Unable to access Apache web server outside/inside local network
My apologies if any technical terms are used in the wrong way. I'm still new to Linux/Networking
I've been trying to solve this problem for over a week now, and all the related questions from other people haven't helped me. I recently set up a webserver running on apache2 to host my own website. I also plan to use it for SSH, FTP and VNC. I registered a domain name with GoDaddy at cokongwu.com. A static IP has been set up for the server (192.168.0.105) and I have also set up portforwarding for ports 80, 21, 23, 53 and 443 of this static IP. Reading a guide on how to set up a publicly accessible web server, I thought it was necessary because it worked fine at first, but of course I found that once I tried to access the web server using a domain name outside the network, I couldn't connect. After more searching, I found that I needed to change the A record in the GoDaddy zone file to my public IP. After doing this, I found that I could no longer connect to my web server at all, neither inside the network, nor where I rerouted it to the router page, and outside the network where the connection would simply time out. Later I found out that since my public IP can't be set to static, I have to use a service, specifically dyndns, so that it keeps updating when the IP changes. I set up the dyndns updater from the software update center and set up my dyndns account cokongwu.com with an A record pointing to my public IP and an alias www.cokongwu.com pointing to cokongwu.com. I also set up a hostname cokongwu.dyndns.org which also points to my public IP and added the dyndns nameservers to Godaddy's nameservers. My A record for cokongwu.
After all, trying to access hostname.com still gives the same problem as before. Accessing it points to my public ip, not the internal ip, but inside the network I just forward to the router settings page, and outside the network it just times out. I don't have an idea for a solution to this problem, so any ideas are welcome. Should it (public IP) redirect to my internal IP?
Sorry again if I'm using any of these technical terms in the wrong way, I'm still very new to this.
I am aware of some issues related to this command, so I will do the same:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5556 0.0.0.0:* LISTEN 3387/dyn_updater
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 2729/vino-server
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 :::5800 :::* LISTEN 2729/vino-server
tcp6 0 0 :::5900 :::* LISTEN 2729/vino-server
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 127.0.1.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:39124 0.0.0.0:* -
udp 0 0 0.0.0.0:631 0.0.0.0:* -
udp6 0 0 :::5353 :::* -
udp6 0 0 :::53973 :::* -
ufw:
sudo ufw status
[sudo] password for fender:
Status: inactive
000-default.conf:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName cokongwu.com
ServerAlias www.cokongwu.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
From what I understand, you have the following problem:
1- Unable to access web server from inside LAN (using FQDN, "Fully Qualified Domain Name" www.cokongwu.com) ?
2- You cannot verify the functionality of the website externally ?
1- Access the web server from inside using FQDN.
I don't see your question where you're trying to access the web server, so I'm assuming it's from a separate client inside the LAN.
Since you're most likely using an external dns server, your request to www.cokongwu.com will resolve to a public IP address, that is, outside of your internet router (see below). Since this router will not route traffic from the external IP number from the inside back to the inside , the traffic will stop at that point.
In order for everything to work inside the network , www.cokongwu.com must resolve to your internal IP address (192.168.0.105). You can try to browse the web server using the internal IP number, but since you intend to use SSL, you will eventually need to use the FQDN to access the web server, otherwise you will get a certificate error.
The "hard way" to fix internal name resolution is to set up an internal DNS server, but the above approach can do the trick with small deployments. You seem to be no stranger to Google, and if you want to set up an internal DNS server, there are plenty of guides on the internet about it.
After internal name resolution gives you the internal IP address, browsing to the web server will give the same reply as if you were a client from the outside.
2- External access to the web server.
Solving www.cokongwu.com dig www.cokongwu.com +noall +answergave me the following reply.
www.cokongwu.com。0 IN CNAME cokongwu.com。
cokongwu.com。59英寸A 69.171.137.28
This shows that the www host is a C name (alias) pointing to cokongwu.com , which is an A record. A reverse lookup on 69.171.137.28 yields :dig -x 69.171.137.28 +short
dsl-69-171-137-28.acanac.net
This looks like a dynamic host. If the dyndns update is running, that should be your current public IP address. Verify this with the following command on the command line:
curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
( stolen from here ) or browse to www.whatismyip.com
Assuming this is your current situation, externally browsing to www.cokongwu.com should work...
I tried it and it didn't work, it could mean any of the following or a combination of them:
A - The dyndns service has not updated your IP address
B - The forwarding in your external router is not working
C - The web server is not replying
Using for a quick test telnet <ip number> <port number>will not yield any response to any of the port numbers you listed above. This would lead me to believe that the reason should be A or B. If it's B, you may not be port forwarding correctly, or if you are using a router with a modem, you are not bridging the modem to the router properly so that it can handle all port forwarding requests.
I have some other thoughts, I noticed that you mentioned port 53 as one of the ports forwarded to the web server. Port 53 UDP is the standard for incoming dns requests . Unless you actually have a dns server running on the webserver machine , you can safely close this port...it won't do anything anyway.
I also noticed that you mentioned using ssh and ftp, but opened ports 21 and 23 in the firewall and forwarded them to the web server. Port 23 is the telnet port and port 21 is the FTP port . I strongly advise against using these services as they are insecure protocols that transmit everything in clear text , including usernames and passwords.
I recommend opening and forwarding port 22 only in the firewall . ssh uses port 22 , which is an alternative to telnet. Port 22 is also used by the scp service , which uses the ssh service for file transfers. Using ssh and scp instead of telnet and ftp will keep all your traffic to and from your web server secure.
Another suggestion is to use a different port for incoming ssh, preferably a port number over 1000, such as port 1522 (just an example). This is to avoid external port scans from discovering incoming ssh services. Just change the input port from 22 to a higher port number (ie 1522), but still forward it to port 22 on the web server . Then use the high port number (1522) to access the ssh server from the outside and use port 22 to access the ssh server from the inside.
I hope this helps you and hope you solve your problem =)