Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: pj on December 12, 2009, 10:34:06 pm

Title: Locked out of Administration
Post by: pj on December 12, 2009, 10:34:06 pm
Hello,

could anyone please help here?

I wanted to change the admin port of eBox to allow for later use of the port by other web pages. I added a new https service port at 443 for secure http, added a new admin port at 7443 under the eBox Administration Service (I did not remove the original 443 port, thinking that if it didn't work, it would still connect with 443...oh well), and changed the port under Services ->General to 7433. Added the new https service to allow external connections in the firewall, and added the port to the external router, and saved changes. Hum.

I do have ssh, so I can alter the config files as necessary.

There are no other secure pages set up as yet. Firefox gives an "Unable to connect" page for https://www.website.com:7443/ebox, and https://www.website.com/ebox.

What have I missed? ???

Kind regards



Title: Re: Locked out of Administration
Post by: J. A. Calvo on December 12, 2009, 11:15:00 pm
You don't have to add a new service in order to change the port. Anyway, if you can't access now, you can try to execute "dpkg-reconfigure ebox", it should ask you for the administration port.
Title: Re: Locked out of Administration
Post by: pj on December 13, 2009, 11:13:44 am
Thanks for the prompt answer. Did that in the eBox Admin platform beforehand, and now your suggestion in a terminal, but no difference I'm afraid. Still get: https://www.website.com:7443/ebox - "Unable to connect".

I have tried changing the port back to 443 with dpkg-reconfigure ebox - also no connection. At a loss here... any further help appreciated! I hadn't made any more changes than those in my original post.

Kind regards
Title: Re: Locked out of Administration
Post by: pj on December 13, 2009, 07:19:39 pm
Forgot to add that when configuring ebox, it shows "It seems that the port you have selected is already being used. You can continue anyway or enter a new port." on changing the port to 7443.

Does this help?
Title: Re: Locked out of Administration
Post by: pj on December 13, 2009, 07:44:27 pm
Also, I tried changing to another unused port - didn't work either. I also stopped the firewall just in case that was the problem. Didn't make any difference.
Title: Re: Locked out of Administration
Post by: Javier Amor Garcia on December 14, 2009, 05:33:24 pm
Maybe your ebox apache is down.

Try this to restart it:
/etc/init.d/ebox apache restart

Then you could try again. Anyway, to see if it is up and on what port it listens, you can use this command:

netstat -tlnp | grep apache2

(If you have the webmail or the user corner modules enabled, there will be additional instances used by those modules)
Title: Re: Locked out of Administration
Post by: pj on December 14, 2009, 08:53:42 pm
Hello Javier,

no, the server was up - I could always get port 80 "It works". I can still log in to SquirrelMail, but it uses non-secure IMAP.

The netstat shows:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      19356/apache2   
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      20551/apache2   
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      23226/apache2

8443 is the port for ebox...
I don't remember putting in port 8888... I do not have that port open on the router.
Where has port 443 gone?

Any ideas please?

Kind regards
Title: Re: Locked out of Administration
Post by: Javier Amor Garcia on December 15, 2009, 10:00:33 am
8888 is the default port for ebox-usercorner.

Another thing we could try is to use a text-based browser with HTTPS support (like links) from inside eBox to try to connect to the administrative interface at https://127.0.0.1:8433. If it works, we will know that it is a problem with outside connections and not with apache itself.
Title: Re: Locked out of Administration
Post by: pj on December 15, 2009, 09:08:57 pm
Hello Javier

(port id 8443)

in eBox:

wget https://127.0.0.1:8443
--20:46:44--  https://127.0.0.1:8443/
           => `index.html'
Connecting to 127.0.0.1:8443... connected.
ERROR: Certificate verification error for 127.0.0.1: self signed certificate
ERROR: certificate common name `eBox Server' doesn't match requested host name `127.0.0.1'.
To connect to 127.0.0.1 insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

I can also get to the port from another computer on the same LAN 192.168.0.1:8443 - shows certificate problem, but connects.

Checked the router configuration for the umpteenth time (probably 8  :)), and the port 8443 as well as 7443 is open.

I do not understand where the problem could be. Is it possible that the eBox firewall is stopping the connection?

Kind regards


Title: Re: Locked out of Administration
Post by: jjm1982 on December 16, 2009, 09:21:12 pm
The firewall may be stopping the connection. Try running "/etc/init.d/ebox firewall stop" and attempt to connect again.
Title: Re: Locked out of Administration
Post by: pj on December 16, 2009, 11:36:28 pm
Oh dear jjm1982 (how are you doing? :)), not doing well here :(, but thanks for the post. I am coming round to the thought that it might just be a bug.

Stopping the firewall does not help. Still no connection from the outside world. A right to-do!

I have a feeling it is something to do with me not removing port 443 from the ebox admin service. Perhaps it doesn't like having 2 ports. I do not understand why the netstat doesn't show port 443 as well. I added a https service with that port, as in my first post. Where would one check that, do you know please?

Kind regards
Title: Re: Locked out of Administration
Post by: jjm1982 on December 17, 2009, 11:55:01 am
You could try unconfiguring the modules; there's a script in the "/usr/share/ebox" directory called "ebox-unconfigure-module". I've used it to unconfigure samba a number of times... long story.

If you issue the command:
sudo /usr/share/ebox/ebox-unconfigure-module {module-name}

I'm not quite sure what the module would be; I believe it's the apache module. Javier may be able to provide the correct one. I would hate to see you have to start from scratch.
Title: Re: Locked out of Administration
Post by: Javier Amor Garcia on December 17, 2009, 05:36:07 pm
I will unconfigure the apache module so it could listen again in 443.
Maybe you also need to unconfigure the firewall and services modules, but first try to unconfigure only the apache module.
Title: Re: Locked out of Administration
Post by: pj on December 17, 2009, 07:17:57 pm
Thanks to you both.

I have issued the command sudo /usr/share/ebox/ebox-unconfigure-module apache. It just returns to the prompt.

Do you know which scripts I could edit to add port 443 to apache2? I tried out "listen 80, 443" (don't know if the syntax was correct) a week ago, but it made no difference. I also added 443 to the ports.conf file - no change either. I removed both these alterations afterwards.

Kind regards
Title: Re: Locked out of Administration
Post by: jjm1982 on December 17, 2009, 07:58:47 pm
You could try updating the apache2.conf file in "/etc/apache2" directory and then restarting apache.

I'm not sure where else you can go from here.
Title: Re: Locked out of Administration
Post by: pj on December 17, 2009, 09:59:51 pm
Thanks jjm. OK - added:

Listen 443
Listen 8443 to ports.conf

Restarted apache - no difference over WAN.

Stopped the firewall - no difference over WAN.

However, I now have:

wget https://127.0.0.1:8433
--21:42:41--  https://127.0.0.1:8433/
           => `index.html'
Connecting to 127.0.0.1:8443... failed: Connection refused.

(same for 443)

???

So, something has changed. The only thing I can think of is running the unconfigure module line (I took out the extra port lines just in case, but that made no difference).

It would then appear to be an internal problem. 


Another thing we could try is to use a text based browser with HTTPS support (like links) from inside eBox to try to connect to the administrative interface in https://127.0.0.1:8433. If it works we will know that is a problem with outside connections and not with apache itself..

Do you think it is apache Javier?

Kind regards
Title: Re: Locked out of Administration
Post by: Javier Amor Garcia on December 18, 2009, 02:15:20 pm
The wget output looks as if either apache isn't running, doesn't listen on the port, or there is a firewall in between. Since it is 127.0.0.1, we can discard this last option.

Have you tried to execute '/etc/init.d/ebox apache restart' after unconfiguring the apache module?
Title: Re: Locked out of Administration
Post by: pj on December 18, 2009, 11:29:19 pm
Hello Javier,

yes, restarted apache - no difference. The web server is working OK - http over WAN works with port 80, http://www.website.com:5222/ for Jabber returns a page over WAN. 5222 is not in ports.conf. Added 8080, 8443 and 443 into ports.conf. Re-started Apache:

Here is the latest:

wget http://127.0.0.1
--23:05:43--  http://127.0.0.1/
           => `index.html'
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45 [text/html]

100%[=================================================================================>] 45            --.--K/s             

23:05:43 (5.36 MB/s) - `index.html' saved [45/45]


wget http://127.0.0.1:8080
--23:05:55--  http://127.0.0.1:8080/
           => `index.html.1'
Connecting to 127.0.0.1:8080... failed: Connection refused.


wget http://127.0.0.1:8443
--23:06:13--  http://127.0.0.1:8443/
           => `index.html.1'
Connecting to 127.0.0.1:8443... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified

    [ <=>                                                                              ] 450           --.--K/s             

23:06:13 (43.41 MB/s) - `index.html.1' saved [450]


wget https://127.0.0.1:8443
--23:06:28--  https://127.0.0.1:8443/
           => `index.html.2'
Connecting to 127.0.0.1:8443... connected.
ERROR: Certificate verification error for 127.0.0.1: self signed certificate
ERROR: certificate common name `eBox Server' doesn't match requested host name `127.0.0.1'.
To connect to 127.0.0.1 insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.


wget http://127.0.0.1:443
--23:24:28--  http://127.0.0.1:443/
           => `index.html.4'
Connecting to 127.0.0.1:443... failed: Connection refused.


wget https://127.0.0.1:443
--23:06:45--  https://127.0.0.1/
           => `index.html.2'
Connecting to 127.0.0.1:443... failed: Connection refused.


HTTP and HTTPS over port 8443 return a page over the LAN now, ??? Over WAN, still can't connect.

It should connect over 8080 though, without problem. Stopping the firewall makes no difference.

Include ports.conf is in the apache2.conf file, but it seems to me that apache is not listening or only partly listening.

Which files were changed by me adding a new service https on port 443?
Do you think that re-installing Apache will make a difference perhaps?

Kind regards
Title: Re: Locked out of Administration
Post by: pj on December 23, 2009, 01:13:48 pm
Hello,

not heard from you for a while.

the latest is:

sudo /etc/init.d/ebox apache stop
 * Stopping eBox module: apache                                                                                       [ OK ]

sudo /etc/init.d/ebox apache start
 * Restarting eBox module: apache                                        [ OK ]

sudo netstat -tlnp | grep apache2
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      9637/apache2   
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      29683/apache2

Apache has stopped listening on port 80!!! Haven't made any changes since the last post whatsoever.

ports.conf reads:

Listen 80
Listen 8080
Listen 443
Listen 8443

At a loss here...

Merry Christmas!
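
Added example, not written by anyone in the thread: a small shell check that compares the `Listen` directives in ports.conf with the TCP sockets that `netstat -tlnp` attributes to apache2, run here on the values posted above. The function names are made up for this example.

```shell
#!/bin/sh
# Constructed inputs: the ports.conf lines and netstat output posted above.
PORTS_CONF='Listen 80
Listen 8080
Listen 443
Listen 8443'
NETSTAT_OUT='tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      9637/apache2
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      29683/apache2'

# configured_ports: stdin is ports.conf text; prints the port of every active
# Listen directive. Handles "Listen 443", "Listen 1.2.3.4:443",
# "Listen [::]:443 https"; commented-out lines do not match.
configured_ports() {
  awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' | sort -un
}

# listening_ports PROG: stdin is `netstat -tlnp` output; prints the TCP ports
# in LISTEN state whose PID/program column ends in "/PROG".
listening_ports() {
  awk -v prog="$1" '$6 == "LISTEN" && $7 ~ ("/" prog "$") {
    n = split($4, a, ":"); print a[n] }' | sort -un
}

# port_diff CONF_TEXT NETSTAT_TEXT PROG: one line per mismatch.
#   not-listening N      -> Listen N is configured but PROG has no socket on N
#   not-in-ports.conf N  -> PROG listens on N but the file does not name it
port_diff() {
  conf=$(printf '%s\n' "$1" | configured_ports)
  live=$(printf '%s\n' "$2" | listening_ports "$3")
  for p in $conf; do
    printf '%s\n' "$live" | grep -qx "$p" || echo "not-listening $p"
  done
  for p in $live; do
    printf '%s\n' "$conf" | grep -qx "$p" || echo "not-in-ports.conf $p"
  done
}

port_diff "$PORTS_CONF" "$NETSTAT_OUT" apache2
```

On a live host, pass `"$(cat /etc/apache2/ports.conf)"` and `"$(sudo netstat -tlnp)"` instead of the constructed variables; without root, netstat leaves the PID/program column empty and no socket will match.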
Title: Re: Locked out of Administration
Post by: javi on December 23, 2009, 01:17:10 pm
Have you tried connecting to https://<ebox-ip>:8443?
Title: Re: Locked out of Administration
Post by: pj on December 23, 2009, 02:51:24 pm
oh yes! :) Many, many times!  Now http doesn't connect either...
Title: Re: Locked out of Administration
Post by: pj on December 28, 2009, 06:42:57 pm
Hello Javier,

Don't know if you are working over the holiday period - sorry for the trouble!

Do you think it would be better to reinstall apache by apt-get or eBox, or install another web server in its place? I am not in the same place as the server, but contact with ssh has been no problem.

Kind regards
Title: Re: Locked out of Administration
Post by: pj on December 30, 2009, 11:29:34 am
Over 2 weeks now and no admin...

Here is a result of a nmap probe:

Not shown: 990 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
25/tcp   open     smtp
110/tcp  open     pop3
143/tcp  open     imap
2323/tcp open     unknown
5222/tcp open     unknown
5903/tcp filtered vnc-3
5904/tcp filtered unknown
8080/tcp filtered http-proxy

So, what is apache doing?

Could you please tell me whether I could install say nginx as well as apache, and try to take over the serving of the http ports? Even better, remove apache, if we can't find the reason?

Kind regards
Title: Re: Locked out of Administration
Post by: J. A. Calvo on December 30, 2009, 02:56:37 pm
Have you tried the following?

dpkg-reconfigure ebox

Then when it asks you for the eBox HTTPS port, try to enter a different one.
Title: Re: Locked out of Administration
Post by: pj on December 30, 2009, 11:26:48 pm
Hello,
did dpkg-reconfigure ebox again - changed the port back to 443. No difference, but as I wrote, apache has in the meantime refused to accept http requests at port 80 and Squirrelmail too, so it's not surprising really.

I am at a loss.

In the case that you too are at a loss, would you please let me know if I can install another web server by the side of apache without making a mess of eBox, or if I can replace apache with nginx, and if so, could you please let me have any removal code for apache under eBox to do this?

Kind regards and Happy New Year!
Title: Re: Locked out of Administration
Post by: J. A. Calvo on December 31, 2009, 12:33:45 am
I don't see any problem installing another different web server, as long as you configure it in a different unused port.
Title: Re: Locked out of Administration
Post by: pj on January 04, 2010, 06:01:12 pm
Hello,

OK, I am now a little further. The following error is shown by FireFox IF I add Listen 443 to ports.conf (otherwise, just a "cannot connect page"):

Secure Connection Failed

An error occurred during a connection to website.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)
    *   The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
    *   Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Does that help? Presumably apache is doing the same job twice.

Kind regards
Title: Re: Locked out of Administration
Post by: pj on January 12, 2010, 12:26:12 am
Hello

Bump.

Really looking for an answer to this now - it has been a month now. I would like to open 2 ports in the firewall, but cannot as there is no access to the admin. I have looked in the /ebox/80firewall.conf, but there is nowhere to add the ports there.

Is there a file I can edit to add the ports in the ebox firewall please?

Kind regards
Title: Re: Locked out of Administration
Post by: jjm1982 on January 12, 2010, 12:48:53 am
You don't need access to ebox to add access to the firewall. Try this...

sudo iptables -A INPUT -p TCP --dport 443 -j ACCEPT
sudo iptables -A INPUT -p TCP --dport 8443 -j ACCEPT

This will open the ports on the firewall. But when you restart the firewall, these entries will be removed and the original put back in its place.
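
Added note with example, not part of jjm1982's post: `iptables -A` appends to the end of the chain and rules are evaluated in order, so an appended ACCEPT is never reached when an earlier rule already drops the packet, whereas `iptables -I INPUT 1` places the rule first. The sketch below finds the first deciding rule in `iptables -S INPUT`-style output; both rulesets are constructed (not eBox's real rules), `first_match` is a name made up here, and only `-p tcp --dport` matches are understood.

```shell
#!/bin/sh
# Constructed ruleset in `iptables -S INPUT` format (not eBox's real rules).
# The last line is what `iptables -A INPUT -p TCP --dport 443 -j ACCEPT` adds.
RULES_APPENDED='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# The same rule added with `iptables -I INPUT 1 ...` lands first instead.
RULES_INSERTED='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

# first_match PORT: stdin is `iptables -S INPUT` output. Prints
# "<position> <target>" for the first rule that decides a new TCP packet to
# PORT, or "policy <target>" if no rule does.
# Assumptions: rules with matches other than -p/--dport are skipped as
# undecidable; a jump to a user-defined chain is not followed and is reported
# as "<position> <chain>?".
first_match() {
  awk -v port="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      pos++; proto = ""; dport = ""; target = ""; other = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = tolower($(++i))
        else if ($i == "--dport") dport = $(++i)
        else if ($i == "-m" && $(i + 1) == "tcp") i++
        else if ($i == "-j") { target = $(++i); break }
        else other = 1
      }
      if (other || (proto != "" && proto != "tcp")) next
      if (dport != "") {
        n = split(dport, r, ":"); lo = r[1]; hi = (n > 1) ? r[2] : r[1]
        if (port + 0 < lo + 0 || port + 0 > hi + 0) next
      }
      if (target == "" || target == "LOG") next   # non-terminating, keep going
      found = 1
      if (target ~ /^(ACCEPT|DROP|REJECT)$/) print pos, target
      else print pos, target "?"
      exit
    }
    END { if (!found) print "policy", (policy == "" ? "ACCEPT" : policy) }
  '
}

printf 'appended: %s\n' "$(printf '%s\n' "$RULES_APPENDED" | first_match 443)"
printf 'inserted: %s\n' "$(printf '%s\n' "$RULES_INSERTED" | first_match 443)"
```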
Title: Re: Locked out of Administration
Post by: pj on January 12, 2010, 11:24:47 am
Hello jjm!

Thanks very much for your input, but the code hasn't opened the ports. I am not an expert with iptables, but I did think that ebox would anyway overwrite them on re-start. That is why I could do with the admin!

The ports I need to open are to allow external connections into the eBox. Is the iptable code the same for those? It is for tor, so I also need to allow connections coming through those ports to open connections outwards as well.

Hope you can help here!

Kind regards

p.s. nmap shows 8443/tcp open  https-alt, 443/tcp  open  https, but I still get this security certificate error... ???
Title: Re: Locked out of Administration
Post by: jjm1982 on January 12, 2010, 12:11:25 pm
There is a way to add the ports after the firewall restarts. In the directory /etc/ebox/hooks, there is a file "firewall.postservice". You can add the iptables command I provided (without sudo) within the if statement.

You mentioned tor, are you using this as your proxy to connect to the internet? Are you using squid as a proxy as well?
Title: Re: Locked out of Administration
Post by: pj on January 12, 2010, 09:09:56 pm
Hello jjm,

Thanks for the reply. I will try your advice out later for firewall.postservice.

The server will not be used for connecting to the Internet using tor - only as a relay or bridge. At present, I do not use a proxy server. Do you have any advice here too please?

Kind regards
Title: Re: Locked out of Administration
Post by: jjm1982 on January 12, 2010, 09:14:16 pm
I was going down the road that squid may have been conflicting with tor. Have you tried accessing ebox with tor disabled?
Title: Re: Locked out of Administration
Post by: pj on January 12, 2010, 09:19:34 pm
Hello jjmm,

I installed tor today - no chance that this is causing the problem. Doing some research on the ssl problem, it could be that there is another web server trying to answer port 443. I have ruby on rails installed. Nginx was on the machine, but I removed that and purged it too, so it can't be that.

Kind regards
Title: Re: Locked out of Administration
Post by: pj on January 12, 2010, 10:58:14 pm
Hello jjm (sorry for the extra "m" last time!),

I have added your lines (without sudo) to open the two tor ports, restarted the firewall for good measure - no change.... nmap 127.0.0.1 doesn't show them at all.

I even added eth0 and eth1 to check if it was working with the wrong NIC.

 ???

Kind regards


Title: Re: Locked out of Administration
Post by: pj on January 13, 2010, 12:52:55 am
Is it possible that there was something changed/deleted/added on the ssl side (certificate perhaps?), when I changed the port for ebox administration? This would explain the web page error.

How should I delete the existing ssl certificate(s) and make new ones, if this is the case?

Kind regards
Title: Re: Locked out of Administration
Post by: pj on January 21, 2010, 12:44:22 pm
Bump!  :)