Re: [vox-tech] Apache2 problems

2010-08-12 Thread Peter Salzman
On Thu, Aug 12, 2010 at 5:56 AM, Ryan  wrote:

> On Tuesday August 10 2010 12:50:00 Peter Salzman wrote:
> > From the lack of entries in the log file, it looks like Apache isn't seeing
> > the incoming request.  However, tcpdump seems to be showing otherwise.
> > Port 80 is forwarded to the Linux box by the router.
> >
> > In sites.enabled:
> >
> > 
> >ServerAdmin p...@dirac.org
> >ServerName  www.dirac.org
> >ServerAlias dirac.org
> >
> ># Indexes + Directory Root.
> >DirectoryIndex index.html
> >DocumentRoot /var/www/
> >
> ># Logfiles
> >ErrorLog  /var/log/apache2/dirac.org.error
> >CustomLog //var/log/apache2/dirac.org.access combined
> > 
>
> --snip--
>
> > Any ideas what could be preventing this from working?
>
> I'm going to assume that your router is doing some form of NAT given that you
> appear to be connected with a dynamic IP cable internet service.
>
> Unless you are port forwarding to an internal box that actually has an
> interface configured with the IP address 24.189.162.69, this is not going to
> work. The connection will hit your router on port 80, get rewritten to
> whatever internal address your web server has, and then hit Apache.  Apache
> will look at the ip address on the local side of the socket and fail to match
> those vhosts since it doesn't see the 24.189.162.69 address anywhere.
>
> Another thing to note - cable internet providers often block inbound port 80 -
> and it looks like yours is doing so.
>
> http://www.google.com/search?q=optonline+block+port+80
>
> However, they seem to be doing it by blocking the return SYN+ACK packet which
> is a completely asinine way to accomplish the block which manages to make
> troubleshooting extra annoying (as you've discovered).  You can check this by
> running tcpdump on both the client and server.
>
> Fun fact - these port blocks are usually done on the subscriber's modem by a
> policy pushed down in the config file from the CMTS.
>
> Finally, a general Apache note - unless you actually do need to serve
> different sites based on what IP address is hit, you probably should use
> .  It'll save headaches if your ip addresses change.
>
> -Ryan
>


Hi Ryan!

I actually got it working.  It turned out to be a router issue.   I
forwarded the port using the "port forward" page, whereas apparently I
should have forwarded the port using the "application forward" page.   I'm
not too sure what the difference is, but there you go.   It works!

Optonline has different classes of service.  I have the super-duper
dluxe service with static ip and no blocked ports (as you'll see if you
point a browser to dirac.org).

Thanks for the tip on virtual name host.   I definitely will keep that in
mind.  It's a real headache tracking down "named host has no virtual
servers" warnings...

Thanks!
Pete
___
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech


Re: [vox-tech] Apache2 problems

2010-08-12 Thread Ryan
On Tuesday August 10 2010 12:50:00 Peter Salzman wrote:
> From the lack of entries in the log file, it looks like Apache isn't seeing
> the incoming request.  However, tcpdump seems to be showing otherwise. 
> Port 80 is forwarded to the Linux box by the router.
>
> In sites.enabled:
>
> 
>ServerAdmin p...@dirac.org
>ServerName  www.dirac.org
>ServerAlias dirac.org
>
># Indexes + Directory Root.
>DirectoryIndex index.html
>DocumentRoot /var/www/
>
># Logfiles
>ErrorLog  /var/log/apache2/dirac.org.error
>CustomLog //var/log/apache2/dirac.org.access combined
> 

--snip--

> Any ideas what could be preventing this from working?

I'm going to assume that your router is doing some form of NAT given that you 
appear to be connected with a dynamic IP cable internet service.

Unless you are port forwarding to an internal box that actually has an 
interface configured with the IP address 24.189.162.69, this is not going to 
work. The connection will hit your router on port 80, get rewritten to 
whatever internal address your web server has, and then hit Apache.  Apache 
will look at the ip address on the local side of the socket and fail to match 
those vhosts since it doesn't see the 24.189.162.69 address anywhere.

Another thing to note - cable internet providers often block inbound port 80 - 
and it looks like yours is doing so.

http://www.google.com/search?q=optonline+block+port+80

However, they seem to be doing it by blocking the return SYN+ACK packet which 
is a completely asinine way to accomplish the block which manages to make 
troubleshooting extra annoying (as you've discovered).  You can check this by 
running tcpdump on both the client and server.

Fun fact - these port blocks are usually done on the subscriber's modem by a 
policy pushed down in the config file from the CMTS.

Finally, a general Apache note - unless you actually do need to serve 
different sites based on what IP address is hit, you probably should use 
.  It'll save headaches if your ip addresses change.

-Ryan


Re: [vox-tech] Apache2 problems

2010-08-10 Thread Chanoch (Ken) Bloom
On Tue, 2010-08-10 at 16:49 -0400, Peter Salzman wrote:
> Interesting -- I didn't know that the sites were read in alpha order.
> Also, I guess the wildcard for the NameVirtualHost is a better idea.
> 
> Unfortunately, didn't fix the problem, but more weirdness came up.   I
> can't telnet to dirac.org port 80, which would explain why the logs
> aren't being touched.   But then I'm at a loss as to how tcpdump
> apparently sees the connection:
> 
>  tcpdump -i eth0 tcp port 80
> 
> 16:40:32.104293 IP ny-131.foo.com.10096 > satan.www: Flags [S], seq
> 1653467397, win 64512, options [mss 1460,nop,nop,sackOK], length 0
> 
> 16:40:32.104314 IP satan.www > ny-131.foo.com.10096: Flags [S.], seq
> 329481650, ack 1653467398, win 5840, options [mss
> 1460,nop,nop,sackOK], length 0

You're running tcpdump on your server. The first packet is the SYN that
ny-131.foo.com sends to request the connection. The second packet is
satan.www's response. I'm not familiar with tcpdump output, but this
looks like satan.www's is a valid SYN-ACK packet agreeing to open the
connection, and acknowledging ny-131.foo.com's request. The next packet
is missing: that's supposed to be a packet from ny-131.foo.com ACKing
satan.www's response and starting to send data.

If you have those three packets, then a connection was never started,
and telnet would quite reasonably think it can't reach the port.

> It looks like the packets are getting forwarded correctly, but nobody
> is listening.  The port is set correctly in /etc/apache2/ports.conf
> and I verified that apache2 is indeed running.   It's such a
> mystery!  :-(

Why not take a look at it with Wireshark and see if that sheds any light
on the matter -- the Wireshark GUI can show much more information about
these packets including their data, and it can dissect individual
packets for you, or show you the text content of a TCP connection.

--Ken
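
The server-side reading of the capture discussed in this reply, as an added example that is not part of the original message: it classifies each client flow in `tcpdump` text output by how far the three-way handshake got. The function name, the state labels and the third flow (`client.example`) are constructed for illustration; the first two sample lines are the ones quoted in the thread, joined onto single lines.

```python
import re
from collections import defaultdict

# First two lines: from the thread. Last three: constructed for contrast.
SAMPLE = """\
16:40:32.104293 IP ny-131.foo.com.10096 > satan.www: Flags [S], seq 1653467397, win 64512, options [mss 1460,nop,nop,sackOK], length 0
16:40:32.104314 IP satan.www > ny-131.foo.com.10096: Flags [S.], seq 329481650, ack 1653467398, win 5840, options [mss 1460,nop,nop,sackOK], length 0
16:41:00.000100 IP client.example.40000 > satan.www: Flags [S], seq 1000, win 64512, length 0
16:41:00.000200 IP satan.www > client.example.40000: Flags [S.], seq 5000, ack 1001, win 5840, length 0
16:41:00.020300 IP client.example.40000 > satan.www: Flags [.], ack 1, win 64512, length 0
"""

# timestamp, "IP", source endpoint, destination endpoint, TCP flags
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([A-Za-z.]+)\]")

def handshake_states(capture, server="satan.www"):
    """Return {client endpoint: furthest handshake state seen at the server}."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a TCP line in the expected format
        src, dst, flags = m.groups()
        if dst == server and flags == "S":
            seen[src].add("syn")        # client asks to connect
        elif src == server and flags == "S.":
            seen[dst].add("synack")     # server kernel agrees
        elif dst == server and "." in flags and not set("SR") & set(flags):
            seen[src].add("ack")        # client acknowledges (or sends data)
    states = {}
    for client, steps in seen.items():
        if {"syn", "synack", "ack"} <= steps:
            states[client] = "established"
        elif {"syn", "synack"} <= steps:
            # The server answered but never heard back: the SYN-ACK was lost
            # or rewritten on the return path (NAT, forwarding rule, filter).
            states[client] = "half-open"
        elif "syn" in steps:
            states[client] = "syn-only"  # nothing listening or local firewall
        else:
            states[client] = "unknown"   # capture started mid-connection
    return states

if __name__ == "__main__":
    for client, state in handshake_states(SAMPLE).items():
        print(f"{client:28} {state}")
```

A flow stuck at `half-open` never reaches `accept()` in Apache, which is why the access and error logs stay empty even though the server sees traffic on port 80.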


Re: [vox-tech] Apache2 problems

2010-08-10 Thread Peter Salzman
On Tue, Aug 10, 2010 at 4:19 PM, Chanoch (Ken) Bloom wrote:

> On Tue, Aug 10, 2010 at 03:50:00PM -0400, Peter Salzman wrote:
> > I set up Apache2 on home Kubuntu box.   I defined one named virtual host in
> > addition to "default" that came with the installation.  When I try to access
> > the server from work, Firefox responds with "The connection timed out".
> >
> > When I run tcpdump -i eth0 tcp port 80, I see the incoming request from work
> > to http://www.dirac.org:
> >
> > 14:30:42.219003 IP ny-131.foo.com.33188 > satan.www: Flags [S], seq
> > 3646786876, win 64512, options [mss 1460,nop,nop,sackOK], length 0
> >
> > I also see (what looks to be) the outgoing packets from satan to work:
> >
> > 14:30:42.219027 IP satan.www > ny-131.foo.com.33188: Flags [S.], seq
> > 2741002130, ack 3646786877, win 5840, options [mss 1460,nop,nop,sackOK],
> > length 0
> >
> > However, *nothing* is getting written to the logs:
> >
> > -rw-r- 1 root root   0 2010-08-10 12:21 access.log
> > -rw-r- 1 root root   0 2010-08-10 12:21 dirac.org.access
> > -rw-r- 1 root root   0 2010-08-10 12:21 dirac.org.error
> > -rw-r- 1 root root 330 2010-08-10 12:21 error.log
> >
> >
> > The file error.log doesn't have anything interesting in it:
> >
> >
> > [Tue Aug 10 12:21:00 2010] [notice] Apache/2.2.12 (Ubuntu)
> > PHP/5.2.10-2ubuntu6.4 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.0
> > configured -- resuming normal operations
> > [Tue Aug 10 12:21:00 2010] [info] Server built: Mar  9 2010 21:20:44
> > [Tue Aug 10 12:21:00 2010] [debug] prefork.c(1013): AcceptMutex: sysvsem
> > (default: sysvsem)
> >
> >
> > From the lack of entries in the log file, it looks like Apache isn't seeing
> > the incoming request.  However, tcpdump seems to be showing otherwise.  Port
> > 80 is forwarded to the Linux box by the router.
>
> First, we *need* to know the names of the files involved, since the
> alphabetical order of the files determines which is the default host
> (the first host is default, so you should have
> sites-enabled/000-default and sites-enabled/001-dirac).
>
> > In sites.enabled:
>
> Did you verify that this is the correct IP address? (You probably want
> to use "*:80" instead.)
>
> > 
> >ServerAdmin p...@dirac.org
> >ServerName  www.dirac.org
> >ServerAlias dirac.org
> >
> ># Indexes + Directory Root.
> >DirectoryIndex index.html
> >DocumentRoot /var/www/
> >
> ># Logfiles
> >ErrorLog  /var/log/apache2/dirac.org.error
> >CustomLog //var/log/apache2/dirac.org.access combined
> > 
> >
> > The default enabled site starts off as:
>
> You don't have a ServerName for the default site. Is it
> possible that the default is catching all of the requests since it has
> no name? Give it a name. Since it's the default (its configuration
> file comes first alphabetically), it will still respond
> to any unknown hostnames passed in the host header.
>
> The link I quote below says:
> "ServerName should always be set for each vhost. Otherwise A DNS lookup
> is required for each vhost."
>
> > 
> >ServerAdmin p...@dirac.org
> >DocumentRoot /var/www
> >. . .
> > 
> >
> >
> > Any ideas what could be preventing this from working?
>
> For more information about Apache virtual host ordering, see
> http://httpd.apache.org/docs/2.2/vhosts/details.html
>
> --Ken
>

Interesting -- I didn't know that the sites were read in alpha order. Also,
I guess the wildcard for the NameVirtualHost is a better idea.

Unfortunately, didn't fix the problem, but more weirdness came up.   I can't
telnet to dirac.org port 80, which would explain why the logs aren't being
touched.   But then I'm at a loss as to how tcpdump apparently sees the
connection:

 tcpdump -i eth0 tcp port 80

16:40:32.104293 IP ny-131.foo.com.10096 > satan.www: Flags [S], seq
1653467397, win 64512, options [mss 1460,nop,nop,sackOK], length 0

16:40:32.104314 IP satan.www > ny-131.foo.com.10096: Flags [S.], seq
329481650, ack 1653467398, win 5840, options [mss 1460,nop,nop,sackOK],
length 0

It looks like the packets are getting forwarded correctly, but nobody is
listening.  The port is set correctly in /etc/apache2/ports.conf and I
verified that apache2 is indeed running.   It's such a mystery!  :-(

Pete


Re: [vox-tech] Apache2 problems

2010-08-10 Thread Chanoch (Ken) Bloom
On Tue, Aug 10, 2010 at 03:50:00PM -0400, Peter Salzman wrote:
> I set up Apache2 on home Kubuntu box.   I defined one named virtual host in
> addition to "default" that came with the installation.  When I try to access
> the server from work, Firefox responds with "The connection timed out".
> 
> When I run tcpdump -i eth0 tcp port 80, I see the incoming request from work
> to http://www.dirac.org:
> 
> 14:30:42.219003 IP ny-131.foo.com.33188 > satan.www: Flags [S], seq
> 3646786876, win 64512, options [mss 1460,nop,nop,sackOK], length 0
> 
> I also see (what looks to be) the outgoing packets from satan to work:
> 
> 14:30:42.219027 IP satan.www > ny-131.foo.com.33188: Flags [S.], seq
> 2741002130, ack 3646786877, win 5840, options [mss 1460,nop,nop,sackOK],
> length 0
> 
> However, *nothing* is getting written to the logs:
> 
> -rw-r- 1 root root   0 2010-08-10 12:21 access.log
> -rw-r- 1 root root   0 2010-08-10 12:21 dirac.org.access
> -rw-r- 1 root root   0 2010-08-10 12:21 dirac.org.error
> -rw-r- 1 root root 330 2010-08-10 12:21 error.log
> 
> 
> The file error.log doesn't have anything interesting in it:
> 
> 
> [Tue Aug 10 12:21:00 2010] [notice] Apache/2.2.12 (Ubuntu)
> PHP/5.2.10-2ubuntu6.4 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.0
> configured -- resuming normal operations
> [Tue Aug 10 12:21:00 2010] [info] Server built: Mar  9 2010 21:20:44
> [Tue Aug 10 12:21:00 2010] [debug] prefork.c(1013): AcceptMutex: sysvsem
> (default: sysvsem)
> 
> 
> From the lack of entries in the log file, it looks like Apache isn't seeing
> the incoming request.  However, tcpdump seems to be showing otherwise.  Port
> 80 is forwarded to the Linux box by the router.

First, we *need* to know the names of the files involved, since the
alphabetical order of the files determines which is the default host
(the first host is default, so you should have
sites-enabled/000-default and sites-enabled/001-dirac).

> In sites.enabled:

Did you verify that this is the correct IP address? (You probably want
to use "*:80" instead.)

> 
>ServerAdmin p...@dirac.org
>ServerName  www.dirac.org
>ServerAlias dirac.org
> 
># Indexes + Directory Root.
>DirectoryIndex index.html
>DocumentRoot /var/www/
> 
># Logfiles
>ErrorLog  /var/log/apache2/dirac.org.error
>CustomLog //var/log/apache2/dirac.org.access combined
> 
> 
> The default enabled site starts off as:

You don't have a ServerName for the default site. Is it
possible that the default is catching all of the requests since it has
no name? Give it a name. Since it's the default (its configuration
file comes first alphabetically), it will still respond
to any unknown hostnames passed in the host header.

The link I quote below says:
"ServerName should always be set for each vhost. Otherwise A DNS lookup
is required for each vhost."

> 
>ServerAdmin p...@dirac.org
>DocumentRoot /var/www
>. . .
> 
> 
> 
> Any ideas what could be preventing this from working?

For more information about Apache virtual host ordering, see
http://httpd.apache.org/docs/2.2/vhosts/details.html

--Ken

-- 
Chanoch (Ken) Bloom. PhD candidate. Linguistic Cognition Laboratory.
Department of Computer Science. Illinois Institute of Technology.
http://www.iit.edu/~kbloom1/