during startup.
    #
    # If this is not set to valid DNS name for your host, server-generated
    # redirections will not work.  See also the UseCanonicalName directive.
    #
    # If your host doesn't have a registered DNS name, enter its IP address here.
    # You will have to access it by its address anyway, and this will make
    # redirections work in a sensible way.
    #
    #ServerName new.host.name:80
    
    #
    # UseCanonicalName: Determines how Apache constructs self-referencing
    # URLs and the SERVER_NAME and SERVER_PORT variables.
    # When set "Off", Apache will use the Hostname and Port supplied
    # by the client.  When set "On", Apache will use the value of the
    # ServerName directive.
    #
    UseCanonicalName Off
    
    #
    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    #
    DocumentRoot "/var/www/html"
    
    #
    # Each directory to which Apache has access can be configured with respect
    # to which services and features are allowed and/or disabled in that
    # directory (and its subdirectories).
    #
    # First, we configure the "default" to be a very restrictive set of
    # features.
    #
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    
    #
    # Note that from this point forward you must specifically allow
    # particular features to be enabled - so if something's not working as
    # you might expect, make sure that you have specifically enabled it
    # below.
    #
    
    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/var/www/html">
    
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    
    
    
    That's not the whole file (too long to fit into a post). If there is something else that may give a clue in the file, let me know and I'll post it.
     
  5. David_G17

    OK, I ran a scan and it said that of ports 0-1055, only the SSH port is open. The rest are "stealth". I also ran 1337 and it turned up as stealth. Could this be my router? Is it likely my ISP?

    I like that site, good utility.


    Still reading the man pages on iptables, but here is what I got:
    Code:
    [root@ar15dsktop conf]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    ACCEPT     ipv6-crypt--  anywhere             anywhere
    ACCEPT     ipv6-auth--  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    
     
  6. HerrGlock

    Sounds like your ISP is blocking them.

    For testing, until you get to know what's what with this:

    iptables -P INPUT ACCEPT
    iptables -F
    iptables -X

    This leaves you wide open, but also takes iptables out of the equation for testing.

    BTW, your default chain for the INPUT should be DENY when you put your firewall back up.

    DanH
     
  7. grantglock

    grantglock /dev/null

    Messages:
    219
    Likes Received:
    0
    Joined:
    Feb 20, 2004
    Location:
    Iowa
    service iptables stop

    service iptables start
     
  8. HerrGlock

    I would take out all references to IPV6 unless you actively use it right now.
    You have port 80 open (ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http), but if you had the webserver on another port, it was not open by this printout.

    Any reason to have icmp available?

    DanH
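The reading HerrGlock does by eye above (the httpd.conf excerpt in post 4 with its added `Listen 1337`, and the `iptables -L` listing in post 5 in which only ssh and http are accepted) can be automated. The following is an added example written for this thread, not code from the thread, from Apache or from netfilter: it parses the active `Listen` directives out of the posted configuration, parses the `ACCEPT` rules out of the posted `iptables -L` listing, and reports which Apache ports the host firewall would never let a remote client reach. The two sample inputs are constructed from the excerpts posted above; the small service-name table is an assumption (`iptables -L -n` prints numbers and needs none), and the remark that the bare `ACCEPT all` rule is the loopback rule is an assumption about the stock Fedora ruleset of that era.

```python
"""Cross-check the ports Apache will bind against the TCP ports that the
host firewall admits for NEW connections.

Added example for this thread, not code from the thread, from Apache or
from netfilter.  The two sample inputs are constructed from the excerpts
posted above; the service-name table is a minimal assumption
(`iptables -L -n` prints numbers and needs none).
"""
import re

# Constructed from the httpd.conf excerpt posted above: the stock
# "Listen 80" is commented out and "Listen 1337" was added below it.
HTTPD_CONF_EXCERPT = """\
#Listen 12.34.56.78:80
#Listen 80

### what I added ###
Listen 1337
### end of what I added ###
"""

# Constructed from the `iptables -L` listing posted above (no -n, so the
# destination ports appear as service names from /etc/services).
IPTABLES_L_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

# Assumed minimal name table; extend it, or use `iptables -L -n` instead.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "http-alt": 8080}

# Active (uncommented) Listen lines: "Listen 80", "Listen 1.2.3.4:80",
# "Listen [::]:443 https".  A leading "#" makes the line a comment.
LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\S*:)?(\d+)(?:\s+\S+)?\s*$", re.IGNORECASE)
DPT_RE = re.compile(r"\bdpt:(\S+)")


def apache_listen_ports(conf_text):
    """Ports Apache would bind, taken from the active Listen directives only."""
    return {int(m.group(1)) for m in map(LISTEN_RE.match, conf_text.splitlines()) if m}


def port_number(token):
    """Turn a 'dpt:' value into a number; service names need the table above."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}; rerun with iptables -L -n")


def firewall_accepted_tcp_ports(iptables_text):
    """TCP destination ports with an ACCEPT rule in `iptables -L` output.

    Returns a set of ints, plus the string "any" if some tcp ACCEPT rule
    carries no dport.  The bare "ACCEPT all -- anywhere anywhere" rule is
    not counted: without -v the listing hides its interface match, and on
    the stock Fedora ruleset that first rule is the loopback (-i lo) rule
    (assumption), which is why a site can work from the server itself yet
    be unreachable from anywhere else.
    """
    allowed = set()
    for line in iptables_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "ACCEPT" or fields[1] != "tcp":
            continue
        m = DPT_RE.search(line)
        allowed.add(port_number(m.group(1)) if m else "any")
    return allowed


def blocked_listen_ports(conf_text, iptables_text):
    """Apache ports that no tcp ACCEPT rule admits: the host-firewall gap."""
    allowed = firewall_accepted_tcp_ports(iptables_text)
    if "any" in allowed:
        return set()
    return apache_listen_ports(conf_text) - allowed


if __name__ == "__main__":
    print("Apache listens on:", sorted(apache_listen_ports(HTTPD_CONF_EXCERPT)))
    print("Firewall admits tcp:", sorted(firewall_accepted_tcp_ports(IPTABLES_L_OUTPUT), key=str))
    print("Blocked by host firewall:", sorted(blocked_listen_ports(HTTPD_CONF_EXCERPT, IPTABLES_L_OUTPUT)))
```

On the posted inputs it reports 1337 as blocked by the host firewall while 80 is admitted, so the "stealth" result for port 80 in the external scan cannot be this box's iptables and has to come from upstream (router or ISP), which is where the thread ends up. What the check cannot tell you is whether a port is filtered upstream; for that the external scan is still needed.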
     
  9. HerrGlock

    My assumption is always that the server is remotely being admin'd.

    That would work unless you have an ssh session into the server and it defaults to INPUT DENY.

    Yes, I've done that to myself entirely too many times.

    DanH
     
  10. David_G17

    thanks, I tried it but still can't connect.

    So, does that eliminate the OS as a cause?
     
  11. David_G17

    Oooh, good idea. I ran "service iptables restart" but still no web connection.
     
  12. David_G17

    No reason. I was about to Google that b/c it looked odd to me. I never intentionally set it like that. It could have been from some option I selected during installation.
     
  13. HerrGlock

    No, it does eliminate iptables blocking it, though.

    Rescan the box after you turn the iptables off and if the same ports are open/closed/stealth then the odds are it's the ISP.
     
  14. David_G17

    I'm SSHing into it, but not too worried b/c I'm only a quarter of a mile from the box :)

    Did mine default to INPUT ACCEPT?

    Code:
    [root@ar15dsktop conf]# /sbin/service iptables restart
    Flushing firewall rules:                                   [  OK  ]
    Setting chains to policy ACCEPT: nat filter                [  OK  ]
    Unloading iptables modules:                                [  OK  ]
    Applying iptables firewall rules:                          [  OK  ]
    [root@ar15dsktop conf]#
    
     
  15. HerrGlock

    icmp is ping, traceroute, etc. To check if your machine is there, ping is nice but if you already know it's there and it's a server of some sort then just hit the service and you'll know as well.

    Generally, icmp is not necessary. It can give away network information and is a bit of a tattletale for information. I don't like it much after the original set up is done.

    DanH
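Putting the firewall back up the way HerrGlock describes in posts 6, 8, 9 and 15 (default deny on INPUT, no IPv6 or ICMP rules you do not actually need, and without locking your own SSH session out) is easier with a generated iptables-restore file than with one iptables command at a time, because iptables-restore loads the policies and the rules as one atomic unit instead of leaving a window in which INPUT is already DROP but SSH is not yet accepted. The following is an added example for this thread, not Fedora's or netfilter's code; the port list, the admin network and the `-m state` match (the 2005-era form; `-m conntrack --ctstate` is the modern equivalent) are assumptions.

```python
"""Generate an iptables-restore ruleset that puts the firewall back up with
a default-DROP INPUT policy while keeping the admin's SSH session alive.

Added example for this thread, not a Fedora or netfilter artefact.  The
port list, the admin network and the -m state match are assumptions.
"""


def build_ruleset(services, ssh_port=22, admin_net=None, allow_ping=False):
    """Return text for `iptables-restore`.

    services  : {port: description} of TCP services to expose.
    ssh_port  : must be in `services`, or the ruleset would lock a remote
                admin out; admin_net (a CIDR) restricts where SSH may come from.
    allow_ping: add a rate-limited echo-request rule; off by default.
    """
    if ssh_port not in services:
        raise ValueError(f"port {ssh_port} not in services: ruleset would lock out SSH")

    lines = [
        "*filter",
        # Policies: deny inbound and forwarded traffic by default.
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        # Loopback stays open so clients on the box itself keep working.
        "-A INPUT -i lo -j ACCEPT",
        # Replies to connections this host opened.
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m state --state INVALID -j DROP",
    ]
    if allow_ping:
        lines.append("-A INPUT -p icmp --icmp-type echo-request "
                     "-m limit --limit 5/second -j ACCEPT")
    for port, description in sorted(services.items()):
        src = f"-s {admin_net} " if (port == ssh_port and admin_net) else ""
        lines.append(f"# {description}")
        lines.append(f"-A INPUT {src}-p tcp --dport {port} -m state --state NEW -j ACCEPT")
    # REJECT rather than rely on the DROP policy alone: the host then answers
    # "closed" instead of "stealth", so an external scan can tell this
    # firewall apart from an upstream (ISP) filter, as in the thread's scan.
    lines.append("-A INPUT -j REJECT --reject-with icmp-host-prohibited")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def rule_index(ruleset, needle):
    """Line position of the first line containing `needle`, or -1 if absent."""
    for i, line in enumerate(ruleset.splitlines()):
        if needle in line:
            return i
    return -1


def check_ruleset(ruleset, ssh_port=22):
    """Sanity checks before loading: default deny, SSH admitted and admitted
    before the catch-all REJECT, and no protocol-50/51 (the ipv6-crypt and
    ipv6-auth lines in the posted listing) rules carried over."""
    problems = []
    if ":INPUT DROP" not in ruleset:
        problems.append("INPUT policy is not DROP")
    ssh_at = rule_index(ruleset, f"--dport {ssh_port} ")
    reject_at = rule_index(ruleset, "-j REJECT")
    if ssh_at < 0:
        problems.append("no SSH accept rule")
    elif reject_at >= 0 and ssh_at > reject_at:
        problems.append("SSH rule after the catch-all REJECT")
    if "-p 50 " in ruleset or "-p 51 " in ruleset:
        problems.append("ipv6-crypt/ipv6-auth (protocol 50/51) rules present")
    return problems


if __name__ == "__main__":
    # Assumed example: SSH from the home LAN only, the web server on 8080
    # because port 80 turned out to be filtered upstream in this thread.
    rules = build_ruleset({22: "ssh for admin", 8080: "apache (ISP filters 80)"},
                          admin_net="192.168.1.0/24")
    print(rules)
    print("problems:", check_ruleset(rules) or "none")
```

Review the output, then load it with `iptables-restore < rules`, or write it to /etc/sysconfig/iptables on a Fedora box of that era so that `service iptables restart` applies it. The `check_ruleset()` function guards against the lock-out HerrGlock mentions in post 9: it flags a ruleset whose SSH accept is missing or ordered after the catch-all REJECT before anything is loaded.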
     
  16. HerrGlock

    iptables -L
     
  17. David_G17


    Oh yeah, that makes sense. I'll try it on my lunch break. Appreciate the help.
     
  18. David_G17

    Doh!

    Yes, it is.
     
  19. David_G17

    After executing those commands and going to the "Shields Up" site, when scanning ports 0-1055, ports 80, 111, 135, 139, 161, 445, 593, and 707 are still stealth; however, the rest are now marked "closed".

    If I understand this correctly, the ports marked stealth are probably hidden by my wonderful ISP, and perhaps those marked closed would be marked open if I had a service running that accepted incoming requests on those ports.

    Someone please correct me if I'm wrong.
     
  20. David_G17

    IT WORKS!!!

    Using port 8080 it works.

    Thanks, guys, for all of your help.