Can't access apache webserver from external IPs with 10.5.5

I've just set up a new install of 10.5.5. I have one website configured on port 443 with SSL enabled. It all works fine internally.

My router forwards external requests on 443 on to the local machine (192.168.5.1) which I can see working as the server's firewall is logging the access as accepted:

Nov 24 19:37:10 server ipfw[4657]: 12308 Accept TCP 82.132.136.215:58095 192.168.5.1:443 in via en0

So neither the router nor the OS X server firewall is blocking the request, but the webserver is not responding. There is no mention of the access request in the apache access or error log.

As mentioned, the server is working perfectly from local IPs on the same subnet. netstat shows this setup for port 443:

tcp46 0 0 *.443 *.* LISTEN

Anyone any ideas on what I can do to diagnose this? I had this working perfectly with OS X client's apache but since installing the server version I have no access from external IPs.

Cheers

Russell

15" MacBook Pro C2D, Mac OS X (10.5)

Posted on Nov 24, 2008 11:41 AM

19 replies

Nov 26, 2008 10:09 AM in response to Camelot

Hi, I don't believe it's a routing problem as the network is very simple and as mentioned, the router/network config hasn't changed, all I've done is installed OS X server rather than client.

But to answer your question, yes, SSH works from external IPs so the routing is definitely working. Also, OS X Server firewall is seeing and allowing the inbound traffic as mentioned, but the apache logs show no mention of the request.

I've looked through the apache config to see if I can spot anything that might be denying external IPs but can't see anything. It's basically a fresh install of OS X 10.5.4, upgraded to 10.5.5, then I configured the web server using Server Admin to be on port 443 and use my SSL certificates, I haven't changed anything else in the config.

Cheers

Russell

Nov 28, 2008 7:08 AM in response to Rath

Hi,
Can you do a port scan from your client to the domain name? If you have a DNS entry for your external IP address to your primary zone then you should get something like the following:
Port Scanning host: external IP address or domain name (example.com)

Open TCP Port: 80 http
Port Scan has completed ...
Similar for Open TCP Port: 443 https

In your port scan use a range like 79 to 81 or 442 to 444 so you get what you are looking for specifically and in short time.


HTH,
Harry

Nov 28, 2008 10:53 AM in response to MrHoffman

Hi, yes, as mentioned above, the firewall isn't the problem. With the OS X firewall disabled it doesn't work, and with it enabled and logging all traffic, it logs the accepted traffic from the external IP to port 443. Just get no response from the web server.

And yes SSL is set up correctly, as it all works fine from local IPs and the exact same setup worked when I was just using OS X client rather than server.

Cheers

Russell

Nov 28, 2008 12:38 PM in response to rh

Hi,
Is there a DNS entry that points traffic on domain name to your server from an external IP? For instance a machine A record for domain name with external IP address within your primary zone?
Is the ISP letting traffic through on port 443? Can you ping your domain name externally?
Can you get to your server externally on port 80?
Does your web server have a site with your domain name the same as your external address?

If port scan shows no port open on 443 then traffic is not directed to your server or your service doesn't have port 443 in the general panel selected and enabled.
Do you have enable SSL in the security panel selected with a certificate available?

Nov 28, 2008 1:50 PM in response to harry-pmsi

Yes, I have external DNS set up correctly pointing to my static IP. I can SSH in successfully from external addresses, just can't get a response from apache.

As mentioned in other threads, if I enable 'log allowed traffic' in the OS X server firewall, it logs a successful attempt on port 443 from the external IP address so traffic is reaching OS X server on port 443 (see the first post in this thread).

So traffic is getting to the server but am getting no response from Apache. I've tried apache on port 80 with no ssl and on port 443 with SSL and no difference.

Internally, I can talk to the server successfully on 443 using SSL. Apache just seems to be ignoring requests from external IP addresses as there is nothing in the access/error log.

I have one site configured. It is configured with the correct DNS name, any IP address and on port 443 with SSL enabled. And it accepts local traffic successfully.

Cheers

Russell

Nov 29, 2008 7:44 PM in response to harry-pmsi

One additional check is to run the following in Terminal

$ telnet www.yourdomain.com 443

once a connection is made: execute

$ HEAD / HTTPS/1.1

You should get back some lines like:

<address>
your domain.com


Sat Nov 29 22:39:31 2008
Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l

</address>

If no connection is made you should get back an error response like connection refused and where.

You can also do this for port 80 using HTTP/1.1
(note HTTP/1.1 will work for both) since you are looking for the Apache 2.2 response.

HTH,
Harry
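
The connect test described above, as an added example that is not part of the original post: a Python probe that separates "refused" from "timed out" and reads any greeting banner the service sends first. The function names and the loopback target in the demo are assumptions of this example.

```python
import socket

# What each outcome says about where the connection stopped.
MEANING = {
    "open": "handshake completed; a service is listening and reachable",
    "refused": "host answered with RST; reachable, but nothing listens on that port",
    "timeout": "no reply to the SYN; dropped inbound, or the reply was lost outbound",
    "error": "local or routing failure before any reply (see detail)",
}

def probe(host, port, timeout=5.0, banner_wait=1.0):
    """Attempt one TCP connect; return (state, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("timeout", "")
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        # SSH-style services send a banner first; HTTPS waits for the client,
        # so an empty banner on 443 is normal.
        sock.settimeout(banner_wait)
        try:
            banner = sock.recv(128).decode("latin-1").strip()
        except OSError:
            banner = ""
    return ("open", banner)

def report(host, ports, **kw):
    """Probe several ports and return one readable line per port."""
    lines = []
    for port in ports:
        state, detail = probe(host, port, **kw)
        lines.append(f"{host}:{port} {state} ({MEANING[state]}) {detail}".rstrip())
    return lines

if __name__ == "__main__":
    # Assumption: in practice, run this from outside the LAN against your
    # own server's public name; loopback is used here so it runs offline.
    print("\n".join(report("127.0.0.1", [22, 443], timeout=3.0)))
```
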

Nov 30, 2008 2:33 AM in response to harry-pmsi

Hi Harry, as expected, telnet server 22 works and responds with

Escape character is '^]'.
SSH-2.0-OpenSSH_5.1

But telnetting to 443 fails to connect after a minute or so and responds with

telnet: connect to address XX.XX.XX.XX: Operation timed out
telnet: Unable to connect to remote host

It may well be something to do with my IP setup. Internally, my network is on 192.168.5.X/255.255.255.0. My server is 192.168.5.1 and also provides internal DNS. Telnet works from internal IPs.

Externally I have a static IP and external DNS requests resolve to this static IP (as I can ssh to myserver.mydomain.com from external addresses and 'host myserver.mydomain.com' returns the correct info).

Perhaps Apache isn't responding because it's seeing a request to the external IP address coming in, but I thought setting the site to respond to address 'any' should overcome this. It worked fine with the client.

Cheers

Russell

Nov 30, 2008 2:37 AM in response to rh

And to check it wasn't OS X's firewall blocking, I pulled the following lines from my log:

Nov 30 10:35:25 server ipfw[30783]: 12300 Accept TCP 213.122.54.29:49621 192.168.5.1:22 in via en0
Nov 30 10:35:30 server ipfw[30783]: 12308 Accept TCP 213.122.54.29:49622 192.168.5.1:443 in via en0

To show the 2 telnet attempts succeeding in getting through the firewall.

Cheers

Russell
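
The comparison made in this thread (firewall log says Accept, Apache log says nothing), as an added example that is not part of the original posts: a Python script that parses ipfw log lines in the format quoted above and lists inbound accepts on port 443 whose source never appears in the Apache access log. The first two ipfw lines are copied from the thread; the third ipfw line and the access-log line are constructed samples, and matching by source IP only (no time window) is a simplification of this example.

```python
import re

IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sipfw\[\d+\]:\s"
    r"(?P<rule>\d+)\s(?P<action>\w+)\s(?P<proto>\w+)\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s(?P<dst>[\d.]+):(?P<dport>\d+)\s"
    r"(?P<dir>in|out)\svia\s(?P<iface>\S+)$"
)
# Common/combined log format: client address is the first field.
ACCESS_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "')

# Lines 1-2 are quoted from the thread; line 3 is a constructed sample.
IPFW_LOG = """\
Nov 30 10:35:25 server ipfw[30783]: 12300 Accept TCP 213.122.54.29:49621 192.168.5.1:22 in via en0
Nov 30 10:35:30 server ipfw[30783]: 12308 Accept TCP 213.122.54.29:49622 192.168.5.1:443 in via en0
Nov 30 10:36:01 server ipfw[30783]: 12308 Accept TCP 192.168.5.20:51000 192.168.5.1:443 in via en0
""".splitlines()

# Constructed sample: only the internal client shows up in Apache's log.
ACCESS_LOG = """\
192.168.5.20 - - [30/Nov/2008:10:36:02 +0000] "GET / HTTP/1.1" 200 1456
""".splitlines()

def parse_ipfw(lines):
    """Yield one dict per line that matches the ipfw log format."""
    for line in lines:
        m = IPFW_RE.match(line.strip())
        if m:
            yield m.groupdict()

def access_clients(lines):
    """Return the set of client addresses seen in the access log."""
    return {m.group("client") for m in map(ACCESS_RE.match, lines) if m}

def unanswered_accepts(ipfw_lines, access_lines, port=443):
    """Inbound accepts to `port` with no access-log entry from that source."""
    seen = access_clients(access_lines)
    return [
        (e["src"], int(e["sport"]), e["ts"])
        for e in parse_ipfw(ipfw_lines)
        if e["action"] == "Accept" and e["dir"] == "in"
        and int(e["dport"]) == port and e["src"] not in seen
    ]

if __name__ == "__main__":
    for src, sport, ts in unanswered_accepts(IPFW_LOG, ACCESS_LOG):
        print(f"{ts}: {src}:{sport} accepted by ipfw, never logged by Apache")
```

A source listed here passed the firewall's inbound rule but never completed a request, so the next place to look is the return path or a filter in front of the listener, not the virtual host configuration.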

Nov 30, 2008 12:46 PM in response to rh

Russell,
Put a machine A record for your domain name within your primary zone DNS pointed to your external IP address (213.122.54.29).
Or else enter your static IP (213.122.54.29) as your website domain to test your connection from external.
The any IP address is reaching your internal web host server. Any is fine.

Also your reverse pointer at your ISP doesn't seem to be right.

Harry
