Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: midnightferret on August 20, 2008, 04:10:24 PM

Title: Simple Port 80 forwarding: did search, tried some things, please give me a hand?
Post by: midnightferret on August 20, 2008, 04:10:24 PM
Hi, sorry for the lengthy post.

I've used SME 7.3 as my server for a while, but I've never asked it to do anything apart from its built-in functions before. All I want is to pass any incoming http requests (from the internet) to a machine on my internal LAN but outside my dhcp ip range. (for example, dhcp range = 192.168.100-189, forwarded machine ip = static: 192.168.1.203).

I have tried solutions both from http://wiki.contribs.org/SME_Server:Documentation:FAQ#Proxy_Pass and http://forums.contribs.org/index.php?topic=19306.0.

After the second solution, browsing to 192.168.1.1 stopped giving me the "under construction" default web page for the address of my server on port 80, but it does not show the index page of the machine to which port 80 is forwarded (ie. 192.168.1.20). Also, when I browse to 192.168.1.1:8080, I do get the default webpage, but when I try to access the server-manager (ie. 192.168.1.1:8080/server-manager) the browser returns an error "192.168.2.2 has sent an incorrect or unexpected message. Error code -12263." (Https SSL error).

I must be missing a step or not understanding something. Can someone please point me in the right direction, or better yet, give me explicit instructions? This must be a simple operation but I cannot figure it out. Thanks so much for any help.

-christine

Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: CharlieBrady on August 20, 2008, 07:45:54 PM
Quote
I've used SME 7.3 as my server for a while, but I've never asked it to do anything apart from its built-in functions before. All I want is to pass any incoming http requests (from the internet) to a machine on my internal LAN ...

Use the port forwarding panel.
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: midnightferret on August 20, 2008, 08:23:48 PM
thank you, but I *have* forwarded port 80 to the machine. I am sorry I forgot to mention that.
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: CharlieBrady on August 20, 2008, 09:04:24 PM
Quote
thank you, but I *have* forwarded port 80 to the machine. I am sorry I forgot to mention that.

Yeah, but you've done other stuff as well. Undo that other stuff.
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: midnightferret on August 21, 2008, 01:22:13 AM
OK, I undid the modifications to httpd.conf, which gave me my server-manager back. Here's another question to betray my ignorance: how do I undo the solution found here: http://wiki.contribs.org/SME_Server:Documentation:FAQ#Proxy_Pass?

Incidentally, the domain that was supposedly created in that solution never showed up in my domain control panel under server-manager.

So far, when I try to access the webserver from the external IP, it no longer shows the default sme "under construction" page, but times out. However, I probably need to undo the Proxypass solution?

Thanks again for your help.
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: janet on August 21, 2008, 04:08:43 AM
midnightferret

Quote
Incidentally, the domain that was supposedly created in that solution never showed up in my domain control panel under server-manager.

Perhaps you entered the commands incorrectly.
Show us by cutting and pasting the actual commands you entered (from Putty).


To get the usage syntax for the db command, at the command prompt type
db

This command should totally delete that entry and reconfigure your server

db domains delete proxypassdomain.com
signal-event post-upgrade
reboot

Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: CharlieBrady on August 21, 2008, 04:36:36 PM
Quote
db domains delete proxypassdomain.com
signal-event
reboot

I believe you mean:

db domains delete proxypassdomain.com
signal-event post-upgrade
signal-event reboot

although this should also work (without the reboot):

db domains settype proxypassdomain.com domain-deleted
signal-event domain-delete proxypassdomain.com
db domains delete proxypassdomain.com
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: janet on August 22, 2008, 03:44:27 AM
Charlie

Oops a typo, yes I did mean that, corrected now.

Thanks for the other command pointers
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: CharlieBrady on August 22, 2008, 04:28:11 AM
Quote
So far, when I try to access the webserver from the external IP, it no longer shows the default sme "under construction" page, but times out.

If you mean "I try to access the webserver from the Internet" then it means your port forwarding is not functioning. Either your internal webserver is not functioning on the LAN, or it isn't configured correctly with its default gateway set to the internal IP of the SME server.

If you are trying to access the webserver's external IP address from your local network, then you shouldn't expect that to work. Port forwarding can only work for incoming traffic from the Internet. You cannot port forward from one host on the LAN to another.
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: midnightferret on August 22, 2008, 05:05:12 AM
I have set everything back to the way it was originally. Now the only "special" setting I have is port 80 forwarded to the web server machine, as you instructed.

The web server is serving pages inside the LAN, but times out when I try to see it from the internet. Therefore, as you say, the port forwarding must not be functioning.

The machine the web server is on has its default gateway set to the internal IP address of the SME server. Would I also need to configure something in Apache that sets the default gateway?

Thanks again for everyone's help.
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: janet on August 22, 2008, 05:14:34 AM
midnightferret

Quote
The web server is serving pages inside the LAN, but times out when I try to see it from the internet.

Quote
All I want is to pass any incoming http requests (from the internet) to a machine on my internal LAN but outside my dhcp ip range. (for example, dhcp range = 192.168.100-189, forwarded machine ip = static: 192.168.1.203).

Is that machine on 192.168.1.203 actually physically accessible from your sme server ?
ie on the command line of sme server can you successfully ping that IP
ping 192.168.1.203

Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: midnightferret on August 22, 2008, 05:19:44 AM
Mary, yes, it pings the machine just fine.
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: janet on August 22, 2008, 05:27:33 AM
midnightferret

How are you physically accessing the domain ?

ie are you using an external internet service/connection (ie external to your LAN), because as Charlie says, port forwarding only works from the external interface to an internal IP.

What URL are you using ?
With port 80 forwarded then all http requests for the main domain on your sme server will be forwarded, so you need to access using
http://www.yourdomain.com
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: CharlieBrady on August 22, 2008, 03:44:07 PM
Quote
Would I also need to configure something in Apache that sets the default gateway?

No.
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: MSmith on August 24, 2008, 06:08:37 PM
At this point I would try another router, perhaps an appliance such as a consumer-grade Linksys or D-Link, to see if the problem is with SME's port forwarding or the target's Apache or TCP/IP setup.
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a hand?
Post by: arne on August 24, 2008, 10:31:53 PM
An external port scan to see if the port forwardings work. (And if there are some other firewalls or restrictions.)

https://www.grc.com/x/ne.dll?bh0bkyd2
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a hand?
Post by: electroman00 on August 25, 2008, 12:08:41 AM
Based on current info given...

Since my crystal ball has a (50 mile range limit) please select

1 - SME server only mode (no firewall ahead)
2 - SME server only mode (external firewall ahead, SME on DMZ)
3 - SME server only mode (external firewall ahead, SME on LAN) (Firewall PF 80 to SME, NO PF on SME)
4 - SME server-gateway mode (no firewall ahead)
5 - SME server-gateway mode (external firewall ahead, SME on DMZ)
6 - SME server-gateway mode (external firewall ahead, SME on LAN) (Firewall PF 80 to SME, NO PF on SME)

From info given assume # 3 or 6 ???
While 2 or 5 are optimal.

What Firewall is currently ahead of SME.....brick (i.e. linksys etc.) or FOSS (i.e. smoothwall etc.)??

Assume FOSS...?

Is the NEW Host on SME LAN or External Firewall LAN..??

Can we see the results of....

 db domains show

Then we can see if the proxy is setup as it should be.

Quote
After the second solution, browsing to 192.168.1.1 stopped giving me the "under construction" default web page for the address of my server on port 80

Did you set that P.F. on SME or the firewall or both..?? (NO PF should be required ON SME)

Clear indication something is a foobar, the SME does not need the  Fort Porword for #'s 3 & 6 above.

Port Forward ON SME will forward ALL 80 requests (including 'www.mySMEserver.xxx' and 'www.mySMEserver.xxx/server-manager')

Don't think that is what you're looking to do here..?

You're looking to create a Virtual Host i.e.

 example.mySMEserver.xxx       and direct that     (not a redirect)    to a remote host (same/different subnet).

If the New Host requires external (wan) access via SME you need Step 3,..... internal subnet access only - omit Step 3.

These steps accomplish that and should not affect/redirect in any way...

    mySMEserver.xxx    or    mySMEserver.xxx/server-manager    or    xxx.xxx.xxx.xxx/server-manager


or their www counterparts that are reflected in the DNS records.



Step 1 >> Test/Verify New Host

Download superscan 3 (windoze) and port scan your new host, port 80 should be open.

http://www.foundstone.com/us/resources/proddesc/superscan3.htm

That will tell you the new host is ping-able and port 80 is open on the new host (both required).



Step 2 >> Setup Hostnames and addresses select 'remote' option.

Quote
Incidentally, the domain that was supposedly created in that solution never showed up in my domain control panel under server-manager.

The new host should appear under Server-Manager > Review configuration

Test new host via    NewHostName.mySMEserver.xxx      without www. prepended and while on SME's local subnet.

That confirms local access is working.

then

     (only if external (wan) access via SME is required to the New Virtual Host)



Step 3 >> Provide for external (wan) virtual host access via SME's proxy

Code:
db domains set proxypassdomain.com domain
db domains setprop proxypassdomain.com Nameservers internet
db domains setprop proxypassdomain.com ProxyPassTarget http://xxx.xxx.xxx.xxx/
db domains setprop proxypassdomain.com TemplatePath ProxyPassVirtualHosts
signal-event domain-create proxypassdomain.com

Post here the above lines you used so we can see what you setup and also the Hostnames and addresses setup.
It's very hard to offer advice without that imperative info...(shooting in the dark)

The above steps assume you have no special requirements.

Since the host is on a different subnet you will more than likely need a DNS record, if you are accessing the New Host externally via SME Server.

Side Note:

Set-ups # 4-6 above may be a preferred setup to better control access to the New Host via SME, which is in fact the purpose of the proxy (Hide Me) concept.

Sending the proxy to another subnet adds that subnet to the Hacker's subnet list (which you indicate you're doing).

Hack SME and you have two subnets for the Hacking price of one. (that's 510 possible IPs) when you only need to expose 255 IPs.

That's SME's subnet and the subnet you proxy to, which = 2 subnets in the sys config on SME.

Proxy to a Client LAN and that's Hacker's Heaven.

Servers and Client LAN all in one shot....bam.

So.... # 5 suddenly becomes the winner.

If your external firewall can proxy then you would proxy to SME and proxy to New Host (different subnets) which provides subnet isolation.

Keep in mind any "Port Forwards" or "Pin Holes" may violate the subnet isolation.


Set-ups # 3 & 6 may not give much joy in the future (your mileage may vary) & (some re-assembly will be required).

Download & install the 4099.funlove virus and you won't fall in love nor have fun, however you will learn about subnet isolation.

In less than a blink of an eye your network clients are wiped out and you won't know it ...until.... it's tooooooooo late.

A good virus wants to propagate itself (in background) by seeding clients on the network, 510 or 255 is your choice...your config.

Hackers & Viruses EAT what YOU feed them....like Bears.

So don't feed the Bears..!!!

Quote
192.168.1.1:8080/server-manager

***** Why is that on 8080..??????

192.168.1.1/server-manager  #Should just work.
Primary domain/server-manager  #Should just work.

Both are port 80 to start, SME will redirect 80 to ssh from there (SME default).

Is your ISP blocking 80 and/or you're trying to spoof it..????

Quote
I must be missing a step or not understanding something.

Possibly...however I see in my crystal ball (50 mile range limit) that you will see great networking joy in the near future..!!

Quote
Follow the yellow brick road...!!

hum...interesting....

HTH

Have a good day....
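
Added example, not part of electroman00's post or of SME Server itself: a script that reads `db domains show` output, as requested above, flags any domain record that still carries a ProxyPass target, and prints the removal sequence CharlieBrady gave earlier in the thread. The sample record layout and the address in it are constructed for illustration.

```sh
#!/bin/sh
# Added example. SAMPLE_DB is constructed output in the `db domains show`
# layout (key=type, then indented Prop=Value lines); it is not from the thread.
SAMPLE_DB='example.org=domain
    Content=Primary
    Nameservers=internet
    SystemPrimaryDomain=yes
proxypassdomain.com=domain
    Nameservers=internet
    ProxyPassTarget=http://192.168.1.203/
    TemplatePath=ProxyPassVirtualHosts'

# Read `db domains show` output on stdin; print "domain<TAB>target" for every
# record that uses the ProxyPass template or carries a ProxyPassTarget.
list_proxypass_domains() {
    awk '
        function flush() {
            if (name != "" && (tmpl == "ProxyPassVirtualHosts" || target != ""))
                printf "%s\t%s\n", name, (target == "" ? "(no target)" : target)
        }
        /^[^ \t]/ {                      # unindented line starts a new record
            flush(); split($0, kv, "="); name = kv[1]; tmpl = ""; target = ""; next
        }
        {                                # indented line: one property
            line = $0; sub(/^[ \t]+/, "", line)
            eq = index(line, "="); if (eq == 0) next
            prop = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            if (prop == "TemplatePath") tmpl = val
            if (prop == "ProxyPassTarget") target = val
        }
        END { flush() }
    '
}

# Print (never run) the removal sequence for one domain.
print_removal_commands() {
    case $1 in                           # accept plain hostnames only
        ''|*[!A-Za-z0-9.-]*) echo "refusing unsafe name: $1" >&2; return 1 ;;
    esac
    printf 'db domains settype %s domain-deleted\n' "$1"
    printf 'signal-event domain-delete %s\n' "$1"
    printf 'db domains delete %s\n' "$1"
}

printf '%s\n' "$SAMPLE_DB" | list_proxypass_domains | while read -r dom target; do
    echo "# $dom still proxies to $target"
    print_removal_commands "$dom"
done
```

On a real server, pipe the live output in instead: `db domains show | list_proxypass_domains`.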
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: electroman00 on August 25, 2008, 12:41:52 AM
Quote
At this point I would try another router, perhaps an appliance such as a consumer-grade Linksys or D-Link, to see if the problem is with SME's port forwarding or the target's Apache or TCP/IP setup.

I think it's more of a case of "Faulty Operator".

There's clear road signs to that possibility.

I think once you get it all working, you'll be patting yourself on the back and kicking yourself at the same time.

So... just hang in there and forge on.... you're almost there...!!

Forget brick router and (Apache)... listen to Charlie....  "The Great OZ".

You will pay dearly for not listening to Charlie.

Surprised you haven't learned that lesson already.

Have you ever heard the line

I told you so...

Try this one

"The Great OZ has spoken"

Ring any bells
Title: Re: Simple Port 80 forwarding: did search, tried some things, please give me a h
Post by: midnightferret on August 26, 2008, 03:27:57 AM
Thank you all for your input.

I have been listening to CharlieBrady's posts. He said that I should be able to simply forward port 80 to the webserver machine. He told me to UNDO the virtual host.

There is nothing ahead of SME, except a cable modem. Besides, it seems to be working now, thanks to Charlie. And I didn't do anything except follow his instructions.

The port forwarding now works for anyone who isn't inside my lan. I can get to the server-manager by going to my server's IP address. This is perfectly fine for me. Thanks.