Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: purzel on January 12, 2016, 07:05:43 PM
-
Hi there!
Some months ago I configured my SME Server (9.0 at that time) for partially public access - which worked fine. But I did not use that access for a long time. I made my updates sometimes - the last some days ago. At some point my server became 9.1; I cannot say the exact day.
Now I wanted to use my remote access, but it's not working anymore. So I had a look:
[root@sme ~]# config show httpd-e-smith
httpd-e-smith=service
SSLv2=disabled
SSLv3=disabled
TCPPort=80
access=private
status=enabled
Huh?? I tried
[root@sme ~]# config setprop httpd-e-smith access public ; signal-event post-upgrade ; signal-event reboot && logout
But after reboot:
[root@sme ~]# config show httpd-e-smith
httpd-e-smith=service
SSLv2=disabled
SSLv3=disabled
TCPPort=80
access=private
status=enabled
What's my mistake? Or is it a bug that I should report?
TIA
purzel
{later}
I figured out that my setting
config setprop httpd-e-smith access public
is set back to "private" by doing
signal-event post-upgrade
WHY??
I've found a file "/etc/e-smith/db/configuration/defaults/httpd-e-smith/access" - which contains "public".
Strange things...
-
Your server is configured for 'server and gateway private'. Change it to 'server and gateway'.
-
Thanks, I will try it in the evening.
Just to understand it: Back in time, when installing SME 9.0 I selected "Router/Gateway" and I never changed that setting with intent - now I have to change it. Is this need caused by some update, e.g. 9 -> 9.1 ?
-
Thanks, I will try it in the evening.
No, don't.
Just to understand it: Back in time, when installing SME 9.0 I selected "Router/Gateway" and I never changed that setting with intent ...
Then you should report your problem via the bug tracker.
-
Thanks, I will try it in the evening.
No, don't.
Why not? Why did you revise your 1st suggestion?
I can't remember surely whether I selected 'server and gateway private' or 'server and gateway' while installing.
I'm relatively sure NOT changing the initial setting ever, at least not with intent.
Currently, my setting is really 'server and gateway private'. Shall I change it to get my remote access back or do you think it is a bug?
Maybe I set up in 'server and gateway' mode (I think so because I posted this last summer).
But I spent much time in closing all ports and services I did/do not want or need manually (via `config setprop ...`), e.g. mail and ftp.
Is it possible that, as a result of closing many ports/services manually, my config became '... private'?
Or is 'private' the default in 9.1? My initial setup was 9.0 as mentioned above (I did NOT reinstall but made updates in irregular intervals)
TIA
-
I can't remember surely whether I selected 'server and gateway private' or 'server and gateway' while installing.
OK, I misinterpreted what you said.
Currently, my setting is really 'server and gateway private'. Shall I change it to get my remote access back or do you think it is a bug?
You should change the setting. IMO, the 'server and gateway private' setting should be removed. It doesn't offer any added security, and as you have discovered, it can cause confusing problems.
-
OK, I'll try it tomorrow - now I'm too tired ...
-
IMO, the 'server and gateway private' setting should be removed. It doesn't offer any added security, and as you have discovered, it can cause confusing problems.
well, you'd open a bug for it :-)
nevermind, I'll do it for you ;-)
-
Hello!
I changed my setting from 'server and gateway private' to 'server and gateway' and configured my "historic" remote access as well as I could remember. Most is working now - hooray!
And thanks, of course.
The only thing NOT working is: server-manager from "outside", strictly from my PC at work. This means, I only want my office PC doing server-manager, no one else!
I tried both settings 'public' and 'private' for httpd-admin, but neither works.
[root@sme ~]# config show httpd-admin
httpd-admin=service
AllowHosts=aa.bb.cc.dd
PermitPlainTextAccess=no
TCPPort=980
TKTAuthSecret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ValidFrom=aa.bb.cc.dd/255.255.255.255
access=public
status=enabled
where aa.bb.cc.dd is the static IP of my office computer.
SSH and "normal" https (httpd-e-smith) from office -> home is working.
For server-manager from my office computer, I get "socket timed out" or similar.
Any suggestions?
edit: tried to eliminate misunderstandings basically :-)
-
yes..
connect via ssh and then, simply, do
elinks
you have your server manager there, no external http access needed
-
yes..
connect via ssh and then, simply, do
elinks
you have your server manager there, no external http access needed
Cool, it's working - many thanks!
BTW: where to post an idea for improvement?
-
Cool, it's working - many thanks!
BTW: where to post an idea for improvement?
bugzilla -> NFR (new feature request) is the right place.. anyway, you'd post also (after filing an NFR in BZ) in development forum
-
Any suggestions?
Stefano's suggestion of connecting to the server via SSH and using elinks is probably the simplest solution. Another would be to connect via VPN, using, e.g., http://wiki.contribs.org/OpenVPN_Bridge.
-
purzel
Did you enter that IP in the server manager Remote Access panel, in Remote Management section?
The IP must be a publicly accessible/identifiable IP (not a LAN IP), i.e. an Internet address, or otherwise the public IP of your office (but that last one will allow any office computer to access server manager if they know the password).
The way you say it, it sounds like the computer's local IP.
If you want the GUI server manager rather than the elinks text based server manager, you can also set up an SSH tunnel connection & then open your browser to https://localhost/server-manager.
The only thing NOT working is: server-manager from "outside", strictly from my PC at work. This means, I only want my office PC doing server-manager, no one else!
I tried both settings 'public' and 'private' for httpd-admin, but neither works.
[root@sme ~]# config show httpd-admin
httpd-admin=service
AllowHosts=aa.bb.cc.dd
PermitPlainTextAccess=no
TCPPort=980
TKTAuthSecret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ValidFrom=aa.bb.cc.dd/255.255.255.255
access=public
status=enabled
where aa.bb.cc.dd is the static IP of my office computer.
-
Did you enter that IP in the server manager Remote Access panel, in Remote Management section?
Yes of course I did. I believe, but am not sure, that it worked some months (!) ago. If I delete that entry in Remote Management section the line ValidFrom... disappears.
The IP must be a publicly accessible/identifiable IP (not a LAN IP), i.e. an Internet address
Yes it is. `iptables -L` on SME server gave me even the DNS name of my office computer, not only the IP. At work, we have an official class B network.
Do I need to open port 980 (iptables) on my office computer? In my opinion - no. For outgoing traffic nothing is blocked.
-
Do I need to open port 980 (iptables) on my office computer? In my opinion - no. For outgoing traffic nothing is blocked.
I tried it and had no success as expected.
Then I had the idea to look into /var/log/iptables/current and saw: every try from office to home ended up in iptables' chain denylog!
So I tried 1st entering manually (again: aa.bb.cc.dd = office PC)
[root@sme ~]# iptables -A InboundTCP_22934 -s aa.bb.cc.dd -p tcp -m tcp --dport 980 -j ACCEPT
Unfortunately no success. 2nd I deleted that rule and tried another:
[root@sme ~]# iptables -A InboundTCP_22934 -s aa.bb.cc.dd -p tcp -m tcp --sport 980 -j ACCEPT
And ... drumroll please ... it worked!!!
Seems to be a bug: If one enters a host into Remote Management, it should be appended to iptables' rules - but will NOT. Shall I report a bug?
-
Seems to be a bug: If one enters a host into Remote Management, it should be appended to iptables' rules - but will NOT. Shall I report a bug?
Anything which doesn't work correctly should be reported as a bug.
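
Added example (not part of the thread, and not SME Server code): a Python check that compares the ValidFrom entries from `config show httpd-admin` with the ACCEPT rules in `iptables -S` output, reporting entries that have no `--dport` rule for TCPPort and rules that match only on `--sport`. The sample inputs are constructed, 192.0.2.10 stands in for aa.bb.cc.dd, and a comma-separated ValidFrom list is an assumption.

```python
import ipaddress
import shlex

# Constructed `config show httpd-admin` output; 192.0.2.10 stands in for aa.bb.cc.dd.
CONFIG_SHOW = """httpd-admin=service
    TCPPort=980
    ValidFrom=192.0.2.10/255.255.255.255,198.51.100.0/255.255.255.0
    access=public
    status=enabled
"""

# Constructed `iptables -S InboundTCP_22934` output (chain name as in the thread).
IPTABLES_S = """-A InboundTCP_22934 -s 192.0.2.10/32 -p tcp -m tcp --sport 980 -j ACCEPT
-A InboundTCP_22934 -s 198.51.100.0/24 -p tcp -m tcp --dport 980 -j ACCEPT
"""

def parse_config(text):
    """Properties of one `config show` record as a dict (first line is the key)."""
    pairs = (line.strip().partition("=") for line in text.splitlines()[1:])
    return {key: value for key, _, value in pairs if key}

def parse_rules(text):
    """Each `-A chain opt value ...` line as a dict; assumes plain opt/value pairs."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        tokens = shlex.split(line)
        rules.append(dict(zip(tokens[2::2], tokens[3::2])))
    return rules

def audit(config_text, rules_text):
    """Return (finding, network) tuples for ValidFrom entries and ACCEPT rules."""
    props = parse_config(config_text)
    port = props["TCPPort"]
    accepts = [r for r in parse_rules(rules_text) if r.get("-j") == "ACCEPT"]
    findings = []
    for entry in filter(None, props.get("ValidFrom", "").split(",")):
        net = ipaddress.ip_network(entry.strip(), strict=False)
        covered = any(
            r.get("--dport") == port
            and net.subnet_of(ipaddress.ip_network(r.get("-s", "0.0.0.0/0"), strict=False))
            for r in accepts)
        if not covered:
            findings.append(("no-dport-accept", str(net)))
    for r in accepts:
        # A rule keyed only on the remote source port does not pin the local service port.
        if "--sport" in r and "--dport" not in r:
            findings.append(("sport-only-accept", r.get("-s", "0.0.0.0/0")))
    return findings
```

Calling `audit(CONFIG_SHOW, IPTABLES_S)` on the constructed samples reports the host whose only rule matches on source port; on a live server the two inputs would be the real command outputs.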