Date: Fri, 20 Nov 2009 10:07:27 +0100
From: "Scheithauer, Lars (FH)"
To: "Ian Smith"
Cc: freebsd-jail@freebsd.org, Bastien Semene
Subject: AW: AW: AW: Problem with Apache in Jail

Hi Ian,

> So are you sure that (from outside your environment) the vhost hostname
> resolves to its IP address ok? Does it have a unique public IP address?
> If so, does reverse resolution of that address point to that hostname?

Yes:

# host campus2.fh-heidelberg.de
campus2.fh-heidelberg.de is an alias for www2.fh-heidelberg.de.
www2.fh-heidelberg.de has address 193.197.74.48
# host 193.197.74.48
48.74.197.193.in-addr.arpa domain name pointer www2.fh-heidelberg.de.

> From (right) outside your net, does that IP address respond to pings?
> By IP address as well as by hostname?

Yes.

> Does your apache config specify name-based and/or IP-based virtual
> hosts? There can lurk some dragons ..

I did try name-based, but it's currently just a catch-all (see below).

> If this is a jail issue I've no idea at all, but if the DNS results
> obtained from inside and outside your network perimeter differ, that may
> explain some of what you're seeing. I guess an outside DNS query
> followed by an attempted HTTP connect tracked on tcpdump, perhaps in
> verbose packet-display mode (eg -nXs0) should provide more solid clues?

Ooooookay, now this really makes sense.

Packets sent to the URL don't even reach the jailhost (I can't directly
dump the jail's packets), but packets sent to its IP do... And I can see
packets leaving my client... This is persistent across different browsers.

Any ideas how that is possible?

> Make sure that you're logging both the vhost concerned and the 'default'
> config used if no vhost entry is satisfied, perhaps you'll see something
> there? I specify error.log to catch any of these during vhost setup.

I do, see below.

> You may need to share more of your apache configuration in the hope that
> someone may spot something, once you confirm there are no DNS issues.

---------->>> /usr/local/etc/apache22/httpd.conf <<<----------
ServerRoot "/usr/local"
Listen 80

## modules
# [...]

## MAIN CONFIG
ServerAdmin support@fh-heidelberg.de
ServerName www2.fh-heidelberg.de:80
DocumentRoot "/usr/local/www/apache22/data"

## disable all access, then allow specific services
AllowOverride None
Order deny,allow
Deny from all

## main site, currently just with a testpage
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

DirectoryIndex index.html

## prevent htaccess to be read
Order allow,deny
Deny from all
Satisfy All

## LOGGING
ErrorLog "/var/log/httpd-error.log"
logLevel debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
CustomLog "/var/log/httpd-access.log" combined

## aliases and redirects
ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"

## cgi-bin
AllowOverride None
Options None
Order allow,deny
Allow from all

DefaultType text/plain
TypesConfig etc/apache22/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#AddHandler cgi-script .cgi
#AddHandler type-map var

## Virtual hosts
#Include etc/apache22/extra/httpd-vhosts.conf
Include etc/apache22/vhosts/*
Include etc/apache22/Includes/*.conf

----->>> /usr/local/etc/apache22/vhosts/campus2.fh-heidelberg.de <<<-----
## catch all
NameVirtualHost *:80

ServerAdmin support@fh-heidelberg.de
DocumentRoot "/usr/local/www/apache22/campus2.fh-heidelberg.de"
ServerName campus2.fh-heidelberg.de
ErrorLog "/var/log/apache2/campus2.fh-heidelberg.de_error.log"
CustomLog "/var/log/apache2/campus2.fh-heidelberg.de_access.log" common

Best Regards,
Lars
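
The forward and reverse DNS questions asked in the quoted text can be checked mechanically from `host` output. The following is an added example, not part of the original message: the function names are illustrative, and the sample text is constructed from the `host` output quoted above. It separates a PTR record that matches the queried name from one that matches only the CNAME target, which is the situation here.

```python
import re

# Constructed sample: the `host` output quoted in the message above.
FORWARD = """campus2.fh-heidelberg.de is an alias for www2.fh-heidelberg.de.
www2.fh-heidelberg.de has address 193.197.74.48"""
REVERSE = "48.74.197.193.in-addr.arpa domain name pointer www2.fh-heidelberg.de."

ALIAS = re.compile(r"^(\S+) is an alias for (\S+?)\.?$")
ADDR = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)$")
PTR = re.compile(r"^(\S+)\.in-addr\.arpa domain name pointer (\S+?)\.?$")


def resolve_chain(forward_text, name):
    """Follow CNAME aliases from `name`; return (chain of names, addresses)."""
    aliases, addrs = {}, {}
    for line in map(str.strip, forward_text.splitlines()):
        if m := ALIAS.match(line):
            aliases[m.group(1).lower()] = m.group(2).lower()
        elif m := ADDR.match(line):
            addrs.setdefault(m.group(1).lower(), []).append(m.group(2))
    chain = [name.lower().rstrip(".")]
    while aliases.get(chain[-1]) not in (None, *chain):  # stop on CNAME loops
        chain.append(aliases[chain[-1]])
    return chain, addrs.get(chain[-1], [])


def ptr_names(reverse_text, ip):
    """PTR targets that `host <ip>` output lists for this IPv4 address."""
    want = ".".join(reversed(ip.split(".")))
    hits = (PTR.match(l.strip()) for l in reverse_text.splitlines())
    return [m.group(2).lower() for m in hits if m and m.group(1) == want]


def check(forward_text, reverse_text, name):
    """Per address: 'exact' (PTR is the queried name), 'via-alias' (PTR is a
    later name in its CNAME chain) or 'mismatch' (anything else)."""
    chain, addresses = resolve_chain(forward_text, name)
    verdict = {}
    for ip in addresses:
        ptrs = ptr_names(reverse_text, ip)
        if chain[0] in ptrs:
            verdict[ip] = "exact"
        elif any(p in chain for p in ptrs):
            verdict[ip] = "via-alias"
        else:
            verdict[ip] = "mismatch"
    return verdict
```

Running the same check on `host` output captured inside and outside the network perimeter and comparing the two verdicts shows whether the two views of DNS differ.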