SoylentNews is people

The Fine print: The following are owned by whoever posted them. We are not responsible for them in any way.

Journal by Gaaark

I've been given an old XP pc and have put (X)ubuntu on it in order to get a web-server running with the goal being to let family members sign in and download TV shows/movies/etc.

Have set it up according to a couple of sites (a mix of Ubuntu/apache etc sites) and am using ngrok to open up a tunnel (with the end goal being once it's running and accessible, i will go for the $5/mnth for the permanent address).

Have apache/mysql/php working (this is NEW territory for me, but i THINK it is working correctly) and have ngrok running, but i cannot connect from an external device (my tablet).

I THINK the problem is with firewall (ufw on ubuntu and the router firewall): have tried to get port 80 accessible through both, have allowed access through the router firewall for the web-server: my next plan is to completely stop ufw on the pc and just allow the router to run things.

Does anyone have advice/tips/help?

Gotta be at least a couple people familiar with running a web site around here :)

  • (Score: 2) by LoRdTAW on Saturday July 28 2018, @05:17PM

    by LoRdTAW (3755) on Saturday July 28 2018, @05:17PM (#714036) Journal

    Have you attempted to talk to the web server from inside your network? If ngrok is using a client app to route data through HTTP tunnels then there is either a client config problem or your OS is blocking the http tunnel.

  • (Score: 2, Informative) by Anonymous Coward on Saturday July 28 2018, @05:28PM (1 child)

    by Anonymous Coward on Saturday July 28 2018, @05:28PM (#714038)

    You said nothing about your ISP except "i will go for the $5/mnth for the permanent address" which I interpret as meaning you have a dynamically assigned IP address from your ISP. Many ISPs block their customers from running servers on well-known ports. That's especially common for customers in dynamic address pools. Check the terms of service, or talk to someone at your ISP, to make sure you're allowed to run a server. It may be that you're not allowed to unless you get the more expensive level of service.

    • (Score: 2) by Gaaark on Sunday July 29 2018, @10:07AM

      by Gaaark (41) Subscriber Badge on Sunday July 29 2018, @10:07AM (#714278) Journal

      Hmmm...I've got unlimited, but never thought about this.
      Thanks!

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 0) by Anonymous Coward on Saturday July 28 2018, @05:34PM (4 children)

    by Anonymous Coward on Saturday July 28 2018, @05:34PM (#714043)

    So you think the problem is your firewall, but don't post the config? What IP address is Apache listening on (all, localhost, etc.)? What command are you using for ngrok and what output is it giving? However, this sounds like total PEBKAC.

    According to the docs, ngrok doesn't require any open ports on the firewall and ufw doesn't block loopback by default. I think you are confused or didn't read the manual. I think that the most probable explanation is that Apache isn't listening on a loopback address (e.g. 127.0.0.1) or on a different port and you need to give it a proper Listen directive.

    • (Score: 0) by Anonymous Coward on Saturday July 28 2018, @07:23PM (3 children)

      by Anonymous Coward on Saturday July 28 2018, @07:23PM (#714062)

      # netstat -nlp | grep apache

      • (Score: 2) by Gaaark on Saturday July 28 2018, @10:55PM (2 children)

        by Gaaark (41) Subscriber Badge on Saturday July 28 2018, @10:55PM (#714130) Journal

        Sorry, posted this from work hoping someone would have a miracle cure: my problem is time and experience. This is my first attempt at this.

        tcp6 0 0 :::80 :::* LISTEN 663/apache2

        Will have to look this up when i have more time. Probably not today or tomorrow: maybe not until Tuesday. :(
        Surprised i got as far as i did!

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 0) by Anonymous Coward on Sunday July 29 2018, @03:39AM (1 child)

          by Anonymous Coward on Sunday July 29 2018, @03:39AM (#714206)

          Three things. First, I'm the original parent of the thread, and not the one you replied to directly. I want to apologize for my tone, you caught me at a somewhat bad time and I came down harder than I probably should have.

          Second, try setting your Apache "Listen" directive to

          Listen 127.0.0.1:80

          from the default. By binding locally to IPv4 only instead of dual-stacking with mapped addresses, you might get better results out of your tunnel.

          Third, firewall all ports exposed on the internet. Ngrok doesn't require any open ports in your firewall. Worst case, you can add the WWW service on UFW, but that shouldn't be necessary.
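
An added example, not part of any comment in this thread: a short Python reader for `netstat -nlp` output that reports which address each listener is bound to, so the effect of changing the `Listen` directive can be confirmed. The first sample line is the output quoted above; the other two lines and all function names are constructed for the illustration.

```python
import ipaddress

# Constructed sample: line 1 is the output quoted in the thread,
# lines 2 and 3 are made up for contrast.
SAMPLE = """\
tcp6       0      0 :::80                   :::*                    LISTEN      663/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      590/mysqld
tcp        0      0 192.168.1.20:8080       0.0.0.0:*               LISTEN      701/python3
"""

def parse_listener(line):
    """Return (program, port, scope) for one TCP LISTEN line, else None."""
    fields = line.split()
    if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
        return None  # header lines, UDP and unix sockets are skipped
    host, port = fields[3].rsplit(":", 1)
    addr = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
    if addr.is_loopback:
        scope = "loopback"        # only local processes, such as a tunnel client
    elif addr.is_unspecified:
        scope = "all-interfaces"  # 0.0.0.0 or ::, reachable unless a firewall blocks it
    else:
        scope = "one-interface"
    # The PID/Program column is "-" when netstat is run without root.
    program = fields[6].split("/", 1)[-1] if len(fields) > 6 else "?"
    return program, int(port), scope

def non_loopback(netstat_output):
    """List the listeners that other hosts can reach, firewall permitting."""
    found = [parse_listener(line) for line in netstat_output.splitlines()]
    return [f for f in found if f and f[2] != "loopback"]

if __name__ == "__main__":
    for program, port, scope in non_loopback(SAMPLE):
        print(f"{program} listens on port {port} ({scope})")
```

With `Listen 127.0.0.1:80` in place, the apache2 line would show `127.0.0.1:80` as its local address and drop out of the `non_loopback` result.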

          • (Score: 2) by Gaaark on Sunday July 29 2018, @10:04AM

            by Gaaark (41) Subscriber Badge on Sunday July 29 2018, @10:04AM (#714277) Journal

            Thanks: gonna look harder at this when I get a chance.
            And yeah, I've been caught at bad times too. No problem.

            This is all REALLY interesting, though: feeds the brain!
            Thanks again.

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 0) by Anonymous Coward on Saturday July 28 2018, @05:38PM (1 child)

    by Anonymous Coward on Saturday July 28 2018, @05:38PM (#714045)

    You said you think the problem may be with ufw, but you didn't post the rules you're using. If you do "ufw status" you can see what rules are being applied. You could show us that information too, if you wish. Canonical has a page [ubuntu.com] that may be helpful.

    • (Score: 2) by Gaaark on Saturday July 28 2018, @10:57PM

      by Gaaark (41) Subscriber Badge on Saturday July 28 2018, @10:57PM (#714131) Journal

      Thanks: as i said above to AC, my problem is time and experience. i probably won't really be able to get back at this until maybe Tuesday. My son (who is moderate to severe autistic) is off school and so fills our days.

      Time is soooo short.

      But thanks for the link.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 2) by Gaaark on Saturday July 28 2018, @11:04PM (3 children)

    by Gaaark (41) Subscriber Badge on Saturday July 28 2018, @11:04PM (#714134) Journal

    Seems like what i needed was a reboot(?) because i can now access the apache2 default page through the ngrok.io tunnel!

    Sigh: will have to wait until i can find time to do up a proper web page and populate it with my external hard drives and make it look fancy, lol.

    Still want to do more reading about security, though: make sure i do it right. :/

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 2) by realDonaldTrump on Sunday July 29 2018, @02:41AM (2 children)

      by realDonaldTrump (6614) on Sunday July 29 2018, @02:41AM (#714194) Homepage Journal

      Smart move! One thing I know about cyber, the reboot solves many many problems. Whether the bad cyber is in a cellphone or an aircraft carrier. And I wish I'd looked at your journal sooner, I would have said, "try the reboot." It's not 100%. But it's like 80%.

      The journals. I can edit my journal. Very easy, I touch Journal then I touch where it says "edit." But unfortunately I don't know how to edit your journal. Or I'd put a #TrumpTrain [facebook.com] link in for you!

      • (Score: 2) by Gaaark on Sunday July 29 2018, @10:15AM (1 child)

        by Gaaark (41) Subscriber Badge on Sunday July 29 2018, @10:15AM (#714281) Journal

        O.
        M.
        G!
        Donald fecking Trump taught me something!
        Should I say thanks? Should I run and hide?

        Should I shake his hand (always being aware of the 'pull in' thing he does)?

        Is theRealDonaldTrump REALLY HillaryClinton???

        :) Thanks.

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 2) by realDonaldTrump on Sunday July 29 2018, @12:38PM

          by realDonaldTrump (6614) on Sunday July 29 2018, @12:38PM (#714322) Homepage Journal

          You're welcome.

          And if you want to thank me some more, when you have your elections. You folks have something that I guess is like our Electoral College. Where you vote for a guy, and that guy votes for the guy -- or woman -- who runs your Country. And hopefully you'll vote for somebody that isn't with Justin. He's been charging the U.S. massive tariffs and creating non-monetary barriers. Keeping our farmers and others out. Killing our economy! Canada used to be a great friend, they're not a friend anymore. And that's too bad.

  • (Score: 2) by cafebabe on Sunday July 29 2018, @03:57PM (1 child)

    by cafebabe (894) on Sunday July 29 2018, @03:57PM (#714384) Journal

    Does anyone have advice/tips/help?

    netstat -t -a -n -o -p helps diagnose numerous network problems including absent web servers, database connection problems and DNS problems.

    --
    1702845791×2
    • (Score: 2) by Gaaark on Sunday July 29 2018, @11:55PM

      by Gaaark (41) Subscriber Badge on Sunday July 29 2018, @11:55PM (#714518) Journal

      Thanks: will try when I get time. I'm hoping Tuesday, but.... :(

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 0) by Anonymous Coward on Monday July 30 2018, @06:49PM

    by Anonymous Coward on Monday July 30 2018, @06:49PM (#714873)

    You should read https://httpd.apache.org/docs/2.4/misc/security_tips.html [apache.org]. But here are some basic steps you can take to harden your server:

    Run Apache as a dedicated non-privileged user and group (and definitely don't use nobody).
    Secure your directories
    Set your various timeout and limit values.
    Disable scripting you don't need (SSI, CGI, etc.).
    Disable HTTP methods you won't use (Probably anything not HEAD or GET).
    Disable ETags.
    Set proper security headers on your server.
    Forbid .htaccess files.
    Disable the Server header (ServerTokens).
    Set ServerSignature to Off.
    Disable Global Directory Listings.
    Consider adding mod_security and mod_evasive.
    Disable mod_autoindex mod_info mod_include mod_userdir mod_imap mod_status and any other module you are not using.
    Enable unattended-upgrades or your OS's equivalent.
    Enable TLS
    READ YOUR LOGS!!!
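
An added example, not part of the comment above or of the Apache documentation: a small Python check that reads Apache configuration text and flags several of the checklist items (server user, ServerTokens, ServerSignature, FileETag, AllowOverride, directory listings). The sample configuration, the target values and the choice to require explicit settings are assumptions made for the illustration.

```python
# Constructed sample (not from the thread): deliberately weak settings.
WEAK_CONF = """\
User nobody
ServerTokens OS
ServerSignature On
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

# Directive -> value this check requires (assumed targets for the checklist items).
REQUIRED = {"servertokens": "prod", "serversignature": "off", "fileetag": "none"}

def parse(conf_text):
    """Map each directive name (lowercased) to the argument lists it was given."""
    seen = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip comments and <Section> tags
            continue
        name, *args = line.split()
        seen.setdefault(name.lower(), []).append(args)
    return seen

def audit(conf_text):
    """Return sorted findings for the checklist items covered here."""
    seen, findings = parse(conf_text), []
    for name, want in REQUIRED.items():
        last = seen.get(name, [None])[-1]  # the last occurrence in the text
        if last is None:
            findings.append(f"{name}: not set explicitly (want {want})")
        elif [a.lower() for a in last] != [want]:
            findings.append(f"{name}: {' '.join(last)} (want {want})")
    for args in seen.get("allowoverride", []):
        if [a.lower() for a in args] != ["none"]:
            findings.append("allowoverride: .htaccess overrides permitted")
    for args in seen.get("options", []):
        if any(a.lower().lstrip("+") in ("indexes", "all") for a in args):
            findings.append("options: directory listings enabled")
    for args in seen.get("user", []):
        if args and args[0].lower() in ("root", "nobody"):
            findings.append(f"user: runs as {args[0]}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print(finding)
```

The check works on text passed to it and does not follow `Include` lines, so on a split configuration the files have to be concatenated before auditing.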
