John Von Essen on 10 May 2006 18:03:35 -0000



RE: [PLUG] Apache server not serving...


You said when the 10.X client talks to apache using the 192
address, that's when you have the image issue. When a 10.X host talks to
another 10.X host (that happens to be multi-homed), then there will be no
issue; there is no routing, everything is broadcast.

The issue is when a 10.X host talks to the apache host via its 192
address. In this case, the 10.X nic on the apache host will
NOT be used. The default gateway is used on the client side to determine
how to route to a 192 address, so you reach the apache box via the 192
NIC.

Here's the problem: even though your packet gets routed to the 192 NIC of
the apache host, the packet still contains data reflecting origination
from a 10.X network. Why is this a problem? Because the apache server sees
that 10.X data in the packet and says, "Hey, I'm multi-homed on the 10.X,
so I'll send my response through my 10.X nic." Problem is, packet data has
to return the same way it came in. Apache's response has to go back out
through the gateway - which is on the 192.

This is why multi-homing gets tricky.

This really isn't a "bug" on anyone's part, it's just how things work. If
you continue to multi-home the apache server, the solution is you have to
talk to it via the 10.x address when coming from your internal machines,
and simply can't use the 192 address.

-John
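The routing decision John describes, as an added example that is not part of this thread (addresses and interface names are assumed, not George's real ones): a longest-prefix lookup over the server's main table shows why a reply to a 10.x client leaves eth0 even when the request arrived on eth1, and a source-based policy rule (iproute2 `ip rule` style, a fix that goes beyond what the thread proposes) shows how replies sourced from the 192 address can be pinned to the firewall-facing NIC.

```python
import ipaddress

# Constructed main routing table for the multi-homed server (assumed addresses):
# eth0 on 10.10.0.0/16, eth1 on 192.168.1.0/24, default gateway 192.168.1.1 via eth1.
MAIN = [
    ("10.10.0.0/16",   None,          "eth0"),
    ("192.168.1.0/24", None,          "eth1"),
    ("0.0.0.0/0",      "192.168.1.1", "eth1"),
]

def lookup(dst, table=MAIN):
    """Longest-prefix match: return (gateway, interface) for dst, or None if unroutable."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])

def reply_path(client_ip, arrived_on, table=MAIN):
    """Which NIC the server's reply leaves on, and whether that differs from the ingress NIC."""
    route = lookup(client_ip, table)
    if route is None:
        raise ValueError("no route to %s" % client_ip)
    gw, dev = route
    return {"arrived_on": arrived_on, "reply_via": dev, "gateway": gw,
            "asymmetric": dev != arrived_on}

# Policy routing (assumed fix, not from the thread): packets sourced from the server's
# 192 address consult a table whose only route is the default via the firewall on eth1.
TABLE_DMZ = [("0.0.0.0/0", "192.168.1.1", "eth1")]
RULES = [("192.168.1.10/32", TABLE_DMZ)]   # (source selector, table); checked before main

def reply_path_policy(client_ip, arrived_on, server_src, rules=RULES):
    """Same decision, but select the routing table by the reply's source address first."""
    src = ipaddress.ip_address(server_src)
    for selector, table in rules:
        if src in ipaddress.ip_network(selector):
            return reply_path(client_ip, arrived_on, table)
    return reply_path(client_ip, arrived_on)

if __name__ == "__main__":
    # The failing case from the thread: a 10.x client reaches the 192 NIC via the firewall.
    print(reply_path("10.10.5.20", "eth1"))                          # reply leaves eth0
    print(reply_path_policy("10.10.5.20", "eth1", "192.168.1.10"))   # reply stays on eth1
```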


On Wed, 10 May 2006, George Gallen wrote:

> no the 10.x machines talk to the apache server  using the 10.x interface (eth0)
> the same server has a second interface (eth1) which is 192.x which talks to another
>    network (internet via a firewall).
>
> Apache responds to either nic, both having different names.
>
> I really don't think it's the server or the config setup, as everything else works, just
>    images get hung up, and they are not that big either 100k.
>
> George
>
> ________________________________
>
> From: plug-bounces@lists.phillylinux.org on behalf of John Von Essen
> Sent: Wed 5/10/2006 1:16 PM
> To: Philadelphia Linux User's Group Discussion List
> Subject: Re: [PLUG] Apache server not serving...
>
>
>
> Definitely a firewall/network design issue.
>
> A few things... How does a 10.X machine talk to a 192.X machine? My guess is
> it goes through the firewall; sounds like your firewall has two internal
> nets (a 10.X int and a 192.X dmz).
>
> So the 10.X machine sends a packet through the firewall to the apache
> box. Problem is, the apache box is multi-homed to the 10.X network. The
> packets will not return to the sender by way of the firewall; instead, it
> will just use broadcast info on that second 10.X NIC and return that way.
> Packets have to return the same way they came in. Now I can't explain why
> it works some of the time, but regardless, something screwy is going on.
>
> Your setup is common, and commonly has issues. My question is: If you are
> on a 10.X machine, why would you want to talk to apache on the 192.X? And
> if you did want to talk to apache on the 192.X, then why did you
> multi-home the apache server in the first place?
>
> When you start playing around with firewalls, and multiple nets, you can
> get lost when trying to do too much. Either run the apache box as a true
> dmz machine with only a 192 nic, or if you do multi-home it, only talk to
> it via the 10.X address from inside your corp network. You can't "easily"
> do both...
>
> -John
>
> On Wed, 10 May 2006, George Gallen wrote:
>
> > This has been bugging me for a couple years now...
> >
> > I have a Redhat server (7.2) that has two NICs: one (eth0) has a 10.10. address, the other (eth1) is a 192.168 address.
> > call eth0 site1.domain.com and eth1 site2.domain.com
> > Our corp network passes an internet IP through a firewall => 192.168 address
> > Our internal corp network has the 10.10 addressing.
> >
> > Apache (1.3.27)
> >
> > The server works perfectly on the 10.10. Any requests to site1.domain.com work as expected, the
> >    HTML code is returned, all .cgi's work, and all images are sent.
> >
> > When one tries to access the system using the 192.168 side, any requests to site2.domain.com
> >    will return the HTML code as expected, and run the .cgi's as expected, however, I never
> >    get any of the images.
> >
> > Now, the strange part. If you look at the access logs, it shows the images as being sent?
> >   with the correct time and file size.
> >
> > I've been assured by our IIT staff that the firewall could not possibly be blocking them.
> >
> > There are no errors logged anywhere. Can anyone think of anything to check into?
> >
> > Generally this hasn't been an issue because all of the web stuff that needed to be done externally
> >   did not require images, just the html/cgi pages. But now I'm working on a project with images.
> >
> > I will have to set up a tcpdump on eth1 tonight to monitor output to see what is actually being sent.
> >
> > Yes, I know the OS is old...that won't change, and the Apache is old, but the problem has existed
> >    on older versions of apache as well, I don't think upgrading will solve this issue.
> >
> >
> > George Gallen
> > Senior Programmer/Analyst
> > Accounting/Data Division
> > ggallen@slackinc.com
> > ph:856.848.1000 Ext 220
> >
> > SLACK Incorporated - Delivering the best in health care information and education worldwide.
> > http://www.slackinc.com
> >
> >
> >
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug