Mailing List Archive

cannot access pages except from my box
I have Apache 1.3.22 running on my Red Hat Linux (7.1) box, and I have a
strange problem. I cannot access web pages from outside of my box. For
example, if I tell my favorite web browser on my Linux to go to
http://131.212.89.168 I can see my web page just fine. But, if I go to
another machine and do the same, the browser just sits there for awhile
until a timeout occurs and it reports that my ip address is not
responding.
I also tried opening a telnet connection to my ip address on port 80
... similar results.

I believe that my firewall settings are correct, I've even set it so
that it accepts everything that comes to my machine. No luck. I'm
thinking that I have a setting wrong for Apache, or, perhaps, my network
administrator doesn't want me running a web server, though I don't think
that's the problem.

thanks,
Jason

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: cannot access pages except from my box [ In reply to ]
Still sounds like a firewall or possibly a hardware problem. Maybe TCP
wrappers? Take a look at /etc/hosts.allow and /etc/hosts.deny. Can you
ping into the box? Can you ping out from it?

Darren


Re: cannot access pages except from my box [ In reply to ]
Darren wrote:
>
> Still sounds like a firewall or possibly a hardware problem. Maybe TCP
> wrappers? Take a look at /etc/hosts.allow and /etc/hosts.deny. Can you
> ping into the box? Can you ping out from it?
>
> Darren

Yes, I can ping into and out of my box. I can also do other things: I
have an ssh daemon running on tcp port 22, and I can ssh into my box
from different machines (after having written the proper ipchains
firewall rules). Both the /etc/hosts.allow and /etc/hosts.deny files
are empty (except for some comments). What should they contain?

thanks again

RE: cannot access pages except from my box [ In reply to ]
Here's my guess.

You have apache doing DNS lookups on IPs by any chance? Look for this setting and make sure it's commented out: #HostnameLookups On

If it's not... then it's fully possible that your local machine can look itself up (local DNS or /etc/hosts file) and you can browse yourself. But other clients are not reversing DNS properly, and apache will hang on sending the data if it can't look those hosts up.

Re: cannot access pages except from my box [ In reply to ]
"Mohler, Jeff" wrote:
>
> Here's my guess.
>
> You have apache doing DNS lookups on IPs by any chance? Look for this setting and make sure it's commented out: #HostnameLookups On
>
> If it's not... then it's fully possible that your local machine can look itself up (local DNS or /etc/hosts file) and you can browse yourself. But other clients are not reversing DNS properly, and apache will hang on sending the data if it can't look those hosts up.
>

I grep'ed for HostnameLookups and found the line:

HostnameLookups Off (_not_ commented out)

in both httpd.conf and httpd.conf.default. I tried messing with this,
but again, the browser just sits there saying connect: contacting host
131.212.89.168 for awhile, then times out.

One more curious thing: I tried telling the ssh daemon to listen to
port 80 on my Linux box. When I tried logging into my machine from a
different machine, it hung up forever (or at least for several minutes
until I hit Ctrl-c). When I did the same thing to port 79 (as well as
the usual 22) everything worked fine. Interesting.

Re: cannot access pages except from my box [ In reply to ]
If basic access is not the problem then I'm thinking Apache
isn't set up to listen to the right area. Do you have these
set in your httpd.conf?

Port 80
ServerName 131.212.89.168


-=- RuneImp
ImpTech - Web Design, Hosting & Computer Tech
http://imptech.net
rune@imptech.net


Re: cannot access pages except from my box [ In reply to ]
Jason Michelizzi wrote:

> One more curious thing: I tried telling the ssh daemon to listen to
> port 80 on my Linux box. When I tried logging into my machine from a
> different machine, it hung up forever (or at least for several minutes
> until I hit Ctrl-c). When I did the same thing to port 79 (as well as
> the usual 22) everything worked fine. Interesting.

Hanging forever is usually a FW configuration effect - the FW is set to
"drop" the packets. This is the best defence against hackers who try
scanning ports etc. because they don't know how long to wait between
tries. If it were set to "reject" the packets you would get an immediate
"connection refused" and the hacker-prog could try a new port.

So, double-check your FW config. Try changing any "drop" rules to
"reject" and see if the behaviour changes, or add "log" to any drop
rules and then look in the FW log to see if the attempts are logged.

If not that, snoop on the webserver to see if the requests are arriving:

# snoop port 80

should see something...

Rgds,

Owen Boyle.
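
An added example, not part of the original thread or any poster's code: a Python probe that classifies a TCP connect attempt as open, rejected, or silently dropped (the "hang" versus "connection refused" distinction described above) and compares the target port with control ports, as the port 80 versus 79/22 test in this thread does. The function names and result labels are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Classify TCP connect outcomes to tell a silent drop from a reject."""
import errno
import socket
import sys

# Result labels (names chosen for this example).
OPEN = "open"                # handshake completed: something is listening
REJECTED = "rejected"        # immediate "connection refused"
FILTERED = "filtered"        # no answer before the timeout: packets dropped
UNREACHABLE = "unreachable"  # no route to the host or network was reported


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify how it ended."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        # The far end (or a "reject" rule) answered at once.
        return REJECTED
    except (socket.timeout, TimeoutError):
        # Nothing came back at all: the signature of a "drop" rule.
        return FILTERED
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise
    finally:
        sock.close()


def diagnose(results, target):
    """Interpret the target port's state against the control ports.

    results maps port -> label from probe(); target is the port under test.
    """
    state = results[target]
    controls = [s for p, s in results.items() if p != target]
    if state == OPEN:
        return "reachable"
    if state == REJECTED:
        # Host answers, so check the daemon and any local reject rules.
        return "refused"
    if state == UNREACHABLE:
        return "unreachable"
    # Target timed out. If any control port got an answer, the host is up
    # and only this port is being dropped somewhere on the path.
    if any(s in (OPEN, REJECTED) for s in controls):
        return "port-filtered"
    return "host-filtered"


def main(argv):
    if len(argv) < 3:
        print("usage: probe.py HOST TARGET_PORT [CONTROL_PORT ...]")
        return 2
    host, ports = argv[1], [int(p) for p in argv[2:]]
    results = {port: probe(host, port) for port in ports}
    for port, state in results.items():
        print(f"{host}:{port:<5} {state}")
    print("verdict:", diagnose(results, ports[0]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it once from a machine on the server's own segment and once from outside shows whether the drop happens on the host or further along the path.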

Re: cannot access pages except from my box [ In reply to ]
Owen Boyle wrote:
>
> Jason Michelizzi wrote:
>
> > One more curious thing: I tried telling the ssh daemon to listen to
> > port 80 on my Linux box. When I tried logging into my machine from a
> > different machine, it hung up forever (or at least for several minutes
> > until I hit Ctrl-c). When I did the same thing to port 79 (as well as
> > the usual 22) everything worked fine. Interesting.
>
> Hanging forever is usually a FW configuration effect - the FW is set to
> "drop" the packets. This is the best defence against hackers who try
> scanning ports etc. because they don't know how long to wait between
> tries. If it were set to "reject" the packets you would get an immediate
> "connection refused" and the hacker-prog could try a new port.
>
> So, double-check your FW config. Try changing any "drop" rules to
> "reject" and see if the behaviour changes, or add "log" to any drop
> rules and then look in the FW log to see if the attempts are logged.
>
> If not that, snoop on the webserver to see if the requests are arriving:
>
> # snoop port 80
>
> should see something...
>

Does Linux have a snoop utility? I couldn't find one. Solaris does,
right?

I don't think the problem is the firewall. There are no "DENY" rules,
only "ACCEPT" and "REJECT" rules (see below). Again, when I had the ssh
daemon listen to port 80, it didn't work, but when I had it listen to
other well-known ports, I could ssh to my box just fine. I've tried
having Apache listen to port 79 on my box. When I did this, I could
retrieve files just fine by telnetting to port 79 and typing "GET
http://131.212.89.168 HTTP/1.0". I did this both from my machine and
from other machines... and it worked! But not if Apache is on port 80.
I'm beginning to think my network administrator doesn't want me running
a web server....

Here is the input chain of my firewall, if it is helpful:

[root@umd89-168 /root]# ipchains -L input
Chain input (policy ACCEPT):
target  prot  opt     source            destination          ports
ACCEPT  udp   ------  ns.nts.umn.edu    anywhere             domain -> any
ACCEPT  udp   ------  netadm.d.umn.edu  anywhere             domain -> any
ACCEPT  udp   ------  anywhere          anywhere             bootps:bootpc -> bootps:bootpc
ACCEPT  udp   ------  anywhere          anywhere             bootps:bootpc -> bootps:bootpc
ACCEPT  all   ------  anywhere          anywhere             n/a
ACCEPT  tcp   ------  anywhere          anywhere             any -> http
ACCEPT  tcp   ------  anywhere          umd89-168.d.umn.edu  any -> ssh
REJECT  tcp   -y----  anywhere          anywhere             any -> nfs
REJECT  udp   ------  anywhere          anywhere             any -> 0:1023
REJECT  udp   ------  anywhere          anywhere             any -> nfs
REJECT  tcp   -y----  anywhere          anywhere             any -> x11:6009
REJECT  tcp   -y----  anywhere          anywhere             any -> xfs

Re: cannot access pages except from my box [ In reply to ]
Jason Michelizzi wrote:
>
>
> Does Linux have a snoop utility? I couldn't find one. Solaris does
> right?

/usr/sbin/snoop? - you have to be root to run it.

> from other machines... and it worked! But not if Apache is on port 80.
> I'm beginning to think my network administrator doesn't want me running
> a web server....

Then definitely something is blocking port 80 specifically. If you have
a network between your client and server you have to find out what is
blocking port 80 - could be a FW, a bridge, a router... This is not
sounding like an apache problem at all..

Rgds,

Owen Boyle.

Re: cannot access pages except from my box [ In reply to ]
Owen Boyle wrote:
>
> Jason Michelizzi wrote:
> >
> >
> > Does Linux have a snoop utility? I couldn't find one. Solaris does
> > right?
>
> /usr/sbin/snoop? - you have to be root to run it.
>
> > from other machines... and it worked! But not if Apache is on port 80.
> > I'm beginning to think my network administrator doesn't want me running
> > a web server....
>
> Then definitely something is blocking port 80 specifically. If you have
> a network between your client and server you have to find out what is
> blocking port 80 - could be a FW, a bridge, a router... This is not
> sounding like an apache problem at all..

Yep. I just found this (very well-hidden) gem on the web site of the
University's IS department.

<quote>
Access to Personal Web Servers Restricted

To prevent a possible virus flareup, ITSS has restricted inbound access
to Port 80 on certain segments of the UMD campus. This restriction will
stop all access to personal web servers running on these segments. It
will not affect access to the UMD web site or any off-campus web server.

The segments that are restricted (including the Residence Hall areas)
were showing very high bandwidth within the Residence Halls, to/from the
campus, and to/from the commercial Internet. The traffic corresponds
closely to a virus flareup often referred to as "Code Red". Since several
new variants of this virus have appeared, and the default method of
spreading this is through IIS web servers running on port 80, we have
taken this action to protect bandwidth needed to run the mission
critical parts of the UMD campus community.

This filter will be in place until the Code Red virus and variants cease
to take bandwidth needed for mission critical network needs. A useful
website explaining the University of Minnesota requirements for setting
this restriction is: University Network Management Guidelines.
</quote>

Thanks to everyone for your help anyways.

Re: cannot access pages except from my box [ In reply to ]
This just went over my head. But, I'm wondering, can't you run apache on a
different port? If you were able to work something like that out, would
users have to specify yourdomain.com:some_port? Or, could DNS handle that
for you?


Darren


Re: cannot access pages except from my box [ In reply to ]
use the Port directive.

eg:
Port 8080

Listen works for additional ports you want to listen on...

Listen 8080


.............................................
Chad Morland
Sr. UNIX Administrator
InQuent Technologies Inc.
T. 416-645-4554
F. 416-645-3920
www.inquent.com
.............................................



Re: cannot access pages except from my box [ In reply to ]
on 12/21/01 10:24 AM, Darren at backdoc@crotchett.com wrote:

> This just went over my head. But, I'm wondering, can't you run apache on a
> different port? If you were able to work something like that out, would
> users have to specify yourdomain.com:some_port? Or, could DNS handle that
> for you?

I'm a complete newbie to all of this, so someone please correct me if I am
wrong, but from the research I've done recently (in trying to get two
servers set up behind one IP) DNS cannot handle port mapping.

Personally, this seems to be a big omission from the overall workings of the
internet.

I've been trying to figure out how to run two physical servers behind one IP
address. The consensus seems to be that you can't, unless you want to mess
with some complex load-balancing systems, or run a proxy server outside of
your LAN. The only real solution is to get a second routable IP
address--which doesn't fix the particular problem you are having.

One thought: could you set up domain forwarding? Have some ISP set up
yourdomain.com to point at youripaddress:8080 or something? (Or is that
basically dns?)

Again, if this is incorrect, someone please jump in.

-Darrel


Re: cannot access pages except from my box [ In reply to ]
DNS just resolves to IP addresses. It does not tell what port to go to.

You could set up a forwarder, either with an HTTP redirect header, or a
redirect META tag, or even a JavaScript redirect, that sends users from
Port 80 somewhere to Port 8080 on your server. This would actually involve
the client hitting that external site first, then being redirected to your
site on a specific port. However it should be more-or-less transparent to
end users.

-Andelius

RE: cannot access pages except from my box [ In reply to ]
Or you could buy a cheap netgear or such firewall that
has port mapping built in. You assign it the IP address (Internet)
and configure it to remap to a certain IP address based
on port # (on the LAN side of the firewall)

It works great, and it's cheap and easy to set up

George

>-----Original Message-----
>From: Darrel Austin [mailto:daustin@visi.com]
>Sent: Friday, December 21, 2001 11:40 AM
>To: users@httpd.apache.org
>Subject: Re: cannot access pages except from my box
>
>
>on 12/21/01 10:24 AM, Darren at backdoc@crotchett.com wrote:
>
>> This just went over my head. But, I'm wondering, can't you run apache on a
>> different port? If you were able to work something like that out, would
>> users have to specify yourdomain.com:some_port? Or, could DNS handle that
>> for you?
>
>I'm a complete newbie to all of this, so someone please correct me if I am
>wrong, but from the research I've done recently (in trying to get two
>servers set up behind one IP) DNS can not handle port mapping.
>
>Personally, this seems to be a big omission from the overall workings of the
>internet.
>
>I've been trying to figure out how to run two physical servers behind one IP
>address. The consensus seems to be that you can't, unless you want to mess
>with some complex load-balancing systems, or run a proxy server outside of
>your LAN. The only real solution is to get a second routable IP
>address--which doesn't fix the particular problem you are having.
>
>One thought: could you set up domain forwarding? Have some ISP set up
>yourdomain.com to point at youripaddress:8080 or something? (Or is that
>basically dns?)
>
>Again, if this is incorrect, someone please jump in.
>
>-Darrel
>
>
RE: cannot access pages except from my box [ In reply to ]
Three simple letters... NAT ;)


On Fri, 21 Dec 2001, George Gallen wrote:

> Or you could buy a cheap Netgear or such firewall that
> has port mapping built in. You assign it the IP address (Internet)
> and configure it to remap to a certain IP address based
> on port # (on the LAN side of the firewall)
>
> It works great, and it's cheap and easy to set up
>
> George
>
> >-----Original Message-----
> >From: Darrel Austin [mailto:daustin@visi.com]
> >Sent: Friday, December 21, 2001 11:40 AM
> >To: users@httpd.apache.org
> >Subject: Re: cannot access pages except from my box
> >
> >
> >on 12/21/01 10:24 AM, Darren at backdoc@crotchett.com wrote:
> >
> >> This just went over my head. But, I'm wondering, can't you run apache on a
> >> different port? If you were able to work something like that out, would
> >> users have to specify yourdomain.com:some_port? Or, could DNS handle that
> >> for you?
> >
> >I'm a complete newbie to all of this, so someone please correct me if I am
> >wrong, but from the research I've done recently (in trying to get two
> >servers set up behind one IP) DNS can not handle port mapping.
> >
> >Personally, this seems to be a big omission from the overall workings of the
> >internet.
> >
> >I've been trying to figure out how to run two physical servers behind one IP
> >address. The consensus seems to be that you can't, unless you want to mess
> >with some complex load-balancing systems, or run a proxy server outside of
> >your LAN. The only real solution is to get a second routable IP
> >address--which doesn't fix the particular problem you are having.
> >
> >One thought: could you set up domain forwarding? Have some ISP set up
> >yourdomain.com to point at youripaddress:8080 or something? (Or is that
> >basically dns?)
> >
> >Again, if this is incorrect, someone please jump in.
> >
> >-Darrel
> >
> >
>


Re: cannot access pages except from my box [ In reply to ]
Chad Morland wrote:
>
> Three simple letters... NAT ;)
>
> On Fri, 21 Dec 2001, George Gallen wrote:
>
> > Or you could buy a cheap Netgear or such firewall that
> > has port mapping built in. You assign it the IP address (Internet)
> > and configure it to remap to a certain IP address based
> > on port # (on the LAN side of the firewall)
> >
> > It works great, and it's cheap and easy to set up
> >
> > George
> >

Both are interesting ideas, but I don't know if they'd work in my
situation. My problem is that packets sent from somewhere out on the
Internet that are destined for port 80 on my ip address are filtered out
by my service provider. My machine itself is perfectly happy accepting
packets on port 80; the problem seems to be that the extended LAN I'm
hooked to intentionally drops these incoming packets. The solution
would be to address the incoming packets to a different port before they
arrive at the network I'm connected to ... but how? It seems this would
require my having another ip address out there somewhere acting as a
proxy of sorts.

Re: cannot access pages except from my box [ In reply to ]
OK. Could you specify the port? Just tell Apache to listen on another port.
Then, specify the port to your website (ex. www.yourdomain.com:8080). I
wouldn't know how to handle this automatically unless you did the router
suggestion. I have a Linksys router that does that sort of thing. It
works great. But, I understand that putting it on your box would be too
late in the process. It would have to go on the entry point to your
network. And, your admins have already indicated their position on that
idea.

Darren


----- Original Message -----
From: "Jason Michelizzi" <mich0212@d.umn.edu>
To: <users@httpd.apache.org>
Sent: Friday, December 21, 2001 11:13 AM
Subject: Re: cannot access pages except from my box


> Chad Morland wrote:
> >
> > Three simple letters... NAT ;)
> >
> > On Fri, 21 Dec 2001, George Gallen wrote:
> >
> > > Or you could buy a cheap Netgear or such firewall that
> > > has port mapping built in. You assign it the IP address (Internet)
> > > and configure it to remap to a certain IP address based
> > > on port # (on the LAN side of the firewall)
> > >
> > > It works great, and it's cheap and easy to set up
> > >
> > > George
> > >
>
> Both are interesting ideas, but I don't know if they'd work in my
> situation. My problem is that packets sent from somewhere out on the
> Internet that are destined for port 80 on my ip address are filtered out
> by my service provider. My machine itself is perfectly happy accepting
> packets on port 80; the problem seems to be that the extended LAN I'm
> hooked to intentionally drops these incoming packets. The solution
> would be to address the incoming packets to a different port before they
> arrive at the network I'm connected to ... but how? It seems this would
> require my having another ip address out there somewhere acting as a
> proxy of sorts.
>
Re: cannot access pages except from my box [ In reply to ]
I fear that this thread is quickly becoming off-topic for this list
since it no longer has much to do with Apache. Nevertheless, I thought
I'd share a response I received from my sys admin:

<quote>
The standard HTTP port TCP 80 is blocked from routing, but you should be
able to setup the server on TCP 80 for access on your subnet.

Technically, the ResHall systems can use a nonstandard port for HTTP, you
just need to advertise it. For example, use something like TCP 81. Don't
use 8080 as this is a common "alternative" HTTP port and may fall victim to
the port 80 attacks.

The reason for not routing TCP 80 is controlling the Code Red worm, which
is still being seen here and on the Internet.
</quote>
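
The symptom in this thread (requests from the server itself succeed, requests from outside hang until a timeout) comes down to how a TCP connect fails. The sketch below is an added example, not part of the original thread: it classifies one connect attempt and combines a result taken on the server with one taken from outside the subnet. The names `classify_port` and `interpret` are made up for this example, and the demo uses a constructed loopback listener so it runs offline.

```python
import errno
import socket

def classify_port(host, port, timeout=3.0):
    """One TCP connect attempt: 'open', 'refused' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed, something is listening
    except ConnectionRefusedError:
        return "refused"     # RST came back: host reachable, nothing listening
    except socket.timeout:
        return "filtered"    # no answer at all: packets dropped on the way
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"  # a router answered with ICMP unreachable
        raise
    finally:
        sock.close()

def interpret(on_box, off_net):
    """Combine the result seen on the server with one seen from outside."""
    if on_box != "open":
        return "server is not listening on this port; check Port/Listen in httpd.conf"
    if off_net == "open":
        return "reachable from outside"
    if off_net == "filtered":
        return "a device between client and server drops this port"
    return "a device between client and server rejects this port"

if __name__ == "__main__":
    # Constructed demo: a loopback listener stands in for the web server.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    on_box = classify_port("127.0.0.1", port)
    # "filtered" is the off-net result described in the thread (timeout).
    print(port, on_box, "->", interpret(on_box, "filtered"))
    srv.close()
```

Running `classify_port` against both the standard and the alternative port from a machine outside the subnet shows whether only TCP 80 is dropped or the host is unreachable altogether.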

Re: cannot access pages except from my box [ In reply to ]
Jason Michelizzi <mich0212@d.umn.edu> said something to this effect on 12/21/2001:
> Both are interesting ideas, but I don't know if they'd work in
> my situation. My problem is that packets sent from somewhere
> out on the Internet that are destined for port 80 on my ip
> address are filtered out by my service provider. My machine
> itself is perfectly happy accepting packets on port 80; the
> problem seems to be that the extended LAN I'm hooked to
> intentionally drops these incoming packets. The solution would
> be to address the incoming packets to a different port before
> they arrive at the network I'm connected to ... but how? It
> seems this would require my having another ip address out there
> somewhere acting as a proxy of sorts.

Yes, you'd need to set up a machine outside the LAN behind the
firewall; proxy all connections to this machine to your box that
has Apache running on a high port.

Keep in mind that this other box could definitely be running
squid in reverse proxy mode, listening on port 80 and forwarding
to port 8080. That way you'd gain the advantages of a caching
proxy as well...

(darren)

--
Blore's Razor:
Given a choice between two theories, take the one
which is funnier.

RE: cannot access pages except from my box [ In reply to ]
Would the admins allow you to hook up a machine
(at your expense), in front of their firewall that
would do port forwarding for your IP (domain name)
only?

OR, maybe they would change their firewall to not
just kill port 80, but only kill port 80 on machines
that haven't been "authorized" (ie. NON-IIS).

Kinda Deny all except for these.....

This way, yes there will still be bandwidth of the
code-red junk, but at least they (admins) would know
it's not going to infect anyone.

George

>-----Original Message-----
>From: Darren [mailto:backdoc@crotchett.com]
>Sent: Friday, December 21, 2001 12:20 PM
>To: users@httpd.apache.org; mich0212@d.umn.edu
>Subject: Re: cannot access pages except from my box
>
>
>OK. Could you specify the port? Just tell Apache to listen on another port.
>Then, specify the port to your website (ex. www.yourdomain.com:8080). I
>wouldn't know how to handle this automatically unless you did the router
>suggestion. I have a Linksys router that does that sort of thing. It
>works great. But, I understand that putting it on your box would be too
>late in the process. It would have to go on the entry point to your
>network. And, your admins have already indicated their position on that
>idea.
>
>Darren
>
>
>----- Original Message -----
>From: "Jason Michelizzi" <mich0212@d.umn.edu>
>To: <users@httpd.apache.org>
>Sent: Friday, December 21, 2001 11:13 AM
>Subject: Re: cannot access pages except from my box
>
>
>> Chad Morland wrote:
>> >
>> > Three simple letters... NAT ;)
>> >
>> > On Fri, 21 Dec 2001, George Gallen wrote:
>> >
>> > > Or you could buy a cheap Netgear or such firewall that
>> > > has port mapping built in. You assign it the IP address (Internet)
>> > > and configure it to remap to a certain IP address based
>> > > on port # (on the LAN side of the firewall)
>> > >
>> > > It works great, and it's cheap and easy to set up
>> > >
>> > > George
>> > >
>>
>> Both are interesting ideas, but I don't know if they'd work in my
>> situation. My problem is that packets sent from somewhere out on the
>> Internet that are destined for port 80 on my ip address are filtered out
>> by my service provider. My machine itself is perfectly happy accepting
>> packets on port 80; the problem seems to be that the extended LAN I'm
>> hooked to intentionally drops these incoming packets. The solution
>> would be to address the incoming packets to a different port before they
>> arrive at the network I'm connected to ... but how? It seems this would
>> require my having another ip address out there somewhere acting as a
>> proxy of sorts.
>>