George Gallen on 10 May 2006 17:46:08 -0000



RE: [PLUG] Apache server not serving...


No, the 10.x machines talk to the Apache server using the 10.x interface (eth0).
The same server has a second interface (eth1) which is 192.x, which talks to another
   network (internet via a firewall).
 
Apache responds to either NIC, both having different names.
 
I really don't think it's the server or the config setup, as everything else works; just
   images get hung up, and they are not that big either, 100k.
 
George

________________________________

From: plug-bounces@lists.phillylinux.org on behalf of John Von Essen
Sent: Wed 5/10/2006 1:16 PM
To: Philadelphia Linux User's Group Discussion List
Subject: Re: [PLUG] Apache server not serving...



Definitely a firewall/network design issue.

A few things... How does a 10.X machine talk to 192.X machine? My guess is
it goes through the firewall, sounds like your firewall has two internal
nets (a 10.X int and a 192.X dmz).

So the 10.X machine sends a packet through the firewall to the apache
box. Problem is, the apache box is multi-homed to the 10.X network. The
packets will not return to the sender by way of the firewall, instead, it
will just use broadcast info on that second 10.X NIC and return that way.
Packets have to return the same way they came in. Now I can't explain why
it works some of the time, but regardless, something screwy is going on.

Your setup is common, and commonly has issues. My question is: If you are
on a 10.X machine, why would you want to talk to apache on the 192.X? And
if you did want to talk to apache on the 192.X, then why did you
multi-home the apache server in the first place?

When you start playing around with firewalls, and multiple nets, you can
get lost when trying to do too much. Either run the apache box as a true
dmz machine with only a 192 nic, or if you do multi-home it, only talk to
it via the 10.X address from inside your corp network. You can't "easily"
do both...

-John

On Wed, 10 May 2006, George Gallen wrote:

> This has been bugging me for a couple years now...
>
> I have a Redhat server (7.2) that has two NICS (eth0=10.10.) address, the other is a (eth1=192.168).
> call eth0 site1.domain.com and eth1 site2.domain.com
> Our corp network passes an internet IP through a firewall => 192.168 address
> Our internal corp network has the 10.10 addressing.
>
> Apache (1.3.27)
>
> The server works perfectly on the 10.10. Any requests to site1.domain.com work as expected, the
>    HTML code is returned, all .cgi's work, and all images are sent.
>
> When one tries to access the system using the 192.168 side, any requests to site2.domain.com
>    will return the HTML code as expected, and run the .cgi's as expected, however, I never
>    get any of the images.
>
> Now, the strange part. If you look at the access logs, it shows the images as being sent?
>   with the correct time and file size.
>
> I've been assured by our IIT staff that the firewall could not be possibly blocking them.
>
> There are no errors logged anywhere. Can anyone think of anything to check into?
>
> Generally this hasn't been an issue because all of the web stuff that needed to be done externally,
>   did not require images, just the html/cgi pages. But now I'm working on a project with images.
>
> I will have to set up a tcpdump on the eth1 tonight to monitor output to see what is actually being sent.
>
> Yes, I know the OS is old...that won't change, and the Apache is old, but the problem has existed
>    on older versions of apache as well, I don't think upgrading will solve this issue.
>
>
> George Gallen
> Senior Programmer/Analyst
> Accounting/Data Division
> ggallen@slackinc.com
> ph:856.848.1000 Ext 220
>
> SLACK Incorporated - Delivering the best in health care information and education worldwide.
> http://www.slackinc.com
>
>
>
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
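
Added example (not part of the original thread or written by its participants): a small Python model of the return-path situation John describes, where a request reaches the multi-homed host on one NIC and the host's own route lookup sends the reply out the other. The routing table, addresses and flows are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed routing table for a dual-homed host like the one in the thread.
# Prefix lengths, host addresses and the default route are assumptions.
ROUTES = [
    ("10.10.0.0/16", "eth0"),    # connected: internal corp network
    ("192.168.1.0/24", "eth1"),  # connected: firewall-facing network
    ("0.0.0.0/0", "eth1"),       # default route via the firewall
]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: the interface a packet to dst would leave by."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def check_return_path(client_ip, arrival_iface, routes=ROUTES):
    """Compare the NIC a request arrived on with the NIC its reply leaves by."""
    reply_iface = egress_interface(client_ip, routes)
    return {
        "client": client_ip,
        "arrived_on": arrival_iface,
        "reply_leaves_on": reply_iface,
        "asymmetric": reply_iface != arrival_iface,
    }

# Constructed flows: (client source address, interface the request arrived on)
FLOWS = [
    ("10.10.3.20", "eth0"),   # internal client using the 10.x name directly
    ("10.10.3.20", "eth1"),   # internal client sent through the firewall to the 192.x name
    ("203.0.113.7", "eth1"),  # internet client forwarded by the firewall
]

if __name__ == "__main__":
    for client, iface in FLOWS:
        r = check_return_path(client, iface)
        verdict = "ASYMMETRIC: reply bypasses the firewall" if r["asymmetric"] else "symmetric"
        print(f'{client:>12} in={iface} out={r["reply_leaves_on"]}  {verdict}')
```

Only the second flow is flagged: the request came in through the firewall on eth1, but the connected 10.10 route is more specific than the default, so the reply leaves on eth0 and the firewall never sees the return half of the connection.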

