Can't access apache webserver from external IPs with 10.5.5

I've just set up a new install of 10.5.5. I have one website configured on port 443 with SSL enabled. It all works fine internally.

My router forwards external requests on 443 on to the local machine (192.168.5.1) which I can see working as the server's firewall is logging the access as accepted:

Nov 24 19:37:10 server ipfw[4657]: 12308 Accept TCP 82.132.136.215:58095 192.168.5.1:443 in via en0

So neither the router nor the OS X server firewall is blocking the request, but the webserver is not responding. There is no mention of the access request in the apache access or error log.

As mentioned, the server is working perfectly from local IPs on the same subnet. netstat shows this setup for port 443:

tcp46 0 0 *.443 *.* LISTEN

Anyone any ideas on what I can do to diagnose this? I had this working perfectly with OS X client's apache but since installing the server version I have no access from external IPs.

Cheers

Russell

15" MacBook Pro C2D, Mac OS X (10.5)

Posted on Nov 24, 2008 11:41 AM

19 replies

Dec 1, 2008 9:24 AM in response to harry-pmsi

Hi Harry, the 212.xxxx address is the remote address I was accessing the server from. My external reverse dns may not be set up correctly but this didn't cause a problem under OS X client.

But to take the DNS out of the equation, I actually have two sites, one on 192.168.5.x subnet (where the server is) and another on 192.168.10.x subnet, connected together over VPN (not using OS X vpn, but vpn directly between the broadband routers at each site). I can ssh from the 10.x subnet to the server no problem, and 10.x machines can use the 192.168.5.1 server DNS so there is no connection/firewall problem.

Also, from either site, server.mydomain.com points to 192.168.5.1 and 192.168.5.1 reverses to server.mydomain.com so DNS is correct.

But the 10.x addresses can no longer access https on the 192.168.5.1 server (similar to external IPs, just no response from the server when telnetting to 443).

Interestingly, I have another machine running https server (non-OS X server) on 192.168.5.2 (same site as the problem server) and I can access that from 10.x network no problem, so the problem is definitely limited to the OS X server machine and most probably the apache config as it doesn't appear to be a firewall problem on OS X server.

To me, it just appears apache is ignoring any request from machines not on its subnet, but I've no idea what in the apache config could do this (or what limitations to look for). I've browsed httpd.config but nothing obvious stands out, but then I'm not really up on apache config.

I will try and make the sites on the same subnet but I'm away on work for a week (was trying to get this access working before going) so doubt I will have time to alter the site setups until I'm back. And even if that solves the connection issue from the second site, I doubt it will help with the external access issue as it won't have changed anything for that.

Cheers

Russell

Dec 16, 2008 2:59 AM in response to rh

OK, for those interested, after a combo update to 10.5.6 on the server, everything is now working as expected. Any IP address can now access the web server.

Thanks to all those who replied trying to solve the issue. Looks like a problem with 10.5.5 server.

Cheers

Russell

Dec 18, 2008 1:50 PM in response to rh

I'm on 10.5.5 server and I have a weird problem that sounds like yours. Here are my symptoms.

I have a bunch of firewalls, but to avoid getting caught up in the specifics, let's say I can point my external IPs to internal addresses, and if I point to the 10.5.5 server the traffic disappears; I can't ssh. If I simply change the internal IP from 192.168.0.3 (xserve) to 192.168.0.2 (macbook), everything is fine.

If I use the internal address 192.168.0.3, ssh works on the xserve directly, just not from the external IP.

Dec 21, 2008 2:52 AM in response to ben@cogs.com

Not sure this is the same issue. I had no trouble with SSH and other services, it was only apache that I couldn't access from machines not on my subnet.

Are you sure the traffic is getting through your firewalls? To check this, I enabled logging all allowed access in OS X's firewall so I could see the access on the OS X machine. My traffic was being allowed through by the OS X firewall, just being ignored after that by apache.

Can you do the same with OS X's firewall to confirm the traffic is reaching the OS X machine?

Cheers

Russell
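
The check described in this thread (log accepted connections in the OS X firewall, then look for the same clients in the Apache access log) can be scripted. The following is an added example, not code from any poster: it assumes the ipfw line format quoted in the first post, an Apache access log in common/combined log format, and a /24 server subnet. All sample lines except the first ipfw line are constructed.

```python
import ipaddress
import re
from collections import Counter

# Matches ipfw "Accept TCP" lines in the format quoted in the thread.
IPFW_RE = re.compile(
    r"ipfw\[\d+\]: \d+ Accept TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) in via \S+"
)
# Client address is the first field of a common/combined log format line.
APACHE_RE = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[")


def unanswered_clients(ipfw_lines, apache_lines, server_net, port=443):
    """Return [(src_ip, accepted_count, on_server_subnet)] for clients the
    firewall accepted on `port` that never appear in the Apache access log."""
    net = ipaddress.ip_network(server_net)
    served = {m.group("src") for line in apache_lines
              if (m := APACHE_RE.match(line))}
    accepted = Counter()
    for line in ipfw_lines:
        m = IPFW_RE.search(line)
        if m and int(m.group("dport")) == port:
            accepted[m.group("src")] += 1
    return sorted(
        (src, n, ipaddress.ip_address(src) in net)
        for src, n in accepted.items() if src not in served
    )


# Constructed sample input: the first ipfw line is the one quoted in the
# thread; every other line is made up for illustration.
IPFW_LOG = """\
Nov 24 19:37:10 server ipfw[4657]: 12308 Accept TCP 82.132.136.215:58095 192.168.5.1:443 in via en0
Nov 24 19:38:02 server ipfw[4657]: 12308 Accept TCP 192.168.10.7:49211 192.168.5.1:443 in via en0
Nov 24 19:38:05 server ipfw[4657]: 12308 Accept TCP 192.168.10.7:49212 192.168.5.1:443 in via en0
Nov 24 19:39:40 server ipfw[4657]: 12308 Accept TCP 192.168.5.20:51002 192.168.5.1:443 in via en0
Nov 24 19:40:11 server ipfw[4657]: 12308 Accept TCP 192.168.5.20:51003 192.168.5.1:22 in via en0
""".splitlines()
APACHE_LOG = """\
192.168.5.20 - - [24/Nov/2008:19:39:40 +0000] "GET / HTTP/1.1" 200 1432
""".splitlines()

if __name__ == "__main__":
    for src, n, local in unanswered_clients(IPFW_LOG, APACHE_LOG, "192.168.5.0/24"):
        print(f"{src}: {n} accepted, none logged by Apache, on server subnet: {local}")
```

If every unanswered client is off the server's subnet while on-subnet clients are served, the packets are reaching the host and the fault lies between the firewall and Apache, which matches the symptom reported here.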
