Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Unable to view images served by nginx outside of LAN.
On my LAN, all the websites hosted on the nginx machine load fine. When outside of the LAN, they load incredibily slowly (>5 minutes for a 112KB jpg), and often it takes several clicks of the refresh button to load the image. When outside of the LAN, but connected to the VPN, everything works fine. Nginx error log doesn't show any error. The access log look the same for requests from the LAN and requests from the internet.
The server sits behind a firewall, which has two ethernet cards: eth0 (internet facing) and eth1 (LAN facing). Here is the output of iptables -L -n -v:
Code:
root@flyer:/var/www# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4565 11M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
311K 44M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:20091
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:20092
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:20093
956 68087 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
44 2947 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun2 * 0.0.0.0/0 0.0.0.0/0
2 96 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
590 32406 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 641K packets, 720M bytes)
pkts bytes target prot opt in out source destination
23 1208 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW
11 560 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 state NEW
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 state NEW
22 1320 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 state NEW
3 180 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 state NEW
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5222 state NEW
15 848 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
4 240 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
793 44584 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:19983 state NEW
2216 287K ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:19984 state NEW
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7777 state NEW
Chain OUTPUT (policy ACCEPT 544K packets, 789M bytes)
pkts bytes target prot opt in out source destination
Here's the script that loads the firewall rules on boot (/etc/iptables.rules):
Code:
# Generated by iptables-save v1.4.14 on Thu Jun 5 07:54:47 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [128367:93659631]
:OUTPUT ACCEPT [11855:3741587]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 20091 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 20092 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 20093 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun1 -j ACCEPT
-A INPUT -i tun2 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 587 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 995 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 5222 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p udp -m udp --dport 5222 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 19983 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p udp -m udp --dport 19984 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 7777 -m state --state NEW -j ACCEPT
COMMIT
# Completed on Thu Jun 5 07:54:47 2014
# Generated by iptables-save v1.4.14 on Thu Jun 5 07:54:47 2014
*nat
:PREROUTING ACCEPT [7015750:481018493]
:INPUT ACCEPT [1286947:100210418]
:OUTPUT ACCEPT [1606496:123095807]
:POSTROUTING ACCEPT [6831463:714772610]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.15.33:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.15.33:587
-A PREROUTING -i eth0 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.15.33:995
-A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.15.33:143
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 192.168.15.33:5222
-A PREROUTING -i eth0 -p udp -m udp --dport 5222 -j DNAT --to-destination 192.168.15.33:5222
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.33:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.33:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.15.33:7777
-A PREROUTING -i eth0 -p tcp -m tcp --dport 19983 -j DNAT --to-destination 192.168.15.109:19983
-A PREROUTING -i eth0 -p udp -m udp --dport 19984 -j DNAT --to-destination 192.168.15.109:19984
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o tun1 -j MASQUERADE
-A POSTROUTING -o tun2 -j MASQUERADE
COMMIT
# Completed on Thu Jun 5 07:54:47 2014
All the other services running on the same machine as nginx are working fine, the only thing having any issues is nginx. I've tried clearning my firewall rules and readding them one at a time, but that doesn't change anything. I'm stuck as to what to do, any suggestions?
I am not really an expert, but I'd like to help you.
personally i think it is a routing issue ( I just hope I am correct ), since clients that are directly connected (LAN clients or VPN ) can access your nginx server.
I can see that there is some NAT'ing done on your box that redirects traffic to your nginx server.
You could try running a live wireshark capture and see where your packets are lost.
Alternatively you could try and do : cat /proc/sys/net/ipv4/ip_forward
and see if it is set to 1.
Thanks pingu_penguin. ip forwarding is enabled on the gateway (firewall), and it's disabled on the webhost (nginx box). I've tried enabling it on the webhost, but that doesn't seem to have any effect.
I loaded up wireshark on the webhost, and there is indeed something going on when a non-local request is coming in. I'm not sure what it is though. On both clients - one outside the LAN not on VPN and the other outside the LAN but on VPN - I tried to load a 112Kb jpg file, bing.jpg. Here is what wireshark showes when I filtered traffic for the clients IP and port 80, when the client was outside the LAN, not on VPN: http://i.imgur.com/VWqc3pV.png
I also checked the non-VPN outside client by using chrome and looking at the debugger. I let it load for around 5 minutes, and nothing timed out. Here's a screenshot of that: http://i.imgur.com/q52zgVG.jpg
Any ideas as to what the problem is? I'm not sure why those ICMP destination unreachables are showing up. I'm able to ping that client from the webhost and my gateway, the gateway can ping the webhost, and the client is able to ping the gateway.
I dont think you will need forwarding on the webhost since it is not the one responsible for forwarding packets.
I can see port 25 is forwarded, do other services like mail work fine ?
perhaps you could try the following :
#iptables -t nat -A PREROUTING -p tcp --destination <your eth0 ip> --dport 80 -j DNAT --to-destination 192.168.15.33
instead of this line in ur script:
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.33:80
It also depends on the network connection. Residential networks for instance are almost always split speed (IMO stupidly). Cable/Fios is usually split something on the order of 3MBit up, 15MBit down.
When retrieving data from a server with split speed, you are retrieving data at the SLOW speed.
I dont think you will need forwarding on the webhost since it is not the one responsible for forwarding packets.
I can see port 25 is forwarded, do other services like mail work fine ?
perhaps you could try the following :
#iptables -t nat -A PREROUTING -p tcp --destination <your eth0 ip> --dport 80 -j DNAT --to-destination 192.168.15.33
instead of this line in ur script:
#iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.33:80
save your rules before editing and give it a try.
Thanks for the suggestion. Unfortunately, the problem persists.
Quote:
Originally Posted by jpollard
It also depends on the network connection. Residential networks for instance are almost always split speed (IMO stupidly). Cable/Fios is usually split something on the order of 3MBit up, 15MBit down.
When retrieving data from a server with split speed, you are retrieving data at the SLOW speed.
The weird thing is this only happens for clients outside the LAN, who are also not on the VPN, and only for jpgs, css, and basically web pages. If a non-LAN/non-VPN client downloads a zip or iso directly, it's fine. So if client A attempts to load www.domain.com (which is a Wordpress page for example), from outside the LAN, and they are not on the VPN, it will continually be in loading state (for 10+ minutes). The same client, from the same location, attempts to download www.domain.com/100GB.iso, the download happens fine.
Last edited by kitchenblock; 08-13-2014 at 06:35 AM.
This is wierd since usually fetching web pages requires less effort and bandwidth for the client as webpages are lesser in size.
How about you try this. we have to rule the firewall out.
I see your default policy for INPUT OUTPUT and FORWARD are set to accept anyway.
Save your firewall rules and flush the input and forward chains. ( #iptables -F -t filter)
Keep the nat table intact, dont flush the nat table (prerouting or postrouting).
If your other services like mail work fine and if you can access webpages outside the lan/vpn (both conditions true) , then the problem could be in your firewall configuration (INPUT and FORWARD chains).
If you still cannot access the webpages, and other services work fine then most probably the problem is not with the firewall rules.
cat /proc/sys/net/ipv4/ip_forward should be set to 1 for forwarding of course.
where 8123 is a random unused port. and then check if your clients outside the lan can access the webserver via that port
ie. http://<your eth0 ip>:8123
Save your firewall rules and flush the input and forward chains. ( #iptables -F -t filter)
Keep the nat table intact, dont flush the nat table (prerouting or postrouting).
If your other services like mail work fine and if you can access webpages outside the lan/vpn (both conditions true) , then the problem could be in your firewall configuration (INPUT and FORWARD chains).
If you still cannot access the webpages, and other services work fine then most probably the problem is not with the firewall rules.
cat /proc/sys/net/ipv4/ip_forward should be set to 1 for forwarding of course.
This had the same result - other services work, and direct download of large, single files like .ISO and .ZIP work, but webpages with images and css do not. Simple text pages work fine - this has been true throughout.
/proc/sys/net/ipv4/ip_forward is set to 1 on the firewall computer.
Quote:
Originally Posted by pingu_penguin
If the above doesnt work perhaps you could see if port 80 is already used by your firewall computer.
#netstat -tlpn | grep 80
or you could try using another higher test port and port forward it to your webserver box.
where 8123 is a random unused port. and then check if your clients outside the lan can access the webserver via that port
ie. http://<your eth0 ip>:8123
On firewall computer:
#netstat -tlpn | grep on
returns nothing.
I check on the webserver, and nginx is the only thing listening on port 80.
Mapping a random port to 80 on the webserver has the same result as the normal setup (large files works, text webpages work, jpg/css/wordpress pages do not work)
The more I think about this, the more I think the change occured after switching from Apache to nginx. As far as I remember, the only change I made on the firewall computer during the switch was to update the IP address from the apache server to the nginx server. I'm runnig ISPConfig 3.0.5.4p2, with nginx 1.2.1.
Here's nginx.conf:
Code:
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
include perfect-forward-secrecy.conf;
}
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
