someITGuy

asked on
CentOS firewall issue

I am running the latest version of CentOS with the latest version of Apache on 2 boxes as a reverse proxy.

My Cisco load balancer is not sending any traffic to box 1, while box 2 gets all the traffic.

In troubleshooting I see this:

DMZ10-1#telnet 192.168.10.52 80
Trying 192.168.10.52, 80 ...
% Connection refused by remote host
 
DMZ10-1#telnet 192.168.10.52 443
Trying 192.168.10.52, 443 ...
% Connection refused by remote host
 
DMZ10-1#telnet 192.168.10.53 80
Trying 192.168.10.53, 80 ... Open
^C
DMZ10-1#telnet 192.168.10.53 443
Trying 192.168.10.53, 443 ... Open


The first 2 attempts above are to box 1 & the second 2 attempts to box 2.

Both boxes should be configured exactly the same, they both have the same settings under firewall options: SSH, HTTPS & HTTP are trusted services & no other ports are enabled on either box. SELinux is turned off on both boxes.

Where to start the troubleshooting?
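An added example, not part of any post in this thread: a small shell helper that encodes the first decision a practitioner makes on a "Connection refused". It reads captured `netstat -tln` and `iptables -S INPUT` text from files rather than running those commands, so it can be tried offline; the captures below are constructed to match the two boxes in the question (box 1 with nothing on 80/443, box 2 listening on both, the same SSH/HTTP/HTTPS firewall on each).

```shell
#!/bin/sh
# Added example, not from the thread. Encodes the first decision on a
# "Connection refused": the target replied (a TCP RST, or an ICMP error that
# the client reports the same way), so the packet reached the box and the
# route and the load balancer are not the first suspects. Nothing listening on
# the port is the usual cause; an iptables REJECT with --reject-with tcp-reset
# looks identical, while the CentOS default (icmp-host-prohibited) usually
# reads as "No route to host" on Linux clients, and a DROP shows as a timeout.
#
# Inputs are text captures so the check runs offline (constructed below):
#   $1 port, $2 file with `netstat -tln` output, $3 file with `iptables -S INPUT` output
triage_refused() {
    port="$1"; listen_out="$2"; rules_out="$3"
    # Anything bound to the port? Matches 0.0.0.0:80, 192.168.10.52:80 and :::80.
    if ! grep LISTEN "$listen_out" | grep -Eq "[:.]${port}[[:space:]]"; then
        echo "no listener on :$port -> check 'service httpd status' and the httpd error log"
        return 1
    fi
    # A listener exists: does an INPUT rule explicitly reject this port?
    if grep -E -- "--dport ${port}([[:space:]]|\$)" "$rules_out" | grep -q -- '-j REJECT'; then
        echo "listener present but an INPUT rule rejects :$port -> fix iptables"
        return 2
    fi
    echo "listener present and not rejected on :$port -> look upstream (load balancer, ARP, routing)"
    return 0
}

# Constructed captures for the two boxes in the question.
TMP=$(mktemp -d)
cat > "$TMP/box1.netstat" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
EOF
cat > "$TMP/box2.netstat" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
EOF
# The same CentOS-style INPUT chain on both: SSH, HTTP, HTTPS trusted, rest rejected.
cat > "$TMP/rules" <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF

triage_refused 80 "$TMP/box1.netstat" "$TMP/rules" || :   # box 1: no listener, exit status 1
triage_refused 80 "$TMP/box2.netstat" "$TMP/rules"        # box 2: listener present, exit status 0
```

On a live box the captures are simply `netstat -tln > /tmp/listen` and `iptables -S INPUT > /tmp/rules` (or `iptables -L INPUT -n` on older iptables without `-S`, with the regex adjusted). The ordering matters: only once a listener is confirmed is it worth reading firewall rules, and only once the box itself accepts the connection locally is the load balancer worth looking at.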
ASKER CERTIFIED SOLUTION
eleibowitz

This solution is only available to members.

someITGuy

ASKER
The default route is the same for both:

Box 1:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.10.1    0.0.0.0         UG    0      0        0 eth0


Box 2:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.10.1    0.0.0.0         UG    0      0        0 eth0

They both point to the router at .1, not the Cisco load balancer in the same subnet, but only box 2 gets any traffic....

My incoming traffic comes to these boxes from the Cisco load balancer, are you saying out-bound traffic (to my internal LAN) should also go through the Cisco load balancer?

My biggest issue is that I am not getting any inbound traffic to Box 1.
Box 1 worked until recently; I can't find any changes, though.
SOLUTION

This solution is only available to members.

SOLUTION
Kerem ERSOY

This solution is only available to members.
KeremE:

Everything checked out except the netstat; it looks like httpd is not running. When I try to start it I get this error:

[root@exxxpxv1 ~]# service httpd start
Starting httpd: Syntax error on line 115 of /etc/httpd/conf/httpd.conf:
Invalid command 'DirectoryIndex', perhaps misspelled or defined by a module not included in the server configuration
                                                           [FAILED]
 


I checked the httpd.conf file on both boxes & other than IPs & hostnames everything is the same...
This has changed from a firewall issue to an httpd.conf issue.  When you say the only difference between the good one and the bad one is the IPs and hostnames, was this determination based on visual inspection, or did you run the 'diff' command on them?  You may have to post the httpd.conf file, or at least the offending portion of it (removing or masking private information), for it to be debugged any further.
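An added example (not from any post in this thread) of the diff the reply above asks for: comparing two httpd.conf files after masking the values that legitimately differ between the boxes, so that anything left in the diff is a real configuration difference. The masks (IPv4 literals and each box's hostname) and the three sample files are constructed for illustration; the difference planted in the sample for box 1 is one possible cause, not something the thread establishes.

```shell
#!/bin/sh
# Added example, not from the thread. A "looks the same" comparison by eye
# misses one-line differences; this diffs the two files after masking what
# legitimately differs between the boxes (IPv4 literals, each box's hostname).
# The masks and sample files are constructed for illustration; extend the masks
# to whatever else varies in your own setup (ServerAdmin, certificate paths...).

normalize_conf() {
    # $1: conf file, $2: this box's hostname (assumed to contain no '|')
    sed -E \
        -e '/^[[:space:]]*#/d' \
        -e '/^[[:space:]]*$/d' \
        -e 's/[0-9]{1,3}(\.[0-9]{1,3}){3}/<IP>/g' \
        -e "s|$2|<HOST>|g" \
        "$1"
}

conf_diff() {
    # $1 $2: conf files, $3 $4: their hostnames. Prints a unified diff of the
    # masked files; exit status 0 means identical after masking, 1 otherwise.
    a=$(mktemp); b=$(mktemp)
    normalize_conf "$1" "$3" > "$a"
    normalize_conf "$2" "$4" > "$b"
    rc=0
    diff -u "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed samples: box 1 has the LoadModule line for mod_dir commented out,
# box 2 has it active, box 3 is box 2 with only its IP and hostname changed.
TMP=$(mktemp -d)
cat > "$TMP/box1.conf" <<'EOF'
# constructed sample for box 1
Listen 192.168.10.52:80
ServerName box1.example.com
#LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
DirectoryIndex index.html index.html.var
ErrorLog logs/owa-error_log
EOF
cat > "$TMP/box2.conf" <<'EOF'
# constructed sample for box 2
Listen 192.168.10.53:80
ServerName box2.example.com
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
DirectoryIndex index.html index.html.var
ErrorLog logs/owa-error_log
EOF
sed -e 's/10\.53/10.54/' -e 's/box2/box3/' "$TMP/box2.conf" > "$TMP/box3.conf"

conf_diff "$TMP/box1.conf" "$TMP/box2.conf" box1.example.com box2.example.com || echo "box1 vs box2: differ (status $?)"
conf_diff "$TMP/box2.conf" "$TMP/box3.conf" box2.example.com box3.example.com && echo "box2 vs box3: identical after masking"
```

Comment lines are dropped before diffing on purpose: a directive that was commented out on one box shows up as a missing line in the masked diff rather than hiding among cosmetic comment differences. Run the real files with `conf_diff /etc/httpd/conf/httpd.conf /path/to/other/httpd.conf box1-fqdn box2-fqdn`.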
Agreed, the firewall is not the issue.

Do you folks feel I should create a new question? I can give all of you credit for this one since you all had great troubleshooting advice.
It seems that the problem is that the HTTPD service is not working, as I've indicated earlier, and not a firewalling issue. So you'd better close the question and open another one.

But you might as well try copying the working configuration from the running one, assuming that both servers are identical in configuration, and save your time instead :))

cheers,
K
Here is the offending section (according to the error message) of httpd.conf from Box 1:


DirectoryIndex index.html index.html.var
AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
TypesConfig /etc/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off
ErrorLog logs/owa-error_log

LogLevel info
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log combined
ServerSignature On

Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

Here is the same section of httpd.conf from Box 2:

DirectoryIndex index.html index.html.var
AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
TypesConfig /etc/mime.types
DefaultType text/plain
<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off
ErrorLog logs/owa-error_log

LogLevel info
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log combined
ServerSignature On

Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
It seems that you have a problem with your mod_dir.so. You might need to reinstall the whole Apache using yum.

There's no syntax error on the configuration excerpt you've posted.

Cheers,
K.
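An added example, not from any post in this thread, for the mod_dir diagnosis above: the error "Invalid command 'DirectoryIndex', perhaps misspelled or defined by a module not included in the server configuration" is Apache's wording for a directive whose module is not loaded, and on a CentOS-style httpd.conf the LoadModule lines sit in the same file, so a single commented-out or deleted LoadModule line is enough to produce it. The script checks, for a handful of directives, that the providing module has an active LoadModule line. The directive-to-module table is an assumption for illustration (it follows the Apache 2.2 module documentation) and the two sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. For each directive in a small table,
# report when it is used on an uncommented line but the module that defines it
# has no active LoadModule line in the same file. The table is an assumption
# for illustration (Apache 2.2 module docs); modules compiled in statically
# (`httpd -l`) need no LoadModule, so drop those from the table for your build.
# Directives inside a matching <IfModule> block are skipped by Apache when the
# module is absent, which is why the MIMEMagicFile and DAVLockDB lines in the
# thread's excerpt never trigger this error.

DIRECTIVE_MODULES='DirectoryIndex dir_module
Alias alias_module
ScriptAlias alias_module
IndexOptions autoindex_module
AddIconByEncoding autoindex_module
LogFormat log_config_module
CustomLog log_config_module'

missing_modules() {
    # $1: httpd.conf; prints one line per directive whose module is not loaded
    conf="$1"
    printf '%s\n' "$DIRECTIVE_MODULES" | while read -r directive module; do
        # directive used on an uncommented line?
        grep -Eq "^[[:space:]]*${directive}[[:space:]]" "$conf" || continue
        # providing module loaded on an uncommented line?
        grep -Eq "^[[:space:]]*LoadModule[[:space:]]+${module}[[:space:]]" "$conf" && continue
        echo "$directive needs $module: no active LoadModule line in $conf"
    done
}

# Constructed samples: box 1 with the mod_dir LoadModule commented out, box 2 intact.
TMP=$(mktemp -d)
cat > "$TMP/box1.conf" <<'EOF'
#LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule log_config_module modules/mod_log_config.so
DirectoryIndex index.html index.html.var
Alias /icons/ "/var/www/icons/"
CustomLog logs/access_log combined
EOF
cat > "$TMP/box2.conf" <<'EOF'
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule log_config_module modules/mod_log_config.so
DirectoryIndex index.html index.html.var
Alias /icons/ "/var/www/icons/"
CustomLog logs/access_log combined
EOF

missing_modules "$TMP/box1.conf"   # reports DirectoryIndex / dir_module
missing_modules "$TMP/box2.conf"   # prints nothing
```

Two live commands complement this on the box itself: `httpd -t` (or `service httpd configtest`) reproduces the syntax error without touching the running service, and `httpd -M` lists the modules actually loaded, so a directive that fails while its module is absent from that list confirms the diagnosis before anything is reinstalled.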
It looks like KeremE's suggestion to copy the good httpd.conf over to box 1 & edit as appropriate did work. I am up & running.
Wish I had given this advice on the other question :)