Dev1 Galaxy Forum / Web server - a setting off somewhere ...

Re: Web server - a setting off somewhere ...

dummy@example.com (rbit) — Thu, 26 Jan 2023 03:50:01 +0000

A few questions, to help figure out where the problem lies...
The local-network address of the webserver is 192.168.50.3 ?
If so, can another computer on the network successfully open the site http://192.168.50.3/? It does appear that your web-server is listening for connections, but if this step isn't working then you may have a firewall that is blocking the connection. So... do you have a software firewall (such as ufw) installed? You may need to configure it to allow incoming traffic on ports 80 and 443.
Also, are you behind a NAT/router? If so, you'll probably need to set up port forwarding for TCP ports 80 and 443, if you haven't done so already. This would make your webserver accessible to the outside internet (http://www.realupnow.com). The process to do this varies, but it should be found somewhere on your router's admin page.

Re: Web server - a setting off somewhere ...

dummy@example.com (dcolburn) — Mon, 23 Jan 2023 20:56:48 +0000

chris2be8 wrote:

Having a quick look from outside:
$ host www.realupnow.com
www.realupnow.com has address 66.172.90.106
But I can't tell what 66.172.90.106 is. Could that be your router's external IP address? Or the server's external IP address?

That's my WAN IP/static IP address.

EDIT 1:

So, Traceroute gets to the WAN IP, and using SSH I can log into the server 192.168.50.3.

What, specifically (I'm hoping someone has a checklist for troubleshooting), would prevent connecting via html?

EDIT 2:

I can see /var/www/html/index.html via a browser on the server http://www.realupnow.com but not my laptop, on the same network.

EDIT 3:

Looking at the Answer halfway down this page https://unix.stackexchange.com/question … -nat-table might installing and using conntrack to reset things be advised (since I'm using nftables and I've copied over some things from my prior working setup)?

Re: Web server - a setting off somewhere ...

dummy@example.com (dcolburn) — Mon, 23 Jan 2023 17:44:38 +0000

I can SSH in.

Might I have a nftables problem?

I think this is supposed to show nf_tables_inet, nf_tables_ipv6, nf_tables_ipv4, nf_netlink, nf_chain ...

root@devuan1:~# lsmod | grep nf_tables
nf_tables             253952  0
libcrc32c              16384  1 nf_tables
nfnetlink              20480  1 nf_tables
root@devuan1:~#

Re: Web server - a setting off somewhere ...

dummy@example.com (chris2be8) — Mon, 23 Jan 2023 17:16:41 +0000

Having a quick look from outside:
$ host www.realupnow.com
www.realupnow.com has address 66.172.90.106

$ ping www.realupnow.com
PING www.realupnow.com (66.172.90.106) 56(84) bytes of data.
64 bytes from 66.172.90.106: icmp_seq=1 ttl=47 time=110 ms
64 bytes from 66.172.90.106: icmp_seq=2 ttl=47 time=109 ms

$ sudo traceroute -T www.realupnow.com
traceroute to www.realupnow.com (66.172.90.106), 30 hops max, 60 byte packets

13 168.182.127.17 (168.182.127.17) 114.734 ms 118.489 ms 116.881 ms
14 168.182.127.1 (168.182.127.1) 110.179 ms 110.515 ms 113.517 ms
15 168.182.127.98 (168.182.127.98) 118.143 ms 116.080 ms 117.728 ms
16 66.172.90.106 (66.172.90.106) 115.229 ms 109.814 ms 111.151 ms
17 66.172.90.106 (66.172.90.106) 3117.564 ms !H 3111.648 ms !H 3109.469 ms !H

But I can't tell what 66.172.90.106 is. Could that be your router's external IP address? Or the server's external IP address?

NB. traceroute -T uses a SYN packet as it's probe, to port 80 by default.

Re: Web server - a setting off somewhere ...

dummy@example.com (dcolburn) — Mon, 23 Jan 2023 15:01:51 +0000

OK. I have internal working - when I run realupnow.com I get https://realupnow.com and the default nginx welcome page displays.

If I try to force realupnow.com/index.html or info.php I get 404 Not Found

If I try from a different computer, on the same network, I get ...

Unable to connect

An error occurred during a connection to www.realupnow.com

I'll have a look at the router - I haven't changed anything on it since this was working a few weeks ago ...

Re: Web server - a setting off somewhere ...

dummy@example.com (xinomilo) — Mon, 23 Jan 2023 07:22:13 +0000

looks like network issue. http/https ports are filtered, not accessible from outside.
could be router/ISP or firewall issue. ping seems to work ok, but ports 22,80,443,631 look filtered.
so, resolve network issues first... then look at web server for possible issues... (might be fine just as is).

Re: Web server - a setting off somewhere ...

dummy@example.com (dcolburn) — Mon, 23 Jan 2023 01:22:52 +0000

Does the absence of a url in this output mean something isn't working?
Any suggestions as to where to look?
[Context: Devuan nginx php-fpm nftables]

root@devuan1:/etc# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN     
tcp        0      0 localhost:4101          0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
tcp6       0      0 localhost:4101          [::]:*                  LISTEN     
tcp6       0      0 [::]:sane-port          [::]:*                  LISTEN     
udp        0      0 0.0.0.0:631             0.0.0.0:*                          
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                          
udp        0      0 0.0.0.0:42163           0.0.0.0:*                          
udp6       0      0 [::]:mdns               [::]:*                             
udp6       0      0 [::]:52198              [::]:*                             
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7

Re: Web server - a setting off somewhere ...

dummy@example.com (dcolburn) — Sun, 22 Jan 2023 22:54:44 +0000

Anything in either of these flag a problem?

root@devuan1:/etc/nginx# sudo netstat -plutn | grep nginx
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4991/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4991/nginx: master  
root@devuan1:/etc/nginx#

nftables.conf

# !/usr/sbin/nft -f

flush ruleset

# table inet filter {
#	chain input {
#		type filter hook input priority 0;
#	}
#	chain forward {
#		type filter hook forward priority 0;
#	}
#	chain output {
#		type filter hook output priority 0;
#	}
# }

table inet firewall {

	chain_inbound ipv4 {
	icmp type echo-request limit rate 5/second accept
	}

    chain inbound {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" counter packets accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        ip protocol igmp accept
#        iif "lo" counter packets 0 bytes 0 accept
#        ip protocol icmp limit rate 4/second accept
#        ip6 nexthdr ipv6-icmp limit rate 4/second accept
#        ip protocol igmp limit rate 4/second accept
        tcp dport { 22, 80, 443 accept
        log
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }

    chain OUTBOUND {
       type filter hook output priority filter; policy drop;

       # Allow traffic from established and related packets, drop invalid
            ct state vmap { established : accept, related : accept, invalid : drop }
   
       # Allow loopback
            oif "lo" accept

       # Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
            ct state new tcp dport {22, 80, 443} accept
            log prefix "DROP_output: " limit rate 3/second
   }
}

Web server - a setting off somewhere ...

dummy@example.com (dcolburn) — Sat, 21 Jan 2023 23:31:17 +0000

I'm not getting nginx errors and I can ping 127.0.0.1 and 192.168.50.3 from the server.

I can ping 192.168.50.3 from another computer on the same network.

I cannot ping 192.168.50.4 (for which I have a prior note that it may be the nginx internal ip)

I also can't access realupnow.com

Looking at the following is there anything obvious which I have incorrectly configured, please?

This is nginx.conf

user www-data;
error_log logs/error.log notice;
worker_processes auto;
pid /run/nginx.pid;
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;
# include conf.d/http;
# include conf.d/stream;
# include conf.d/exchange-enhanced;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

EDIT: realupnow.com in sites-available updated with corrections ...

This is realupnow.com in /etc/nginx/sites-available and symlinked to sites-enabled

##
# Virtual Host configuration for realupnow.com
#
# Be sure to symlink this to ~/sites-enabled/ to enable it.
# sudo ln -s /etc/nginx/sites-available/realupnow.com /etc/nginx/sites-enabled/realupnow.com
#

server {
    listen 80;
#    root /var/www/realupnow.com;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name realupnow.com www.realupnow.com;

#    root /var/www/html/domain.com/public_html;

    listen 443 ssl;

	location / {
		try_files $uri $uri/ =404;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	}

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/realupnow.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/realupnow.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

	include /etc/letsencrypt/options-ssl-nginx.conf;

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}

This is etc/hosts

127.0.0.1	localhost
127.0.1.1	devuan1.realupnow.com	devuan1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/var/www/html contains two files index.nginx-debian.html and info.php