George Gallen on 11 May 2006 13:07:50 -0000



RE: [PLUG] Apache server not serving...


no. the problem is when someone on the internet talks to the machine on
its 192. port via the company firewall, then, only images have issues;
the html pages and the cgi all execute without problems.

If 10.x clients communicate with the server on the 10.x port, there are
no problems whatsoever.

at no time would a 10.x client communicate to the 192.x port. It's not
comcastically possible.

George

> -----Original Message-----
> From: plug-bounces@lists.phillylinux.org
> [mailto:plug-bounces@lists.phillylinux.org]On Behalf Of John Von Essen
> Sent: Wednesday, May 10, 2006 2:03 PM
> To: Philadelphia Linux User's Group Discussion List
> Subject: RE: [PLUG] Apache server not serving...
> 
> 
> You said when the 10.X client talks to apache using the 192
> address, that's when you have the image issue. When a 10.X host talks to
> another 10.X host (that happens to be multi-homed) - then there will be no
> issue, there is no routing, everything is broadcast.
> 
> The issue is when a 10.X host talks to the apache host via its 192
> address. In this case, the 10.X nic on apache host will
> NOT be used. The default gateway is used on the client side to determine
> how to route to a 192 address, so you reach the apache box via the 192
> NIC.
> 
> Here's the problem, even though your packet gets routed to the 192 NIC of
> the apache host, the packet still contains data reflecting origination
> from a 10.X network. Why is this a problem? Because the apache server sees
> that 10.X data in the packet and says, "Hey, I'm multi-homed on the 10.X,
> so I'll send my response through my 10.X nic." Problem is packet data has
> to return the same way it came in. Apache's response has to go back out
> through the gateway - which is on the 192.
> 
> This is why multi-homing gets tricky.
> 
> This really isn't a "bug" on anyone's part, it's just how things work. If
> you continue to multi-home the apache server, the solution is you have to
> talk to it via the 10.x address when coming from your internal machines,
> and simply just can't use the 192 address.
> 
> -John
> 
> 
> On Wed, 10 May 2006, George Gallen wrote:
> 
> > no the 10.x machines talk to the apache server using the 10.x interface (eth0)
> > the same server has a second interface (eth1) which is 192.x which talks to another
> >    network (internet via a firewall).
> >
> > Apache responds to either nic both having different names.
> >
> > I really don't think it's the server or the config setup, as everything else works, just
> >    images get hung up, and they are not that big either 100k.
> >
> > George
> >
> > ________________________________
> >
> > From: plug-bounces@lists.phillylinux.org on behalf of John Von Essen
> > Sent: Wed 5/10/2006 1:16 PM
> > To: Philadelphia Linux User's Group Discussion List
> > Subject: Re: [PLUG] Apache server not serving...
> >
> >
> >
> > Definitely a firewall/network design issue.
> >
> > A few things... How does a 10.X machine talk to 192.X machine? My guess is
> > it goes through the firewall, sounds like your firewall has two internal
> > nets (a 10.X int and a 192.X dmz).
> >
> > So the 10.X machine sends a packet through the firewall to the apache
> > box. Problem is, the apache box is multi-homed to the 10.X network. The
> > packets will not return to the sender by way of the firewall, instead, it
> > will just use broadcast info on that second 10.X NIC and return that way.
> > Packets have to return the same way they came in. Now I can't explain why
> > it works some of the time, but regardless, something screwy is going on.
> >
> > Your setup is common, and commonly has issues. My question is: If you are
> > on a 10.X machine, why would you want to talk to apache on the 192.X? And
> > if you did want to talk to apache on the 192.X, then why did you
> > multi-home the apache server in the first place?
> >
> > When you start playing around with firewalls, and multiple nets, you can
> > get lost when trying to do too much. Either run the apache box as a true
> > dmz machine with only a 192 nic, or if you do multi-home it, only talk to
> > it via the 10.X address from inside your corp network. You can't "easily"
> > do both...
> >
> > -John
> >
> > On Wed, 10 May 2006, George Gallen wrote:
> >
> > > This has been bugging me for a couple years now...
> > >
> > > I have a Redhat server (7.2) that has two NICs (eth0=10.10.) address, the other is a (eth1=192.168).
> > > call eth0 site1.domain.com and eth1 site2.domain.com
> > > Our corp network passes an internet IP through a firewall => 192.168 address
> > > Our internal corp network has the 10.10 addressing.
> > >
> > > Apache (1.3.27)
> > >
> > > The server works perfectly on the 10.10. Any requests to site1.domain.com work as expected, the
> > >    HTML code is returned, all .cgi's work, and all images are sent.
> > >
> > > When one tries to access the system using the 192.168 side, any requests to site2.domain.com
> > >    will return the HTML code as expected, and run the .cgi's as expected, however, I never
> > >    get any of the images.
> > >
> > > Now, the strange part. If you look at the access logs, it shows the images as being sent?
> > >   with the correct time and file size.
> > >
> > > I've been assured by our IIT staff that the firewall could not be possibly blocking them.
> > >
> > > There are no errors logged anywhere. Can anyone think of anything to check into?
> > >
> > > Generally this hasn't been an issue because all of the web stuff that needed to be done externally,
> > >   did not require images, just the html/cgi pages. But now I'm working on a project with images.
> > >
> > > I will have to set up a tcpdump on the eth1 tonight to monitor output to see what is actually being sent.
> > >
> > > Yes, I know the OS is old...that won't change, and the Apache is old, but the problem has existed
> > >    on older versions of apache as well, I don't think upgrading will solve this issue.
> > >
> > >
> > > George Gallen
> > > Senior Programmer/Analyst
> > > Accounting/Data Division
> > > ggallen@slackinc.com
> > > ph:856.848.1000 Ext 220
> > >
> > > SLACK Incorporated - Delivering the best in health care information and education worldwide.
> > > http://www.slackinc.com
> > >
> > >
> > >
> > 
> 
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
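An added illustration, not code from the thread or from either poster: a small model of how Linux picks the egress interface for a reply, showing John's asymmetric-return case (a request arrives on the 192 NIC from a 10.x client, the answer leaves via eth0) and how a source-based policy rule, the iproute2 "ip rule ... lookup <table>" mechanism noted in the comments, sends replies from the 192 address back out eth1. The addresses, gateway, interface names and table number are constructed assumptions, not George's real configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    dev: str                        # egress interface
    via: Optional[str] = None       # next hop; None means directly connected

def lookup(table, dst):
    """Longest-prefix match on the destination, as a plain kernel route lookup does."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

# Constructed topology: eth0 = 10.10.0.0/16 (corp LAN), eth1 = 192.168.1.0/24 (firewall side),
# default gateway assumed to be the firewall at 192.168.1.1.
MAIN = [
    Route(ipaddress.ip_network("10.10.0.0/16"), "eth0"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "eth1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth1", via="192.168.1.1"),
]
# Models these iproute2 commands (assumed available on the host):
#   ip route add default via 192.168.1.1 dev eth1 table 100
#   ip rule add from 192.168.1.10 lookup 100
TABLES = {
    "main": MAIN,
    "100": [Route(ipaddress.ip_network("0.0.0.0/0"), "eth1", via="192.168.1.1")],
}
RULES = [(ipaddress.ip_network("192.168.1.10/32"), "100")]

def reply_egress(src, dst, rules=()):
    """Interface used to answer a request the host received on local address `src`
    from client `dst`. `rules` are (source prefix, table) pairs consulted before main,
    which is how source-based policy routing keeps the reply on the inbound NIC."""
    src = ipaddress.ip_address(src)
    for src_prefix, table in rules:
        if src in src_prefix:
            hit = lookup(TABLES[table], dst)
            if hit:
                return hit.dev
    return lookup(TABLES["main"], dst).dev

if __name__ == "__main__":
    # 10.x client reaches the 192 address: destination-only routing answers out eth0
    print(reply_egress("192.168.1.10", "10.10.5.7"))         # eth0 (asymmetric)
    print(reply_egress("192.168.1.10", "10.10.5.7", RULES))  # eth1 (back the way it came)
```

Replies to internet clients already leave via eth1 in this model because the default route points there; the policy rule is what fixes the internal-client case John describes.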