monit – can't connect from browser

 
Vwaju

(Msg. 1) Posted: Sat Nov 29, 2008 3:07 pm
Post subject: monit – can't connect from browser
Archived from groups: comp.os.linux.networking

I'm teaching myself networking by building an internet server. I am
running Debian Linux 3.1 on host jupiter.obliqueuniverse.org (a Dell
Dimension 4100 desktop). This host (192.168.2.2) is part of my LAN,
which is connected to the Internet through a Dell Truemobile 2300
Broadband Router (which does NAT). My domain is obliqueuniverse.org,
and I have the static IP address 207.237.37.110.

Many thanks to Chris Davies, Bit Twister, and a number of others who
have helped me get this far!

On jupiter, I have installed apache 2.0.54 and ISPConfig.

I installed and configured monit 4.5, and created the certificate
using this guide: http://howtoforge.com/server_monitoring_monit_munin_p2.
(For the moment, on my training server, I am committed to Debian 3.1,
and 4.5 is the prescribed release of monit.)

From Firefox on the Windows XP host (192.16.2.3) on my LAN, I can
connect to the apache server:

http://192.168.2.2:80

and I can connect to ISPConfig:

http://192.168.2.2:81

However, when I try to connect to the Monit Server Manager

https://192.168.2.2:2812

I get the following error message:
- - - - - - - - - - - - - - - - - - - - - - - -
Server Connection Failed
192.168.2.2 uses an invalid security certificate
The certificate is not trusted because it is self-signed.
The certificate is valid only for jupiter.obliqueuniverse.org
(Error code: sec_error_ca_cert_invalid)
- - - - - - - - - - - - - - - - - - - - - - - -

There is an "Alert!" pop-up that says:

The certificate is only valid for jupiter.obliqueuniverse.org

The Windows XP Firewall is disabled. I have configured the Dell
Truemobile Router to forward any traffic directed to port 2812 at
207.237.37.110 to port 2812 on 192.168.2.2. (However, on the LAN side
of my router, I don't think this should make any difference.)

ps and "monit status" indicate that monit is running, but that
"Connection failed" for apache:

monit status | sed -n '57,70p'

Process 'apache'
status Connection failed
monitoring status monitored
pid -1
parent pid -1
uptime 0m
childrens 0
memory kilobytes 0
memory kilobytes total 0
memory percent 0.0%
memory percent total 0.0%
cpu percent 0.0%
cpu percent total 0.0%
port response time -1.000s to www.obliqueuniverse.org:80/monit/token [HTTP]

# monit validate

/etc/monit/monitrc:414: Warning: TOTALMEMORY statement does not work
properly on Linux
'MB'
HTTP error: Server returned status 404
'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
'apache' trying to restart
'apache' stop: /etc/init.d/apache2
'apache' start: /etc/init.d/apache2

# cat /etc/monit/monitrc | sed -n '414p'

if totalmem > 500 MB for 5 cycles then restart

Inspection reveals that there are 6 instances of apache2 running:

ps aux | awk 'NR==1 || $11 ~ /apache2/'

USER       PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
root      5291  1.6  2.5 23044 9776 ?   Ss   21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5295  0.0  2.5 23044 9796 ?   S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5296  0.0  2.5 23044 9796 ?   S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5297  0.0  2.5 23044 9796 ?   S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5298  0.0  2.5 23044 9796 ?   S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL
www-data  5299  0.0  2.5 23044 9796 ?   S    21:03 0:00 /usr/sbin/apache2 -k start -DSSL

If I kill one of these processes another is spawned, keeping the total
at 6.

/var/log/syslog shows that monit tries to restart apache2 about every
60 seconds.

Nov 24 20:06:30 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:06:31 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:06:31 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:06:32 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:07:37 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:07:37 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:07:37 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:07:38 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:08:43 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:08:43 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:08:43 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:08:44 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:09:49 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:09:49 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:09:49 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:09:50 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:10:55 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:10:55 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:10:55 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:10:56 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:12:01 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].
Nov 24 20:12:01 jupiter monit[2655]: 'apache' trying to restart
Nov 24 20:12:01 jupiter monit[2655]: 'apache' stop: /etc/init.d/apache2
Nov 24 20:12:02 jupiter monit[2655]: 'apache' start: /etc/init.d/apache2
Nov 24 20:13:07 jupiter monit[2655]: 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:80].

A thread in the archives
http://www.nabble.com/-monit--Monit-%22connection-failure%22-for-apach...d133770
suggests that there is a bug in monit < 4.9: the error flag is not
cleared when monit restarts a process, even though the process is
restarted correctly. Hence, it keeps spawning the process (subject to
the constraints in monitrc, which I don't fully understand).

However, I don't see a suggested remedy. I can set apache to "mode
passive" in monitrc, but presumably that means that monit won't
restart apache when it *really needs* to be restarted.

I am guessing (hoping) that the 2 problems are related: I can't
connect to monit because monit thinks apache is not running.
(However, I *can* connect to ISPConfig and apache itself.)

Thanks for having read all of the above! As always, interested to
hear your thoughts.

Best Regards,
Vwaju
New York City
Burkhard Ott

(Msg. 2) Posted: Sun Nov 30, 2008 1:16 am
Post subject: Re: monit –
Archived from groups: per prev. post

Am Sat, 29 Nov 2008 15:07:12 -0800 schrieb Vwaju:


> https://192.168.2.2:2812
^^^^^^^^^^^
> I get the following error message:
> - - - - - - - - - - - - - - - - - - - - - - - -
> Server Connection Failed
> 192.168.2.2 uses an invalid security certificate
> The certificate is not trusted because it is self-signed.
> The certificate is valid only for jupiter.obliqueuniverse.org
> (Error code: sec_error_ca_cert_invalid)
> - - - - - - - - - - - - - - - - - - - - - - - -

Your CN in the certificate doesn't match the name in the address bar
of your browser.
You can force the browser to accept it, you can change the CN in your
certificate, or you connect to the valid name (jupiter...).


> The Windows XP Firewall is disabled. I have configured the Dell
> Truemobile Router to forward any traffic directed to port 2812 at
> 207.237.37.110 to port 2812 on 192.168.2.2. (However, on the LAN side
> of my router, I don't think this should make any difference.)

It has nothing to do with the XP firewall.


> ps and "monit status" indicates that monit is running, but that
> "Connection failed" for apache:

How is your check for apache in monit.conf?


> # monit validate
>
> /etc/monit/monitrc:414: Warning: TOTALMEMORY statement does not work
> properly on Linux

There is obviously an error with totalmemory in your config; remove it.
It seems you use an old monit version; I don't have any trouble with mem
checks.


> HTTP error: Server returned status 404

You are trying to connect to a non-existent file. Place an index file in the
document root directory if you check only for /; otherwise you also need to
write the filename in your config file.

> 'apache' failed protocol test [HTTP] at INET[www.obliqueuniverse.org:
> 80].
> 'apache' trying to restart
> 'apache' stop: /etc/init.d/apache2
> 'apache' start: /etc/init.d/apache2

Sure, the web server does not work correctly (status 404), so monit does the
right thing.


> if totalmem > 500 MB for 5 cycles then restart

see above and check your syslog
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
> root 5291 1.6 2.5 23044 9776 ? Ss 21:03 0:00 /usr/

How much memory does your machine have? You're using 2.5% with one process;
you should check your apache conf. It depends on the modules you need, but
I've never seen a parent process using more than 10 to 12 MB.

> If I kill one of these processes another is spawned, keeping the total
> at 6.

apache.conf prefork; it works correctly. When one child dies, the parent process
opens it again.


> /var/log/syslog shows that monit tries to restart apache2 about every
> 60 seconds.

If your check interval is 1 minute, monit works correctly.

> Thanks for having read all of the above! As always, interested to
> hear your thoughts.

Try the following:
Place an index.html in the document root (apache) or enable Options +Index
in your apache config.

Check your monitrc file; it should be similar to this:

check process apache2 with pidfile $PATH_TO_APACHE_PID
start program = "/etc/init.d/apache2 start"
stop program = "/etc/init.d/apache2 stop"
if failed host $IP_APACHE_IS_LISTENING port $PORT
protocol http and request "/" then restart

You could also use: protocol http and request "/YOURFILE" then restart
YOURFILE has to be in your document root.

cheers
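The two certificate complaints Burkhard untangles above, name mismatch and self-signedness, are independent checks, and a browser applies the name check differently to an IP address in the URL than to a hostname. The following Python is an added example, not code from this thread, from monit or from any browser: it models a certificate as a small dict (constructed; the real certificate is not reproduced here) and implements the hostname matching a browser performs, so you can see why https://192.168.2.2:2812 fails against a CN of jupiter.obliqueuniverse.org while the FQDN would pass, and that listing the LAN address as an IP subjectAltName is the fix that keeps the browser's check intact instead of overriding it. The names and addresses are the thread's; the dict layout and function names are this example's own.

```python
import ipaddress

# Constructed certificate descriptions (not real certificates): what a self-signed
# cert made with a plain "openssl req" typically carries (CN only, no SAN), versus
# one that also lists the LAN address in subjectAltName. Names/IPs follow the thread.
CERT_CN_ONLY = {
    "subject_cn": "jupiter.obliqueuniverse.org",
    "issuer_cn": "jupiter.obliqueuniverse.org",   # issuer == subject: self-signed
    "san": [],
}
CERT_WITH_SAN = {
    "subject_cn": "jupiter.obliqueuniverse.org",
    "issuer_cn": "jupiter.obliqueuniverse.org",
    "san": [("DNS", "jupiter.obliqueuniverse.org"), ("IP", "192.168.2.2")],
}


def _dns_label_match(pattern, hostname):
    """Case-insensitive DNS name match. A '*' is honoured only as the whole leftmost
    label and only when at least two more labels follow (so '*.org' never matches)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def match_hostname(cert, hostname):
    """Return (ok, reason): does the name typed in the address bar match the cert?"""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP in the URL is compared only with IP-type subjectAltName entries;
        # the CN is never consulted for an IP address.
        for kind, value in cert["san"]:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True, f"{hostname} is listed as an IP subjectAltName"
        valid_for = [v for _, v in cert["san"]] or [cert["subject_cn"]]
        return False, (f"certificate is valid only for {', '.join(valid_for)}; "
                       f"{hostname} is not an IP subjectAltName")
    dns_ids = [v for k, v in cert["san"] if k == "DNS"]
    if not dns_ids:
        dns_ids = [cert["subject_cn"]]   # legacy fallback: CN is used only when no SAN exists
    for pattern in dns_ids:
        if _dns_label_match(pattern, hostname):
            return True, f"{hostname} matches {pattern}"
    return False, f"certificate is valid only for {', '.join(dns_ids)}"


def trust_problems(cert, hostname, trusted_issuers=()):
    """Both checks a browser makes, independently of each other: chain trust and name.
    trusted_issuers stands in for the browser's trust store (constructed)."""
    problems = []
    if cert["issuer_cn"] == cert["subject_cn"] and cert["subject_cn"] not in trusted_issuers:
        problems.append("not trusted because it is self-signed")
    ok, reason = match_hostname(cert, hostname)
    if not ok:
        problems.append(reason)
    return problems


if __name__ == "__main__":
    for cert_name, cert in (("CN only", CERT_CN_ONLY), ("CN + SAN", CERT_WITH_SAN)):
        for host in ("192.168.2.2", "jupiter.obliqueuniverse.org"):
            print(f"{cert_name:8s} {host:28s} -> {trust_problems(cert, host) or 'ok'}")
```

Forcing the browser to accept the certificate silences both problems at once; reissuing it with an IP subjectAltName (or connecting by the FQDN) clears only the name problem, and importing the self-signed certificate into the browser's trust store clears only the trust problem, which is why the two should be treated separately.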
Vwaju

(Msg. 3) Posted: Sun Nov 30, 2008 11:42 am
Post subject: Re: monit – can't connect from browser
Archived from groups: per prev. post

Hi, Burkhard --

Thanks for your thoughtful observations!

> >https://192.168.2.2:2812

> > I get the following error message:
> > - - - - - - - - - - - - - - - - - - - - - - - -
> > Server Connection Failed
> > 192.168.2.2 uses an invalid security certificate
> > The certificate is not trusted because it is self-signed.
> > The certificate is valid only for jupiter.obliqueuniverse.org
> > (Error code: sec_error_ca_cert_invalid)
> > - - - - - - - - - - - - - - - - - - - - - - - -
>
> Your CN in the certificate doesn't match with the name in the addressbar
> of your browser.
> You can force the browser to accept it, you can change the CN in your
> certificate or you connect to the valid name (juniper..)

I can't connect with the canonical name:

https://jupiter.obliqueuniverse.org:2812

"Failed to Connect"
"Firefox can't established a connection to the server at
jupiter.obliqueuniverse.org:2812"

I notice that I *also* can't connect to the FTP server, Apache, or
ISPConfig using the FQDN.
I can connect *only* using the NAT address 192.168.2.2 (whether from
the Windows machine (192.168.2.3) or another computer running Linux
(192.168.2.5) on my LAN.)

This makes me think I have an underlying problem with domain name
resolution. However, if I query the DNS servers using
DNSWatch http://www.dnswatch.info/ I find both the forward and reverse
queries give the right answer:

Forward Query

Domain                Type  TTL    Answer
obliqueuniverse.org.  NS    10800  jupiter.obliqueuniverse.org.
obliqueuniverse.org.  SOA   10800  MName: jupiter.obliqueuniverse.org.  RName: root.localhost.
                                   Serial No.: 2008100701  Refresh: 28800  Retry: 7200
                                   Expire: 604800  MinTTL: 86400

Reverse Query

Domain                        Type  TTL    Answer
110.37.237.207.in-addr.arpa.  PTR   86400  obliqueuniverse.org.

The browsers on all the hosts on my LAN can resolve arbitrary domain
names. This would indicate that there is no problem with domain name
resolution.

What do you think?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>> How is your check for apache in monit.conf?

Do you mean monitrc?

cat -n monitrc | sed -n '406,417p'

check process apache with pidfile /var/run/apache2.pid
group www
start program = "/etc/init.d/apache2 start"
stop program = "/etc/init.d/apache2 stop"
if failed host www.obliqueuniverse.org port 80 protocol http
and request "/monit/token" then restart
if cpu is greater than 60% for 2 cycles then alert
if cpu > 80% for 5 cycles then restart
if totalmem > 500 MB for 5 cycles then restart
if children > 250 then restart
if loadavg(5min) greater than 10 for 8 cycles then stop
if 3 restarts within 5 cycles then timeout
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > # monit validate
>
> > /etc/monit/monitrc:414: Warning: TOTALMEMORY statement does not work
> > properly on Linux

> there is obviously a error mit totalmemory in your config, remove it it.
> It seems you use a old monit version, I haven't any trouble with mem
> checks.

Can I just *remove* the line: "if totalmem > 500 MB for 5 cycles
then restart"?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > HTTP error: Server returned status 404
>
> You try to connect to a non existing file, place an index file in the
> documentroot directory if you check only for /, otherwise you need to
> write also the filename in your configfile.  

Excuse my ignorance, but how do I identify the document root?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
> > root      5291  1.6  2.5 23044 9776 ?        Ss   21:03   0:00 /usr/
>
> How much memory has your machine? You'are using 2.5% with one process,
> ypu should check your apache conf, it depends on the modules you need but
> usually I've never seen a parent process it's using more than 10 to 12 MB..

My machine has a total of 384MB RAM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thanks for your helpful observations!

Best Regards,

Vwaju
New York City
Burkhard Ott

(Msg. 4) Posted: Sun Nov 30, 2008 10:30 pm
Post subject: Re: monit –
Archived from groups: per prev. post

Am Sun, 30 Nov 2008 11:42:07 -0800 schrieb Vwaju:

> Thanks for your thoughtful observations!

No problem at all.

> I can't connect with the canonical name:
> https://jupiter.obliqueuniverse.org:2812

You don't forward this port. I connected to your public IP and received your
Apache welcome page. (http://207.237.37.110/apache2-default/ DNS works
also.)

> "Failed to Connect"
> "Firefox can't established a connection to the server at
> jupiter.obliqueuniverse.org:2812"

As I said, you haven't opened this port on your public IP.
You'll probably still need a DNAT rule in your iptables configuration.


These are your reachable ports from outside:

20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http


> I notice that I *also* can't connect to the FTP server, Apache, or
> ISPConfig using the FQDN.
> I can connect *only* using the NAT address 192.168.2.2 (whether from
> the Windows machine (192.168.2.3) or another computer running Linux
> (192.168.2.5) on my LAN.)

Check your name entries via host or nslookup; it should be similar to
this:

host jupiter.obliqueuniverse.org
jupiter.obliqueuniverse.org has address 207.237.37.110

Try traceroute to 207.237.37.110; you should usually see that your
packet goes via your gateway to your server outside. Otherwise you need to
check your /etc/hosts and/or your local DNS if available.


> This makes me think I have an underlying problem with domain name
> resolution. However, if query the DNS servers using
> DNSWatch http://www.dnswatch.info/ I find both the forward and reverse
> queries give the right answer

You need to perform this check locally, not via a website.


> The browsers on all the hosts on my LAN can resolve arbitrary domain
> names. This would indicate that there is_no_problem with domain name
> resolution.

Check via host/dig/nslookup, not by calling a domain in a browser.

>>> How is your check for apache in monit.conf?
>
> Do you mean monitrc?

Sure, I compile and package monit myself since I added some extra
features for my environment, and I use /etc/monit/monit.conf. But the
regular configure script uses monitrc if no other option is given.


> cat -n monitrc | sed -n '406,417p'
>
> check process apache with pidfile /var/run/apache2.pid
> group www
> start program = "/etc/init.d/apache2 start"
> stop program = "/etc/init.d/apache2 stop"
> if failed host www.obliqueuniverse.org port 80 protocol http
> and request "/monit/token" then restart
> if cpu is greater than 60% for 2 cycles then alert
> if cpu > 80% for 5 cycles then restart
> if totalmem > 500 MB for 5 cycles then restart
> if children > 250 then restart
> if loadavg(5min) greater than 10 for 8 cycles then stop
> if 3 restarts within 5 cycles then timeout

> Can I just *remove* the line: "if totalmem > 500 MB for 5 cycles then
> restart"

Yes, you can; then the error should disappear.


> Excuse my ignorance, but how do I identify the document root?

cat /etc/apache2/sites-enabled/001-default | grep DocumentRoot

As I see you use Debian, it should be /var/www, but if you didn't touch
the rewrite rule then you'll be redirected to /var/www/apache2-default.


> My machine has a total of 384MB RAM

Ok, then the value is ok.

> Thanks for your helpful observations!
No problem at all, have fun on your computers.

cheers
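Burkhard's point in Msg. 2 and Msg. 4 is that monit's HTTP protocol test is only as good as the path it requests: a 404 for /monit/token fails the test whether or not apache is up, so the checked file has to exist under the DocumentRoot (and a refused connection fails in the same way). The script below is an added example, not part of the thread or of monit itself: it re-implements that check with Python's standard library and runs it against a throw-away local HTTP server (Python's http.server standing in for apache, serving a temporary directory as document root), so the 404-then-200 behaviour can be reproduced offline. The 127.0.0.1 address, the random port and the temporary document root are constructed for the demo; /monit/token is the path from Vwaju's monitrc.

```python
import functools
import http.client
import http.server
import os
import socketserver
import tempfile
import threading


def http_protocol_test(host, port, request="/", timeout=5.0):
    """Emulate monit's 'if failed host H port P protocol http and request R' test.
    Returns (passed, status, detail). As with monit, a refused connection fails and
    a 404 fails: the server is up but is not serving the checked path."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", request, headers={"Host": host})
        resp = conn.getresponse()
        status = resp.status
        resp.read()
        conn.close()
    except OSError as exc:
        return False, None, f"Connection failed: {exc}"
    if 200 <= status < 400:
        return True, status, "ok"
    return False, status, f"HTTP error: Server returned status {status}"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo's stderr clean
        pass


def serve_docroot(docroot):
    """Start a throw-away HTTP server on 127.0.0.1 (random free port) serving docroot."""
    handler = functools.partial(_QuietHandler, directory=docroot)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo():
    """Reproduce the thread's situation in a temporary document root: first the
    checked path /monit/token is absent (404: test fails, monit would restart
    apache although it is running), then the file is created (200: test passes).
    Finally the server is stopped to show the 'Connection failed' case."""
    with tempfile.TemporaryDirectory() as docroot:
        server, port = serve_docroot(docroot)
        try:
            before = http_protocol_test("127.0.0.1", port, "/monit/token")
            os.makedirs(os.path.join(docroot, "monit"))
            with open(os.path.join(docroot, "monit", "token"), "w") as fh:
                fh.write("ok\n")
            after = http_protocol_test("127.0.0.1", port, "/monit/token")
        finally:
            server.shutdown()
            server.server_close()
    down = http_protocol_test("127.0.0.1", port, "/monit/token")
    return before, after, down


if __name__ == "__main__":
    for label, result in zip(("missing file", "file present", "server down"), run_demo()):
        print(f"{label:13s}: passed={result[0]} status={result[1]} {result[2]}")
```

One difference from apache worth knowing when you adapt the check: Python's http.server answers a request for "/" on a directory without index.html with a generated listing (200), whereas apache without Options +Indexes answers 403, so a check against a specific file path such as /monit/token is the more predictable test on both.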
Vwaju

(Msg. 5) Posted: Mon Dec 01, 2008 7:20 pm
Post subject: Re: monit – can't connect from browser
Archived from groups: per prev. post

Guten Abend, Burkhard --

> > I can't connect with the canonical name:
> >https://jupiter.obliqueuniverse.org:2812
>
> You don't forward this port, I connected to you public IP and receive your
> Apache welcome page. (http://207.237.37.110/apache2-default/DNS works
> also)

I have my Dell Truemobile 2300 router configured to forward
207.237.37.110:2812 to 192.168.2.2:2812

> > "Failed to Connect"
> > "Firefox can't established a connection to the server at
> > jupiter.obliqueuniverse.org:2812"
>
> As I said you haven't open this port on your public IP.
> You'll probably still need a DNAT rule in your iptables configuration.

This is my first encounter with iptables. I looked at the man page,
and the learning curve looks steep. Without further study, I can't
tell what the command to create the rule should look like.

Can you advise me on this?

Is there a tutorial on how to use iptables that is perhaps more
descriptive than the man page?
>
> This are your reachable ports from outside:
>
> 20/tcp closed ftp-data
> 21/tcp open   ftp
> 22/tcp open   ssh
> 53/tcp open   domain
> 80/tcp open   http
>
All of these ports are listed in the port forwarding table for the
Dell router. I'm not sure why port 20 shows as "closed", since I have
both ports 20 and 21 forwarded from 207.237.37.110 to the ftp server
on 192.168.2.2.

Does this also have to do with a DNAT rule in iptables?

> > I notice that I *also*  can't connect to the FTP server, Apache, or
> > ISPConfig using the FQDN.
> > I can connect *only* using the NAT address 192.168.2.2 (whether from
> > the Windows machine (192.168.2.3) or another computer running Linux
> > (192.168.2.5) on my LAN.)
>
> check via host or nslookup your name entries it should be similar like
> this:
>
> host jupiter.obliqueuniverse.org
> jupiter.obliqueuniverse.org has address 207.237.37.110

- - - - - - - - - - - - - - - - - - - - - - - - - - -
On my Windows machine (192.168.2.3), which *does not know* about the
DNS server on 192.168.2.2:

> nslookup 207.237.37.110

Server: ns2.dns.rcn.net
Address: 207.172.3.9

Name: obliqueuniverse.org
Address: 207.237.37.110

> nslookup obliqueuniverse.org

Server: ns2.dns.rcn.net
Address: 207.172.3.9

Non-authoritative answer:
Name: obliqueuniverse.org
Address: 207.237.37.110
- - - - - - - - - - - - - - - - - - - - - - - - - - -
On jupiter (192.168.2.2) itself:

# hostname
jupiter.obliqueuniverse.org

# nslookup 207.237.37.110

Server: 192.168.2.2
Address: 192.168.2.2#53

110.37.237.207.in-addr.arpa name = obliqueuniverse.org.

# nslookup obliqueuniverse.org

Server: 192.168.2.2
Address: 192.168.2.2#53

Name: obliqueuniverse.org
Address: 207.237.37.110
- - - - - - - - - - - - - - - - - - - - - - - - - - -

> Try traceroute to 207.237.37.110 you should usually see that your
> packet goes via your gateway to your server outside, otherwise you nee to
> check your /etc/hosts and/or your local DNS if available.

On 192.168.2.2:

# traceroute 207.237.37.110
1 obliqueuniverse.org (207.237.37.110) 0.778 ms 0.726 ms 0.654 ms

# traceroute obliqueuniverse.org
1 obliqueuniverse.org (207.237.37.110) 0.800 ms 0.721 ms 0.648 ms

It looks like you can't run traceroute from Windows XP (or else I just
don't know how).
- - - - - - - - - - - - - - - - - - - - - - - - - - -

> cat /etc/apache2/sites-enabled/001-default | grep DocumentRoot
>
> As I see you use debian you it should be /var/www but if you didn't touch
> the rewrite rule then you'll bee redireted to /var/www/apache2-default.

I put an index.html file in /var/www and restarted apache, but I still
get the "Test Page for Apache installation". I moved the index.html
to /var/www/apache2-default, and I still get the test page. I looked
at apache2.conf to see if there is something I need to reconfigure,
but I can't see anything.

Thanks again for your help!

Best Regards,
Vwaju
Burkhard Ott

(Msg. 6) Posted: Tue Dec 02, 2008 9:31 am
Post subject: Re: monit –
Archived from groups: per prev. post

Am Mon, 01 Dec 2008 19:20:57 -0800 schrieb Vwaju:

> I have my Dell Truemobile 2300 router configured to forward
> 207.237.37.110:2812 to 192.168.2.2:2812
> This is my first encounter with iptables. I looked at the man page,
> and the learning curve looks steep. Without further study, I can't
> tell what the command to create the rule should look like.
> Can you advise me on this?
> Is there a tutorial on how to use iptables that is perhaps more
> descriptive than the man page?

Yup, man iptables or google for iptables, but I think I didn't fully
understand what you're trying to do.

I assume that you want jupiter to route your packets for port 2812 to your
router and masquerade the src IP, right?

(any:jupiter:2812)->jupiter->(jupiterip:router:2812)->192.168.2.2 ...

Is it correct? If so, then I can write you more detailed information on
which machine you have to take action.

> All of these ports are listed in the port forwarding table for the
> Dell router. I'm not sure why port 20 shows as "closed", since I have
> both ports 20 and 21 forwarded from 207.237.37.110 to the ftp server
> on 192.168.2.2.

Port 20 is the data channel; your forward is correct.
You'll find more information about ftp via google.


> On my Windows machine (192.168.2.3), which *does not know* about the
> DNS server on 192.168.2.2:

DNS looks ok.

> On 192.168.2.2:
>
> # traceroute 207.237.37.110
> 1 obliqueuniverse.org (207.237.37.110) 0.778 ms 0.726 ms
> 0.654 ms

Do you have 207.237.37.110 beside 192.168.2.0/24?
Usually I would expect to see a router or gateway here which does the NAT for
192.168.2.3.


How is your network infrastructure?

jupiter->(internet)->router->192.168.2.0/24 ?

Could you please confirm or correct this?

> I put an index.html file in /var/www and restarted apache, but I still
> get the "Test Page for Apache installation" . I moved the index.html
> to /var/www/apache2-default, and I still get the test page. I looked
> at apache2.conf to see if there is something I need to reconfigure,
> but I can't see anything.

Yep, you have a rewrite rule in 000-default that says rewrite the URL to
/var/www/apache2-default. If you comment out this line and restart apache, then
your index.html in /var/www will be shown. You will also find log files in
/var/log/apache2 or similar. You'll have an access and an error log there;
you can find which files are accessed (path too), status codes etc.

> Thanks again for your help!

No problem at all.
Vwaju

(Msg. 7) Posted: Tue Dec 02, 2008 10:16 am
Post subject: Re: monit – can't connect from browser
Archived from groups: per prev. post

Guten Tag, Burkhard

> Do you have 207.237.37.110 beside 192.168.2.0/24 ?
> Ususally I miss here a router or gateway which is makes the NAT for
> 192.168.2.3.
>
> How is you network infrastruture?
>
> jupiter->(internet)->router->192.168.2.0/24 ?

> Could you please confirm or correct this?

Is "jupiter->(internet)->router->192.168.2.0/24" a DNAT rule? How do
you translate it?

I have a static IP address (207.237.37.110) from RCN (my ISP) and 4
computers on my LAN. My Dell Truemobile 2300 Broadband Router does
NAT as follows:

192.168.2.1 (the router itself )
192.168.2.2 (jupiter.obliqueuniverse.org, running Debian 3.1)
192.168.2.3 Windows XP machine
192.168.2.4 Windows XP machine
192.168.2.5 (ganymede.obliqueuniverse.org, running Slackware 12.0)

> I assume that you want jupiter to route your packets for port 2812 to your
> router and masquerade the src ip, right.

Packets incoming from the Internet, addressed to
jupiter.obliqueuniverse.org:2812 (207.237.37.110:2812) should be
routed to jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812). I
believe that the port-forwarding table on the router takes care of
this. Am I right?

Packets from jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812)
should go to the router (192.168.2.1 on my LAN) and would appear to
the Internet to come from 207.237.37.110:2812. Am I right that *this*
is where you need the DNAT rule in iptables?

Similarly ports 20,21,22,80, and 81

> (any:jupiter:2812)->jupiter->(jupiter:router:2812)->192.168.2.2 ...

Given the network infrastructure described above: Does this rule route
from 192.168.2.2:2812 to 192.168.2.1 (the router) and translate it to
207.237.37.110:2812?

> > I put an index.html file in /var/www and restarted apache, but I still
> > get the "Test Page for Apache installation" .  I moved the index.html
> > to /var/www/apache2-default, and I still get the test page.  I looked
> > at apache2.conf to see if there is something I need to reconfigure,
> > but I can't see anything.
>
> Yep, you have a rewrite rule in 000-default that say's rewrite the url to
> /var/www/apache2-default. If you comment this line and restart apache then
> your index.html in /var/www will be shown. You also will find logfile in
> /var/log/apache2 or similar. You'll have an access and an error log there
> you can find wich files are accessed (path either),status codes etc.

Yes! I have now published my Oblique Universe home page.

From inside my LAN, I can access it with http://192.168.2.2:80

Can you access it with http://207.237.37.110:80 ?

However, when I try http://obliqueuniverse.org from inside my LAN, I
get an error screen that says:

"Duplicate Administrator
This device is managed by 192.168.2.2 currently!!"

What do you get?

Danke schön

Best Regards,
Vwaju
Burkhard Ott

(Msg. 8) Posted: Tue Dec 02, 2008 10:57 pm
Post subject: Re: monit –
Archived from groups: per prev. post

Am Tue, 02 Dec 2008 10:16:33 -0800 schrieb Vwaju:

> Guten Tag, Burkhard

Hi Vwaju, you're also learning German? :)

> Is "jupiter->(internet)->router->192.168.2.0/24" a DNAT rule? How do
> you translate it?

Nope, I was wondering about your route (traceroute) and wanted to make sure
where the web server is located, because I thought it was outside your LAN,
but this is no problem either.

> I have a static IP address (207.237.37.110) from RCN (my ISP) and 4
> computers on my LAN. My Dell Truemobile 2300 Broadband Router does
> NAT as follows:
>
> 192.168.2.1 (the router itself )
> 192.168.2.2 (jupiter.obliqueuniverse.org, running Debian 3.1)
> 192.168.2.3 Windows XP machine
> 192.168.2.4 Windows XP machine
> 192.168.2.5 (ganymede.obliqueuniverse.org, running Slackware 12.0)

Ok, that clears up the situation.
I'll briefly explain which way packets to the web server flow.

If you reach the web server via 192.168.2.2, then the packets go via your
NIC directly to your web server; there is no hop in between because you are in
the same subnet.
Your routing table looks like this:

192.168.2.0 0.0.0.0 255.255.255.0 eth0
0.0.0.0 192.168.2.1 eth0

That means you will reach IPs from 192.168.2.1-254 directly in your
subnet.
If you had the network 10.10.10.0/24 connected to your router, then
your host would send every packet for the IPs 10.10.10.1-254 to your router,
because it's your default gateway and this network is not directly
connected to your 192.168.2.0/24.
That is exactly what happens if you send your packets to the web server
at 207.237.37.110.
Your packet goes straight to your router and the router forwards it to your
web server.
Usually the router will send a redirect to your computer so that you can
access the web server directly via 192.168.2.2, but it depends on the
router software config.

So if I try to reach your web server, I come from outside the LAN, pass some
internet routers and will be routed to your router, and if the router has a
forward entry for port 2812, it will forward this packet to your web server.
On the web server there now arrives an IP from outside (an IP in Germany); on the
web server the default gateway is used to send the answer, and that is your
router. It also has to route it to its default gateway, because it doesn't have
my IP on a local port; the answer now passes some internet routers and will
reach my router, computer etc.

That means you only need a port forward on your router to port 2812.
You don't need an iptables rule on your web server.

btw with iptables it could look like this:
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp --dport 2812 -j DNAT --to-destination 192.168.2.2

The rule says: for every packet arriving on my external interface
with destination port 2812, replace the destination IP with 192.168.2.2.
(With -d 207.237.37.110 you could specify the external address.)

You obviously did it correctly with port 80, because I see your yellow page
with all the names. I can also reach port 2812; there comes an htaccess prompt
asking me for username and password via SSL.


>> I assume that you want jupiter to route your packets for port 2812 to your
>> router and masquerade the src ip, right.
>
> Packets incoming from the Internet, addressed to
> jupiter.obliqueuniverse.org:2812 (207.237.37.110:2812) should be
> routed to jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812). I
> believe that the port-forwarding table on the router takes care of
> this. Am I right?

Yep, and it works too.


> Packets from jupiter.obliqueuniverse.org:2812 (192.168.2.2:2812)
> should go to the router (192.168.2.1 on my LAN) and would appear to
> the Internet to come from 207.237.37.110:2812. Am I right that *this*
> is where you need the DNAT rule in iptables?

Yes, because your external IP 207.237.37.110 is terminated locally on your
router, and if 2812 is open there then the device usually sends an ICMP
port unreachable.
With DNAT it takes care of the IP for the answer packet, but replaces it with
192.168.2.2 and sends it into your LAN. On the way back it does the same
but replaces 192.168.2.2 again.

I guess you currently forward every port to 192.168.2.2, because I can also
reach ssh and your DNS.

> Similarly ports 20,21,22,80, and 81

Ports 20 and 21 are a little special because FTP works a little differently.

> Given the network infrastructure described above: Does this rule route
> from 192.168.2.2:2812 to 192.168.2.1 (the router) and translate it to
> 207.237.37.110:2812?

Nope, it doesn't, and you don't need that in the case of DNAT.


> Yes! I have now published my Oblique Universe home page.

Yes, I already looked at it :-).


> From inside my LAN, I can access it with http://192.168.2.2:80
>
> Can you access is with http://207.237.37.110:80 ?

Yep.

> However, when I try http://obliqueuniverse.org from inside my LAN, I
> get an error screen that says:
> "Duplicate Administrator
> This device is managed by 192.168.2.2 currently!!"

I have never seen such a stupid message, but I think it's the ICMP redirect
I described above.

I also have a hint for you: install tcpdump, or better Wireshark, on your
computer and sniff the connection while you try to access the external
IP.
You will see an ICMP redirect packet (it should be the second or third).

Where have you seen the "Duplicate Administrator" error message? I bet on
the router itself; then it would be a weird translation of an ICMP
redirect, but anyway.

Everything seems to be working so far; now you need to make it secure :-).


cheers
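Added example (not from the original thread): a small Python parser that does what the tcpdump/Wireshark hint above asks for, without eyeballing the capture. It reads raw IPv4 packets (what a raw socket or a pcap with the Ethernet header stripped gives you) and reports every ICMP type 5 redirect: which router sent it, to which host, which gateway it tells the host to use, and the flow (taken from the embedded original header) it applies to. The ICMP checksum is verified so a truncated or mangled packet is not reported. The two sample packets are constructed inline with the thread's addresses (router 192.168.2.1, client 192.168.2.3, server 192.168.2.2, public IP 207.237.37.110); they are not captured traffic.

```python
"""Detect ICMP redirects in raw IPv4 packets (raw socket or pcap without link-layer header)."""
import socket
import struct

ICMP_PROTO = 1
ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos-network", 3: "tos-host"}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Over a message whose checksum field is
    already filled in it returns 0 when the message is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum (used to build samples)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(router: str, victim: str, gateway: str, orig_src: str, orig_dst: str,
                   orig_proto: int, orig_l4: bytes, code: int = 1) -> bytes:
    """Constructed sample: the redirect `router` sends to `victim` saying 'use `gateway`'.
    Per RFC 792 the body carries the original IP header plus 8 bytes of its payload."""
    inner = ipv4_header(orig_src, orig_dst, orig_proto, len(orig_l4)) + orig_l4[:8]
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(gateway)) + inner
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(router, victim, ICMP_PROTO, len(icmp)) + icmp


def parse_redirect(packet: bytes):
    """Return a dict describing an ICMP redirect, or None if `packet` is not a valid one."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != ICMP_PROTO:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20:            # ICMP header + at least the embedded IP header
        return None
    typ, code, _chk, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT or inet_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    inner_l4 = inner[(inner[0] & 0x0F) * 4:]
    inner_proto = inner[9]
    sport = dport = None
    if inner_proto in (6, 17) and len(inner_l4) >= 4:   # TCP/UDP: first 8 bytes hold the ports
        sport, dport = struct.unpack("!HH", inner_l4[:4])
    return {
        "router": socket.inet_ntoa(packet[12:16]),
        "victim": socket.inet_ntoa(packet[16:20]),
        "code": REDIRECT_CODES.get(code, "code%d" % code),
        "use_gateway": socket.inet_ntoa(gw),
        "flow": (socket.inet_ntoa(inner[12:16]), sport,
                 socket.inet_ntoa(inner[16:20]), dport,
                 PROTO_NAMES.get(inner_proto, str(inner_proto))),
    }


def scan(packets):
    """Yield the redirects found in an iterable of raw IPv4 packets."""
    for pkt in packets:
        info = parse_redirect(pkt)
        if info is not None:
            yield info


# Constructed samples: 192.168.2.3 sent a SYN to 207.237.37.110:2812 via the router
# 192.168.2.1, which answers "talk to 192.168.2.2 directly for that host".
TCP_SYN_HEAD = struct.pack("!HHI", 49152, 2812, 0)
SAMPLE_REDIRECT = build_redirect("192.168.2.1", "192.168.2.3", "192.168.2.2",
                                 "192.168.2.3", "207.237.37.110", 6, TCP_SYN_HEAD)
# A plain TCP packet, to show that non-redirects are ignored.
SAMPLE_TCP = ipv4_header("192.168.2.3", "192.168.2.2", 6, len(TCP_SYN_HEAD)) + TCP_SYN_HEAD

if __name__ == "__main__":
    for r in scan([SAMPLE_TCP, SAMPLE_REDIRECT]):
        print("%(router)s -> %(victim)s: redirect(%(code)s), use %(use_gateway)s for %(flow)s" % r)
```

If a redirect shows up in the capture, that is the router telling the client to talk to 192.168.2.2 directly; if none does, the hypothesis is settled the other way. One caveat for anyone running a server: a Linux host honours these by default (net.ipv4.conf.all.accept_redirects), so any machine on the LAN can forge one and pull your traffic through itself. On a server set accept_redirects to 0, and set net.ipv4.conf.all.send_redirects to 0 on any box that is not meant to be a router.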
Vwaju
(Msg. 9) Posted: Wed Dec 03, 2008 7:03 am
Post subject: Re: monit – can't connect from browser

Guten Tag, Burkhard

> Hi Vwaju, you're also learning German? :-)

I would love to learn German, but I only know a few words. Am I right
that your native language is German? (You speak English very well!)

> If you reach the webserver via 192.168.2.2 then the packets go via your
> NIC directly to your webserver; there is no hop in between because you are in
> the same subnet.
> Your routing table looks like this:
>
> 192.168.2.0 0.0.0.0 255.255.255.0 eth0
> 0.0.0.0 192.168.2.1 eth0

Yes, that's what I have:

# route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0

> Usually the router will send a redirect to your computer so that you can
> access the webserver directly via 192.168.2.2, but it depends on the
> router software config.

It seems that it does send a redirect, because I can reach the
webserver directly with 192.168.2.2 (from inside my LAN).
What I *cannot* do is reach the webserver from inside my LAN with
Internet address 207.237.37.110.

> That means you only need a port forward on your router for port 2812.
> You don't need an iptables rule on your webserver.

Excellent!

> btw with iptables it could look like this:
> iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -p tcp --dport 2812 \
>     -j DNAT --to-destination 192.168.2.2
>
> The rule says: for every packet arriving on my external interface with
> destination port 2812, replace the destination IP with 192.168.2.2.
> (with -d 207.237.37.110 you could specify the external address)

Thank you for this explication. It will help me to understand the
cryptic man page for iptables!

> You obviously did it correctly with port 80 because I see your yellow page
> with all the names. I can also reach port 2812; there comes an htaccess that
> asks me for username and password via SSL.

Good! I will try this from outside the LAN!

Inside the LAN, I still cannot get a connection at 2812. Working
Hypothesis: This is a result of an ICMP redirect at the router
interface.

Is that right?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Just to summarize for reference purposes: my results in Firefox on
192.168.2.3 (from inside my LAN):

http://192.168.2.2
index.html of obliqueuniverse.org, as expected

http://192.168.2.2:80
index.html of obliqueuniverse.org, as expected

http://192.168.2.2:81
http://192.168.2.2:81/login.php (login screen for ISPConfig) as
expected

http://obliqueuniverse.org
prompted for id/password for Dell Truemobile 2300 Broadband Router
web-based administration tool
when I login, I get:
"Duplicate Administrator
This device is managed by 192.168.2.2 currently!!"
If I hit ENTER again, it takes me to the web-based router
administration tool

http://207.237.37.110
same as previous

https://192.168.2.2:2812
Secure Connection Failed
192.168.2.2 uses an invalid security certificate
The certificate is not trusted because it is self-signed.
The certificate is valid only for jupiter.obliqueuniverse.org
(Error code: sec_error_ca_cert_invalid)

https://obliqueuniverse.org:2812
Failed to Connect

https://jupiter.obliqueuniverse.org:2812
Failed to Connect

I still don't understand this last 3 results!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

> > Can you access is with http://207.237.37.110:80 ?

> Yep.

> > However, when I try http://obliqueuniverse.org from inside my LAN, I
> > get an error screen that says:
> > "Duplicate Administrator
> > This device is managed by 192.168.2.2 currently!!"
>
> I have never seen such a stupid message, but I think it's the ICMP redirect
> I described above.

> I also have a hint for you: install tcpdump, or better Wireshark, on your
> computer and sniff the connection while you try to access the external
> IP.

I haven't heard about wireshark. You prefer this to tcpdump? Where
do you get it?

> You will see an ICMP redirect packet (it should be the second or third).

If I were to find this packet, how would I correct the redirect?

> Where have you seen the "Duplicate Administrator" error message? I bet on
> the router itself; then it would be a weird translation of an ICMP
> redirect, but anyway.

I assume this is a message, as you say, from the router itself, since
in some cases, when I hit ENTER again, I get the web interface to the
router administration tool.

Thank you again. Your observations are *extremely* helpful!

Best Regards,
Vwaju
kevin.paulus

(Msg. 10) Posted: Fri Dec 05, 2008 10:50 am
Post subject: Re: monit – can't connect from browser

Vwaju wrote:
> Guten Abend, Burkhard --
>
>>> I can't connect with the canonical name:
>>> https://jupiter.obliqueuniverse.org:2812
>> You don't forward this port; I connected to your public IP and received your
>> Apache welcome page (http://207.237.37.110/apache2-default/). DNS works
>> also.
>
> I have my Dell Truemobile 2300 router configured to forward
> 207.237.37.110:2812 to 192.168.2.2:2812
>
>>> "Failed to Connect"
>>> "Firefox can't established a connection to the server at
>>> jupiter.obliqueuniverse.org:2812"
>> As I said you haven't open this port on your public IP.
>> You'll probably still need a DNAT rule in your iptables configuration.
>
> This is my first encounter with iptables. I looked at the man page,
> and the learning curve looks steep. Without further study, I can't
> tell what the command to create the rule should look like.
>
> Can you advise me on this?
>
> Is there a tutorial on how to use iptables that is perhaps more
> descriptive than the man page?
>> This are your reachable ports from outside:
>>
>> 20/tcp closed ftp-data
>> 21/tcp open ftp
>> 22/tcp open ssh
>> 53/tcp open domain
>> 80/tcp open http
>>
> All of these ports are listed in the port forwarding table for the
> Dell router. I'm not sure why port 20 shows as "closed", since I have
> both ports 20 and 21 forwarded from 207.237.37.110 to the ftp server
> on 192.168.2.2.
>
> Does this also have to do with a DNAT rule in iptables?
>
>>> I notice that I *also* can't connect to the FTP server, Apache, or
>>> ISPConfig using the FQDN.
>>> I can connect *only* using the NAT address 192.168.2.2 (whether from
>>> the Windows machine (192.168.2.3) or another computer running Linux
>>> (192.168.2.5) on my LAN.)
>> Check your name entries via host or nslookup; it should look similar to
>> this:
>>
>> host jupiter.obliqueuniverse.org
>> jupiter.obliqueuniverse.org has address 207.237.37.110
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - -
> On my Windows machine (192.168.2.3), which *does not know* about the
> DNS server on 192.168.2.2:
>
>> nslookup 207.237.37.110
>
> Server: ns2.dns.rcn.net
> Address: 207.172.3.9
>
> Name: obliqueuniverse.org
> Address: 207.237.37.110
>
>> nslookup obliqueuniverse.org
>
> Server: ns2.dns.rcn.net
> Address: 207.172.3.9
>
> Non-authoritative answer:
> Name: obliqueuniverse.org
> Address: 207.237.37.110
> - - - - - - - - - - - - - - - - - - - - - - - - - - -
> On jupiter (192.168.2.2) itself:
>
> # hostname
> jupiter.obliqueuniverse.org
>
> # nslookup 207.237.37.110
>
> Server: 192.168.2.2
> Address: 192.168.2.2#53
>
> 110.37.237.207.in-addr.arpa name = obliqueuniverse.org.
>
> # nslookup obliqueuniverse.org
>
> Server: 192.168.2.2
> Address: 192.168.2.2#53
>
> Name: obliqueuniverse.org
> Address: 207.237.37.110
> - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
>> Try traceroute to 207.237.37.110; you should usually see that your
>> packet goes via your gateway to your server outside, otherwise you need to
>> check your /etc/hosts and/or your local DNS if available.
>
> On 192.168.2.2:
>
> # traceroute 207.237.37.110
> 1 obliqueuniverse.org (207.237.37.110) 0.778 ms 0.726 ms
> 0.654 ms
>
> # traceroute obliqueuniverse.org
> 1 obliqueuniverse.org (207.237.37.110) 0.800 ms 0.721 ms
> 0.648 ms
>
> It looks like you can't run traceroute from Windows XP (or else I just
> don't know how).
> - - - - - - - - - - - - - - - - - - - - - - - - - - -

It's called tracert in Windows!
Vwaju

(Msg. 11) Posted: Fri Dec 05, 2008 11:50 am
Post subject: Re: monit – can't connect from browser
Guten Tag, Burkhard

I am sorry for not responding sooner. I just couldn't get to this
thread yesterday.

> What you could try is to figure out whether you can disable sending ICMP
> redirects (just for testing purposes); it makes more sense to connect
> directly so the router has nothing to do.

Yes.

> It's just practice. You could try Firewall Builder for the first time; there
> you can build your objects and play around with iptables. It can also
> produce a shell script, then you see the whole syntax; maybe it makes it
> clearer. (apt-get install fwbuilder)

Thanks for the tip! I will come back to this. For now I should
probably get to postfix, and get my mail working.

> > Inside the LAN, I still cannot get a connection at 2812. Working
> > Hypothesis: This is a result of an ICMP redirect at the router
> > interface.
>
> > Is that right?
>
> I guess your forward rule in the router says: forward
> packets for port 2812 to 192.168.2.2:443; if this is the case then it is
> the redirect.
> Did you check that the port on the webserver handles SSL on port 2812
> (netstat -ntlp)? If not, then you need to check your ssl.conf (/etc/apache2
> ...), search inside the config file for a "Listen 443" and write above or
> underneath this line "Listen 2812", restart apache and check with netstat
> whether this port is now listening.

I never thought of that!

http on port 80 (207.237.37.110) is forwarded to port 80
(192.168.2.2), but I forgot that https would be on a *different* port!

$ grep '443' /etc/services
https           443/tcp                 # http protocol over TLS/SSL
https           443/udp

$ netstat -ntlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      2215/inetd
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      2215/inetd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2268/mysqld
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      2215/inetd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2215/inetd
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      2475/ispconfig_http
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2644/proftpd: (acce
tcp        0      0 192.168.2.2:53          0.0.0.0:*               LISTEN      2631/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2631/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2631/named
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2614/master
tcp        0      0 0.0.0.0:2812            0.0.0.0:*               LISTEN      2655/monit
tcp6       0      0 :::80                   :::*                    LISTEN      5569/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      2421/sshd
tcp6       0      0 ::1:953                 :::*                    LISTEN      2631/named
tcp6       0      0 :::25                   :::*                    LISTEN      2614/master
tcp6       0      0 :::443                  :::*                    LISTEN      5569/apache2

Here is what I have now:

207.237.37.110:80   forwarded to 192.168.2.2:80   (http)
207.237.37.110:443  forwarded to 192.168.2.2:443  (https)
207.237.37.110:2812 forwarded to 192.168.2.2:2812 (monit)

monit is configured (according to the install instructions) to receive
requests on 2812. However, traffic to monit is through https:

https://192.168.2.2:2812
https://obliqueuniverse.org:2812

Therefore, should I map *all* https traffic to 2812, like this:

207.237.37.110:80   forwarded to 192.168.2.2:80   (http)
207.237.37.110:443  forwarded to 192.168.2.2:2812 (https) ???
207.237.37.110:2812 forwarded to 192.168.2.2:2812 (monit)

> >http://obliqueuniverse.org
> > prompted for id/password for Dell Truemobile 2300 Broadband Router
> > web-based administration tool
> > when I login, I get:
> > "Duplicate Administrator
> > This device is managed by 192.168.2.2 currently!!"
> > If I hit ENTER again, it takes me to the web-based router
> > administration tool
>
> OK, it doesn't sound like an ICMP redirect. Did you log in from your webserver
> to the router, or do you have a check which connects to the router from the
> webserver? It sounds like you, a service or somebody logged in.

I have never logged in to the router from the webserver, as far as I
know. I have always changed the router configuration from 192.168.2.3
(the Windows machine) with the web-based configuration tool (http://
my.router) in Firefox. This problem only appeared in the last 4-5
days, so it must be something I've done recently.

> >https://192.168.2.2:2812
> > Secure Connection Failed
> > 192.168.2.2 uses an invalid security certificate
> > The certificate is not trusted because it is self-signed.
> > The certificate is valid only for jupiter.obliqueuniverse.org
> > (Error code: sec_error_ca_cert_invalid)
>
> >https://obliqueuniverse.org:2812
> > Failed to Connect
>
> >https://jupiter.obliqueuniverse.org:2812
> > Failed to Connect
>
> > I still don't understand this last 3 results!
>
> The first thing is: in your certificate the common name section has
> jupiter.obliqueuniverse.org, but in your address bar is 192.168.2.2; the
> browser checks both entries, detects that they are not the same and
> therefore complains.

O.K.

> For 2 and 3, first check whether you have a listening port 2812 on jupiter
> that is able to speak SSL (I described above how to do that).
>
> Then add the following line to /etc/hosts on your machine:
>
> 192.168.2.2 jupiter.obliqueuniverse.org

I already have this line:

$ cat /etc/hosts

127.0.0.1 localhost.localdomain localhost jupiter

127.0.0.1 localhost.localdomain localhost jupiter
192.168.2.2 jupiter.obliqueuniverse.org jupiter

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

> Now the browser will (should) first check /etc/hosts to resolve
> jupiter.obliqueuniverse.org and will connect directly, but now you have the
> correct name in your address bar that matches your certificate.

From this side of my LAN, still not able to do this.

> (you can also check the common name with openssl x509 -in $YOURCERT -noout
> -subject | grep "CN"; then you should see jupiter.obliqueuniverse.org)

Don't know what $YOURCERT is. Is it supposed to be a variable in my
environment?

$ echo $YOURCERT
<silence>

> I think now you have a login left on the web interface or something similar,
> but it could also be a router software issue. Did you log out correctly
> when you left the admin panel (logout button or something)?

Actually, I don't think I had *ever* logged out from the router -- I
always just closed the browser tab. Now that you mention it, there
*is* a log out button, which I just used. However, it doesn't change
the behavior.

It is Friday afternoon, December 5 here in New York City. I will be
away for the weekend, and probably not able to check this thread again
until Monday. However, I am eager to hear what you have to say.

Have a great weekend!

Vwaju
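Added example (not from the original thread): the forward table and the netstat listing in this post can be cross-checked mechanically, which is the check Burkhard keeps asking for (is something listening on 2812, and on which address?). This Python script parses netstat -ntlp output and then, for each router forward, reports whether a process listens on that port on an address the router can actually reach, whether it is bound to loopback only (so the forward is dead), or whether nothing listens at all; it also flags forwards that expose an admin interface. The netstat text is constructed to mirror the listing above, the forward list repeats the three forwards from this post plus the ports Vwaju says are forwarded elsewhere in the thread (20, 21, 22, 53) and a constructed 3306, and the SENSITIVE table is this example's own assumption.

```python
"""Cross-check a router's port-forward table against what actually listens on the host."""
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port program")

# A socket bound to "::" also accepts IPv4 connections as long as net.ipv6.bindv6only=0
# (assumed here; it was the Debian default).
ANY_ADDR = {"0.0.0.0", "::"}
# Assumption of this example: ports whose exposure to the internet deserves a warning.
SENSITIVE = {2812: "monit admin interface", 81: "ISPConfig admin interface", 22: "ssh"}


def parse_netstat(text):
    """Parse `netstat -ntlp` output into Listener tuples; header and non-LISTEN lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)           # ":::80" -> ("::", "80")
        pid_prog = " ".join(fields[6:]) if len(fields) > 6 else "-"
        program = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog   # drop the PID
        listeners.append(Listener(fields[0], addr, int(port), program))
    return listeners


def audit_forwards(forwards, netstat_text, sensitive=SENSITIVE):
    """For each (external_port, internal_ip, internal_port) router forward, report whether a
    packet the router hands to internal_ip:internal_port will find a listener."""
    listeners = parse_netstat(netstat_text)
    report = {}
    for ext_port, int_ip, int_port in forwards:
        on_port = [l for l in listeners if l.port == int_port]
        reachable = [l for l in on_port if l.addr in ANY_ADDR or l.addr == int_ip]
        if reachable:
            status = "ok (%s)" % ", ".join(sorted({l.program for l in reachable}))
            if int_port in sensitive:
                status += "; WARNING: %s exposed to the internet" % sensitive[int_port]
        elif on_port:
            # something listens, but only on an address the router cannot reach
            status = "bound to %s only" % ", ".join(sorted({l.addr for l in on_port}))
        else:
            status = "no listener"
        report[ext_port] = status
    return report


# Constructed sample, mirroring the netstat listing earlier in this post.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2268/mysqld
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      2475/ispconfig_http
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2644/proftpd
tcp        0      0 192.168.2.2:53          0.0.0.0:*               LISTEN      2631/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2631/named
tcp        0      0 0.0.0.0:2812            0.0.0.0:*               LISTEN      2655/monit
tcp6       0      0 :::80                   :::*                    LISTEN      5569/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      2421/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      5569/apache2
"""

# Forwards from this post (80, 443, 2812), the ones mentioned elsewhere in the thread
# (20, 21, 22, 53) and a constructed 3306 to show the loopback-only case.
FORWARDS = [(80, "192.168.2.2", 80), (443, "192.168.2.2", 443), (2812, "192.168.2.2", 2812),
            (20, "192.168.2.2", 20), (21, "192.168.2.2", 21), (22, "192.168.2.2", 22),
            (53, "192.168.2.2", 53), (3306, "192.168.2.2", 3306)]

if __name__ == "__main__":
    for ext_port, status in sorted(audit_forwards(FORWARDS, NETSTAT_SAMPLE).items()):
        print("%5d -> %s" % (ext_port, status))
```

The port-20 row explains why kevin.paulus' scan reported 20/tcp closed: nothing listens on ftp-data. In active-mode FTP the server opens port 20 outbound towards the client, so there is nothing to forward; passive mode needs the server's passive port range forwarded instead. The 2812 row is the warning Burkhard gives in the next message in code form: the forward works, and that is exactly the problem.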
Burkhard Ott

(Msg. 12) Posted: Sat Dec 06, 2008 10:48 am
Post subject: Re: monit –
On Fri, 05 Dec 2008 11:50:35 -0800, Vwaju wrote:

>> > Inside the LAN, I still cannot get a connection at 2812. Working
>> > Hypothesis: This is a result of an ICMP redirect at the router
>> > interface.
>>
>> > Is that right?

I think so. To make sure you could use a sniffer; if the redirect
packet appears there then you know for sure that it does :-).


> Here is what I have now:
>
> 207.237.37.110:80 forwarded to 192.168.2.2:80
> (http)
> 207.237.37.110:443 forwarded to 192.168.2.2:443 (https)
> 207.237.37.110:2812 forwarded to 192.168.2.2:2812 (monit)

Ah, I see, I probably explained something wrong to you while I thought you
were trying to reach the https socket from apache.
2812 is your standard port for monit, right? OK, if this is the case Apache
SSL shouldn't listen on 2812, so if you have enabled this you need to
disable it.
With netstat you can see the ports that are waiting for
connections; after a monit restart it should listen on 2812 again, check
that with netstat.
You also need to check syslog for errors from monit.
Then usually you can connect to this port via browser.

> monit is configured (according to the install instructions) to receive
> requests on 2812. However, traffic to monit is through https:
>
> https://192.168.2.2:2812
> https://obliqueuniverse.org:2812

> Therefore, should I map *all* https traffic to 2812, like this:

No. Actually, I wouldn't make monit reachable from outside; that's not a good
idea.


> 207.237.37.110:443 forwarded to 192.168.2.2:2812 (https) ???
> 207.237.37.110:2812 forwarded to 192.168.2.2:2812 (monit)

This would work, but then you can't access SSL from apache anymore.
In this case your rules should look like this:
207.237.37.110:80 -> 192.168.2.2:80
207.237.37.110:443 -> 192.168.2.2:443
and for monit
207.237.37.110:2812 -> 192.168.2.2:2812
but again, I wouldn't do that; otherwise, if somebody can fake the
authentication (brute force attack or whatever) he can enable/disable
your configured services from outside, so it's not a good idea.

> I have never logged in to the router from the webserver, as far as I
> know. I have always changed the router configuration from 192.168.2.3
> (the Windows machine) with the web-based configuration tool (http://
> my.router) in Firefox. This problem only appeared in the last 4-5 days,
> so it must be something I've done recently.

Usually this tool only says that an administrator is already logged in, and
if you log in then you kick him out.
When you log out, do you use the logout button (or whatever it has) or do you
only close the browser?

> From this side of my LAN, still not able to do this.

OK, what happens if you use a browser directly on the webserver (lynx or
similar; it's a console-based browser), can you connect? If not, check
port 2812 and see what monit writes in /var/log/syslog; probably there is
still a config error.

> Don't know what $YOURCERT is. Is it supposed to be a variable in my
> environnment?
> $ echo $YOURCERT
> <silence>

Nope, that can't work. You should have a certificate for your SSL
connection, and you replace $YOURCERT with that.

e.g.

Let's assume my cert is in /tmp with the name foo.pem; the syntax would be like
this:

openssl x509 -in /tmp/foo.pem -noout -subject

openssl would now show me the subject line of this certificate; in the CN
section you'll find the name which will be checked by the browser.
The browser compares the name in your address bar with this CN; if it's
different then it screams, because the cert is signed only for the host
you can see in CN. Otherwise you need to renew your cert and make a
wildcard cert so you would have *.obliqueuniverse.org; in this case
every host in the domain obliqueuniverse.org would match.

> Actually, I don't think I had *ever* logged out from the router -- I
> always just closed the browser tab. Now that you mention it, there *is*
> a log out button, which I just used. However, it doesn't change the
> behavior.

Hi hi, that's what I thought. In this case the router software has a bug with
the session: if you use the interface then the router creates a session
and will delete it if you log out. If the software is well coded you would
be automatically logged out if the connection is closed, plus/minus some
minutes.
Most manufacturers don't care about that; it would be a great opportunity
to check out session hijacking, but you can practice that later :-).

> It is Friday afternoon, December 5 here in New York City. I will be
> away for the weekend, and probably not able to check this thread again
> until Monday. However, I am eager to hear what you have to say.

No problem. I think if you want you can also write me an email so we don't
need to post everything here and have Google save everything for us :-).
And as far as I have seen nobody else had interest in our thread.

> Have a great weekend!
You too, but here it snows and rains the whole day, so that's probably the
reason I am sitting in front of the computer at the weekend :-).

ttyl
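Added example (not part of the thread): the name check the browser performed when it said "valid only for jupiter.obliqueuniverse.org", written out in Python so the three certificate options discussed above (the CN-only self-signed cert, the *.obliqueuniverse.org wildcard, and a cert with Subject Alternative Names) can be compared against the three URL hosts Vwaju tried. The certificate dicts are constructed for the example and hold only the name fields; on a real cert the same values come from openssl x509 -in cert.pem -noout -subject -ext subjectAltName (the -ext option needs OpenSSL 1.1.1 or later).

```python
"""Hostname-vs-certificate name matching the way a browser does it (RFC 6125 / RFC 2818 rules)."""
import ipaddress


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match. A wildcard is accepted only as the entire leftmost
    label and matches exactly one label: *.example.org covers www.example.org but not
    example.org or a.b.example.org, and a wildcard directly under the TLD (*.org) is rejected."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, host: str):
    """Return (matched, reason). `cert` has optional keys "cn", "san_dns", "san_ip".
    Rules: an IP literal in the URL matches only an iPAddress SAN; a DNS name matches a
    dNSName SAN; the CN is consulted only when the certificate carries no SAN at all,
    a legacy fallback that current browsers no longer perform."""
    san_dns = cert.get("san_dns") or []
    san_ip = cert.get("san_ip") or []
    if _is_ip_literal(host):
        ip = ipaddress.ip_address(host)
        if any(ip == ipaddress.ip_address(x) for x in san_ip):
            return True, "iPAddress SAN %s" % host
        return False, "%s is an IP literal and no iPAddress SAN matches (CN/dNSName never match an IP)" % host
    if san_dns or san_ip:
        for name in san_dns:
            if dns_name_matches(name, host):
                return True, "dNSName SAN %s" % name
        return False, "no dNSName SAN matches %s (CN is ignored once a SAN is present)" % host
    cn = cert.get("cn", "")
    if cn and dns_name_matches(cn, host):
        return True, "CN %s (legacy fallback, certificate has no SAN)" % cn
    return False, "CN %r does not match %s" % (cn, host)


# Constructed certificates (name fields only, not real certs).
JUPITER_CN_ONLY = {"cn": "jupiter.obliqueuniverse.org"}     # the thread's self-signed cert
WILDCARD_CN_ONLY = {"cn": "*.obliqueuniverse.org"}          # the wildcard suggested above
WITH_SAN = {"cn": "jupiter.obliqueuniverse.org",            # what you would issue today
            "san_dns": ["jupiter.obliqueuniverse.org", "obliqueuniverse.org"],
            "san_ip": ["192.168.2.2"]}
CERTS = {"cn-only": JUPITER_CN_ONLY, "wildcard": WILDCARD_CN_ONLY, "san": WITH_SAN}
# The three hosts from the URLs Vwaju tried.
URL_HOSTS = ["192.168.2.2", "obliqueuniverse.org", "jupiter.obliqueuniverse.org"]


def comparison_table(certs=CERTS, hosts=URL_HOSTS):
    """Map (cert label, host) -> matched, for every cert/host combination."""
    return {(label, host): cert_matches_host(cert, host)[0]
            for label, cert in certs.items() for host in hosts}


if __name__ == "__main__":
    for (label, host), ok in sorted(comparison_table().items()):
        print("%-9s %-30s %-8s %s" % (label, host, "match" if ok else "MISMATCH",
                                      cert_matches_host(CERTS[label], host)[1]))
```

Two things the table makes visible. An IP address in the URL (https://192.168.2.2:2812) never matches a CN or a DNS name, so either the /etc/hosts entry suggested above (so the URL carries the name) or an iPAddress SAN is needed before that URL stops complaining; and the suggested wildcard covers jupiter.obliqueuniverse.org but not the bare obliqueuniverse.org, which is why the third dict lists both names explicitly. Matching the name fixes only that half of the Firefox message; "not trusted because it is self-signed" stays until the certificate is imported into the browser's trust store.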