LinuxQuestions.org


debian_dummy 11-24-2004 07:54 PM

Redirects to subdomain on LAN using FQDN not working from Internet
 
We are trying to add a sub domain and a 2nd webserver to our existing 1 domain name and 1 webserver setup IP 203.219.xx.xx port 80
We can reach and surf the subdomain and 2nd webserver from the Internet by using the IP address and port number
We cannot reach and surf the subdomain and 2nd webserver from the Internet when using the FQDN eg: sandbox.ourdomain.dom
The message from the browser is attempting to contact 192.168.0.50 and the browser eventually times out.
The subdomain correctly resolves back to our static IP (203.219.xx.xx)

How can we fix this ?

A more complete explanation is below. I have used ourdomain.dom to represent our primary IIS webserver and subdomain.ourdomain.dom for our 2nd webserver/sub domain. The 2nd webserver is Apache 1.3 on Debian Sarge

Existing

ourdomain.dom - resolves to 203.219.xx.xx - is served by our IIS webserver running on port 80
This setup works fine and has done so for a number of years.

Future

subdomain.ourdomain.dom - resolves to 203.219.xx.xx - is redirected by our IIS server to 192.168.0.50 port 8090 running Apache 1.3 webserver

We used Host headers in IIS to run the multiple websites.

HOST headers for ourdomain.dom

IP Address        TCP port    Host Header name
All unassigned    port 80     ourdomain.dom
All unassigned    port 80     www.ourdomain.dom
All unassigned    port 80     203.219.xx.xx


HOST Headers for subdomain.ourdomain.dom
IP Address        TCP port    Host Header name
All unassigned    port 80     subdomain.ourdomain.dom


In IIS, to setup the subdomain website we did the following

1) created the website subdomain.ourdomain.dom
2) selected the Home Directory tab
3) select "A redirection to a URL " Redirect to http://192.168.0.50:8090
4) selected 2 options in The client will be sent to: section
- The exact URL entered above (turning this on and off makes no difference)
- A permanent redirection for this resource.

We can reach and surf the Apache webserver from the Internet by using the IP address and port number eg: 203.219.xx.xx:8090

When we use the FQDN of sandbox.ourdomain.dom we cannot reach the Apache server.

The message from the browser is attempting to contact 192.168.0.50
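
What a browser receives under the IIS "A redirection to a URL" setting described above, as an added example that is not part of the original post: a redirect tells the client to open the address in the Location header itself, so that address has to be reachable from wherever the client sits. The response text below is constructed and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a permanent redirect whose target is the LAN address
# entered in the redirect setting (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://192.168.0.50:8090/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_redirect(raw):
    """Return (status_code, location) from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def unroutable_redirect(raw):
    """Explain why an Internet client cannot follow the redirect, or return None."""
    status, location = parse_redirect(raw)
    if status not in REDIRECT_CODES or not location:
        return None
    host = urlsplit(location).hostname
    if host is None:
        return None  # relative redirect: the client stays on the public host
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname; resolving it needs DNS, which is not done here
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return (f"{status} redirect sends the client to {addr}, "
                "which is not routable from the Internet")
    return None


if __name__ == "__main__":
    print(unroutable_redirect(SAMPLE_RESPONSE))
```

The same check can be run over saved response headers from a front-end server to find redirects that hand internal addresses to outside clients.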

debian_dummy 11-24-2004 08:03 PM

Here is our httpd.conf file. Please note I had to remove a lot of the commented lines so I was below the permitted message length for posts in this forum. This is our exact httpd.conf less comments

## httpd.conf -- Apache HTTP server configuration file

### Section 1: Global Environment

#
# ServerType is either inetd, or standalone. Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot /etc/apache

LockFile /var/lock/apache.lock

PidFile /var/run/apache.pid

ScoreBoardFile /var/run/apache.scoreboard

TimeOut 300

KeepAlive on

KeepAliveTimeout 15

MinSpareServers 5
MaxSpareServers 20

StartServers 5

MaxClients 150

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#

Listen 192.168.0.50:8090
Listen 127.0.0.1:8090

#
# BindAddress: You can support virtual hosts with this option. This directive
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain name.
# See also the <VirtualHost> and Listen directives.
#
#BindAddress *


# Please keep this LoadModule: line here, it is needed for installation.
Include /etc/apache/modules.conf

ExtendedStatus On

### Section 2: 'Main' server configuration

# Port: The port to which the standalone server listens. For
# ports < 1023, you will need apache to be run as root initially.
#
Port 8090

User www-data
Group www-data

ServerAdmin webmaster@ourdomain.dom

ServerName subdomain.ourdomain.dom

DocumentRoot /var/www

<Directory />
Options SymLinksIfOwnerMatch
AllowOverride None
</Directory>

<Directory /var/www/>
Options Indexes Includes FollowSymLinks MultiViews

AllowOverride None

Order allow,deny
Allow from all
</Directory>

<IfModule mod_userdir.c>
UserDir public_html
</IfModule>

<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Order deny,allow
Deny from all
</Limit>
</Directory>

<IfModule mod_dir.c>
DirectoryIndex index.html index.htm index.shtml index.cgi index.php
</IfModule>

AccessFileName .htaccess

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

TypesConfig /etc/mime.types

DefaultType text/plain

<IfModule mod_mime_magic.c>
MIMEMagicFile share/magic
</IfModule>

HostNameLookups off

ErrorLog /var/log/apache/error.log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" full
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P %T" debug
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog /var/log/apache/access.log combined

ServerSignature On

Alias /icons/ /usr/share/apache/icons/

<Directory /usr/share/apache/icons>
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

<Directory /usr/lib/cgi-bin/>
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>


<IfModule mod_autoindex.c>

#
# FancyIndexing: whether you want fancy directory indexing or standard
#
IndexOptions FancyIndexing NameWidth=*

#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions. These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

#
# DefaultIcon: which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /icons/unknown.gif

#
# AddDescription: allows you to place a short description after a file in
# server-generated indexes. These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz

#
# ReadmeName: the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName: the name of a file which should be prepended to
# directory indexes.
#
# The server will first look for name.html and include it if found.
# If name.html doesn't exist, the server will then look for name.txt
# and include it as plaintext if found.
#
ReadmeName README
HeaderName HEADER

#
# IndexIgnore: a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

</IfModule>

#
# Document types.
#
<IfModule mod_mime.c>

# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+)
# uncompress information on the fly. Note: Not all browsers support
# this. Despite the name similarity, the following Add* directives
# have nothing to do with the FancyIndexing customization
# directives above.

AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .ee
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
AddCharset ISO-2022-JP .jis
AddLanguage pl .po
AddCharset ISO-8859-2 .iso-pl
AddLanguage pt .pt
AddLanguage pt-br .pt-br
AddLanguage ltz .lu
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cz .cz

<IfModule mod_negotiation.c>
LanguagePriority en da nl et fr de el it ja pl pt pt-br ltz ca es sv
</IfModule>

AddType application/x-httpd-php .php .php3 .php4
AddType application/x-httpd-php-source .phps

AddType application/x-tar .tgz
AddType image/bmp .bmp


AddType text/x-hdml .hdml

</IfModule>

AddDefaultCharset on


<IfModule mod_setenvif.c>
#
# The following directives modify normal HTTP response behavior.
# The first directive disables keepalive for Netscape 2.x and browsers that
# spoof it. There are known problems with these browser implementations.
# The second directive is for Microsoft Internet Explorer 4.0b2
# which has a broken HTTP/1.1 implementation and does not properly
# support keepalive when it is used on 301 or 302 (redirect) responses.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

#
# The following directive disables HTTP/1.1 responses to browsers which
# are in violation of the HTTP/1.0 spec by not being able to grok a
# basic 1.1 response.
#
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>


# If the perl module is installed, this will be enabled.
<IfModule mod_perl.c>
Alias /perl/ /var/www/perl/
<Location /perl>
SetHandler perl-script
PerlHandler Apache::Registry
Options +ExecCGI
</Location>
</IfModule>
# Allow access to local system documentation from localhost.
# (Debian Policy assumes /usr/share/doc is "/doc/", at least from the localhost.)
Alias /doc/ /usr/share/doc/

<Location /doc>
order deny,allow
deny from all
allow from 127.0.0.0/255.0.0.0
Options Indexes FollowSymLinks
</Location>

#
# There have been reports of people trying to abuse an old bug from pre-1.1
# days. This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org. Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#<Location /cgi-bin/phf*>
# Deny from all
# ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

<IfModule mod_proxy.c>
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Directory proxy:*>
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Directory>
</IfModule>
#<VirtualHost _default_:*>
#</VirtualHost>

# Automatically added by the post-installation script
# as part of the transition to a config directory layout
# similar to apache2, and that will help users to migrate
# from apache to apache2 or revert back easily
Include /etc/apache/conf.d
Include /etc/moodle/apache.conf
NameVirtualHost subdomain.ourdomain.dom
UseCanonicalName off

GinEric 11-25-2004 01:09 AM

If you're going to list localhost in httpd.conf, it should be first in httpd.conf

Aside from that, are you trying to browse to a private Intranet from the Internet? 192.x.x.x is private LAN and Internet will not get there without forwarding or a Virtual Host.

Another question is really why are you using Port 8090? Why not simply Port 80?

And lastly, your FQDN's are not FQDN's. Did you substitute an example domain name in the post?

There are a lot of reasons why it may not work, including no PTR in DNS for a real domain.

debian_dummy 11-25-2004 07:47 AM

Thanks for the reply GinEric

>> If you're going to list localhost in httpd.conf, it should be first in httpd.conf

localhost is not in my httpd.conf

>> Aside from that, are you trying to browse to a private Intranet from the Internet?

Yes. Sort of. I am trying to add a 2nd webserver. I have only one class C IP address and that is "answered" by my Windows 2000 server which runs a web server on port 80. IIS should forward any requests for my subdomain to my 192.168.0.50 Apache webserver.

>> 192.x.x.x is private LAN and Internet will not get there without forwarding or a Virtual Host.

I have open port 8090 in Windows 2000. I can reach & surf the 2nd web server from the Internet ie: If I enter 203.219.xx.xx:8090 in my web browser it goes to my IIS webserver at 203.219.xxx.xx and is then redirected by my IIS server to my Apache webserver which is located at 192.168.0.50:8090

>> Another question is really why are you using Port 8090? Why not simply Port 80?

Because port 80 is answered by IIS. When I try to go to subdomain.domain.dom I receive an IIS generated message saying no website is configured at this address. I am not experienced at setting up webservers HOWEVER after reading multiple FAQ's and readme's and a ton of Googling I believe I have my setup reasonably correct. Obviously something is wrong otherwise I wouldn't be asking for help.

>> And lastly, your FQDN's are not FQDN's. Did you substitute an example domain name in the post?

Yes, I substituted an example domain name in my post, otherwise every kiddie scripter would be onto my servers like a rabid dog. My FQDN is a real FQDN and resolves back to my IP address.

>> There are a lot of reasons why it may not work, including no PTR in DNS for a real domain.

What is a PTR ? At register.com I have entered the subdomains and the correct IP addresses. I did this a long time ago so the records were long ago correctly propagated to the DNS servers on the web. And if I turn off IIS host headers the subdomain is answered by my IIS server on the default port 80.

Any feedback appreciated

Ciao

debian_dummy 11-28-2004 05:57 PM

Bump - Anyone ?
I believe I have documented my issue clearly and would appreciate any assistance.

GinEric 12-13-2004 09:57 PM

I'm doing the same thing. One thing is, if you can reach it from the Internet, but not from within the LAN, in Windows you have to grant Internet browsing to the LAN users.

But probably more importantly, you need things like redirection in the httpd.conf and I would imagine somehow in the IIS, as in, allow from host, and so on.

The problem is not a simple one!

A PTR record, btw, is a pointer in your DNS record that points to a specific host. Example, we have A records and PTR's to www.Musics.com otherwise, it would not work. Some can be a CNAME, but things like smtp cannot.

If your main server does not have A, PTR, and perhaps CNAME, they're not in DNS. All localhost is not in DNS by RFC definition. This prevents glooming access to your LAN from outsiders, but can also prevent your route from FQDN server through LAN.

Secondary problems: if you're using a router, the router has to forward packets for the LAN webserver, back and forth, as if it were the FQDN; this means that it gets treated as a vhost or perhaps a masquerading vhost.

The problem is getting the information out to both the Internet and LAN users, without security problems. I haven't used IIS for a long time simply because Apache runs on Windows machines and is more configurable, that is, I can make it work even when IIS refuses to.

What I use to make it work:

Ethereal - I get right down to the packet nitty-gritty to see why it's not serving the website. A very in-depth approach, requiring more reading.

All the syslogs I can muster.

And comparing an http call to the IP of the LAN web server to a host.domain.tld attempt. Many times, if you can get to it via its LAN IP, you can then give it a name or alias that will get it out as the webserver. For example, if both Apache on the server and IIS on the LAN are aliased as the same, www.domain.com, they will collide! Hostnames must be unique! By renaming the LAN to host.domain.local, or some such, and aliasing it to www.domain.tld, it may work, but the server it's being forwarded through cannot have the www.domain.tld hostname. This was the reason I asked about your DNS PTR records. To get started, try the http://192.168.0.50:8090/ and see if it gets you to your LAN web server.

That port, 8090 is going to give you problems as well, since you'll have to forward it to port 8090 going to the outer server, and the outer server should forward it on port 80.

There really is no longer much need to use oddball ports anymore, well, with Apache anyway, because Apache has better security now on the httpd port. IIS is another issue.

But it may be good between the LAN webserver and the outer server.

Read, in Apache docs, Redirect Permanent Directive, vhost, in IIS Virtual Host, alias, forwarding.

I think you need the permanent redirection. Also read IIS for enabling LAN users to Internet browsing and vice versa.

Lastly, read IP masquerading; although I don't know if it will apply because you really shouldn't need to masquerade.

I've subscribed to the thread to see your progress as I'm doing the same thing.

