|
Unable to load images
Unable to view images served by nginx outside of LAN.
On my LAN, all the websites hosted on the nginx machine load fine. When outside of the LAN, they load incredibily slowly (>5 minutes for a 112KB jpg), and often it takes several clicks of the refresh button to load the image. When outside of the LAN, but connected to the VPN, everything works fine. Nginx error log doesn't show any error. The access log look the same for requests from the LAN and requests from the internet. The server sits behind a firewall, which has two ethernet cards: eth0 (internet facing) and eth1 (LAN facing). Here is the output of iptables -L -n -v: Code:
Code:
# Generated by iptables-save v1.4.14 on Thu Jun 5 07:54:47 2014 |
I am not really an expert, but I'd like to help you.
personally i think it is a routing issue ( I just hope I am correct ), since clients that are directly connected (LAN clients or VPN ) can access your nginx server. I can see that there is some NAT'ing done on your box that redirects traffic to your nginx server. You could try running a live wireshark capture and see where your packets are lost. Alternatively you could try and do : cat /proc/sys/net/ipv4/ip_forward and see if it is set to 1. |
Thanks pingu_penguin. ip forwarding is enabled on the gateway (firewall), and it's disabled on the webhost (nginx box). I've tried enabling it on the webhost, but that doesn't seem to have any effect.
I loaded up wireshark on the webhost, and there is indeed something going on when a non-local request is coming in. I'm not sure what it is though. On both clients - one outside the LAN not on VPN and the other outside the LAN but on VPN - I tried to load a 112Kb jpg file, bing.jpg. Here is what wireshark showes when I filtered traffic for the clients IP and port 80, when the client was outside the LAN, not on VPN: http://i.imgur.com/VWqc3pV.png Here is the traffic for the client outside the LAN, but on the VPN: http://i.imgur.com/lXsgBUk.png I also checked the non-VPN outside client by using chrome and looking at the debugger. I let it load for around 5 minutes, and nothing timed out. Here's a screenshot of that: http://i.imgur.com/q52zgVG.jpg Any ideas as to what the problem is? I'm not sure why those ICMP destination unreachables are showing up. I'm able to ping that client from the webhost and my gateway, the gateway can ping the webhost, and the client is able to ping the gateway. |
I dont think you will need forwarding on the webhost since it is not the one responsible for forwarding packets.
I can see port 25 is forwarded, do other services like mail work fine ? perhaps you could try the following : #iptables -t nat -A PREROUTING -p tcp --destination <your eth0 ip> --dport 80 -j DNAT --to-destination 192.168.15.33 instead of this line in ur script: #iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.33:80 save your rules before editing and give it a try. |
It also depends on the network connection. Residential networks for instance are almost always split speed (IMO stupidly). Cable/Fios is usually split something on the order of 3MBit up, 15MBit down.
When retrieving data from a server with split speed, you are retrieving data at the SLOW speed. |
Quote:
Quote:
|
This is wierd since usually fetching web pages requires less effort and bandwidth for the client as webpages are lesser in size.
How about you try this. we have to rule the firewall out. I see your default policy for INPUT OUTPUT and FORWARD are set to accept anyway. Save your firewall rules and flush the input and forward chains. ( #iptables -F -t filter) Keep the nat table intact, dont flush the nat table (prerouting or postrouting). If your other services like mail work fine and if you can access webpages outside the lan/vpn (both conditions true) , then the problem could be in your firewall configuration (INPUT and FORWARD chains). If you still cannot access the webpages, and other services work fine then most probably the problem is not with the firewall rules. cat /proc/sys/net/ipv4/ip_forward should be set to 1 for forwarding of course. |
If the above doesnt work perhaps you could see if port 80 is already used by your firewall computer.
#netstat -tlpn | grep 80 or you could try using another higher test port and port forward it to your webserver box. #iptables -t nat -A PREROUTING -p tcp --destination <your eth0 ip> --dport 8123 -j DNAT --to-destination 192.168.15.33:80 where 8123 is a random unused port. and then check if your clients outside the lan can access the webserver via that port ie. http://<your eth0 ip>:8123 |
Quote:
/proc/sys/net/ipv4/ip_forward is set to 1 on the firewall computer. Quote:
#netstat -tlpn | grep on returns nothing. I check on the webserver, and nginx is the only thing listening on port 80. Mapping a random port to 80 on the webserver has the same result as the normal setup (large files works, text webpages work, jpg/css/wordpress pages do not work) The more I think about this, the more I think the change occured after switching from Apache to nginx. As far as I remember, the only change I made on the firewall computer during the switch was to update the IP address from the apache server to the nginx server. I'm runnig ISPConfig 3.0.5.4p2, with nginx 1.2.1. Here's nginx.conf: Code:
user www-data;And /etc/nginx/mime.types: Code:
types {Code:
server { |
I dont know nginx configuration much, but perhaps the following link could be a possible solution for you :
http://stackoverflow.com/questions/1...load-css-files |
I'll take a look at that and see if it helps.
Thanks for all your help, this is quite an adventure! |
Excellent, it saves me. Thank you a lot!
|
| All times are GMT -5. The time now is 01:04 PM. |