* RE: Update httpd.conf file: Apache virtualhost not working behind firewall.
From: Chip Upsal @ 2002-12-20 21:36 UTC
To: 'Justin Kay'; +Cc: 'netfilter@lists.netfilter.org'
names...
I doubt it is strictly an Apache problem, as if we remove the firewall and
assign the external IP address to the server it all works well.
-----Original Message-----
From: Justin Kay [mailto:jkay@nwrecc.org]
Sent: Friday, December 20, 2002 2:23 PM
To: 'Chip Upsal'
Subject: RE: Update httpd.conf file: Apache virtualhost not working behind firewall.
Does the server rely on IP addresses or names for the virtual hosts? Sounds
more like an Apache configuration issue than a firewall issue to me...
jk
-----Original Message-----
From: Chip Upsal [mailto:chip@cyberwolf.com]
Sent: Friday, December 20, 2002 12:43 PM
To: 'netfilter@lists.netfilter.org'
Subject: Update httpd.conf file: Apache virtualhost not working behind firewall.
Update:
The format of the conf file has much to do with how the server responds,
specifically the VirtualHost directives. For example:
<VirtualHost 192.168.0.2>
ServerName site4.company.com
ServerAlias site4*
ServerAdmin admin@company.com
DocumentRoot D:/web_root/foo4
ErrorLog logs/site4.cyberwolf.com-error_log
CustomLog logs/site4.cyberwolf.com-access_log common
</VirtualHost>
192.168.0.2 is the internal address of the server; this will make all
requests to this server go to the first virtual root defined in the conf
file.
While if the directives look like:
<VirtualHost *>
ServerName site4.company.com
ServerAlias site4*
ServerAdmin admin@company.com
DocumentRoot D:/web_root/foo4
ErrorLog logs/site4.cyberwolf.com-error_log
CustomLog logs/site4.cyberwolf.com-access_log common
</VirtualHost>
or:
<VirtualHost site4.company.com>
ServerName site4.company.com
ServerAlias site4*
ServerAdmin admin@company.com
DocumentRoot D:/web_root/foo4
ErrorLog logs/site4.cyberwolf.com-error_log
CustomLog logs/site4.cyberwolf.com-access_log common
</VirtualHost>
Then all requests to the server go to the default DocumentRoot.
Any ideas what the NATing in NETFILTER could be doing to the host header?
I updated my iptables to version 1.2.6a with no help.
Chip
-----Original Message-----
From: Chip Upsal
Sent: Thursday, December 19, 2002 6:39 PM
To: netfilter@lists.netfilter.org
Subject: Apache virtualhost not working behind firewall.
I have a Windows 2000 server running Apache 2.0.43 with virtual hosts
behind an iptables firewall doing NAT.
I am running iptables v1.2.5 on a Red Hat 7.3 server.
My NAT and forwarding rules look like:
INET_IP="216.184.9.5"
#HTTP_IP="216.184.9.6"
PWWEB_IP="216.184.9.30"
PWODBC_IP="216.184.9.29"
INET_IFACE="eth2"
LAN_IP="192.168.1.15"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth0"
DMZ_PWWEB_IP="192.168.0.2"
DMZ_PWSQL_IP="192.168.0.3"
DMZ_PWODBC_IP="192.168.0.4"
DMZ_IP="192.168.0.1"
DMZ_IFACE="eth1"
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT
#
# PWWEB
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWWEB_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWWEB_IP \
-j icmp_packets
#
# PWODBC
#
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWODBC_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_PWODBC_IP \
-j icmp_packets
#
# PWWEB
#
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $PWWEB_IP --dport 80 \
-j DNAT --to-destination $DMZ_PWWEB_IP
$IPTABLES -t nat -A PREROUTING -p ICMP -i $INET_IFACE -d $PWWEB_IP \
-j DNAT --to-destination $DMZ_PWWEB_IP
#
# PWODBC
#
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $PWODBC_IP --dport 80 \
-j DNAT --to-destination $DMZ_PWODBC_IP
$IPTABLES -t nat -A PREROUTING -p ICMP -i $INET_IFACE -d $PWODBC_IP \
-j DNAT --to-destination $DMZ_PWOBDC_IP
The problem....
When the server is connected directly to the internet all works well.
However, when it is behind the firewall the virtual hosts are not working
(you can only access the default web site).
Furthermore I am getting the following errors when starting iptables:
[root@iptables init.d]# ./iptables restart
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying iptables firewall rules: [ OK ]
iptables v1.2.5: Unknown arg `--to-destination'
Try `iptables -h' or 'iptables --help' for more information.
[ OK ]
Any ideas on a solution would be most appreciated.
Chip
* Re: Update httpd.conf file: Apache virtualhost not working behind firewall.
From: Andrea Rossato @ 2002-12-21 10:12 UTC
To: netfilter
Chip Upsal wrote:
> I doubt it is strictly an apache problem as if we remove the firewall and
> assign the external ip address to the server it all works well.
If you solved the iptables problem and you are properly forwarding
traffic to the internal box, that's probably an Apache issue: as far as
I understand you are creating a name-based virtual host; Apache should
look in the _http_headers_ to respond with the correct web server name.
(HTTP headers are indeed in packet payloads and iptables will not touch
them when S/DNATting.)
so:
NameVirtualHost 192.168.0.2
<VirtualHost 192.168.0.2>
ServerName site4.company.com
ServerAlias site4*
ServerAdmin admin@company.com
DocumentRoot D:/web_root/foo4
ErrorLog logs/site4.cyberwolf.com-error_log
CustomLog logs/site4.cyberwolf.com-access_log common
</VirtualHost>
Hope that this is going to work (it is working for me, though).
andrea
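The two behaviours described in this thread, Chip's observation that plain <VirtualHost 192.168.0.2> blocks send every request to the first virtual root and Andrea's point that name-based selection reads the Host header out of the HTTP payload, which DNAT never rewrites, can be checked in a small model. The following is an added example, not code from the thread or from Apache; it models Apache 2.0's selection between IP-based and name-based virtual hosts and a netfilter-style DNAT that rewrites only the IP destination. The addresses, ServerName and ServerAlias values are the ones posted above; the second site "site1.company.com" with DocumentRoot D:/web_root/foo1 and the request bytes are constructed for the example, and the main server's own DocumentRoot (the fallback Chip saw with <VirtualHost *>) is not modelled.

```python
"""Added example (not code from the thread): Apache 2.0 vhost selection
behind an iptables DNAT.

IP-based blocks ignore the Host header and serve the first block bound to
the connection's address; NameVirtualHost makes the Host header choose the
block. DNAT changes the IP destination only, so the Host header survives
the firewall unchanged. site1.company.com / D:/web_root/foo1 and the request
text are constructed for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class VHost:
    address: str                   # <VirtualHost addr> argument: an IP or "*"
    server_name: str               # ServerName
    document_root: str             # DocumentRoot
    aliases: list = field(default_factory=list)  # ServerAlias, shell-style globs

    def matches_host(self, host: str) -> bool:
        host = host.lower()
        if host == self.server_name.lower():
            return True
        return any(fnmatchcase(host, a.lower()) for a in self.aliases)


@dataclass
class ApacheConfig:
    vhosts: list                                         # httpd.conf order matters
    name_virtual_host: set = field(default_factory=set)  # NameVirtualHost addrs

    def select(self, dst_ip: str, host_header: str) -> VHost:
        """Return the block Apache serves for a connection to dst_ip."""
        candidates = [v for v in self.vhosts if v.address in (dst_ip, "*")]
        if not candidates:
            raise LookupError("no <VirtualHost> bound to %s" % dst_ip)
        if not ({dst_ip, "*"} & self.name_virtual_host):
            # IP-based: Host header ignored, first block for this address wins.
            # This is the "everything goes to the first virtual root" symptom.
            return candidates[0]
        # Name-based: match Host (port stripped) against ServerName/ServerAlias;
        # no match falls back to the first block for the address.
        host = host_header.split(":", 1)[0]
        for v in candidates:
            if v.matches_host(host):
                return v
        return candidates[0]


def parse_host_header(request: bytes) -> str:
    """Host header value of a raw HTTP/1.x request ('' if absent)."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return ""


def dnat(packet: dict, mapping: dict) -> dict:
    """Netfilter DNAT as a function: rewrite the IP destination, nothing else."""
    return {**packet, "dst": mapping.get(packet["dst"], packet["dst"])}


def http_request(host: str) -> bytes:
    """Constructed request, as a browser sends it for http://host/."""
    return b"GET / HTTP/1.1\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"


# Addresses from the thread: PWWEB_IP outside, DMZ_PWWEB_IP inside the DMZ.
DNAT_MAP = {"216.184.9.30": "192.168.0.2"}

SITE1 = VHost("192.168.0.2", "site1.company.com", "D:/web_root/foo1", ["site1*"])
SITE4 = VHost("192.168.0.2", "site4.company.com", "D:/web_root/foo4", ["site4*"])

# Chip's first layout: IP-based blocks, no NameVirtualHost.
IP_BASED = ApacheConfig(vhosts=[SITE1, SITE4])
# Andrea's layout: the same blocks plus NameVirtualHost 192.168.0.2.
NAME_BASED = ApacheConfig(vhosts=[SITE1, SITE4], name_virtual_host={"192.168.0.2"})


def serve(config: ApacheConfig, packet: dict) -> str:
    """Pass a packet through the firewall, then Apache; return the DocumentRoot."""
    inside = dnat(packet, DNAT_MAP)
    if inside["payload"] != packet["payload"]:
        raise AssertionError("DNAT must not modify the HTTP payload")
    host = parse_host_header(inside["payload"])
    return config.select(inside["dst"], host).document_root


if __name__ == "__main__":
    pkt = {"dst": "216.184.9.30", "payload": http_request("site4.company.com")}
    print("IP-based  :", serve(IP_BASED, pkt))    # D:/web_root/foo1
    print("Name-based:", serve(NAME_BASED, pkt))  # D:/web_root/foo4
```

The same separation is worth making against the real servers before NAT is blamed: from a host inside the DMZ, `curl -H 'Host: site4.company.com' http://192.168.0.2/` exercises only the Apache side and must return site4's content; if it does, `tcpdump -A -i eth1 port 80` on the firewall shows whether the Host header is arriving unchanged after DNAT.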
* Re: Update httpd.conf file: Apache virtualhost not working behind firewall.
From: Chip Upsal @ 2002-12-22 17:06 UTC
To: Andrea Rossato; +Cc: netfilter
I tend to agree... but I have tried all the documented and undocumented
VirtualHost setups I could find. Furthermore, it is bothersome that the
VirtualHosts work fine when the HTTP server is not behind the iptables
firewall.
Andrea Rossato wrote:
> Chip Upsal wrote:
>
>> I doubt it is strictly an Apache problem, as if we remove the firewall
>> and assign the external IP address to the server it all works well.
>
> If you solved the iptables problem and you are properly forwarding
> traffic to the internal box, that's probably an Apache issue: as far
> as I understand you are creating a name-based virtual host; Apache
> should look in the _http_headers_ to respond with the correct web
> server name. (HTTP headers are indeed in packet payloads and iptables
> will not touch them when S/DNATting.)
>
> so:
>
> NameVirtualHost 192.168.0.2
> <VirtualHost 192.168.0.2>
> ServerName site4.company.com
> ServerAlias site4*
> ServerAdmin admin@company.com
> DocumentRoot D:/web_root/foo4
> ErrorLog logs/site4.cyberwolf.com-error_log
> CustomLog logs/site4.cyberwolf.com-access_log common
> </VirtualHost>
>
> Hope that this is going to work (it is working for me, though).
> andrea