#21 | markc | 9th April 2013, 07:09

It seems your problem is solved and you can now access your Ubuntu server's default web pages from the outside world, so my advice would not be necessary.

I use nginx and its sites-enabled/100-mysite.vhost listen directive is "listen *:80;" so it's listening on my 127.0.0.1 and 192.168.xx.xx IPs by default. From the inside of my LAN I have no problem bringing up a page for the domainname associated with the EXTERNAL IP of my router, but I am using a DMZ from the router to my internal server.

What I did have a problem with is using this server as a DNS slave, and for the life of me it would not transfer the /etc/bind/slave records. I think it finally worked after this tweak, which means I may not have disabled AppArmor on this Ubuntu raring server.
Code:
~ cat /etc/apparmor.d/local/usr.sbin.named
# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.

/etc/bind/slave/ lrw,
The Following User Says Thank You to markc For This Useful Post:
danhansen@denmark (9th April 2013)

#22 | danhansen@denmark | 9th April 2013, 13:24
/etc/hosts, listen *:80; & DMZ

Quote (originally posted by markc):
> It seems your problem is solved and you can now access your Ubuntu server's default web pages from the outside world, so my advice would not be necessary.
>
> I use nginx and its sites-enabled/100-mysite.vhost listen directive is "listen *:80;" so it's listening on my 127.0.0.1 and 192.168.xx.xx IPs by default. From the inside of my LAN I have no problem bringing up a page for the domainname associated with the EXTERNAL IP of my router, but I am using a DMZ from the router to my internal server.
>
> What I did have a problem with is using this server as a DNS slave, and for the life of me it would not transfer the /etc/bind/slave records. I think it finally worked after this tweak, which means I may not have disabled AppArmor on this Ubuntu raring server.
> Code:
> ~ cat /etc/apparmor.d/local/usr.sbin.named
> # Site-specific additions and overrides for usr.sbin.named.
> # For more details, please see /etc/apparmor.d/local/README.
>
> /etc/bind/slave/ lrw,

Hi Markc,

Thanks for that and yes it works now! But there are a couple of things that I still would like to fix:

1. As you write you have "...got no problem bringing up a page for the domainname associated with the EXTERNAL IP of my router"
But I still do and you gave me this advice earlier on: "...and on your linux desktop add "192.168.xx.xx yourdomainname.tld" to /etc/hosts to force your browser to go directly to the webserver on the LAN IP."
To this I ask: Do I have to do this for all my domains/websites that I want to go directly to? (myfirstdomain.tld, myseconddomain.tld, mythirddomain.tld etc.) And, do I have to make both "192.168.xx.xx myfirstdomain.tld" and "192.168.xx.xx www.myfirstdomain.tld" if I want to reach domains/websites with and without "www" in the browser - or is this "handled" in ISPConfig's "subdomain" function!?! Sorry for that!

2. Regarding: "...listen *:80;" so it's listening on my 127.0.0.1 and 192.168.xx.xx IPs by default..." and "...When you configure the webserver, tell it to listen on the INTERNAL LAN IP..." I am not sure if my system "ISPConfig3 Single Server System - Ubuntu Server 10.04" has anything listening on any ports by default - I haven't seen this in any of the 3 files I posted. So I ask, do you think that there is this "listening on port 80" anywhere in this default setup? Or, do you think I need it now that the websites are working from the outside?
It's just that I don't know exactly how this control panel works. I haven't "activated" anything "virtual", but maybe there are several "virtual" functions that I just don't understand. Back in the days we used 1 public IP number per client's domain/website which we had the nameservers point at. Simple and easy. And he keeps on going! Sorry about that too.

3. Regarding the DMZ you told about, I too use the DMZ function now, after having my modem/router reset and knocked back into the stone age. I thought about it after reading your post and decided that I too wanted to use this function. There are all kinds of security installed on the ISPConfig system and a firewall to be activated. Normally, and back in the days where I as an ISP used (with Microsoft IIS Servers) I had all servers on the public/unsecure side of a router. That was the way to do it then and this is the way to do it now, I see that. To have some security on my work desktop, which is also on this Internet connection, I configured another router (DLink DIR-655) to run DHCP on another subnet with full protection and everything. So from here on there is only "fine-tuning of the system" to do and some adapting too.

Thanks for everything - looking forward to hearing from you.

Kind Regards,
Dan

#23 | markc | 9th April 2013, 14:34

So when you say "it works" I presume you mean you can surf to your control panel on your DMZ server from the outside world but you can't get to the same site directly from another machine on your internal LAN?

My "solution" of hardwiring IPs and domainnames on each internal workstation should not be needed and is just a workaround in some bizarre situation. The domain I point to my external IP is the same as when I ping it from the inside on my laptop, so when I surf to mydomain.tld my browser goes to my router and that passes it back into my internal LAN on the DMZ. In other words, it doesn't matter if I ping my domain from inside or outside of my router, it will still go to the server on my DMZ. The nginx listen directives for ports 80 and 443 listen to everything on that server, which is 127.0.0.1 and 192.168.xx.xx. If I type 192.168.xx.xx into my browser I still get the same vhost that I see by going to mydomain.tld from outside or inside my router.

I have my ISPConfig CP listen to port 443 so if I go to https://mydomain.tld I get my CP from inside or outside my router. If I use https://192.168.xx.xx then I still get the CP. You should be able to do the same or similar to this.

#24 | danhansen@denmark | 9th April 2013, 15:59

> So when you say "it works" I presume you mean you can surf to your control panel on your DMZ server from the outside world but you can't get to the same site directly from another machine on your internal LAN?

Exactly!

> My "solution" of hardwiring IPs and domainnames on each internal workstation should not be needed and is just a workaround in some bizarre situation. The domain I point to my external IP is the same as when I ping it from the inside on my laptop, so when I surf to mydomain.tld my browser goes to my router and that passes it back into my internal LAN on the DMZ. In other words, it doesn't matter if I ping my domain from inside or outside of my router, it will still go to the server on my DMZ. The nginx listen directives for ports 80 and 443 listen to everything on that server, which is 127.0.0.1 and 192.168.xx.xx. If I type 192.168.xx.xx into my browser I still get the same vhost that I see by going to mydomain.tld from outside or inside my router.
>
> I have my ISPConfig CP listen to port 443 so if I go to https://mydomain.tld I get my CP from inside or outside my router. If I use https://192.168.xx.xx then I still get the CP. You should be able to do the same or similar to this.

From the outside I just use my https://myfixedipnumber:8080 - from the inside https://192.168.x.xx:8080. Have you changed the port ISPConfig listens to then? I'm not sure about this, which is why I have posted a thread with a question regarding the use of the servername from the outside. The name we gave it during installation was server1.domain.tld and was set up as a hostname, and in the ISPConfig app you are also told to enter "server1.example.tld". This is why I am a little confused. Well, don't use any more time trying to explain this to me, you are many steps ahead of me. I must read the 373 pages for the third time.

Kind Regards,
Dan

Last edited by danhansen@denmark; 9th April 2013 at 16:02. Reason: Ups.... Wrong button.. Closed it before I had finished writing...

#25 | markc | 9th April 2013, 16:28

Yes, I use port 443 instead of 8080 for my CP. So what happens when you go to https://myfixedipnumber:8080 from inside your LAN?

If that works the same as https://192.168.x.xx:8080 then all is well and you are only missing a domainname and DNS resolution for it.

Have you got a registered domainname you can point to your external IP?

If not then you could try to emulate it with either Bind and use, say, one.lan two.lan three.lan kind of hostnames with lan as your private top level domain (TLD), or use "ip hostname" mappings in /etc/hosts on your server and workstation. But this won't work from the outside world, so it is of limited use.

#26 | danhansen@denmark | 9th April 2013, 18:03

> Yes, I use port 443 instead of 8080 for my CP.

Ahhh, I see..

> So what happens when you go to https://myfixedipnumber:8080 from inside your LAN? If that works the same as https://192.168.x.xx:8080 then all is well and you are only missing a domainname and DNS resolution for it.

Absolutely nothing other than:
The connection has timed out
The server at myfixedipnumber is taking too long to respond.

> Have you got a registered domainname you can point to your external IP?

Yes, I've got several. And I am a little lost here, but I'm quite curious exactly what it is you are using this trick for. Sorry for being slow.

> use "ip hostname" mappings in /etc/hosts

Yes, this is what I'm trying to do right now. Been installing VIM-NOX on my desktop to be able to VI /etc/hosts. But I've been reading a lot about troubles with "read only" rights and about server1.example.tld, where server1 is the hostname and, with example.tld being the domainname, you have the FQDN, the fully qualified domainname. But, yes, I would like to be able to reach some of the websites I'm hosting on the ISPConfig3 server. And from my Windows-based notebook I know about editing the hosts file. I'm just not sure about the way to do it on the Ubuntu Desktop 12.04 - here's my "/etc/hosts" output with my suggestion. Please correct me. And when the file is rewritten, do I need to restart the service (would hate to restart the desktop)? He's back!!!

127.0.0.1 localhost
127.0.1.1 Blackbird (mydesktoppcbutyoualreadyknowthisimsure)
192.168.1.200 mydomain1.tld
192.168.1.200 www.mydomain1.tld
192.168.1.200 mydomain2.tld
192.168.1.200 www.mydomain2.tld

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Kind Regards,
Dan

#27 | markc | 9th April 2013, 18:49

If you can't get to your CP via the external IP from within your LAN, but you can from the outside, then something is obviously weird. This problem needs to be fixed first and it may be something to do with firewall rules on either your desktop or server. If you are using a DMZ on your router then perhaps make sure any previous port forwarding rules are removed. This may make no difference but you need to nudge a few things to try and get access from your desktop to the server via the external IP of your router. Running tcpdump on the server is invaluable but there can be a lot of RTFM involved using it... usually something like "tcpdump -i eth0 not port 22" on the server will reveal what traffic is or is not hitting the server.

As for the /etc/hosts "trick", it should not be necessary if you have real registered domains that you can use. But for the sake of testing, something like this...
Code:
# desktop
192.168.1.201 blackbird.mydomain1.tld blackbird

# server
192.168.1.200 www.mydomain1.tld www.mydomain2.tld mydomain1.tld mydomain2.tld
needs to be added to both /etc/hosts (or windows equiv) so that both machines know about each other's temporary domainnames for testing. "192.168.1.201" is a placeholder for whatever your desktop IP is.

You might find nano a friendlier editor unless you actually prefer vi. I use this alias in my ~/.bashrc...
Code:
alias e='nano -t -x -c'

#28 | danhansen@denmark | 11th April 2013, 02:26
server1.myispserver.tld & to see websites in browser using domains within LAN

Hi Markc,

> If you can't get to your CP via the external IP from within your LAN, but you can from the outside, then something is obviously weird. This problem needs to be fixed first and it may be something to do with firewall rules on either your desktop or server. If you are using a DMZ on your router then perhaps make sure any previous port forwarding rules are removed. This may make no difference but you need to nudge a few things to try and get access from your desktop to the server via the external IP of your router. Running tcpdump on the server is invaluable but there can be a lot of RTFM involved using it... usually something like "tcpdump -i eth0 not port 22" on the server will reveal what traffic is or is not hitting the server.

I will try that command and maybe post the result for you!? I have seen this problem before, not being able to reach websites/domains on a server from a workstation within the LAN - and the solution was to add IP number and domain to /etc/hosts, or at least I think it was (were*).

> As for the /etc/hosts "trick", it should not be necessary if you have real registered domains that you can use. But for the sake of testing, something like this...
> Code:
> # desktop
> 192.168.1.201 blackbird.mydomain1.tld blackbird

I'm sorry, I have been looking at this several times now and I'm not sure about the reason for doing this. Why use the desktop as a subdomain? If this is what it is. Is it to be able to reach the desktop using the subdomain from the outside?

> # server
> 192.168.1.200 www.mydomain1.tld www.mydomain2.tld mydomain1.tld mydomain2.tld

This is what I thought should be in the desktop /etc/hosts file, to be able to reach a website/domain on the ispserver within the LAN!? Making a request for mydomain1.tld in the desktop browser, then via the /etc/hosts file it is being directed directly to myispserver 192.168.1.200. Because, making a request for the domain1.tld, it will be directed to the outside fixed IP number by the primary nameserver.
Again, I'm sorry. I'm not quite sure what to do yet or how these things work exactly.

> needs to be added to both /etc/hosts (or windows equiv) so that both machines know about each other's temporary domainnames for testing. "192.168.1.201" is a placeholder for whatever your desktop IP is.

Placeholder, I'm not sure what this is. Maybe I should go back in the thread and read a little. I will do that.

> You might find nano a friendlier editor unless you actually prefer vi. I use this alias in my ~/.bashrc...
> Code:
> alias e='nano -t -x -c'

What does the alias do? Is it some kind of variable* you set so that you only need to type "e" in front of a filename? I "vim-nox'e" the vi so that it behaves a little better, but I'm very curious so please tell me more. Do you "apt-get" or "aptitude"? I noticed that "aptitude" is not default in the Ubuntu desktop 12.04 but has to be installed.

(* not sure about the word and how it's spelled)
(Funny words are the result of Danish spellchecking* on a smartphone)

By the way, which timezone are you in? So that I can try to answer during your daytime instead of in the middle of the night.

Kind Regards
Dan

#29 | markc | 11th April 2013, 06:14

My timezone is +10. Yes, the e alias just makes it easier to "e filename". I also use a "se" alias that just prepends a sudo to easily edit root owned files.

Trying to add temporary domainname mapping to your desktop and server is not really necessary. You should try to solve the basic networking problem of being able to "see" your DMZ server by going to your external IP from your desktop machine.

Run the tcpdump command on your server and then try to surf to your external router IP on your desktop and see what tcpdump says, or not. It should be obvious whether you see any sign of network traffic, coming from your desktop, on your server. We just need a yes or no answer.
The Following User Says Thank You to markc For This Useful Post:
danhansen@denmark (11th April 2013)
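
Added example, not part of the thread and not written by either poster: one way to turn the tcpdump output requested above into the "yes or no answer". It reads `tcpdump -nn` text and reports whether packets from the desktop reached the control-panel port and whether the server replied. The addresses, port 8080 and capture lines are constructed from the values used in the thread; it assumes the server sees the desktop's own address, so if the router rewrites the source, pass the router's LAN address instead.

```shell
#!/bin/sh
# Added example. Reads `tcpdump -nn` text on stdin and answers whether
# packets from the desktop reached the server's control-panel port.
# classify_capture DESKTOP_IP SERVER_IP PORT  -> no | yes-unanswered | yes
classify_capture() {
    awk -v src="$1" -v dst="$2" -v port="$3" '
        $2 == "IP" {
            from = $3; to = $5; sub(/:$/, "", to)
            # tcpdump prints each endpoint as address.port
            if (index(from, src ".") == 1 && to == dst "." port) inbound++
            if (from == dst "." port && index(to, src ".") == 1) replies++
        }
        END {
            if (inbound == 0)      print "no"              # nothing arrived
            else if (replies == 0) print "yes-unanswered"  # arrived, no reply
            else                   print "yes"             # arrived and answered
        }'
}

# Constructed capture lines (not taken from the thread), in the layout
# tcpdump prints for IPv4 TCP/UDP and ARP.
sample_capture() {
    cat <<'EOF'
12:10:01.000101 IP 192.168.1.201.51514 > 192.168.1.200.8080: Flags [S], seq 1001, win 29200, length 0
12:10:01.000188 IP 192.168.1.200.8080 > 192.168.1.201.51514: Flags [S.], seq 2001, ack 1002, win 28960, length 0
12:10:01.000412 IP 192.168.1.201.51514 > 192.168.1.200.8080: Flags [.], ack 1, win 229, length 0
12:10:02.113000 IP 192.168.1.1.1900 > 192.168.1.200.40112: UDP, length 48
12:10:03.500000 ARP, Request who-has 192.168.1.200 tell 192.168.1.1, length 46
EOF
}

# Live use on the server (needs root), stopping after 200 packets:
#   tcpdump -nn -i eth0 -c 200 not port 22 | classify_capture DESKTOP_IP SERVER_IP 8080
sample_capture | classify_capture 192.168.1.201 192.168.1.200 8080
```

A result of "yes-unanswered" points at the server side (firewall or listener), while "no" points at the router or the path from the desktop.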

#30 | danhansen@denmark | 11th April 2013, 12:12
TCPdump from ispserver - Trying to reach fixed IP from desktop - part1,2 & 3

Hi Mark,

I sent you a private message containing the info - There is some "private" stuff in it

Kind Regards,
Dan