Another 'can't access from web' thread [SOLVED]

[tymanthius]

I have read most, but not all, of the threads on this basic subject, but nothing has helped so far. So, here we go again.

First, my configuration:

Internet - server(running Zentyal(acts as router/firewall/proxy,etc), with Sab/couchpotato/Sickbeard/others installed) - lan

From the lan side, everything works fairly well. Chrome does spit out some python/cherry.py errors, but firefox works.

From the wan side, meaning from the internet, I can access couchpotato & sickbeard & others just fine. But not Sab. Note that I did not have to do any specific port forwarding to get CP & SB etc. to work. I just had to allow http traffic thru.

But Sab still just gives time out errors. [edit] Although I have specifically tried firewall rules and port forwading rules for sab, still no-go.

The only thing I have not tried is changing the port Sab uses, although as far as I know, my ISP (cox communications LA) doesn't port filter. And I used to work there, so I SHOULD know. lol.

Please don't suggest that I move to IPv6, as that's a later project that I'm not ready to tackle yet.

Thanks so much for taking the time to read this and trying to help!

[Handyman1984]

What's the listening address that sab is configured to?

[tymanthius]

What's the listening address that sab is configured to?

0.0.0.0

[Handyman1984]

That works for me in virtually the same setup.

Use IPv6 VPN.
Just kiddin, but still both great solutions. However you might benefit from using something like nginx to reverse proxy your lan-sided services, it takes away the ugly port numbers and allows you to use your domain name (fairly certain you have one) eg sab.yourhost.com

[tymanthius]

That works for me in virtually the same setup.

Use IPv6 VPN.
Just kiddin, but still both great solutions. However you might benefit from using something like nginx to reverse proxy your lan-sided services, it takes away the ugly port numbers and allows you to use your domain name (fairly certain you have one) eg sab.yourhost.com

IPv6 will be after I get everything happy. Right now Zentyal doesn't support it w/o a hack, which is annoying as Ubuntu, which it is based on, does. And my wireless access point is a wrt120n, which doesn't support ipv6 either. So not sure what to do about it yet as I don't have the $ to replace it.

I do have a host. A neat feature of Zentyal is free basic cloud services. So I point my browser at <zentyal.hostname>:port and everything works nicely. Except for Sab.

And technically, my services aren't just lan-sided. That's the nice thing about having zentyal as my router/server.

Did I make any sense there?

[sander]

Internet - server(running Zentyal(acts as router/firewall/proxy,etc), with Sab/couchpotato/Sickbeard/others installed) - lan

From the lan side, everything works fairly well. Chrome does spit out some python/cherry.py errors, but firefox works.

From the wan side, meaning from the internet, I can access couchpotato & sickbeard & others just fine. But not Sab. Note that I did not have to do any specific port forwarding to get CP & SB etc. to work. I just had to allow http traffic thru.

But Sab still just gives time out errors. [edit] Although I have specifically tried firewall rules and port forwading rules for sab, still no-go.

The only thing I have not tried is changing the port Sab uses, although as far as I know, my ISP (cox communications LA) doesn't port filter. And I used to work there, so I SHOULD know. lol.

So I conclude that your Zentyal has a public IP address? Can you confirm that with "ifconfig"? Otherwise I would not understand your "no forwarding needed for CP & SB".

And most easy first step: put SAB on some unkown port 8899 or so, and check if you can reach it.

BTW: Now that you mention it yourself: activating IPv6 on Linux is as easy as installing and start "miredo" (on some Linuxes: miredo-client). On Ubuntu/Debian "sudo apt-get install miredo", and no configuration, and you probably have IPv6 working ...

[sander]

BTW: nice tool to scan your ports: http://www.whatsmyip.org/port-scanner/ Especially see the custom port at the bottom of that page.

[Handyman1984]

Did I make any sense there?

Yep very much, and I understand that you want sab working on the specified port.

[tymanthius]

So I conclude that your Zentyal has a public IP address? Can you confirm that with "ifconfig"? Otherwise I would not understand your "no forwarding needed for CP & SB".

And most easy first step: put SAB on some unkown port 8899 or so, and check if you can reach it.

BTW: Now that you mention it yourself: activating IPv6 on Linux is as easy as installing and start "miredo" (on some Linuxes: miredo-client). On Ubuntu/Debian "sudo apt-get install miredo", and no configuration, and you probably have IPv6 working ...

Yes, I have a public facing IP. It's dynamic, thus I use zentyal's free cloud service to have an easy address.

I'll have to try configuring sab w/ another port when I get home, as I can't change it remotely (ssh ports are apparently blocked from work).

As the the IPV6 issue - It probably is that simple mostly, but there are some neat custom bits about Zentyal that I want to work with ipv6. Thus the hack. I'll get that working soon, I'm sure. I can't stand to have things unworking.

[tymanthius]

I just used this tool: http://www.t1shopper.com/tools/port-scan/

And port 8080, which is where sab lives, is not responding. But it also lists 8080 as a common firewall remote login. So maybe I do need to just change ports. Here's hoping. I'll let everyone know once I get home & can test.

But please feel free to post any further suggestions.

[sander]

I just used this tool: http://www.t1shopper.com/tools/port-scan/

And port 8080, which is where sab lives, is not responding. But it also lists 8080 as a common firewall remote login. So maybe I do need to just change ports. Here's hoping. I'll let everyone know once I get home & can test.

But please feel free to post any further suggestions.

Yep: 8080 is a "well-known port" for proxy's or secondary http services. So it might be used by your modem itself, or blocked, or rerouted, or ... etc. So that's why advised you to use some unknown port like 8899 ...

[Handyman1984]

If you are on your work there's a big chance they tried to prevent proxy usage indeed as sander says, ssh being blocked increases that chance.
If thats the case I'd be happy to provide some urls explaining how to get rid of the port numbers for all your browser-based services.

[tymanthius]

Found a way to ssh into my home box via web here: http://sshterm.com

Used that to change the port # & restart sab.

Now I can get into it via web browser by specifying ports.

Handyman: I'd be interested in getting rid of port #s so I could just sab.<zentyal.hostname> as that's easier to remember.

BTW, thanks all for the handy help.

[Handyman1984]

I'll post how I did it:

Since your box is ubuntu based, which is debian based I assume you can use apt.

"NGINX™ is a high performance edge web server with the lowest memory footprint and the key features to build modern and efficient web infrastructure"

I use it in production on all servers where a webserver is needed.
It's especially good in serving static content and has lots of caching options.
My switch from apache (about 1,5 year ago) took me about 15 minutes.
If you still want/need apache it's fairly easy do a setup using exactly the technique described below. The only thing changed would be apache's listening port.

First we install nginx http://nginx.org/
(alternatively: use dotdeb.org repository for younger releases)

Code: Select all

$ apt-get update && apt-get install nginx

If you do not already run a webserver you don't need to do the following.

Assuming you have apache:

Code: Select all

$ /etc/init.d/apache2 stop
$ nano /etc/apache2/ports.conf

This will show you your listening port for apache, something like:

Code: Select all

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Change the port into something logical:

Code: Select all

NameVirtualHost *:81
Listen 81

Save the document (nano: control+o, enter) and close it (nano: control+x)

You'll need to edit the ports of the viritual hosts that you already have.
Use this command to view enabled sites:

Code: Select all

$ ls /etc/apache2/sites-enabled

You should change every line like: <VirtualHost *:80> into the port you used above: <VirtualHost *:81>
restart apache and confirm everything is working by visiting your site on the new port ( http://localhost:81 ).

Code: Select all

$ /etc/init.d/apache2 restart

continue here of you did not have a webserver.

Adding proxies to nginx:

open the default site:

Code: Select all

$ nano /etc/nginx/sites/enabled/default

This will look something like:

Code: Select all

server {
	#listen   80; ## listen for ipv4; this line is default and implied
	#listen   [::]:80 default ipv6only=on; ## listen for ipv6

	root /usr/share/nginx/www;
	index index.html index.htm;

	# Make site accessible from http://localhost/
	server_name localhost;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to index.html
		try_files $uri $uri/ /index.html;
		# Uncomment to enable naxsi on this location
		# include /etc/nginx/naxsi.rules
	}

	location /doc/ {
		alias /usr/share/doc/;
		autoindex on;
		allow 127.0.0.1;
		deny all;
	}

	# Only for nginx-naxsi : process denied requests
	#location /RequestDenied {
		# For example, return an error code
		#return 418;
	#}

	#error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	#error_page 500 502 503 504 /50x.html;
	#location = /50x.html {
	#	root /usr/share/nginx/www;
	#}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	#	# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
	#
	#	# With php5-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php5-fpm:
	#	fastcgi_pass unix:/var/run/php5-fpm.sock;
	#	fastcgi_index index.php;
	#	include fastcgi_params;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}

Now I'll assume you'll just use it as proxy (since I might have already gone out of scope here hehehe)
Edit it to fit something like this:

Code: Select all

server {
	listen   80;
	root /var/www/public;
	index index.html;

	server_name sab.yourdomain.com;

	location / {
		resolver 8.8.8.8;
		
		proxy_buffering off;
		proxy_set_header  X-Real-IP  $remote_addr;
		
		proxy_pass        http://127.0.0.1:8080;
	}

}
server {
	listen   80;
	root /var/www/public;
	index index.html;

	server_name sick.yourdomain.com;	

	location / {
		resolver 8.8.8.8;
		
		proxy_buffering off;
		proxy_set_header  X-Real-IP  $remote_addr;
		
		proxy_pass        http://127.0.0.1:8081;
	}

}

resolver: this is needed to resolve domain names, normally used if you use domain names as proxy pass address. it should work without.
I've used google's dns server (8.8.8. here.
proxy pass: the address / port of the webserver you're trying to reach.

You can have multiple server blocks in 1 file.
Alternatively also add a proxy pass to your apache server on the port you configured it for.

Save the file and restart nginx

Code: Select all

$ /etc/init.d/nginx restart

The last thing to do is actually add the dns records to your zone.
you can either do the quick and dirty fix:
Use an asterix to have any unspecified subdomain forwarded to your ip:
*.yourdomain.com A yourip

or make nice seperate entries:
sab.yourdomain.com A yourip
sick.yourdomain.com A yourip

Thats it.

Note:
It is highly unlikely that you'll break your system using this small tut. Nevertheless I won't accept any form of responsibility.
If you need help or run into problems I'd be happy to help though.

[tymanthius]

Thanks for the post Handyman. I'll look it over and see how much I want to implement it.