Old 10-06-2009, 05:16 AM   #1
slack---line
Member
 
Registered: Jul 2003
Location: Sheffield, UK
Distribution: Gentoo/Slackware10.0@AthlonXP2600, 1Gb RAM; Slackware9.1@Dell Latitude X300; Gentoo@Ultra10
Posts: 48

Rep: Reputation: 15
Apache DNS not recognised - config help requested


Hi,

Just finishing off setting up a server, and am having trouble getting Apache to recognise the domain name I've been assigned (statsmail.trentcancer.nhs.uk).

Initially I was getting the following errors in the logs...

Code:
[Tue Oct 06 08:26:38 2009] [notice] SIGUSR1 received.  Doing graceful restart
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for
ServerName
So I added 'ServerName statsmail.trentcancer.nhs.uk' to /etc/apache2/httpd.conf and also /etc/apache2/apache2.conf, and restarted the server and the error message has gone...

Code:
[Tue Oct 06 08:26:38 2009] [notice] SIGUSR1 received.  Doing graceful restart
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for
ServerName
[Tue Oct 06 08:26:38 2009] [notice] Apache/2.2.11 (Ubuntu) configured -- resuming normal operations
[Tue Oct 06 09:27:55 2009] [notice] caught SIGTERM, shutting down
[Tue Oct 06 09:27:55 2009] [notice] Apache/2.2.11 (Ubuntu) configured -- resuming normal operations
[Tue Oct 06 10:06:02 2009] [notice] caught SIGTERM, shutting down
[Tue Oct 06 10:06:03 2009] [notice] Apache/2.2.11 (Ubuntu) configured -- resuming normal operations
But connections just time out now when I point the browser at the address, despite the fact I can see it on localhost (i.e. 127.0.1.1).

I think I'm missing something in the configuration though because Apache doesn't appear to be listening on the Foreign Address as netstat shows...

Code:
root@miles:/etc/apache2# netstat  netstat -a -tcp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:www                   *:*                     LISTEN      3368/apache2   
tcp        0      0 localhost:ipp           *:*                     LISTEN      3556/cupsd     
tcp        0      0 *:smtp                  *:*                     LISTEN      29230/master   
tcp        0      1 miles.local:45380       statsmail.trentcanc:www SYN_SENT    28248/firefox   
tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      2160/sshd
Any pointers on where I might have gone wrong would be appreciated (can post config files if required). Feels like I'm so close, but not quite there!

Cheers

slack
 
Old 10-06-2009, 06:29 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
tcp 0 0 *:www *:* LISTEN 3368/apache2
apache listens on all the available interfaces as it's shown by the "*" in the netstat output. I guess you have to add an entry in /etc/hosts like this:
Code:
x.x.x.x statsmail.trehtcancer.nhs.uk
where x.x.x.x is your ip.
 
Old 10-06-2009, 08:04 AM   #3
slack---line
Member
 
Registered: Jul 2003
Location: Sheffield, UK
Distribution: Gentoo/Slackware10.0@AthlonXP2600, 1Gb RAM; Slackware9.1@Dell Latitude X300; Gentoo@Ultra10
Posts: 48

Original Poster
Rep: Reputation: 15
Forgot to add that I'd seen that mentioned in another thread in these forums and have the following already in there...

Code:
10.211.48.240   statsmail.trentcancer.nhs.uk
Restarted apache and still no dice.

There's no firewall in place on the local machine either...

Code:
root@miles:/etc/apache2# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
But this computer has been placed in a DMZ, and strangely the IP address that ifconfig reports is not the same as that which www.whatismyipaddress.com reports and I've been told the computer is configured as (purposefully omitted loopback btw)...

Code:
root@miles:/etc/apache2# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:14:22:b0:9e:c7 
          inet addr:192.168.2.22  Bcast:192.168.7.255  Mask:255.255.248.0
          inet6 addr: fe80::214:22ff:feb0:9ec7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1500493 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93528 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:284352007 (284.3 MB)  TX bytes:9113800 (9.1 MB)

I've been told the computer's been set up with DNS as statsmail.trentcancer.nhs.uk and nslookup reports a different IP associated with this address (it's reporting the same as www.whatismyipaddress.com)

Code:
root@miles:/etc/apache2# nslookup statsmail.trentcancer.nhs.uk
Server:      194.72.7.142
Address:   194.72.7.142#53

Non-authoritative answer:
Name:   statsmail.trentcancer.nhs.uk
Address: 10.211.48.240

The DNS administrator here at the place I work has told me that port 80 isn't blocked at all (nor is 25), although given he doesn't appear to have read 80% of each of the emails I've sent him I get the impression he's not too up to speed on what I'm trying to do or how to set it up properly at his end.
 
Old 10-06-2009, 08:23 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
So the ip of the box is 192.168.2.22. Can you access http://192.168.2.22 from the same box running apache?
If you can, I guess it's a problem with ip_forwarding from 10.211.48.240 --> 192.168.2.22 assuming that there is no firewall in between.
 
Old 10-06-2009, 08:34 AM   #5
slack---line
Member
 
Registered: Jul 2003
Location: Sheffield, UK
Distribution: Gentoo/Slackware10.0@AthlonXP2600, 1Gb RAM; Slackware9.1@Dell Latitude X300; Gentoo@Ultra10
Posts: 48

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bathory
So the ip of the box is 192.168.2.22. Can you access http://192.168.2.22 from the same box running apache?
If you can, I guess it's a problem with ip_forwarding from 10.211.48.240 --> 192.168.2.22 assuming that there is no firewall in between.

Ah ha, I think you're onto something bathory.

I can indeed access http://192.168.2.22/ on the machine itself.

How do I go about getting the forwarding set up?

Would it be an entry in /etc/hosts that maps one to another? (My suspicion is it's not since /etc/hosts is traditionally for mapping names to IP addresses, no?)

Is forwarding of one IP address to another an aspect of the DMZ? Since the 10.211.48.240 is what this appears to the outside world, whilst within the DMZ the server thinks it's 192.168.2.22?
 
Old 10-06-2009, 08:42 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
If everything is setup correctly in your router, you can access your server from outside your 192.168.2 network using its public ip 10.211.48.240. Try it from a computer in dmz and see what you get.
 
Old 10-06-2009, 09:02 AM   #7
slack---line
Member
 
Registered: Jul 2003
Location: Sheffield, UK
Distribution: Gentoo/Slackware10.0@AthlonXP2600, 1Gb RAM; Slackware9.1@Dell Latitude X300; Gentoo@Ultra10
Posts: 48

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bathory
If everything is setup correctly in your router, you can access your server from outside your 192.168.2 network using its public ip 10.211.48.240. Try it from a computer in dmz and see what you get.

I'm not sure I have access to a computer on the DMZ, that itself is separate from the rest of the network here (IT are based in another building in the city).

I've contacted the guy who registered the DNS though and have asked (well basically told him, as the impression I get is that he knows less than I do, being cynical, but probably a M$-Windoze flunky) that the forwarding of requests to 10.211.48.240 isn't making it to 192.168.2.22 within the DMZ, because everything works on the server itself but not when the FQDN is used.
 
Old 10-06-2009, 09:18 AM   #8
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
If you don't need your server to be accessible outside from your network, then ask the dns guy to change the ip in the dns to 192.168.2.22 and change the entry in your /etc/hosts accordingly.

Regards
 
Old 10-06-2009, 09:44 AM   #9
slack---line
Member
 
Registered: Jul 2003
Location: Sheffield, UK
Distribution: Gentoo/Slackware10.0@AthlonXP2600, 1Gb RAM; Slackware9.1@Dell Latitude X300; Gentoo@Ultra10
Posts: 48

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bathory
If you don't need your server to be accessible outside from your network, then ask the dns guy to change the ip in the dns to 192.168.2.22 and change the entry in your /etc/hosts accordingly.

Regards

I don't think I can do that as I can't telnet to 192.168.2.22 (or 10.211.48.240 for that matter) from my computer here at work (nor ping either address) and my understanding is that the DMZ is isolated from the rest of the network.

I'll see what the IT/DNS guy comes back with, cheers for your help so far (got to head home and take my sick cat to the vets now though).

slack

Last edited by slack---line; 10-06-2009 at 09:47 AM.
 
Old 10-06-2009, 10:44 AM   #10
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
FYI, 192.168.2.22 would NEVER be accessible to the outside world as this is an RFC 1918 private/reserved IP address. It may not be routed. If you are using a NAT-DMZ (Network Address Translation DMZ) they will need to forward requests for 10.211.48.240 to 192.168.2.22. Alternatively, they can place you on another subnet with direct internet access and the machine may be reconfigured as 10.211.48.240. (If you choose the latter route, I do suggest setting up a firewall at that time unless they will continue to keep you behind the corporate firewall.)
 
Old 10-06-2009, 11:15 PM   #11
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,356

Rep: Reputation: 2751
See http://en.wikipedia.org/wiki/IP_address: ip range 10.0.0.0 - 10.255.255.255 is also a reserved range.
I couldn't nslookup or ping 194.72.7.142 : is that a private server?
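
Added example, not from any poster in this thread: a Python sketch that compares the address on the server's NIC with the DNS answer for its name, using the ifconfig and nslookup values from post #3, and reports whether an upstream device has to forward traffic (the situation described in posts #10 and #11). The function names `rfc1918_block` and `triage` and the verdict strings are made up for illustration.

```python
import ipaddress

# The three RFC 1918 private ranges (not routed on the public Internet).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918_block(addr):
    """Return the RFC 1918 block containing addr, or None if it is not private."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in RFC1918 if ip in n), None)


def triage(iface_addr, iface_mask, dns_answer):
    """Compare the address bound to the server's NIC with the DNS answer for its name."""
    iface = ipaddress.ip_interface(f"{iface_addr}/{iface_mask}")
    target = ipaddress.ip_address(dns_answer)
    result = {
        "local_network": str(iface.network),
        "iface_block": rfc1918_block(iface_addr),
        "dns_block": rfc1918_block(dns_answer),
    }
    if target == iface.ip:
        # The name resolves to the NIC itself: no translation involved.
        result["verdict"] = "direct"
    elif target in iface.network:
        # On-link but not this NIC: an alias is missing or another host owns it.
        result["verdict"] = "same-subnet"
    else:
        # Different network: a router/firewall must NAT or forward to the NIC.
        result["verdict"] = "needs-forwarding"
    return result


if __name__ == "__main__":
    # Values copied from the ifconfig and nslookup output in post #3.
    report = triage("192.168.2.22", "255.255.248.0", "10.211.48.240")
    for key, value in report.items():
        print(f"{key:14} {value}")
```

A "needs-forwarding" verdict with both addresses in RFC 1918 blocks means the server's own Apache, /etc/hosts and iptables settings cannot fix reachability; the forwarding rule lives on the device between the two networks.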
 
Old 10-07-2009, 10:40 AM   #12
slack---line
Member
 
Registered: Jul 2003
Location: Sheffield, UK
Distribution: Gentoo/Slackware10.0@AthlonXP2600, 1Gb RAM; Slackware9.1@Dell Latitude X300; Gentoo@Ultra10
Posts: 48

Original Poster
Rep: Reputation: 15
Right, cheers for the pointers guys.

There is another set of firewalls in place that I was completely unaware of and it does appear as though port-forwarding isn't established correctly.

I've taken the computer out of the DMZ, put it on the local intranet and can access web-pages fine.

Apparently the people in charge of this extra firewall are "looking into the problem" (i.e. someone's not in work today and I have to wait until they are back tomorrow before it can be fixed!).

Cheers for the help/pointers, kind of glad to know that it's not anything I did!

slack
 
  

