Solved

Apache runs on :8080 but times out when changed to :80

Posted on 2009-07-10
24
223 Views
Last Modified: 2012-06-27
This one has stumped me for about a week now.  I have Apache 2 running on a CentOS 5 box.  I configured the httpd.conf file to use virtual hosts and configured the port to be 8080 for testing.  Now the server is ready to go live and I cannot get Apache to respond on port 80.  I have the correct firewall rules, I even flushed iptables to be sure.  I changed everything related to port 8080 to 80 in the conf file, restarted the service and simply get a network timeout error.  If I do a netstat I do see httpd listening on port 80.  I do not have anything else running on port 80.
Question by:thecureis
24 Comments
 
LVL 48

Expert Comment

by:Tintin
ID: 24827440
From the command line, what happens when you do

telnet <ip address> 80
0
 
LVL 40

Expert Comment

by:mrjoltcola
ID: 24827444
Can you connect from localhost?

telnet localhost 80

If so, then try telnet to the primary IP 80

Still sounds like firewall, if you get timeouts. Check the logs under apache/logs and see if there is anything interesting.

I would try disabling firewall altogether for a sanity check.


0
 
LVL 48

Expert Comment

by:Tintin
ID: 24827446
Also, do you see anything in /var/log/apache/error_log (note that the path to the logs will vary depending on your Apache setup and Linux distro)
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24827681
Hi,

Will you post your

netstat -anpt | grep ":80 "

output here ?

Cheers,
K.

0
 
LVL 3

Author Comment

by:thecureis
ID: 24827719
OK, so I can telnet from localhost to 80 and when I type ehlo I get the Apache 2 test page.  If I try to telnet from my computer I get nothing.

KeremE - Below is my output, note the 172.30.0.101 is my client
netstat -anpt | grep :80

tcp        0      0 10.198.0.7:80               172.30.0.101:1581           SYN_RECV    -

tcp        0      0 :::80                       :::*                        LISTEN      32088/httpd


0
 
LVL 3

Author Comment

by:thecureis
ID: 24827733
I have also stopped iptables
service iptables stop

And I still cannot telnet from my computer to port 80.

I have checked the error_log and see nothing
0
 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 250 total points
ID: 24827792
Hi,

The line :
tcp        0      0 10.198.0.7:80               172.30.0.101:1581           SYN_RECV    -

Shows that the connection has been closed using a SYN. This would generally happen when there's an HTTP blocker in between. Are you sure that there's no web blocker type of stuff ??

Since you have your IPTables F/W disabled and you can telnet to localhost 80 it seems that something is blocking your connection or there's a communication issue on one of your ends.

Are you sure that your PC does not block web access because of some client such as Norton NAC etc.?

0
 
LVL 3

Author Comment

by:thecureis
ID: 24827817
Well, I do not have anything such as Norton or McAfee installed and the connection is refused regardless of the client.  Is there anything on the Linux box that could be blocking port 80? The only things running on this box are mysql and proftp.
0
 
LVL 40

Expert Comment

by:mrjoltcola
ID: 24827868
What does your Listen line show in httpd.conf?

Are you saying the connection times out or is immediately refused? There is a difference.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24827877
In fact it does not seem that the connection is not working. It seems that your Apache is serving the page but something is blocking the page.

Web page blockers like WebSense will send a SYN like that.

Will you please post your httpd.conf here ?
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24827887
I'll be happy to see your Apache log too (at least the last 5-10 lines)
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24828014
Normally you'll get something like this:

netstat -anpt | grep ":80 "
tcp        0      0 :::80                       :::*                        LISTEN      3878/httpd          
tcp        0      0 ::ffff:10.0.0.1:80          ::ffff:10.0.0.100:1668      TIME_WAIT   -

The TIME_WAIT indicated that the page was transferred successfully and the client (web browser) has closed the connection.

While in your case we see that there is a SYN. If your httpd was not listening to 80 in the beginning we would not be seeing a line like that:

tcp        0      0 10.198.0.7:80               172.30.0.101:1581           SYN_RECV    -

at all.
0

 
LVL 3

Author Comment

by:thecureis
ID: 24828083
The connection times out after about 15 seconds and firefox says network timeout.

I have attached my apache conf
httpd.conf.txt
0
 
LVL 3

Author Comment

by:thecureis
ID: 24828101
I also believe that something is interrupting the connection but I am unsure of what.  I am not running a personal software firewall, only hardware firewall which both the linux server and I sit behind.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24828409
Your config seems OK but I did not understand how you expect the client could return site1 or site2, but in this case you need to get the default Apache page. But it is obvious that something is closing the connection.

Please check your network for this type of software.
0
 
LVL 3

Author Comment

by:thecureis
ID: 24828451
site1 and site2 are returned based on the url passed to the server, this works fine with the listening port set to 8080, just not 80.  Since the server is receiving the request then closing it, I doubt that anything on the network would cause this.  It seems to be something on the linux box itself.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24828481
I mean if you have set up your hosts file in your client system. If the request could reach the system then obviously VirtualHost logic will decode it and send it to the right virtual host.

If an application is listening to a port then it is the only application to listen to that port. The only exception is the use of promiscuous listening software such as snort. Do you run something like snort on the box?

Will you post the output of

ps -aef

and

netstat -anpt
0
 
LVL 10

Expert Comment

by:nabeelmoidu
ID: 24829605
I'd suggest you do a  wireshark network dump and use the "Follow TCP stream"
http://www.wireshark.org/docs/wsug_html_chunked/ChAdvFollowTCPSection.html option so that you get an exact idea where the problem lies.
0
 
LVL 3

Author Comment

by:thecureis
ID: 24831323
KeremE - I am not running snort on this machine, it's just a basic out of the box CentOS install.  I have done a netstat -anpt and I see everything listening and found port 80
  tcp        0      0 :::80                       :::*                        LISTEN      2868/httpd  

nabeelmoidu - I ran wireshark, attempting to connect via a web browser and filtered the results by dest ip.  I see 3 packets


They all read the same
SRC        DEST                    Protocol            Info

MY IP      Linux Server            TCP                 quaddb > HTTP [SYN] SEQ=0 WIN=65535 LEN=0 MSS=146


0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24832851
This is the problem here.  Communication between a web server and a web browser does not end with SYN.  It generally ends with a disconnect by the client. SYN packets are generally issued by policy enforcing servers such as web-blockers, IPS systems etc.

Can you disconnect the Ethernet port of your server and connect it to a separate switch and then connect another workstation to the same switch and retry if you can access the web server ?

Don't forget that your WS IP address must be in the same subnet as your webserver. So if IP's are manually assigned to your workstations then you might need to set it manually.
0
 
LVL 10

Assisted Solution

by:nabeelmoidu
nabeelmoidu earned 250 total points
ID: 24833738
OK, so that means your SYN connection attempt does not get any reply. If you run tcpdump or wireshark on the server at the same time, e.g.
tcpdump src host your-pc
and check if the SYN reaches the server, we can proceed further
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24834091
But your Wireshark output shows that your HTTP client sends SYN. I still insist that there's some web blocking logic in between and closing the connection.  Please do as I told and disconnect your server from your intranet and try with a switch and a workstation or a notebook.
0
 
LVL 3

Author Comment

by:thecureis
ID: 24834618
KeremE - This is on a VMware machine plugged into a plain old switch, not L2.  Do you think it has something to do with VMware ESXi?

What I do not understand is that I do not see an ACK coming back from the server, do you think that is what's being blocked?
0
 
LVL 3

Author Comment

by:thecureis
ID: 24834740
OK, breakthrough, I can now access the server locally on port 80, just not from the web.  I have an A record pointing to our router and the rules are all in place but external does not work.  I am also testing on a VPN from my house and it just times out.  So I am not thinking it to be a firewall rule in our Cisco.  Will check that out and post back.
0
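
The netstat lines posted in this thread can be grouped by TCP state to see how far the three-way handshake gets on the server side. The script below is an added example, not part of any post in the thread; the function names handshake_report, sample_thread and sample_normal are made up for it, and the sample lines are the ones quoted in the comments above.

```shell
#!/bin/sh
# Added example: classify `netstat -anpt` lines for one local port by TCP state.
# SYN_RECV means the kernel received a SYN, replied with SYN-ACK and is still
# waiting for the final ACK of the handshake.

# Usage: netstat -anpt | handshake_report PORT
handshake_report() {
    awk -v port="$1" '
        # Field 4 is the local address, field 6 the TCP state.
        $1 ~ /^tcp/ && $4 ~ (":" port "$") { state[$6]++ }
        END {
            printf "LISTEN=%d SYN_RECV=%d ESTABLISHED=%d TIME_WAIT=%d\n",
                state["LISTEN"], state["SYN_RECV"],
                state["ESTABLISHED"], state["TIME_WAIT"]
            if (!state["LISTEN"])
                print "verdict: nothing is listening on port " port
            else if (state["ESTABLISHED"] || state["TIME_WAIT"])
                print "verdict: handshakes are completing"
            else if (state["SYN_RECV"])
                print "verdict: SYN arrived and SYN-ACK was sent, no ACK came back; check the return path (routing, gateway, NAT, intermediate firewall)"
            else
                print "verdict: listening, but no connection attempts seen"
        }'
}

# Lines posted by the asker (client 172.30.0.101 timing out).
sample_thread() {
cat <<'EOF'
tcp        0      0 10.198.0.7:80               172.30.0.101:1581           SYN_RECV    -
tcp        0      0 :::80                       :::*                        LISTEN      32088/httpd
EOF
}

# Lines posted as the normal case (page served, client closed).
sample_normal() {
cat <<'EOF'
tcp        0      0 :::80                       :::*                        LISTEN      3878/httpd
tcp        0      0 ::ffff:10.0.0.1:80          ::ffff:10.0.0.100:1668      TIME_WAIT   -
EOF
}

sample_thread | handshake_report 80
sample_normal | handshake_report 80
```

A single snapshot can catch a connection that is only briefly in SYN_RECV, so repeat the check while the client is retrying before drawing a conclusion.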
