Getting timeout when accessing port 80 - apache

I'm using the new Azure cloud app and I have created a new VM with ubuntu 14.04.
I installed apache2 and some common modules (like php5).
Well, after that, I configured my app, but when I tried to access it, the browser shows "Timeout" (using Chrome). The "ping" maps the hostname to the IP address but it doesn't get any response (I suppose that ping is disabled by default).
At first I thought it was my app, so I only set the default apache settings in the "sites-enabled" folder (the one with the static html page that comes with apache).
But the same happens, so I checked the usual things like firewall, iptables rules, etc. But I always get the same result :/
This is not my first server, but I'm not able to think of another option, so I just want to check what you guys think the problem could be.
iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw status
Status: inactive
default settings in the sites-enabled folder (I erased the comment lines)
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1654/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 34899/postgres
tcp 0 0 x2.x2.x2.x2:16001 (other ip diff from server's ip) 0.0.0.0:* LISTEN 937/python
tcp6 0 0 :::80 :::* LISTEN 48801/apache2
tcp6 0 0 :::22 :::* LISTEN 1654/sshd
telnet ip 80 (from my pc)
Connecting To x.x.x.x 80...Could not open connection to the host, on port 80
: Connect failed
telnet localhost 80
Connected to localhost.
Escape character is '^]'.
exit
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Not Implemented</title>
</head><body>
<h1>Not Implemented</h1>
<p>exit to / not supported.<br />
</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at x3.x3.x3.x3 Port 80</address>
</body></html>
Connection closed by foreign host.
The IPs x2.x2.x2.x2 and x3.x3.x3.x3 have the same value but they aren't equal to the server IP. (At least it isn't the same IP value I use to connect to the VM by ssh.)

Sounds like it might be an endpoint. By default when you create a virtual machine in the Azure portal, endpoints for Remote Desktop, Windows PowerShell Remoting, and Secure Shell (SSH) are automatically created.
You will have to go into the Azure portal to configure additional endpoints.
Each endpoint has a public and a private port. Public is used for outside requests/traffic coming into the VM through the load balancer. Private is used by the VM for incoming traffic to route to the proper port/app.
Here is a link to the Azure help article that talks about setting up endpoints:
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/

Related

Virtualbox not port forwarding port 8080 but other ports are ok

I am running Ubuntu 18.04 on my VirtualBox and my host machine is a Mac. There is a service active on port 8080 on the VM but I have port forwarded that to my host the same way that I have done it for other ports via Settings -> Network -> Port Forwarding. I have confirmed that other ports are properly port forwarded as I can actually see a different webpage hosted on port 5000. (And port 22 is working as that's how I SSH to my VM.) I am not able to see a webpage when I visit http://127.0.0.1:8080 or http://localhost:8080
My problem is that I am not sure why I'm having trouble with port 8080, where my Vue app is running. After running the command "yarn serve", I get:
App running at:
- Local: http://localhost:8080/ (copied to clipboard)
[19:11:02] Server listening on localhost:8080
Some of the things I've checked are:
Firewall:
sudo ufw status
Status: inactive
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Running nmap on VM shows:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
5000/tcp open upnp
5432/tcp open postgresql
8080/tcp open http-proxy
Running nmap on host machine shows:
PORT STATE SERVICE
22/tcp open ssh
5000/tcp open upnp
5001/tcp open commplex-link
5050/tcp open mmcc
8000/tcp open http-alt
8080/tcp open http-proxy
If I do curl localhost:5000 from host I get what is expected but if I do curl localhost:8080 I get
curl: (56) Recv failure: Connection reset by peer
Note: doing curl on both ports 5000 and 8080 returns information as expected from Ubuntu VM.
What's my problem?
If this is off topic please redirect me. I've tried posting on stackexchange network engineering but it doesn't even have the virtualbox tag.
I ended up running the project on my host and it worked straight away. I also created a new Vue app on the VM and was able to view the webpage from the host's browser. My guess is that the project that couldn't be seen on the host browser is also using other services running on different ports which I have not port forwarded. Although this is just my guess.

HTTPS traffic doesn't work with VPN and Proxy

I have:
VPN server (SoftEther), to which I connected.
IP Tables rules to send all traffic from VPN to Proxy server.
Proxy server (Java). I use LittleProxy https://github.com/adamfisk/LittleProxy. It doesn't intercept HTTPS traffic.
All these items connected like this:
VPN client ===> VPN server ===> Proxy server ===> Internet
HTTP traffic works fine, but HTTPS doesn't.
When I try to go to https://google.com, I see an error in Chrome:
This site can't provide a secure connection
When I connect the browser directly to the Proxy server, HTTPS works fine.
When I connect only to the VPN server, HTTPS works fine.
The same problem appears if I switch the VPN to OpenVPN.
After sniffing traffic I identified that HTTPS requests are trying to go via the HTTP protocol to an HTTPS address. It seems to be some issue with redirects, since when I just go to www.google.com, after 2 redirects (generated by Google) I am able to reach Google via HTTPS, but when I enter https://google.com I get the error.
In Wireshark I got a 400 error:
Expert Info (Warning/Security): Unencrypted HTTP protocol detected over encrypted port, could indicate a dangerous misconfiguration.
My IP Tables rules:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- ip-192-168-200-0.ec2.internal/24 anywhere tcp dpt:http to:172.31.64.145:9090
DNAT tcp -- ip-192-168-200-0.ec2.internal/24 anywhere tcp dpt:https to:172.31.64.145:9090
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- ip-192-168-200-0.ec2.internal/24 anywhere
MASQUERADE all -- ip-192-168-200-0.ec2.internal anywhere
Where 172.31.64.145:9090 is the IP of the Proxy server.
The VPN server and Proxy server run on the same AWS instance.
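The PREROUTING rules above hand the raw TLS bytes destined for port 443 to a listener that only understands HTTP, which is exactly what the Wireshark warning is reporting. The following added example (not part of the question or of LittleProxy) shows what such a listener receives: it builds a real ClientHello with Python's ssl module through a memory BIO (no network traffic), extracts the SNI host name the way a transparent proxy would have to in order to forward HTTPS, and classifies the first bytes of a connection as HTTP or TLS. The server name passed in is a constructed sample.

```python
import ssl
import struct

def client_hello_bytes(server_name):
    """Produce a real TLS ClientHello for server_name with OpenSSL via a memory
    BIO (constructed sample input; nothing is sent on the network)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:      # ClientHello written, waiting for the server
        pass
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the SNI host name from a TLS ClientHello record, or None."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None                   # not a Handshake record / not a ClientHello
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")     # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")  # extensions block
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:             # server_name: list_len(2) type(1) len(2) name
            name_len = int.from_bytes(ext[3:5], "big")
            return ext[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def classify_first_bytes(data):
    """Tell what a plain-HTTP listener (like the proxy on :9090) is handed."""
    if data.startswith(HTTP_METHODS):
        return "http"                 # an HTTP proxy can parse and forward this
    if sni_from_client_hello(data):
        return "tls"                  # raw TLS: an HTTP parser answers 400
    return "unknown"
```

A transparent path for port 443 must either tunnel the TLS bytes untouched to the host named in the SNI or terminate TLS itself; DNAT'ing them into an HTTP-only port does neither.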

EC2 port 80: Connection refused

I'm doing a GET request to my EC2 instance, but I'm getting the following error:
80: Connection refused
These are the security rules of my instance:
Ports Protocol Source launch-wizard-1
80 tcp 0.0.0.0/0 ✔
22 tcp 177.32.53.207/32 ✔
What's wrong with these rules? Why can't I access port 80?
EDIT
I attached my apache conf file (/etc/apache2/apache2.conf) in this url, since it's too big to post all the code here.
EDIT2
When I run netstat -ntlp | grep LISTEN
I get this:
(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN
What is the source of your connection request? Are you attempting to access your instance from outside of Amazon or from a different EC2 instance in the same availability zone? Are you supplying an IP address or a DNS name as the argument to your connecting code?
Keep in mind that AWS EC2 uses SDN (software defined networking), which doesn't work quite like the classical TCP/IP routing that you may be expecting from using Linux, or other OSes, on bare metal systems (or even on VMs using more traditional networking).
Ultimately you will probably want to allocate an "elastic IP" (EIP) from AWS and bind it to your web server instance. Then route your requests to that IP address. (Often you'd also create a DNS entry, perhaps through Amazon's "Route53" service, to use a name rather than the address.)
It's possible to get to your instance from within and from outside their network. But you have to use the Amazon-generated DNS name to do so; then, because they use split-horizon, your clients will get the correct (internal or external) IP address.
Also you have to consider the security settings on your VPC (virtual private cloud) network(s) as well as those you've applied to your instance.
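Both this thread and the Azure thread above turn on the difference between a timeout and a refused connection. The following added example (not from either thread) classifies a TCP connect the way the answers reason about it: "open" means a listener completed the handshake, "refused" means a host sent back a RST (the packet arrived, but nothing listens on that IP and port), and "timeout" means nothing answered at all, which points at a filter in front of the VM such as an unconfigured Azure endpoint or an AWS security group. The throwaway listener and the closed port are constructed for the demo.

```python
import socket
import threading

# Added example: classify a TCP connect attempt the way the answers above reason
# about it. "open" = handshake completed, a process is listening; "refused" = a
# RST came back, so the packet reached a host but nothing listens on that
# IP:port; "timeout" = no answer at all, i.e. filtered before the host
# (unconfigured Azure endpoint, AWS security group/NACL, upstream firewall).
def probe(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:                  # no route, DNS failure, ...
        return "error: %s" % exc

def start_listener(host="127.0.0.1"):
    """Throwaway listener constructed for the demo; returns (socket, port)."""
    srv = socket.socket()
    srv.bind((host, 0))                     # port 0: let the kernel pick one
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                 # listener closed, stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def free_port(host="127.0.0.1"):
    """Pick a port nothing listens on, to show what 'refused' looks like."""
    s = socket.socket()
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    srv, port = start_listener()
    print("listening port ->", probe("127.0.0.1", port))        # open
    print("closed port    ->", probe("127.0.0.1", free_port()))  # refused
    srv.close()
```

Run from inside the VM and from outside: "open" locally with "timeout" from outside is the Azure-endpoint pattern, while "refused" from outside means the request reached a host, so check which address the client resolved.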

SSL Will not Authenticate for domain of

I am running an Ubuntu 12.04 server with Apache 2.2 and OpenSSL 1.01(recent). I am attempting to serve a self signed certificate across for HTTPS browsing. The server is also running webmin, and a tomcat application server.
Currently HTTPS requests do not work for the primary server, returning an ERR_CONNECTION_REFUSED.
I am currently using virtual hosts to specify locations for HTTPS connections. HTTPS only works for my webmin portal and not for any other location on the webserver. I had assumed this was a port conflict between miniserv and apache, however there doesn't appear to be any conflict that I can determine. I have checked for other possible webservers that may be using SSL (such as jetty or nginx) but there doesn't appear to be any.
Is there any way to determine which services are associated with which ports? Failing that, is there any way to determine which services are currently using SSL?
Thanks in advance.
To find out which services are listening on SSL run:
netstat -tulpn | grep :443
It will generate output like:
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1607/https
It sounds like it could also be a conflict in the way you have set up SSL for the virtual hosts. Often vhost config can be a bit funny if you're sharing the same certificate for multiple vhosts.
Edit:
Also another good one for finding what is using a given port is:
lsof -i :443 | grep LISTEN
Which generates output as:
httpd 1132 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3084 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3312 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3555 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)
httpd 3593 apache 5u IPv6 22762080 0t0 TCP *:https (LISTEN)

SSL connection for website hosting under THTTPD

All,
I have a website which can be accessed fine via HTTP on port 86. Now it is required to add SSL to secure the connection. This website is served with the thttpd web server which, yes, has no SSL support. I then searched a lot on Google. The suggestions are to add SSL to thttpd through Stunnel.
UPDATED:
Here is my stunnel.conf:
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
fips = no
; PID is created inside the chroot jail
pid = /stunnel.pid
; Debugging stuff (may be useful for troubleshooting)
;debug = 7
;output = stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
[https]
accept = 443
connect = 86
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
Here is the result I got:
linux-1ryy:/usr/local/etc/stunnel # /usr/local/bin/stunnel
Clients allowed=500
stunnel 4.56 on i686-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [https]
Certificate: /usr/local/etc/stunnel/stunnel.pem
Certificate loaded
Key file: /usr/local/etc/stunnel/stunnel.pem
Private key loaded
Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
DH initialized with 1024-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Configuration successful
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Closing service [https]
Service [https] closed (FD=7)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 10 block(s), 883 data byte(s), 420 control byte(s)
Here is the port listening information before running /usr/local/bin/stunnel:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
And here is the port listening information after running it:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 23145/stunnel
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
I have no idea now what is going wrong. Any suggestions will be appreciated.
ADDED:
If I turn off the firewall, I can access via https://<my-ip-address> successfully. However, I still keep getting this error message:
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Wondering why...
As can be seen from the netstat there is already a stunnel process on port 443 (pid=10833) (and another on port 8443, pid=11191), and that's why starting another stunnel process on port 443 fails with
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)