Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: erotavlas on June 12, 2019, 04:42:14 pm
-
Hi,
I discovered that starting from Zentyal 4.0, the GUI manager does not provide the Web server feature. I know how to set up an Apache Web server with virtual hosting in order to have more Web sites. Can I change the Apache Web server configuration files without worrying about Zentyal's strange behaviour? I mean, could Zentyal change some configuration files by itself? I'm asking this because I found some particular/strange behaviour of Zentyal compared to a standard Ubuntu server regarding the MySQL configuration.
Thank you
-
Hi!
Zentyal webadmin runs on nginx, so you can configure Apache at your will. (However, take note that SOGo runs on the Apache server and all the Zentyal module configurations use "Stubs". So read this: https://doc.zentyal.org/en/appendix-c.html.)
Cheers!
-
Thank you for the fast reply. I know that Zentyal runs on nginx, but I do not know how to set up virtual hosting by using it. I read your link about stubs. I cannot find anything related to the Web server. I only found nginx.conf.mas, which is the template for Web administration under the core folder:
ls /usr/share/zentyal/stubs
antivirus ca core css ftp ips network openvpn software squid
So can I use virtual hosting with apache without caring about overwriting configuration files?
-
Hi,
I finally managed to restore the Web server configuration (https://wiki.zentyal.org/wiki/Apache_web_server) with virtual hosting from my previous Zentyal 3.4.
My Web server has a static IP address provided by the ISP, and I have an external DNS service that associates that static IP with the corresponding URL. I changed the configuration in the Web interface for the static interface and the gateway, even if not all the changes are reflected in the file /etc/network/interfaces (the gateway is not added, why?).
Now I'm facing the last issue. If I manually change the file /etc/hosts and add a line with the IP and URL, I can reach my Web sites. However, is this the right way, or is it better to install the DNS server on Zentyal and configure it for this purpose as described here: https://www.tecmint.com/install-and-configure-web-services-on-zentyal/?
Thank you
-
Hi!
You can use the public IP and external DNS if you want. You simply have to configure a port forwarding rule in the Zentyal firewall module. So, your public IP and port will be linked to an internal IP and port. If you have only an external interface it should be sufficient.
If you have more than one public interface you have to configure the corresponding SNAT rules in the firewall module.
Cheers!
-
Hi,
Of course, this is what I did. However, it does not work.
The traffic is arriving at the Web server.
sudo tcpdump -n -tttt -i eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
2019-06-28 12:42:21.008986 IP externalIP.54154 > myIP.80: Flags [S], seq 4266973636, win 14000, options [mss 1310,nop,wscale 8,nop,nop,sackOK], length 0
The port for HTTP traffic is open.
nmap myIP
Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-28 12:47 CEST
Nmap scan report for myURL (myIP)
Host is up (0.00011s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
8443/tcp open https-alt
and iptables
sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
premodules all -- anywhere anywhere
DNAT tcp -- anywhere myURL to:myIP
DNAT tcp -- anywhere myURL tcp dpt:http to:myIP
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
postmodules all -- anywhere anywhere
SNAT tcp -- anywhere myURL ctstate DNAT to:myIP
SNAT tcp -- anywhere myURL tcp dpt:http ctstate DNAT to:myIP
Chain postmodules (1 references)
target prot opt source destination
Chain premodules (1 references)
target prot opt source destination
The system can surf the Internet and locally the Web servers work well. What could be the problem?
Thank you
-
:) Hi erotavlas!
Have you configured port forwarding on Zentyal webadmin (it seems bizarre to me that you haven't established any rule for the UDP protocol, for instance) or manually?
nmap shows that ports 80 and 8443 are open but not 443. So, if your web runs on HTTPS it will be unreachable. Could this be the problem?
In order to check if port forwarding is running correctly you should configure tcpdump to listen on the internal network interface, not on the external interface.
What do you see in your browser when you connect to the server? The Apache default page? Nothing?...
How many websites does your Apache serve? Have you configured your virtual hosts correctly?
I look forward to hearing from you!
Cheers!
-
Hi,
Yes, of course. I enabled, under network->services, any source port and destination ports 80 and 443 for HTTP & HTTPS; then, under firewall->packet filter->rules from external networks to Zentyal, Accept from any source for both HTTP & HTTPS. Finally, under firewall->port forwarding, two rules for HTTP and HTTPS (interface->eth0, original destination->Zentyal, protocol->tcp, original destination port->80 and 443, destination IP->myIP, port->same, replace source address->yes).
I did not set up any rule for UDP since Web traffic uses TCP. At the moment the Web sites are using HTTP and virtual hosting. If I connect to the URL (thanks to the /etc/hosts rows) or to localhost, both Web sites work well from the server machine.
Finally, my Zentyal machine has only one interface, eth0.
-
Hi,
I made further tests and I'm sure that the problem is in the firewall. If I disable it, I'm able to browse my Web site with both HTTP and HTTPS, whereas with the firewall enabled I can only connect to the GUI interface and via SSH.
The nmap command executed from the Zentyal server:
sudo nmap -sT -O -Pn myURL
Starting Nmap 7.60 ( https://nmap.org ) at 2019-07-01 10:50 CEST
Nmap scan report for myURL (myIP)
Host is up (0.00011s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
8443/tcp open https-alt
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.8 - 4.9
Network Distance: 0 hops
while the same nmap command executed from a different machine:
sudo nmap -sT -O -Pn myURL
Starting Nmap 7.01 ( https://nmap.org ) at 2019-07-01 10:52 CEST
Nmap scan report for myURL (myIP)
Host is up (0.070s latency).
Not shown: 931 filtered ports, 66 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
8443/tcp open https-alt
Device type: general purpose|WAP|specialized|storage-misc|printer
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (94%), Asus embedded (90%), Crestron 2-Series (89%), HP embedded (89%), Ubiquiti embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel cpe:/h:asus:rt-ac66u cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:2.6.32 cpe:/h:ubnt:airmax_nanostation
Aggressive OS guesses: Linux 3.10 - 3.19 (94%), Linux 3.2 - 4.0 (91%), Linux 3.13 (90%), Asus RT-AC66U WAP (90%), Linux 3.10 (90%), Linux 3.11 - 3.12 (90%), Linux 3.18 (90%), Crestron XPanel control system (89%), HP P2000 G3 NAS device (89%), Linux 2.6.32 (88%)
No exact OS matches for host (test conditions non-ideal).
Finally, the same nmap command executed from a different machine with zentyal firewall disabled:
sudo nmap -sT -O -Pn myURL
Starting Nmap 7.01 ( https://nmap.org ) at 2019-07-01 10:53 CEST
Nmap scan report for myURL (myIP)
Host is up (0.059s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
135/tcp filtered msrpc
443/tcp open https
8443/tcp open https-alt
Aggressive OS guesses: Linux 3.10 - 3.19 (95%), Linux 3.18 (93%), Linux 3.2 - 4.0 (93%), Linux 3.13 (92%), Asus RT-AC66U WAP (92%), Linux 3.10 (92%), Linux 3.11 - 3.12 (92%), HP P2000 G3 NAS device (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (90%), Linux 2.6.18 - 2.6.22 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
So the Web server ports (80, 443) are not open. I configured port forwarding from the Zentyal firewall GUI and it seems quite straightforward. I do not see any error.
sudo iptables -t nat -v -x -n -L
Chain PREROUTING (policy ACCEPT 6911 packets, 417031 bytes)
pkts bytes target prot opt in out source destination
7036 424495 premodules all -- * * 0.0.0.0/0 0.0.0.0/0
29 1740 DNAT tcp -- eth0 * 0.0.0.0/0 myIP tcp dpt:443 to:myIP
96 5724 DNAT tcp -- eth0 * 0.0.0.0/0 myIP tcp dpt:80 to:myIP
Chain INPUT (policy ACCEPT 338 packets, 20208 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1307 packets, 80122 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1307 packets, 80122 bytes)
pkts bytes target prot opt in out source destination
1307 80122 postmodules all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 SNAT tcp -- * * 0.0.0.0/0 myIP tcp dpt:443 ctstate DNAT to:myIP
0 0 SNAT tcp -- * * 0.0.0.0/0 myIP tcp dpt:80 ctstate DNAT to:myIP
Chain postmodules (1 references)
pkts bytes target prot opt in out source destination
Chain premodules (1 references)
pkts bytes target prot opt in out source destination
sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
preinput all -- anywhere anywhere
idrop all -- anywhere anywhere state INVALID
iaccept all -- anywhere anywhere state RELATED,ESTABLISHED
inospoof all -- anywhere anywhere
iexternalmodules all -- anywhere anywhere
iexternal all -- anywhere anywhere
inoexternal all -- anywhere anywhere
imodules all -- anywhere anywhere
iglobal all -- anywhere anywhere
iaccept icmp !f anywhere anywhere icmp echo-request state NEW
iaccept icmp !f anywhere anywhere icmp echo-reply state NEW
iaccept icmp !f anywhere anywhere icmp destination-unreachable state NEW
iaccept icmp !f anywhere anywhere icmp source-quench state NEW
iaccept icmp !f anywhere anywhere icmp time-exceeded state NEW
iaccept icmp !f anywhere anywhere icmp parameter-problem state NEW
idrop all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
preforward all -- anywhere anywhere
fdrop all -- anywhere anywhere state INVALID
faccept all -- anywhere anywhere state RELATED,ESTABLISHED
fnospoof all -- anywhere anywhere
fredirects all -- anywhere anywhere
fmodules all -- anywhere anywhere
ffwdrules all -- anywhere anywhere
fnoexternal all -- anywhere anywhere
fdns all -- anywhere anywhere
fglobal all -- anywhere anywhere
faccept icmp !f anywhere anywhere icmp echo-request state NEW
faccept icmp !f anywhere anywhere icmp echo-reply state NEW
faccept icmp !f anywhere anywhere icmp destination-unreachable state NEW
faccept icmp !f anywhere anywhere icmp source-quench state NEW
faccept icmp !f anywhere anywhere icmp time-exceeded state NEW
faccept icmp !f anywhere anywhere icmp parameter-problem state NEW
fdrop all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
preoutput all -- anywhere anywhere
odrop all -- anywhere anywhere state INVALID
oaccept all -- anywhere anywhere state RELATED,ESTABLISHED
ointernal all -- anywhere anywhere
omodules all -- anywhere anywhere
oglobal all -- anywhere anywhere
oaccept icmp !f anywhere anywhere icmp echo-request state NEW
oaccept icmp !f anywhere anywhere icmp echo-reply state NEW
oaccept icmp !f anywhere anywhere icmp destination-unreachable state NEW
oaccept icmp !f anywhere anywhere icmp source-quench state NEW
oaccept icmp !f anywhere anywhere icmp time-exceeded state NEW
oaccept icmp !f anywhere anywhere icmp parameter-problem state NEW
odrop all -- anywhere anywhere
Chain drop (5 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall drop "
DROP all -- anywhere anywhere
Chain faccept (12 references)
target prot opt source destination
NFQUEUE all -- anywhere anywhere NFQUEUE num 0
ACCEPT all -- anywhere anywhere
Chain fdns (1 references)
target prot opt source destination
faccept udp -- anywhere one.one.one.one state NEW udp dpt:domain
faccept tcp -- anywhere one.one.one.one state NEW tcp dpt:domain
Chain fdrop (4 references)
target prot opt source destination
drop all -- anywhere anywhere
Chain ffwdrules (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fglobal (1 references)
target prot opt source destination
faccept all -- anywhere anywhere
Chain fmodules (1 references)
target prot opt source destination
Chain fnoexternal (1 references)
target prot opt source destination
Chain fnospoof (1 references)
target prot opt source destination
fnospoofmodules all -- anywhere anywhere
fdrop all -- myIPNetwork/24 anywhere
Chain fnospoofmodules (1 references)
target prot opt source destination
Chain fredirects (1 references)
target prot opt source destination
LOG tcp -- anywhere myURL state NEW tcp dpt:https limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall redirect "
faccept tcp -- anywhere myURL state NEW tcp dpt:https
LOG tcp -- anywhere myURL state NEW tcp dpt:http limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall redirect "
faccept tcp -- anywhere myURL state NEW tcp dpt:http
Chain ftoexternalonly (0 references)
target prot opt source destination
fdrop all -- anywhere anywhere
Chain iaccept (34 references)
target prot opt source destination
NFQUEUE all -- anywhere anywhere NFQUEUE num 0
ACCEPT all -- anywhere anywhere
Chain idrop (3 references)
target prot opt source destination
drop all -- anywhere anywhere
Chain iexternal (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
iaccept tcp -- anywhere anywhere tcp dpt:ssh state NEW
iaccept tcp -- anywhere anywhere tcp dpt:https state NEW
iaccept tcp -- anywhere anywhere tcp dpt:http state NEW
drop tcp -- anywhere anywhere tcp dpt:5900 state NEW
drop tcp -- anywhere anywhere tcp dpt:6900 state NEW
Chain iexternalmodules (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain iglobal (1 references)
target prot opt source destination
iaccept udp -- anywhere anywhere udp dpt:kerberos state NEW
iaccept tcp -- anywhere anywhere tcp dpt:kerberos state NEW
iaccept tcp -- anywhere anywhere tcp dpt:loc-srv state NEW
iaccept udp -- anywhere anywhere udp dpt:netbios-ns state NEW
iaccept udp -- anywhere anywhere udp dpt:netbios-dgm state NEW
iaccept tcp -- anywhere anywhere tcp dpt:netbios-ssn state NEW
iaccept udp -- anywhere anywhere udp dpt:ldap state NEW
iaccept tcp -- anywhere anywhere tcp dpt:ldap state NEW
iaccept tcp -- anywhere anywhere tcp dpt:microsoft-ds state NEW
iaccept udp -- anywhere anywhere udp dpt:kpasswd state NEW
iaccept tcp -- anywhere anywhere tcp dpt:kpasswd state NEW
iaccept tcp -- anywhere anywhere tcp dpt:ldaps state NEW
iaccept tcp -- anywhere anywhere tcp dpt:3268 state NEW
iaccept tcp -- anywhere anywhere tcp dpt:3269 state NEW
iaccept tcp -- anywhere anywhere tcp dpts:49152:65535 state NEW
iaccept udp -- anywhere anywhere udp dpt:ntp state NEW
iaccept udp -- anywhere anywhere udp dpt:domain state NEW
iaccept tcp -- anywhere anywhere tcp dpt:domain state NEW
iaccept tcp -- anywhere anywhere tcp dpt:5900 state NEW
iaccept tcp -- anywhere anywhere tcp dpt:6900 state NEW
iaccept tcp -- anywhere anywhere tcp dpt:ssh state NEW
iaccept tcp -- anywhere anywhere tcp dpt:8443 state NEW
iaccept tcp -- anywhere anywhere tcp dpt:ftp-data state NEW
iaccept tcp -- anywhere anywhere tcp dpt:ftp state NEW
Chain imodules (1 references)
target prot opt source destination
Chain inoexternal (1 references)
target prot opt source destination
Chain inointernal (0 references)
target prot opt source destination
Chain inospoof (1 references)
target prot opt source destination
inospoofmodules all -- anywhere anywhere
idrop all -- myIPNetwork/24 anywhere
Chain inospoofmodules (1 references)
target prot opt source destination
Chain log (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall log "
RETURN all -- anywhere anywhere
Chain oaccept (11 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain odrop (2 references)
target prot opt source destination
drop all -- anywhere anywhere
Chain oglobal (1 references)
target prot opt source destination
oaccept all -- anywhere anywhere state NEW
Chain ointernal (1 references)
target prot opt source destination
oaccept udp -- anywhere one.one.one.one state NEW udp dpt:domain
oaccept tcp -- anywhere one.one.one.one state NEW tcp dpt:domain
Chain omodules (1 references)
target prot opt source destination
oaccept tcp -- anywhere anywhere tcp dpt:http
Chain preforward (1 references)
target prot opt source destination
Chain preinput (1 references)
target prot opt source destination
Chain preoutput (1 references)
target prot opt source destination
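An added diagnostic script (not from the thread and not Zentyal's own tooling) that reads a verbose nat-table listing like the one posted above and classifies each port forward from its counters. The pattern shown in the thread, DNAT rules with hits while the matching SNAT rules stay at zero, is what you get when the DNAT target is the firewall's own address: locally delivered packets traverse the filter INPUT chain and never reach FORWARD or POSTROUTING, so the "to Zentyal" filtering rules decide, not the forwarding ones. The sample listing and the 203.0.113.10 address are constructed.

```python
import re
from typing import Dict, List

# Constructed sample shaped like `sudo iptables -t nat -v -x -n -L`; the
# counters mirror the thread (DNAT hits, SNAT zero) and 203.0.113.10 is a
# documentation-range placeholder standing in for "myIP".
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 6911 packets, 417031 bytes)
    pkts   bytes target     prot opt in     out     source               destination
    7036  424495 premodules all  --  *      *       0.0.0.0/0            0.0.0.0/0
      29    1740 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         tcp dpt:443 to:203.0.113.10
      96    5724 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:203.0.113.10
Chain INPUT (policy ACCEPT 338 packets, 20208 bytes)
    pkts   bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 1307 packets, 80122 bytes)
    pkts   bytes target     prot opt in     out     source               destination
    1307   80122 postmodules all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0       0 SNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:443 ctstate DNAT to:203.0.113.10
       0       0 SNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:80 ctstate DNAT to:203.0.113.10
"""

# pkts bytes target prot opt in out source destination [match options]
RULE = re.compile(r"^\s*(\d+)\s+\d+\s+(DNAT|SNAT)\s+\S+\s+--\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_nat_rules(text: str) -> List[dict]:
    """Return the DNAT/SNAT rules with packet counter, in-interface,
    destination port and the address they rewrite to."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        pkts, target, iface, extra = m.groups()
        dpt = re.search(r"dpt:(\d+)", extra)
        to = re.search(r"to:(\S+)", extra)
        rules.append({"target": target, "pkts": int(pkts), "in": iface,
                      "dpt": int(dpt.group(1)) if dpt else None,
                      "to": to.group(1).split(":")[0] if to else None})
    return rules


def diagnose(text: str, local_ips: set) -> Dict[int, str]:
    """Classify each port forward by what its counters say."""
    rules = parse_nat_rules(text)
    snat_hits = {r["dpt"]: r["pkts"] for r in rules if r["target"] == "SNAT"}
    verdict = {}
    for r in rules:
        if r["target"] != "DNAT":
            continue
        if r["pkts"] == 0:
            verdict[r["dpt"]] = "no-hits"            # nothing reached PREROUTING
        elif r["to"] in local_ips:
            verdict[r["dpt"]] = "local-delivery"     # INPUT path, not FORWARD
        elif snat_hits.get(r["dpt"], 0) == 0:
            verdict[r["dpt"]] = "dropped-in-forward"  # DNAT hit, never left
        else:
            verdict[r["dpt"]] = "forwarded"
    return verdict


if __name__ == "__main__":
    for port, status in sorted(diagnose(SAMPLE_NAT, {"203.0.113.10"}).items()):
        print(f"tcp/{port}: {status}")
```

Feed it the real listing with `iptables -t nat -v -x -n -L | python3 script.py` style plumbing and the host's own addresses, and a "local-delivery" verdict tells you to look at the filter INPUT chains rather than the forwarding rules.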
-
Hi,
I solved it, but the solution is very strange. I had to change the firewall rules under "Filtering rules from internal networks to Zentyal" instead of "Filtering rules from external networks to Zentyal", without any port forwarding.
Now, with the firewall enabled, from an external machine:
sudo nmap -sT -O -Pn myURL
Starting Nmap 7.01 ( https://nmap.org ) at 2019-07-03 07:59 CEST
Nmap scan report for myURL (myIP)
Host is up (0.062s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
5900/tcp closed vnc
Aggressive OS guesses: Linux 3.10 - 3.19 (94%), Linux 3.18 (90%), Linux 3.2 - 4.0 (90%), Linux 3.13 (90%), Asus RT-AC66U WAP (90%), Linux 3.10 (89%), Linux 3.11 - 3.12 (89%), Crestron XPanel control system (88%), HP P2000 G3 NAS device (88%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (87%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds
-
Hi erotavlas! :)
I fear I made a mistake. I was posting in another thread about some HTTP servers running on machines on the LAN side and I mixed up both topics. :-[
I'm sorry. :P
-
Why don't you go for a managed web server? This way you don't have to deal with the maintenance and support of the server, as the managed server provider will take care of all the issues, giving you a hassle-free hosting experience.
I have a website which is built on the Magento framework and is hosted on Managed Magento hosting (https://www.cloudways.com/en/magento-hosting.php), and I have hardly faced any downtime till now.
-
I prefer a more flexible solution such as a dedicated server. Moreover, it costs less and gives more.