From: Ian Smith
Date: Fri, 20 Nov 2009 23:31:06 +1100 (EST)
To: "Scheithauer, Lars (FH)"
Cc: freebsd-jail@freebsd.org, Bastien Semene
Subject: Re: AW: AW: AW: Problem with Apache in Jail
Message-ID: <20091120224250.L65262@sola.nimnet.asn.au>
In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A99@FHCLUSRV-EX.dcs.fh-heidelberg.de>

On Fri, 20 Nov 2009, Scheithauer, Lars (FH) wrote:

> > So are you sure that (from outside your environment) the vhost hostname
> > resolves to its IP address ok? Does it have a unique public IP address?
> > If so, does reverse resolution of that address point to that hostname?
>
> Yes:
> # host campus2.fh-heidelberg.de
> campus2.fh-heidelberg.de is an alias for www2.fh-heidelberg.de.
> www2.fh-heidelberg.de has address 193.197.74.48
> # host 193.197.74.48
> 48.74.197.193.in-addr.arpa domain name pointer www2.fh-heidelberg.de.

Hi Lars. Same results from here.

> > From (right) outside your net, does that IP address respond to pings?
> > By IP address as well as by hostname?
>
> Yes.

NOT from here, but I can ping its neighbouring DNS server, noticed from:

;; ADDITIONAL SECTION:
dns1.belwue.de.          25303  IN  A  129.143.2.10
dns3.belwue.de.          65090  IN  A  131.246.119.18
dnsfh.fh-heidelberg.de.  81442  IN  A  193.197.74.49

smithi on sola% ping 193.197.74.48
PING 193.197.74.48 (193.197.74.48): 56 data bytes
^C
--- 193.197.74.48 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
smithi on sola% ping 193.197.74.49
PING 193.197.74.49 (193.197.74.49): 56 data bytes
64 bytes from 193.197.74.49: icmp_seq=0 ttl=44 time=359.907 ms
64 bytes from 193.197.74.49: icmp_seq=1 ttl=44 time=365.433 ms
64 bytes from 193.197.74.49: icmp_seq=2 ttl=44 time=363.339 ms
^C
--- 193.197.74.49 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 359.907/362.893/365.433/2.278 ms

So it's not clear that any outside traffic is reaching .48, or if so, that
its responses are getting out, given there's no local firewall. Which
could be the whole problem - this might have nothing to do with apache at
all? HTTP requests to .48 IP send setup packets which are not
acknowledged, so it's never getting far enough to care which hostname was
requested.

Is .49 on the same box? Same interface? Maybe a netstat -nr outside and
inside the jail might indicate something? Where's your gateway?

So .. upstream firewall? Improper routing, either upstream or return
route from that box (or the jail?) for that IP? Stabs in the dark ..

> > Does your apache config specify name-based and/or IP-based virtual
> > hosts? There can lurk some dragons ..
>
> I did try name-based, but it's currently just a catch-all (see below).

On the face of it, it should answer for either hostname, and likely will
when it gets packets through and/or gets responses back :)

> > If this is a jail issue I've no idea at all, but if the DNS results

I'd best stress that; I've never set up a jail, though I've been lurking.

> > obtained from inside and outside your network perimeter differ, that may
> > explain some of what you're seeing. I guess an outside DNS query
> > followed by an attempted HTTP connect tracked on tcpdump, perhaps in
> > verbose packet-display mode (eg -nXs0) should provide more solid clues?
>
> Ooooookay, now this really makes sense.
> Sending packets to the URL doesn't even reach the jailhost (I can't
> directly dump the jail's packages), but sending to its IP does... And I
> can see packets leaving my client... This is persistent across different
> browsers. Any ideas how that is possible?

No. http://193.197.74.48/ is just the same from here of course, and all I
see is setup packets leaving and no response. No upstream firewall/s?

You can't run tcpdump inside a jail as root?

> > Make sure that you're logging both the vhost concerned and the 'default'
> > config used if no vhost entry is satisfied, perhaps you'll see something
> > there? I specify error.log to catch any of these during vhost setup.
>
> I do, see below.

Sure. It's not getting that far, seen from here at least.

Sorry, I'm out of ideas, and have to go out. I'll leave the tail alone in
case somebody else might catch a clue from it.

Good luck, Ian

> > You may need to share more of your apache configuration in the hope that
> > someone may spot something, once you confirm there are no DNS issues.
>
> ---------->>> /usr/local/etc/apache22/httpd.conf <<<----------
> ServerRoot "/usr/local"
> Listen 80
>
> ## modules
> # [...]
>
> ## MAIN CONFIG
> ServerAdmin support@fh-heidelberg.de
> ServerName www2.fh-heidelberg.de:80
> DocumentRoot "/usr/local/www/apache22/data"
>
> ## disable all access, then allow specific services
>
> AllowOverride None
> Order deny,allow
> Deny from all
>
>
> ## main site, currently just with a testpage
>
> Options Indexes FollowSymLinks
> AllowOverride All
> Order allow,deny
> Allow from all
>
>
> DirectoryIndex index.html
>
>
> ## prevent htaccess to be read
>
> Order allow,deny
> Deny from all
> Satisfy All
>
>
> ## LOGGING
> ErrorLog "/var/log/httpd-error.log"
> logLevel debug
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
>
> CustomLog "/var/log/httpd-access.log" combined
>
>
> ## aliases and redirects
>
> ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"
>
>
> ## cgi-bin
>
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
>
>
> DefaultType text/plain
>
> TypesConfig etc/apache22/mime.types
>
> AddType application/x-compress .Z
> AddType application/x-gzip .gz .tgz
>
> #AddHandler cgi-script .cgi
> #AddHandler type-map var
>
>
> ## Virtual hosts
> #Include etc/apache22/extra/httpd-vhosts.conf
> Include etc/apache22/vhosts/*
> Include etc/apache22/Includes/*.conf
>
>
> ----->>> /usr/local/etc/apache22/vhosts/campus2.fh-heidelberg.de <<<-----
> ## catch all
> NameVirtualHost *:80
>
>
> ServerAdmin support@fh-heidelberg.de
> DocumentRoot "/usr/local/www/apache22/campus2.fh-heidelberg.de"
> ServerName campus2.fh-heidelberg.de
> ErrorLog "/var/log/apache2/campus2.fh-heidelberg.de_error.log"
> CustomLog "/var/log/apache2/campus2.fh-heidelberg.de_access.log" common
>
>
> Best Regards,
> Lars
>
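The checks Ian walks through above (forward lookup, reverse lookup, then a raw HTTP request sent to the bare IP with the vhost name in the Host header, which separates Apache's vhost selection from whatever the client happened to resolve) as an added script; it is not part of the thread. It parses host(1) output in the format Lars pasted; the sample lookups are constructed from the names and address in the thread, and the address and port passed to http_head are assumptions.

```python
import re
import socket
# Regexes for the three host(1) output line shapes quoted in the thread.
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)\.$")
ADDR_RE = re.compile(r"^(\S+) has address (\S+)$")
PTR_RE = re.compile(r"^\S+ domain name pointer (\S+)\.$")
# Constructed sample: the forward and reverse lookups pasted in the thread.
SAMPLE_FWD = ("campus2.fh-heidelberg.de is an alias for www2.fh-heidelberg.de.\n"
              "www2.fh-heidelberg.de has address 193.197.74.48\n")
SAMPLE_REV = "48.74.197.193.in-addr.arpa domain name pointer www2.fh-heidelberg.de.\n"

def parse_host_output(text):
    """Return (aliases, addresses, pointers) parsed from host(1) output."""
    aliases, addresses, pointers = {}, {}, []
    for line in text.splitlines():
        if m := ALIAS_RE.match(line):
            aliases[m.group(1)] = m.group(2)
        elif m := ADDR_RE.match(line):
            addresses.setdefault(m.group(1), []).append(m.group(2))
        elif m := PTR_RE.match(line):
            pointers.append(m.group(1))
    return aliases, addresses, pointers

def canonical(name, aliases, hops=8):
    """Follow CNAME aliases to the canonical name; hops bounds alias loops."""
    while name in aliases and hops > 0:
        name, hops = aliases[name], hops - 1
    return name

def check_dns(name, fwd_text, rev_text):
    """Return (address, ptr_ok): where the name resolves, and whether the PTR
    for that address names the queried name or its canonical name."""
    aliases, addresses, _ = parse_host_output(fwd_text)
    _, _, pointers = parse_host_output(rev_text)
    canon = canonical(name, aliases)
    addrs = addresses.get(canon)
    if not addrs:
        return None, False
    return addrs[0], any(p in (name, canon) for p in pointers)

def http_head(ip, hostname, port=80, timeout=5):
    """Connect to ip directly, send the vhost name in Host:; None = no TCP answer."""
    req = f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(req.encode("ascii"))
            return s.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
    except OSError:
        return None
```

A None from http_head against the address the name resolves to, while the DNS check passes, is Ian's case: the fault is before Apache ever sees a Host header.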