Author Topic: Help with making webserver on a third interface (DMZ) visible to internet.

zimbodel

  • Zen Apprentice
  • *
  • Posts: 21
  • Karma: +0/-0
I have a raq550 with Strongbolt and bluequartz on a separate interface from my lan as webserver.
My firewall is working great and both lan and a browser on the machine with the webserver can browse the internet through Zentyal firewall.
I forwarded port 80 on the firewall to the webserver address, but the webserver is not visible from the internet.
The webserver works perfectly on its network in front of the firewall, but I have no clue what the problem can be as my default gateway of the webserver is set to the zentyal internal interface ip connected to the webserver.

Any ideas what I can look at?

Or, if there is somewhere a complete example with zentyal set up as a firewall for a lan and DMZ on two different network cards with two different networks, I will appreciate it.

Thanks.



christian

  • Guest
You have to investigate a bit more but it may happen that your issue is not with network (firewall, default route etc...) but with HTTP.
Be sure that your request reaches your web server (have a look at log files). In such a case, look at reverse proxy based solution if this appears to be your issue.
It has already been discussed a bit in this forum.

zimbodel

  • Zen Apprentice
  • *
  • Posts: 21
  • Karma: +0/-0
I already did that, and monitored ip traffic with snort.
Zentyal forwards port 80 as I could see on the webserver with snort and I could see it responds and sends replies back to zentyal, but obviously zentyal receives and drops the reply. The problem is somewhere with zentyal not accepting the replies.
« Last Edit: October 31, 2011, 01:03:14 pm by zimbodel »

christian

  • Guest
hummm, unless I don't understand, reply should not be sent back to Zentyal but sent back to initial request. Well, obviously through Zentyal acting as firewall.
However, again, this may not work if your internal server exposes URL based on non public domain, reason why reverse proxy might be needed here.

zimbodel

  • Zen Apprentice
  • *
  • Posts: 21
  • Karma: +0/-0
What I meant was that the webserver's gateway address was set to point to the interface ip of the firewall (Zentyal), and I could verify with snort that it was sent to zentyal.
I noticed now that I do get a response from the internet and the url changed to the hostname and domainname of the webserver.
I don't care about exposing the internal hostname (localhost1 localdomain) as it is non routable on the web, so if it can work like that without having to use squid it will be great as it eliminates having to deal with squid config.

But, it does not serve the website page content.
The url is that what my webserver is located at, but the page content is blank.

What is the reason the content is not loading from the internet, but loads on the DMZ?

christian

  • Guest
Because you may need to set up reverse proxy...   :o
I really don't know how to explain this in a different way  ::)
In order to figure this out, try to publish a static page on this server and access it directly from internet.

BTW, the point with reverse proxy is not to expose or hide your internal host name or domain but to make your web site or internal application working when accessed from outside.

zimbodel

  • Zen Apprentice
  • *
  • Posts: 21
  • Karma: +0/-0
Can you give me a few starting pointers where I can read up to install proxy on zentyal.
I guess I can download squid and read the man pages, but I first need to know if zentyal has a proxy server and if it is documented somewhere or an example how to use it for a dmz or third nic.

vshaulsk

  • Zen Samurai
  • ****
  • Posts: 477
  • Karma: +9/-1
Christian,
I am not sure that Zimbodel's problem of not loading a webpage has to do with reverse proxy.

Before you pointed to Nginx.... I tried forwarding port 80 to my xbmc running on my lan.  I was able to load the page and run the web application.  Perhaps because the xbmc is using a very simple webpage that it worked.... I am not sure. 

Zimbodel :
Have you tried to port forward to any other service you might have running on your lan.... (in my case I used XBMC on a Windows 7 pc as my port forwarding test rig)

Now as far as setting up a DMZ.... it is all in the firewall rules which you use.  You have rules of internal clients to zentyal and also rules between client networks. 
To setup your DMZ you will have to create the right set of rules.  Allow the right traffic directly to your DMZ, but control the traffic flowing between lans and access to services directly on zentyal.  I currently have 5 Vlan's running with one of them as external DMZ.  I setup rules which do not allow any connection from the DMZ to any of my other Vlans.... also created rules to not allow access to certain services running on my firewall/zentyal box (samba. ebox administration.....SSH...groupware....etc...)

For reverse proxy I use Nginx... if you look it up on this forum you will see about a 5 page post about it.  There Christian plus someone else explain to me how to use it.  I have it working currently....
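The zone policy vshaulsk describes (port forward into the DMZ, nothing from the DMZ into the other networks or onto the firewall's own services) is easier to reason about as a small model. The following is an added example and not code from the thread or from Zentyal: it applies the DNAT step of a port forward and then evaluates first-match forwarding rules between zones derived from the firewall's interface subnets. All subnets, addresses and the rule list are constructed for illustration.

```python
# Added example (not from the forum thread or Zentyal): a three-zone
# firewall policy model. DNAT (the port forward) is applied first, then
# first-match forwarding rules decide between the resulting zones.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed interface subnets of the firewall; anything else is "internet".
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
}
PUBLIC_IP = "203.0.113.10"                           # constructed WAN address
FIREWALL_ADDRS = {PUBLIC_IP, "192.168.1.1", "192.168.2.1"}  # the box's own IPs
DMZ_WEB = "192.168.2.10"                             # constructed DMZ web server

# Port forward (DNAT): (public dst ip, dst port) -> (internal ip, port)
DNAT: Dict[Tuple[str, int], Tuple[str, int]] = {(PUBLIC_IP, 80): (DMZ_WEB, 80)}

# Forwarding rules, first match wins: (src zone, dst zone, dport or any, action).
# Traffic to the firewall's own services is a separate zone, as in the
# "internal clients to Zentyal" rule set, so it can be restricted per service.
RULES: List[Tuple[str, str, Optional[int], str]] = [
    ("internet", "dmz", 80, "accept"),     # only the forwarded service reaches the DMZ
    ("dmz", "lan", None, "drop"),          # DMZ never initiates into the LAN
    ("dmz", "firewall", 53, "accept"),     # DMZ may use the firewall's DNS ...
    ("dmz", "firewall", None, "drop"),     # ... but nothing else (SSH, Samba, admin UI)
    ("dmz", "internet", None, "accept"),   # outbound, e.g. updates
    ("lan", "internet", None, "accept"),
    ("lan", "dmz", None, "accept"),
    ("lan", "firewall", None, "accept"),
]


def zone_of(ip: str) -> str:
    """Map an address to the zone it belongs to."""
    if ip in FIREWALL_ADDRS:
        return "firewall"
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Tuple[str, int]]:
    """Decide a new connection: returns (action, final destination after DNAT)."""
    dst_ip, dport = DNAT.get((dst_ip, dport), (dst_ip, dport))
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src == src_zone and rule_dst == dst_zone and rule_port in (None, dport):
            return action, (dst_ip, dport)
    return "drop", (dst_ip, dport)   # default deny


if __name__ == "__main__":
    for pkt in [("198.51.100.7", PUBLIC_IP, 80), ("198.51.100.7", PUBLIC_IP, 22),
                (DMZ_WEB, "192.168.1.20", 445), (DMZ_WEB, "192.168.2.1", 22)]:
        print(pkt, "->", evaluate(*pkt))
```

The point the model makes explicit is that a port forward is two things: the DNAT rewrite and a forwarding rule that accepts the rewritten packet into the destination zone. Forwarding into a third interface needs its own accept after the rewrite, which is the part to verify when the same DNAT works toward one internal network and not another.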

christian

  • Guest
I'm not sure either, reason why I suggested to launch simple "flat" page just to be sure that everything works from network standpoint.

zimbodel

  • Zen Apprentice
  • *
  • Posts: 21
  • Karma: +0/-0
« Reply #9 on: November 01, 2011, 01:20:06 am »
Christian,
the page that is not loading is just the bluequartz default placeholder page, vanilla html, it can't get simpler.
All you mention has been achieved. All I need is for the page to load.  That's all and it would be great if I can find the reason why it does this and if I don't have to use a proxy.
You can see the blank yourself at 70.90.83.249.
It looks exactly like this one (I searched for someone running bluequartz that did not have their website configured yet.)
It might change soon when they upload their site, but for now it is the best example. As you can see simple.
"http://www.blue-quartz.co.uk/"

Vshaulsk,
I installed the http proxy, configured it, but when I go to modules I cannot tick the box for http proxy... won't allow it.
I can tick and untick all that was already ticked....weird!
Do you know why it does that? As proxy cannot be activated without starting the daemon.
I made sure after I installed proxy, configured it, I saved it, but still the modules section does not allow me to switch it on. Tickbox is disabled. Bandwidth Monitor.
The last three boxes in particular are completely disabled:
  • Logs
  • File Sharing
  • HTTP Proxy

To both of you:
What may happen is that the webserver responds as the url indicates, but in order to load the html page reverse lookup of localdomain is done for some reason and therefore redirects loading the page to /null.
It is easy to test if I was allowed to use my ip address as domain in bluequartz, but bluequartz doesn't allow it which I find silly!
So I can't test that. I am not sure if what I say above is correct. If so I would need a proxy or some form of masquerade at least to avoid the client on the web to do a dns lookup and redirect to /null.
If not, then I don't need a proxy and something else is amiss.
« Last Edit: November 01, 2011, 01:56:11 am by zimbodel »

zimbodel

  • Zen Apprentice
  • *
  • Posts: 21
  • Karma: +0/-0
« Reply #10 on: November 01, 2011, 03:05:13 am »
I took Christian's advice and configured a webserver on my lan (2nd nic).
I changed the port forward to forward :80 to that server.
It worked perfectly this time and I could load the webpage from the internet AND it was masqueraded !
I then want to see what the effect of squid is, and I completely uninstalled squid. For good measure I rebooted Zentyal.
It came back up and still forwarded the lan website masqueraded !

So squid is not needed (it seems pending the following caveat which might need it)
1) Opening a browser from within zentyal which is the firewall, I can browse both website by entering their ip address in the url.

Now I am bamboozled.
If I can browse both from within Zentyal then why does the port forward work for only lan but not DMZ!!?
Both Lan and DMZ have completely the same rules! (DMZ is only DMZ if port forward is used) and both can be browsed on zentyal, but a port forward works for one but not the other.

Any ideas?

« Last Edit: November 01, 2011, 03:15:56 am by zimbodel »

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
« Reply #11 on: November 01, 2011, 04:31:16 am »
The reply here was

Oops! Google Chrome could not find raq550.localdomain.

I am pretty sure the hostname is not routable.  Taking a step back to explain what a reverse proxy is.  When you type http://www.google.com into the browser and hit enter a series of things happen in the background.
1) www.google.com is an easy to remember name but is not the address of google.  The browser hits DNS to get an IP address for google.
2) The initial handshake packet is sent to the destination.
3) The destination responds back with an ack(nowledgement) signal.
4) A TCP/IP connection is formed.
5) The packet is analysed to figure out what you were asking to see.
6) The packet is sent back to the originating machine.
7) Packets go back and forth until all of the data is delivered.
8) The two machines say goodbye and disconnect

Above is a simplified explanation.  You are getting stuck on step 3.  The packet appears to be coming from your Zentyal server which didn't ask for anything so ignores the packets.
A reverse proxy intercepts the incoming packet and handles the re-writing of the packet to establish a two way communication between the two machines.  Nginx is one such proxy and has been discussed here at some length.  I hope that makes it a little clearer for you.
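The browser error quoted above ("could not find raq550.localdomain") is the visible form of a redirect that names an internal hostname: the backend answers the forwarded request with a Location header pointing at a name that public DNS cannot resolve, so the external client never reaches step 1 again. The following is an added example, not code from the thread or from any of the products mentioned: it parses a constructed HTTP response, flags a redirect to a host an internet client cannot resolve, and applies the Location rewrite a reverse proxy performs on the way out (nginx does this with its proxy_redirect directive; the rewrite here is a stand-alone reimplementation). The public hostname www.example.com and the suffix list are assumptions for the example.

```python
# Added example (not from the forum thread): detect a redirect to an internal
# hostname and rewrite it the way a reverse proxy would before the response
# leaves the network. Sample response and host names are constructed.
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Suffixes public DNS will never resolve for an internet client. This is an
# assumed, illustrative list, not an authoritative registry.
NON_PUBLIC_SUFFIXES = (".localdomain", ".local", ".lan", ".internal", ".home")

REDIRECT_CODES = {301, 302, 303, 307, 308}


def host_is_publicly_resolvable(host: str) -> bool:
    """Heuristic: private/reserved IPs, bare single-label names and reserved
    suffixes are unreachable for a browser on the internet."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        pass
    if "." not in host:          # bare hostname such as 'raq550'
        return False
    return not host.endswith(NON_PUBLIC_SUFFIXES)


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Parse the status line and headers of an HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def diagnose_redirect(raw: bytes) -> Optional[str]:
    """Describe the problem if the response redirects an external client to a
    host it cannot resolve; None when the response is fine."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    host = urlsplit(headers["location"]).hostname or ""
    if host_is_publicly_resolvable(host):
        return None
    return f"redirect to non-public host {host!r}: external browsers will fail DNS"


def rewrite_location(raw: bytes, internal_host: str, public_host: str) -> bytes:
    """Replace internal_host with public_host in Location headers, keeping
    scheme, port, path and query; everything else is passed through."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    out = []
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"location:"):
            url = line.split(b":", 1)[1].strip().decode("iso-8859-1")
            parts = urlsplit(url)
            if (parts.hostname or "").lower() == internal_host.lower():
                netloc = public_host + (f":{parts.port}" if parts.port else "")
                url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
            line = b"Location: " + url.encode("iso-8859-1")
        out.append(line)
    return b"\r\n".join(out) + sep + body


# Constructed sample: what a backend might answer to a forwarded request.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://raq550.localdomain/login/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(diagnose_redirect(SAMPLE_RESPONSE))
    fixed = rewrite_location(SAMPLE_RESPONSE, "raq550.localdomain", "www.example.com")
    print(fixed.decode("iso-8859-1"))
    print(diagnose_redirect(fixed))
```

Running the block on the constructed response reports the non-public host, and after the rewrite the same check passes. The check is a quick way to tell a network problem (no response at all) from an HTTP one (a response arrives but sends the client somewhere it cannot go), which is the distinction the thread keeps circling.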


christian

  • Guest
« Reply #12 on: November 01, 2011, 07:09:39 am »
he he there is really a mix of concept in all directions  ;D and, Zimbodel, you have the answer in your explanation:
Quote:
What may happen is that the webserver responds as the url indicates, but in order to load the html page reverse lookup of localdomain is done for some reason and therefore redirects loading the page to /null.
It is easy to test if I was allowed to use my ip address as domain in bluequartz, but bluequartz doesn't allow it which I find silly!
So I can't test that. I am not sure if what I say above is correct. If so I would need a proxy or some form of masquerade at least to avoid the client on the web to do a dns lookup and redirect to /null.
If not, then I don't need a proxy and something else is amiss.

Second point I would like to add: we do not discuss about need for proxy (I mean the Zentyal one) but need for reverse proxy.
Look at half_life's explanation, then come back to post #4 where I told you that ability to resolve internal domain might be required. Port forwarding is only one part of the set up.

zimbodel

  • Zen Apprentice
  • *
  • Posts: 21
  • Karma: +0/-0
« Reply #13 on: November 01, 2011, 01:04:42 pm »
What I don't understand is why the webserver works on Lan but not DMZ.
On lan it loads pages, does not need proxy or reverse proxy and masquerades the ip all perfect.
There seems to be something different with zentyal as soon as you add a third interface.
All internal interfaces should be handled the same until you make changes to differentiate them.

Clearly the example of successfully deploying a webserver on lan but failing on dmz proves that neither squid nor anything extra is needed, but that there is a problem with the third interface in the default rules in zentyal.

« Last Edit: November 01, 2011, 04:29:51 pm by zimbodel »

christian

  • Guest
« Reply #14 on: November 01, 2011, 01:17:56 pm »
1 - How are your interfaces defined on Zentyal box (I mean all of them)?
2 - Could you please clarify this "reverse lookup" stuff and explain network configuration on your Strongbolt server (especially what is the DNS used there)?