Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: zimbodel on October 31, 2011, 01:34:16 am

Title: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on October 31, 2011, 01:34:16 am
I have a raq550 with Strongbolt and Bluequartz on a separate interface from my lan as webserver.
My firewall is working great and both lan and a browser on the machine with the webserver can browse the internet through Zentyal firewall.
I forwarded port 80 on the firewall to the webserver address, but the webserver is not visible from the internet.
The webserver works perfectly on its network in front of the firewall, but I have no clue what the problem can be as my default gateway of the webserver is set to the zentyal internal interface ip connected to the webserver.

Any ideas what I can look at?

Or, if there is somewhere a complete example with zentyal set up as a firewall for a lan and DMZ on two different network cards with two different networks, I will appreciate it.

Thanks.


Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: christian on October 31, 2011, 07:36:14 am
You have to investigate a bit more but it may happen that your issue is not with network (firewall, default route etc...) but with HTTP.
Be sure that your request reaches your web server (have a look at log files). In such a case, look at reverse proxy based solution if this appears to be your issue.
It has already been discussed a bit in this forum.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on October 31, 2011, 12:58:09 pm
I already did that, and monitored ip traffic with snort.
Zentyal forwards port 80 as I could see on the webserver with snort and I could see it responds and sends replies back to zentyal, but obviously zentyal receives and drops the reply. The problem is somewhere with zentyal not accepting the replies.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: christian on October 31, 2011, 01:54:39 pm
hummm, unless I don't understand, reply should not be sent back to Zentyal but sent back to initial request. Well, obviously through Zentyal acting as firewall.
However, again, this may not work if your internal server exposes URL based on non public domain, reason why reverse proxy might be needed here.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on October 31, 2011, 06:29:15 pm
What I meant was that the webserver's gateway address was set to point to the interface ip of the firewall (Zentyal), and I could verify with snort that it was sent to zentyal.
I noticed now that I do get a response from the internet and the url changed to the hostname and domainname of the webserver.
I don't care about exposing the internal hostname (localhost1 localdomain) as it is non routable on the web, so if it can work like that without having to use squid it will be great as it eliminates having to deal with squid config.

But, it does not serve the website page content.
The url is that what my webserver is located at, but the page content is blank.

What is the reason the content is not loading from the internet, but loads on the DMZ?
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: christian on October 31, 2011, 07:23:37 pm
Because you may need to set up reverse proxy...   :o
I really don't know how to explain this in a different way  ::)
In order to figure this out, try to publish a static page on this server and access it directly from internet.

BTW, the point with reverse proxy is not to expose or hide your internal host name or domain but to make your web site or internal application working when accessed from outside.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on October 31, 2011, 08:43:40 pm
Can you give me a few starting pointers where I can read up to install proxy on zentyal?
I guess I can download squid and read the man pages, but I first need to know if zentyal has a proxy server and if it is documented somewhere or an example how to use it for a dmz or third nic.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: vshaulsk on October 31, 2011, 09:19:41 pm
Christian,
I am not sure that Zimbodel's problem of not loading a webpage has to do with reverse proxy.

Before you pointed to Nginx.... I tried forwarding port 80 to my xbmc running on my lan.  I was able to load the page and run the web application.  Perhaps because the xbmc is using a very simple webpage that it worked.... I am not sure. 

Zimbodel :
Have you tried to port forward to any other service you might have running on your lan.... (in my case I used XBMC on a Windows 7 PC as my port forwarding test rig)

Now as far as setting up a DMZ.... it is all in the firewall rules which you use.  You have rules of internal clients to zentyal and also rules between client networks.
To set up your DMZ you will have to create the right set of rules.  Allow the right traffic directly to your DMZ, but control the traffic flowing between lans and access to services directly on zentyal.  I currently have 5 VLANs running with one of them as external DMZ.  I set up rules which do not allow any connection from the DMZ to any of my other VLANs.... also created rules to not allow access to certain services running on my firewall/zentyal box (samba, ebox administration, SSH, groupware, etc...)

For reverse proxy I use Nginx... if you look it up on this forum you will see about a 5 page post about it.  There Christian plus someone else explain to me how to use it.  I have it working currently....
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: christian on October 31, 2011, 09:22:54 pm
I'm not sure either, which is why I suggested launching a simple "flat" page just to be sure that everything works from a network standpoint.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on November 01, 2011, 01:20:06 am
Christian,
the page that is not loading is just the bluequartz default placeholder page, vanilla html, it can't get simpler.
All you mention has been achieved. All I need is for the page to load.  That's all and it would be great if I can find the reason why it does this and if I don't have to use a proxy.
You can see the blank yourself at 70.90.83.249.
It looks exactly like this one (I searched for someone running bluequartz that did not have their website configured yet.)
It might change soon when they upload their site, but for now it is the best example. As you can see, simple.
"http://www.blue-quartz.co.uk/"

Vshaulk.
I installed the http proxy, configured it, but when I go to modules I cannot tick the box for http proxy... won't allow it.
I can tick and untick all that was already ticked.... weird!
Do you know why it does that? As proxy cannot be activated without starting the daemon.
I made sure after I installed proxy, configured it, I saved it, but still the modules section does not allow me to switch it on. Tickbox is disabled.
Bandwidth Monitor
The last three boxes in particular are completely disabled:
Logs
File Sharing
HTTP Proxy

To both of you:
What may happen is that the webserver responds as the url indicates, but in order to load the html page a reverse lookup of localdomain is done for some reason and therefore redirects loading the page to /null.
It is easy to test if I was allowed to use my ip address as domain in bluequartz, but bluequartz doesn't allow it which I find silly!
So I can't test that. I am not sure if what I say above is correct. If so I would need a proxy or some form of masquerade at least to avoid the client on the web doing a dns lookup and redirecting to /null.
If not, then I don't need a proxy and something else is amiss.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on November 01, 2011, 03:05:13 am
I took Christian's advice and configured a webserver on my lan (2nd nic).
I changed the port forward to forward :80 to that server.
It worked perfectly this time and I could load the webpage from the internet AND it was masqueraded !
I then wanted to see what the effect of squid is, so I completely uninstalled squid. For good measure I rebooted Zentyal.
It came back up and still forwarded the lan website masqueraded !

So squid is not needed (it seems, pending the following caveat which might need it):
1) Opening a browser from within zentyal which is the firewall, I can browse both websites by entering their ip address in the url.

Now I am bamboozled.
If I can browse both from within Zentyal then why does the port forward work for only lan but not DMZ!!?
Both lan and DMZ have completely the same rules! (DMZ is only DMZ if port forward is used) and both can be browsed on zentyal, but a port forward works for one but not the other.

Any ideas?
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: half_life on November 01, 2011, 04:31:16 am
The reply here was

Oops! Google Chrome could not find raq550.localdomain.

I am pretty sure the hostname is not routable.  Taking a step back to explain what a reverse proxy is.  When you type http://www.google.com in to the browser and hit enter a series of things happen in the background.
1) www.google.com is an easy to remember name but is not the address of google.  The browser hits DNS to get an IP address for google.
2) The initial handshake packet is sent to the destination.
3) The destination responds back with an ack(nowledgement) signal.
4) A TCP/IP connection is formed.
5) The packet is analysed to figure out what you were asking to see.
6) The packet is sent back to the originating machine.
7) Packets go back and forth until all of the data is delivered.
8) The two machines say goodbye and disconnect.

Above is a simplified explanation.  You are getting stuck on step 3.  The packet appears to be coming from your Zentyal server which didn't ask for anything so ignores the packets.
A reverse proxy intercepts the incoming packet and handles the re-writing of the packet to establish a two way communication between the two machines.  Nginx is one such proxy and has been discussed here at some length.  I hope that makes it a little clearer for you.
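half_life's reply pins the blank page on the server answering with a name the outside client cannot resolve (raq550.localdomain). The following added example, not code from this thread, checks a captured HTTP response for exactly that failure mode: a redirect, or an absolute link in the returned HTML, pointing at a host that is private or only resolvable on the local network. The sample responses are constructed and the public host name is a placeholder.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Name suffixes that only resolve on a local network (constructed list for this check).
INTERNAL_SUFFIXES = (".localdomain", ".local", ".lan", ".internal", ".localhost", ".home")
# Absolute URLs inside href/src/action attributes of the returned HTML.
ABS_URL_RE = re.compile(r'(?:href|src|action)\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def is_internal_host(host):
    """True when a client on the internet could not reach this hostname or IP."""
    host = host.strip("[]").lower()
    try:
        return not ipaddress.ip_address(host).is_global  # RFC1918, loopback, link-local
    except ValueError:
        pass  # not an IP literal, so judge the name itself
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return True
    return "." not in host  # single-label names only resolve via a local search domain

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body

def check_published_response(raw, public_host):
    """List every way the response sends the client to a host it cannot resolve ([] = fine)."""
    status, headers, body = parse_response(raw)
    findings = []
    if 300 <= status < 400 and "location" in headers:
        target = urlsplit(headers["location"]).hostname
        if target and target != public_host and is_internal_host(target):
            findings.append(f"{status} redirect to internal host {target}")
    for url in ABS_URL_RE.findall(body):
        target = urlsplit(url).hostname
        if target and target != public_host and is_internal_host(target):
            findings.append(f"page references internal host {target}")
    return findings

# Constructed samples: a server that only knows its internal name, and a healthy one.
SAMPLE_REDIRECT = ("HTTP/1.1 302 Found\r\nServer: Apache\r\n"
                   "Location: http://raq550.localdomain/\r\nContent-Length: 0\r\n\r\n")
SAMPLE_OK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             '<html><body><a href="/about">About</a></body></html>')

if __name__ == "__main__":
    for raw in (SAMPLE_REDIRECT, SAMPLE_OK):
        print(check_published_response(raw, "www.example.com") or "loads fine from outside")
```

Capture the raw response with any client that prints headers (for example a browser's network panel) and feed it in; a non-empty result is the case where a reverse proxy that rewrites the redirect, or a server configured with its public name, is required.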

Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: christian on November 01, 2011, 07:09:39 am
he he there is really a mix of concepts in all directions  ;D and, Zimbodel, you have the answer in your explanation:
Quote
What may happen is that the webserver responds as the url indicates, but in order to load the html page a reverse lookup of localdomain is done for some reason and therefore redirects loading the page to /null.
It is easy to test if I was allowed to use my ip address as domain in bluequartz, but bluequartz doesn't allow it which I find silly!
So I can't test that. I am not sure if what I say above is correct. If so I would need a proxy or some form of masquerade at least to avoid the client on the web doing a dns lookup and redirecting to /null.
If not, then I don't need a proxy and something else is amiss.

Second point I would like to add: we are not discussing the need for a proxy (I mean the Zentyal one) but the need for a reverse proxy.
Look at half_life's explanation, then come back to post #4 where I told you that the ability to resolve the internal domain might be required. Port forwarding is only one part of the set up.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on November 01, 2011, 01:04:42 pm
What I don't understand is why the webserver works on lan but not DMZ.
On lan it loads pages, does not need proxy or reverse proxy and masquerades the ip, all perfect.
There seems to be something different with zentyal as soon as you add a third interface.
All internal interfaces should be handled the same until you make changes to differentiate them.

Clearly the example of successfully deploying a webserver on lan that fails on dmz proves that neither squid nor anything extra is needed, but that there is a problem with the third interface in the default rules in zentyal.

Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: christian on November 01, 2011, 01:17:56 pm
1 - How are your interfaces defined on Zentyal box (I mean all of them)?
2 - Could you please clarify this "reverse lookup" stuff and explain network configuration on your Strongbolt server (especially what is the DNS used there)?
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on November 01, 2011, 04:26:45 pm
Ok I will write it up and post it.
But, it is clear to me that there is one of two problems.
1) a DNS issue on Strongbolt/bluequartz, although I doubt it as zentyal doesn't masquerade the webserver on DMZ but does on LAN; clearly the same DNS error cannot give those two different results.
2) The default iptables on zentyal is different for the two internal nics, creating the discrepancy.

Iptables is a pain and errors are easy to make, I won't be surprised if that is the case and it sure looks like it, but it will be nice if it is just a simple DNS error.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: christian on November 01, 2011, 04:44:07 pm
Before thinking that Zentyal generates some erroneous iptables, tell us more about your settings.

e.g. if the third interface is described as external, then your behaviour can be somewhat strange, if you see what I mean  ;)
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on November 01, 2011, 06:33:02 pm
The ip addresses are bogus but the originals were batch replaced so there won't be any errors.

removed as it is not needed anymore.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on November 02, 2011, 04:13:30 am
BTW, there seems to be a bug in the Zentyal interface.
If I go to Zentyal Software Management, then Components and select View-Basic-Mode, and then highlight Proxy for installation, it clearly installs Users and Groups rather than proxy !!
That is why I couldn't activate proxy in the checkbox to start it as I reported earlier.
I repeated it twice here and it still does it.

See for yourself.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on November 04, 2011, 01:09:08 am
To add further:
If you don't use basic mode, then and only then will Squid install.
Clearly a bug, but not serious at all as it is only interface related.

Another question.
Since I have squid installed, where is the reverse proxy? I cannot find it in the squid setup as suggested.
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: christian on November 04, 2011, 06:49:42 am
Sorry if I was not clear enough with my previous statements.
From technical standpoint, reverse proxy might be required in order to access internal (or on DMZ) web servers.  This doesn't mean however (and unfortunately) that it can be achieved using Zentyal "out-of-the-box".

Reverse proxy service doesn't exist with Zentyal. You will have to configure it manually. For this you have multiple choices:
- using Apache
http://httpd.apache.org/docs/1.3/mod/mod_proxy.html#forwardreverse
- adding another component like Nginx
http://tumblr.intranation.com/post/766288369/using-nginx-reverse-proxy
http://www.cyberciti.biz/faq/rhel-linux-install-nginx-as-reverse-proxy-load-balancer/
- configuring Squid
http://wiki.squid-cache.org/SquidFaq/ReverseProxy

This has been discussed in some other posts:
http://forum.zentyal.org/index.php/topic,8452.msg35025.html#msg35025
http://forum.zentyal.org/index.php/topic,8227.0.html
Title: Re: Help with making webserver on a third interface (DMZ) visible to internet.
Post by: zimbodel on November 04, 2011, 07:03:33 pm
I decided to drop Bluequartz/Strongbolt as there is no service or support from either, even though I bought and paid for service.
As I can use a standard linux server with domainname as ip address on the DMZ and do not need reverse proxy in that case it is the way to go.
I will keep zentyal as firewall.
I agree that the inability of Strongbolt/bluequartz to use ip as domainname will require reverse proxy, but only in that case, as I proved for myself that a webserver works perfectly on DMZ without proxy if the domainname is the ip address and could browse it.

Thanks for all the help it is appreciated.
I will delete the network details post thanks.