AW: AW: AW: Problem with Apache in Jail

Ian Smith smithi at nimnet.asn.au
Fri Nov 20 12:31:35 UTC 2009


On Fri, 20 Nov 2009, Scheithauer, Lars (FH) wrote:
 > > So are you sure that (from outside your environment) the vhost hostname
 > > resolves to its IP address ok?  Does it have a unique public IP address?
 > > If so, does reverse resolution of that address point to that hostname?
 > 
 > Yes:
 >   # host campus2.fh-heidelberg.de
 >   campus2.fh-heidelberg.de is an alias for www2.fh-heidelberg.de.
 >   www2.fh-heidelberg.de has address 193.197.74.48
 >   # host 193.197.74.48
 >   48.74.197.193.in-addr.arpa domain name pointer www2.fh-heidelberg.de.

Hi Lars.  Same results from here.

 > > From (right) outside your net, does that IP address respond to pings?
 > > By IP address as well as by hostname?
 > 
 > Yes.

NOT from here, but I can ping its neighbouring DNS server, noticed from:
;; ADDITIONAL SECTION:
dns1.belwue.de.         25303   IN      A       129.143.2.10
dns3.belwue.de.         65090   IN      A       131.246.119.18
dnsfh.fh-heidelberg.de. 81442   IN      A       193.197.74.49

smithi on sola% ping 193.197.74.48
PING 193.197.74.48 (193.197.74.48): 56 data bytes
^C
--- 193.197.74.48 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss

smithi on sola% ping 193.197.74.49
PING 193.197.74.49 (193.197.74.49): 56 data bytes
64 bytes from 193.197.74.49: icmp_seq=0 ttl=44 time=359.907 ms
64 bytes from 193.197.74.49: icmp_seq=1 ttl=44 time=365.433 ms
64 bytes from 193.197.74.49: icmp_seq=2 ttl=44 time=363.339 ms
^C
--- 193.197.74.49 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 359.907/362.893/365.433/2.278 ms

So it's not clear that any outside traffic is reaching .48, or if so, 
that its responses are getting out, given there's no local firewall.  
Which could be the whole problem - this might have nothing to do with 
apache at all?

HTTP requests to .48 IP send setup packets which are not acknowledged, 
so it's never getting far enough to care which hostname was requested.

Is .49 on the same box?  Same interface?  Maybe a netstat -nr outside 
and inside the jail might indicate something?  Where's your gateway?

So .. upstream firewall?  Improper routing, either upstream or return 
route from that box (or the jail?) for that IP?  Stabs in the dark ..

 > > Does your apache config specify name-based and/or IP-based virtual 
 > > hosts?  There can lurk some dragons ..
 > 
 > I did try name-based, but it's currently just a catch-all (see below).

On the face of it, it should answer for either hostname, and likely will 
when it gets packets through and/or gets responses back :)

 > > If this is a jail issue I've no idea at all, but if the DNS results 

I'd best stress that; I've never set up a jail, though I've been lurking.

 > > obtained from inside and outside your network perimeter differ, that may 
 > > explain some of what you're seeing.  I guess an outside DNS query 
 > > followed by an attempted HTTP connect tracked on tcpdump, perhaps in 
 > > verbose packet-display mode (eg -nXs0) should provide more solid clues?
 > 
 > Ooooookay, now this really makes sense. 
 > Sending packets to the URL don't even reach the jailhost (I can't
 > directly dump the jail's packages), but sending to its IP do... And I
 > can see packets leaving my client... This is persistent across different
 > browsers. Any ideas how that is possible?

No.  http://193.197.74.48/ is just the same from here of course, and all 
I see is setup packets leaving and no response.  No upstream firewall/s?

You can't run tcpdump inside a jail as root?

 > > Make sure that you're logging both the vhost concerned and the 'default' 
 > > config used if no vhost entry is satisfied, perhaps you'll see something 
 > > there?  I specify error.log to catch any of these during vhost setup.
 > 
 > I do, see below.

Sure.  It's not getting that far, seen from here at least.

Sorry, I'm out of ideas, and have to go out.  I'll leave the tail alone 
in case somebody else might catch a clue from it.

Good luck, Ian

 > > You may need to share more of your apache configuration in the hope that 
 > > someone may spot something, once you confirm there are no DNS issues.
 > 
 > ---------->>> /usr/local/etc/apache22/httpd.conf <<<----------
 > ServerRoot "/usr/local"
 > Listen 80
 > 
 > ## modules
 > # [...]
 > 
 > ## MAIN CONFIG
 > ServerAdmin support at fh-heidelberg.de
 > ServerName www2.fh-heidelberg.de:80
 > DocumentRoot "/usr/local/www/apache22/data"
 > 
 > ## disable all access, then allow specific services
 > <Directory />
 >     AllowOverride None
 >     Order deny,allow
 >     Deny from all
 > </Directory>
 > 
 > ## main site, currently just with a testpage
 > <Directory "/usr/local/www/apache22/data">
 >     Options Indexes FollowSymLinks
 >     AllowOverride All
 >     Order allow,deny
 >     Allow from all
 > </Directory>
 > 
 > <IfModule dir_module>
 >     DirectoryIndex index.html
 > </IfModule>
 > 
 > ## prevent htaccess to be read
 > <FilesMatch "^\.ht">
 >     Order allow,deny
 >     Deny from all
 >     Satisfy All
 > </FilesMatch>
 > 
 > 
 > 
 > ## LOGGING
 > ErrorLog "/var/log/httpd-error.log"
 > logLevel debug
 > 
 > <IfModule log_config_module>
 >     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 >     LogFormat "%h %l %u %t \"%r\" %>s %b" common
 > 
 >     <IfModule logio_module>
 >         LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
 >     </IfModule>
 > 
 >     CustomLog "/var/log/httpd-access.log" combined
 > </IfModule>
 > 
 > ## aliases and redirects
 > <IfModule alias_module>
 >     ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"
 > </IfModule>
 > 
 > ## cgi-bin
 > <Directory "/usr/local/www/apache22/cgi-bin">
 >     AllowOverride None
 >     Options None
 >     Order allow,deny
 >     Allow from all
 > </Directory>
 > 
 > DefaultType text/plain
 > 
 > <IfModule mime_module>
 >     TypesConfig etc/apache22/mime.types
 > 
 >     AddType application/x-compress .Z
 >     AddType application/x-gzip .gz .tgz
 > 
 >     #AddHandler cgi-script .cgi
 >     #AddHandler type-map var
 > </IfModule>
 > 
 > ## Virtual hosts
 > #Include etc/apache22/extra/httpd-vhosts.conf
 > Include etc/apache22/vhosts/*
 > Include etc/apache22/Includes/*.conf
 > 
 > 
 > ----->>> /usr/local/etc/apache22/vhosts/campus2.fh-heidelberg.de <<<-----
 > ## catch all
 > NameVirtualHost *:80
 > 
 > <VirtualHost *:80>
 >         ServerAdmin  support at fh-heidelberg.de
 >         DocumentRoot "/usr/local/www/apache22/campus2.fh-heidelberg.de"
 >         ServerName   campus2.fh-heidelberg.de
 >         ErrorLog     "/var/log/apache2/campus2.fh-heidelberg.de_error.log"
 >         CustomLog    "/var/log/apache2/campus2.fh-heidelberg.de_access.log" common
 > </VirtualHost>
 > 
 > 
 > 
 > Best Regards,
 > Lars
 > 
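The check Ian describes above, setup packets leaving with no response coming back, as an added example that is not part of the thread: a small Python script that tallies client SYNs against server SYN-ACKs per server endpoint in `tcpdump -n` output, so the unanswered host (.48) stands out next to one that does answer (.49). The capture lines are constructed here, and the client address 203.0.113.5 and the port numbers are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output (modern "Flags [S]" style), not a real capture.
# Three retransmitted SYNs to 193.197.74.48:80 get nothing back; a SYN to 193.197.74.49:53
# is answered with a SYN-ACK and the handshake completes.
SAMPLE_CAPTURE = """\
12:30:01.000001 IP 203.0.113.5.51000 > 193.197.74.48.80: Flags [S], seq 1, win 65535, length 0
12:30:04.000100 IP 203.0.113.5.51000 > 193.197.74.48.80: Flags [S], seq 1, win 65535, length 0
12:30:10.000200 IP 203.0.113.5.51000 > 193.197.74.48.80: Flags [S], seq 1, win 65535, length 0
12:30:11.000000 IP 203.0.113.5.51001 > 193.197.74.49.53: Flags [S], seq 2, win 65535, length 0
12:30:11.360000 IP 193.197.74.49.53 > 203.0.113.5.51001: Flags [S.], seq 9, ack 3, win 65535, length 0
12:30:11.360100 IP 203.0.113.5.51001 > 193.197.74.49.53: Flags [.], ack 1, win 65535, length 0
"""

# One IPv4/TCP summary line: timestamp, src.port > dst.port, then the TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields of one tcpdump line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse_handshakes(capture):
    """Count SYNs sent to and SYN-ACKs received from each (server_ip, server_port)."""
    stats = defaultdict(lambda: {"syn_sent": 0, "syn_ack_seen": 0})
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":      # client SYN: the server is the destination
            stats[(pkt["dst"], int(pkt["dport"]))]["syn_sent"] += 1
        elif pkt["flags"] == "S.":   # server SYN-ACK: the server is the source
            stats[(pkt["src"], int(pkt["sport"]))]["syn_ack_seen"] += 1
    return dict(stats)


def unanswered_endpoints(capture):
    """Endpoints that were sent SYNs but never replied with a SYN-ACK."""
    return sorted(ep for ep, s in analyse_handshakes(capture).items()
                  if s["syn_sent"] and not s["syn_ack_seen"])


if __name__ == "__main__":
    for ep, s in sorted(analyse_handshakes(SAMPLE_CAPTURE).items()):
        print(f"{ep[0]}:{ep[1]} syn_sent={s['syn_sent']} syn_ack_seen={s['syn_ack_seen']}")
    print("unanswered:", unanswered_endpoints(SAMPLE_CAPTURE))
```

Feed it a real capture with `tcpdump -n -i <iface> tcp port 80` taken on the client, and separately on the jail host, to see at which hop the SYNs stop being seen.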

