Question: Apache cannot be accessed externally


I have Ubuntu Server with preinstalled Apache2, Mssql, PHP5. I have installed vTiger CRM and it is available on my localhost and internal IP.

But I cannot reach it using my external IP. I have checked all the settings on my router and they seem to be fine.

This is my netstat -ntlp | grep LISTEN

(No info could be read for "-p": geteuid()=1000 but you should be root.)
tcp        0      0 10.1.0.4:16001          0.0.0.0:*               LISTEN            
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:29131         0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
tcp6       0      0 :::80                   :::*                    LISTEN      
tcp6       0      0 :::22                   :::*                    LISTEN 

ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0d:3a:b3:0e:a1  
          inet addr:10.1.0.4  Bcast:10.1.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:3aff:feb3:ea1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16493 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10379793 (10.3 MB)  TX bytes:7676670 (7.6 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1414 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1414 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:208812 (208.8 KB)  TX bytes:208812 (208.8 KB)

apache2 ports.conf

Listen 80

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

tcpdump -i eth0 port 80

19:08:55.678954 IP 10.1.0.4.36536 > 168.63.129.16.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 27278000 ecr 783042300], length 0
19:08:55.679007 IP 10.1.0.4.36536 > 168.63.129.16.http: Flags [P.], seq 1:204, ack 1, win 229, options [nop,nop,TS val 27278000 ecr 783042300], length 203
19:08:55.729432 IP 168.63.129.16.http > 10.1.0.4.36536: Flags [.], ack 204, win 513, options [nop,nop,TS val 783042305 ecr 27278000], length 0
19:08:55.729458 IP 10.1.0.4.36536 > 168.63.129.16.http: Flags [P.], seq 204:646, ack 1, win 229, options [nop,nop,TS val 27278013 ecr 783042305], length 442
19:08:55.731846 IP 168.63.129.16.http > 10.1.0.4.36536: Flags [P.], seq 1:188, ack 646, win 511, options [nop,nop,TS val 783042305 ecr 27278013], length 187
19:08:55.731878 IP 10.1.0.4.36536 > 168.63.129.16.http: Flags [.], ack 188, win 237, options [nop,nop,TS val 27278013 ecr 783042305], length 0
19:08:55.732685 IP 10.1.0.4.36536 > 168.63.129.16.http: Flags [F.], seq 646, ack 188, win 237, options [nop,nop,TS val 27278014 ecr 783042305], length 0
19:08:55.733574 IP 168.63.129.16.http > 10.1.0.4.36536: Flags [F.], seq 188, ack 647, win 511, options [nop,nop,TS val 783042306 ecr 27278014], length 0
19:08:55.733587 IP 10.1.0.4.36536 > 168.63.129.16.http: Flags [.], ack 189, win 237, options [nop,nop,TS val 27278014 ecr 783042306], length 0
19:09:20.850089 IP 10.1.0.4.36545 > 168.63.129.16.http: Flags [S], seq 718277970, win 29200, options [mss 1460,sackOK,TS val 27284293 ecr 0,nop,wscale 7], length 0
19:09:20.850513 IP 168.63.129.16.http > 10.1.0.4.36545: Flags [S.], seq 228035263, ack 718277971, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 783044817 ecr 27284293], length 0

cat /etc/apache2/sites-available/vtiger.stuffex.com.ua.conf

<VirtualHost *:443>
  ServerAdmin a.redko@stuffex.com.ua
  DocumentRoot /var/www/html/vtiger.stuffex.com.ua/
  ServerName vtiger.stuffex.com.ua
  ServerAlias www.vtiger.stuffex.com.ua
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/server.crt
  SSLCertificateKeyFile /etc/apache2/ssl/server.key
  <Directory /var/www/html/vtiger.stuffex.com.ua/>
    Options FollowSymLinks
    AllowOverride All
  </Directory>
  ErrorLog /var/log/apache2/vtiger.stuffex.com.ua-error_log
  CustomLog /var/log/apache2/vtiger.status.com.ua-access_log common
</VirtualHost>

<VirtualHost *:80>
   ServerName vtiger.stuffex.com.ua
   Redirect permanent / https://vtiger.stuffex.com.ua/
</VirtualHost>

httpd.conf

# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
#   /etc/apache2/
#   |-- apache2.conf
#   |   `--  ports.conf
#   |-- mods-enabled
#   |   |-- *.load
#   |   `-- *.conf
#   |-- conf-enabled
#   |   `-- *.conf
#   `-- sites-enabled
#       `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
#   together by including all remaining configuration files when starting up the
#   web server.
#
# * ports.conf is always included from the main configuration file. It is
#   supposed to determine listening ports for incoming connections which can be
#   customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
#   directories contain particular configuration snippets which manage modules,
#   global configuration fragments, or virtual host configurations,
#   respectively.
#
#   They are activated by symlinking available configuration files from their
#   respective *-available/ counterparts. These should be managed by using our
#   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
#   their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
#   the default configuration, apache2 needs to be started/stopped with
#   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
#   work with the default configuration.


# Global configuration
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the Mutex documentation (available
# at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
#ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
Mutex file:${APACHE_LOCK_DIR} default

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log

#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf


# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

#<Directory /srv/>
#   Options Indexes FollowSymLinks
#   AllowOverride None
#   Require all granted
#</Directory>




# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>


#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

What am I doing wrong?


2
2017-07-17 18:42




1. Use tcpdump to make sure that requests to the public IP actually arrive at the Linux box: tcpdump -i eth0 port 80  2. Check whether your virtual hosts use either wildcards (name-based virtual hosts) or the real external IP address  3. If this does not lead to a solution, please provide the following: * a (probably anonymized) version of your /etc/apache2/sites-available/ files which are symlinked from /etc/apache2/sites-enabled/  * relevant log entries from /var/log/apache2/ - Phillip -Zyan K Lee- Stockmann
Hi, I am adding /etc/apache2/sites-available/ (it is linked to /etc/apache2/sites-enabled/) to my post. My cat vtiger.stuffex.com.ua-error_log is empty - Saasha


Answers:


I would suggest that you change your vhost to be name-based:

  • Replace the IP address with *:443 and add SSL certificates
  • Set the ServerName to your alias minus www.
  • Add a second vhost for http that only redirects to https

This should allow you to use vtiger from the local network and from the outside world, and adds security via https.

Now let's see why your current configuration did not work:

  • tcpdump shows two IP addresses, 10.1.0.4 and 168.63.129.16 - the latter seems to be your external IP address, while the first is the internal one (is that correct?)
  • Your vhost tells the httpd to answer ONLY requests that arrive at 52.178.222.227
  • Presumably all logging went to /var/log/apache2/(access|error)?log

The httpd could not find a matching vhost for the requests (you probably removed the default?) and rejected all requests.


2
2017-07-17 20:11



Hello Phillip, thank you very much for the detailed answer. I configured vtiger.stuffex.com.ua.conf as you said: replaced with port 443 and a new vhost to redirect http to https (see my update in the first post). Is that correct? - Saasha
Exactly, my internal IP is 10.1.0.4, the external one seems to be 168.63.129.16, but my Azure cloud tells me that 52.178.222.227 is my external IP. I am confused - Saasha
I have also added my httpd.conf to the original post - Saasha
I am not sure what Microsoft does with their Azure thing, but it looks like it is a NAT gateway. Anyway: name-based vhosts should work around this problem. - Phillip -Zyan K Lee- Stockmann
but it still doesn't work :( - Saasha
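
Added example (not part of the original thread): a small shell check that compares the ports named in the <VirtualHost> blocks with the sockets actually listening on a non-loopback address. The sample input is copied from the vhost file and netstat output quoted in the question (the netstat output may predate the vhost change), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: which <VirtualHost> ports have no externally reachable listener?

# Sample input copied from the question (vhost file trimmed to the relevant lines).
VHOST_SAMPLE='<VirtualHost *:443>
  ServerName vtiger.stuffex.com.ua
  SSLEngine on
</VirtualHost>
<VirtualHost *:80>
   ServerName vtiger.stuffex.com.ua
   Redirect permanent / https://vtiger.stuffex.com.ua/
</VirtualHost>'

NETSTAT_SAMPLE='tcp        0      0 10.1.0.4:16001          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:29131         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# Ports named in <VirtualHost addr:port> lines read from stdin.
vhost_ports() {
  sed -n 's/^[[:space:]]*<VirtualHost[[:space:]][^>]*:\([0-9][0-9]*\)>.*/\1/p' | sort -un
}

# Ports in LISTEN state on a non-loopback address (netstat -ntl format on stdin).
listening_ports() {
  awk '$6 == "LISTEN" && $4 !~ /^127\./ && $4 !~ /^::1:/ {
         n = split($4, a, ":"); print a[n] }' | sort -un
}

# $1 = vhost config text, $2 = netstat output; prints vhost ports nobody listens on.
missing_ports() {
  open=$(printf '%s\n' "$2" | listening_ports)
  for p in $(printf '%s\n' "$1" | vhost_ports); do
    printf '%s\n' "$open" | grep -qx "$p" || printf '%s\n' "$p"
  done
}

# On a live host: missing_ports "$(cat /etc/apache2/sites-enabled/*.conf)" "$(netstat -ntl)"
echo "vhost ports without a listener: $(missing_ports "$VHOST_SAMPLE" "$NETSTAT_SAMPLE")"
```

On the sample it reports 443: the port 80 vhost redirects every request to https, but nothing in the quoted netstat output listens on 443.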