New ISPconfig3 installation - what to do before creating the first client/website

Discussion in 'Installation/Configuration' started by danhansen@denmark, Apr 2, 2013.

  1. markc

    markc Member

    It seems your problem is solved and you can now access your Ubuntu server's default web pages from the outside world, so my advice would not be necessary.

    I use nginx and its sites-enabled/100-mysite.vhost listen directive is "listen *:80;" so it's listening on my 127.0.0.1 and 192.168.xx.xx IPs by default. From the inside of my LAN I have no problem bringing up a page for the domainname associated with the EXTERNAL IP of my router, but I am using a DMZ from the router to my internal server.

    What I did have a problem with is using this server as a DNS slave, and for the life of me it would not transfer the /etc/bind/slave records. I think it finally worked after this tweak, which means I may not have disabled AppArmor on this Ubuntu raring server.
    Code:
    ~ cat /etc/apparmor.d/local/usr.sbin.named
    # Site-specific additions and overrides for usr.sbin.named.
    # For more details, please see /etc/apparmor.d/local/README.
    
    /etc/bind/slave/ lrw,
     
  2. danhansen@denmark

    danhansen@denmark Member HowtoForge Supporter

    /etc/hosts, listen *:80; & DMZ


    Hi Markc,

    Thanks for that and yes, it works now! But there are a couple of things that I still would like to fix ;)

    1. As you write you have "...got no problem bringing up a page for the domainname associated with the EXTERNAL IP of my router"
    But I still do and you gave me this advice earlier on: "...and on your linux desktop add "192.168.xx.xx yourdomainname.tld" to /etc/hosts to force your browser to go directly to the webserver on the LAN IP."
    To this I ask: Do I have to do this for all my domains/websites that I want to go directly to? (myfirstdomain.tld, myseconddomain.tld, mythirddomain.tld etc.) And, do I have to make both "192.168.xx.xx myfirstdomain.tld" and "192.168.xx.xx www.myfirstdomain.tld" if I want to reach domains/websites with and without "www" in the browser - or is this "handled" in ISPconfig's "subdomain" function!?! :eek: Sorry for that!

    2. Regarding: "...listen *:80;" so it's listening on my 127.0.0.1 and 192.168.xx.xx IPs by default..." and "...When you configure the webserver, tell it to listen on the INTERNAL LAN IP..." :eek: I am not sure if my system "ISPconfig3 Single Server System - Ubuntu Server 10.04" has anything listening on any ports by default - I haven't seen this in any of the 3 files I posted. So I ask, do you think that there is this "listening on port 80" anywhere in this default setup? Or, do you think I need it now that the websites are working from the outside?
    It's just that I don't know exactly how this control panel works, I haven't "activated" anything "virtual", but maybe there are several "virtual" functions that I just don't understand. Back in the days we used 1 public IP number per client's domain/website which we had the nameservers point at. Simple and easy. :eek: And he keeps on going! Sorry about that too.

    3. Regarding the DMZ you told about, I too use the DMZ function now, after having my modem/router reset and knocked back into the stone age. I thought about it after reading your post and decided that I too wanted to use this function. There is all kind of security installed on the ISPconfig system and a firewall to be activated. Normally, and back in the days when I as an ISP used Microsoft IIS servers, I had all servers on the public/unsecure side of a router. That was the way to do it then and this is the way to do it now, I see that. To have some security on my work desktop which is also on this Internet connection, I configured another router (DLink DIR-655) to run DHCP on another subnet with full protection and everything. So from here on there is only "fine-tuning of the system" to do and some adapting too.

    Thanks for everything - looking forward to hearing from you.

    Kind Regards,
    Dan
     
  3. markc

    markc Member

    So when you say "it works" I presume you mean you can surf to your control panel on your DMZ server from the outside world but you can't get to the same site directly from another machine on your internal LAN?

    My "solution" of hardwiring IPs and domainnames on each internal workstation should not be needed and is just a workaround in some bizarre situation. The domain I point to my external IP is the same as when I ping it from the inside on my laptop, so when I surf to mydomain.tld my browser goes to my router and that passes it back into my internal LAN on the DMZ. In other words it doesn't matter if I ping my domain from inside or outside of my router, it will still go to the server on my DMZ. The nginx listen directive for ports 80 and 443 listens to everything on that server, which is 127.0.0.1 and 192.168.xx.xx. If I type 192.168.xx.xx into my browser I still get the same vhost that I see by going to mydomain.tld from outside or inside my router.

    I have my ISPConfig CP listen to port 443 so if I go to https://mydomain.tld I get my CP from inside or outside my router. If I use https://192.168.xx.xx then I still get the CP. You should be able to do the same or similar to this.
     
  4. danhansen@denmark

    danhansen@denmark Member HowtoForge Supporter

    So when you say "it works" I presume you mean you can surf to your control panel on your DMZ server from the outside world but you can't get to the same site directly from another machine on your internal LAN?
    Exactly! :)

    My "solution" of hardwiring IPs and domainnames on each internal workstation should not be needed and is just a workaround in some bizarre situation. The domain I point to my external IP is the same as when I ping it from the inside on my laptop, so when I surf to mydomain.tld my browser goes to my router and that passes it back into my internal LAN on the DMZ. In other words it doesn't matter if I ping my domain from inside or outside of my router, it will still go to the server on my DMZ. The nginx listen directive for ports 80 and 443 listens to everything on that server, which is 127.0.0.1 and 192.168.xx.xx. If I type 192.168.xx.xx into my browser I still get the same vhost that I see by going to mydomain.tld from outside or inside my router.
    :eek:

    I have my ISPConfig CP listen to port 443 so if I go to https://mydomain.tld I get my CP from inside or outside my router. If I use https://192.168.xx.xx then I still get the CP. You should be able to do the same or similar to this.
    From the outside I just use https://myfixedipnumber:8080 - from the inside https://192.168.x.xx:8080. Have you changed the port ISPconfig listens to then? I'm not sure about this, which is why I have posted a thread with a question regarding the use of the servername from the outside. The name we gave it during installation was server1.domain.tld and was set up as a hostname, and in the ISPconfig APP you are also told to enter "server1.example.tld". This is why I am a little confused. Well, don't use any more time trying to explain this to me, you are many steps ahead of me ;) I must read the 373 pages for the third time :rolleyes:

    Kind Regards,
    Dan
     
    Last edited: Apr 9, 2013
  5. markc

    markc Member

    Yes, I use port 443 instead of 8080 for my CP. So what happens when you go to https://myfixedipnumber:8080 from inside your LAN?

    If that works the same as https://192.168.x.xx:8080 then all is well and you are only missing a domainname and DNS resolution for it.

    Have you got a registered domainname you can point to your external IP?

    If not then you could try to emulate it with either Bind and use, say, one.lan two.lan three.lan kind of hostnames with lan as your private top level domain (TLD), or use "ip hostname" mappings in /etc/hosts on your server and workstation. But this won't work from the outside world, so it is of limited use.
     
  6. danhansen@denmark

    danhansen@denmark Member HowtoForge Supporter

    Yes, I use port 443 instead of 8080 for my CP.
    Ahhh, I see..;)

    So what happens when you go to https://myfixedipnumber:8080 from inside your LAN? If that works the same as https://192.168.x.xx:8080 then all is well and you are only missing a domainname and DNS resolution for it.
    Absolutely nothing other than:
    The connection has timed out
    The server at myfixedipnumber is taking too long to respond.


    Have you got a registered domainname you can point to your external IP?
    Yes, I've got several :) And I am a little lost here, but I'm quite curious exactly what it is you are using this trick for. Sorry for being slow :eek:

    "use "ip hostname" mappings in /etc/hosts"
    Yes, this is what I'm trying to do right now. Been installing VIM-NOX on my desktop to be able to vi /etc/hosts. But I've been reading a lot about troubles with "read only" rights and about server1.example.tld, where server1 is the hostname and with example.tld being the domainname you have the FQDN, the fully qualified domainname. But, yes, I would like to be able to reach some of the websites I'm hosting on the ISPconfig3 server. And from my Windows-based notebook I know about editing the hosts file. I'm just not sure about the way to do it on the Ubuntu Desktop 12.04 - Here's my "/etc/hosts" output with my suggestion. Please correct me. And when the file is rewritten, do I need to restart the service (would hate to restart the desktop) :eek: He's back!!!

    127.0.0.1 localhost
    127.0.1.1 Blackbird (mydesktoppcbutyoualreadyknowthisimsure)
    192.168.1.200 mydomain1.tld
    192.168.1.200 www.mydomain1.tld
    192.168.1.200 mydomain2.tld
    192.168.1.200 www.mydomain2.tld

    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters


    Kind Regards,
    Dan
     
  7. markc

    markc Member

    If you can't get to your CP via the external IP from within your LAN, but you can from the outside, then something is obviously weird. This problem needs to be fixed first and it may be something to do with firewall rules on either your desktop or server. If you are using a DMZ on your router then perhaps make sure any previous port forwarding rules are removed. This may make no difference but you need to nudge a few things to try and get access from your desktop to the server via the external IP of your router. Running tcpdump on the server is invaluable but there can be a lot of RTFM involved using it... usually something like tcpdump -i eth0 not port 22 on the server will reveal what traffic is or is not hitting the server.

    As for the /etc/hosts "trick", it should not be necessary if you have real registered domains that you can use. But for the sake of testing, something like this...
    Code:
    # desktop
    192.168.1.201 blackbird.mydomain1.tld blackbird
    
    # server
    192.168.1.200 www.mydomain1.tld www.mydomain2.tld mydomain1.tld mydomain2.tld
    needs to be added to both /etc/hosts (or windows equiv) so that both machines know about each other's temporary domainnames for testing. "192.168.1.201" is a placeholder for whatever your desktop IP is.

    You might find nano a friendlier editor unless you actually prefer vi. I use this alias in my ~/.bashrc...
    Code:
    alias e='nano -t -x -c'
     
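Added example (not code from either poster): a small Python check that parses /etc/hosts-style text like the files above and reports, per domain, whether both the bare name and its www alias are pinned to the server's LAN address, which is what the testing workaround needs when public DNS points those names at the router's external IP. The sample hosts text and the server address 192.168.1.200 are constructed from the thread.

```python
import ipaddress

# Constructed sample modelled on the desktop /etc/hosts posted earlier in the
# thread; the www.mydomain2.tld line is deliberately left out.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 Blackbird
192.168.1.200 mydomain1.tld
192.168.1.200 www.mydomain1.tld
192.168.1.200 mydomain2.tld
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
"""

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, comments stripped.
    Like the glibc resolver, the FIRST entry for a name wins."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            mapping.setdefault(name.lower(), ip)  # later duplicates are ignored
    return mapping

def check_lan_pins(mapping, server_ip, domains):
    """Per domain, list what stops the bare and www names from pointing at
    server_ip; an empty list means the LAN pin is complete."""
    report = {}
    for domain in domains:
        problems = []
        for name in (domain, "www." + domain):
            ip = mapping.get(name.lower())
            if ip is None:
                problems.append(f"{name} missing: it will resolve via DNS to the external IP")
            elif ip != server_ip:
                problems.append(f"{name} -> {ip}, expected {server_ip}")
        report[domain] = problems
    return report

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for domain, problems in check_lan_pins(hosts, "192.168.1.200", ["mydomain1.tld", "mydomain2.tld"]).items():
        print(domain, "ok" if not problems else "; ".join(problems))
```

Because the first matching entry wins, a stale or tampered hosts line silently overrides DNS for that machine, which is one reason the thread treats this as a testing-only workaround.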
  8. danhansen@denmark

    danhansen@denmark Member HowtoForge Supporter

    server1.myispserver.tld & to see websites in browser using domains within LAN

    Hi Markc,

    If you can't get to your CP via the external IP from within your LAN, but you can from the outside, then something is obviously weird. This problem needs to be fixed first and it may be something to do with firewall rules on either your desktop or server. If you are using a DMZ on your router then perhaps make sure any previous port forwarding rules are removed. This may make no difference but you need to nudge a few things to try and get access from your desktop to the server via the external IP of your router. Running tcpdump on the server is invaluable but there can be a lot of RTFM involved using it... usually something like tcpdump -i eth0 not port 22 on the server will reveal what traffic is or is not hitting the server.
    I will try that command and maybe post the result for you!? I have seen this problem before, not to be able to reach websites/domains on a server from a workstation within the LAN - and the solution was to add ipnumber and domain to /etc/hosts or at least I think it was (were*).

    As for the /etc/hosts "trick", it should not be necessary if you have real registered domains that you can use. But for the sake of testing, something like this...
    Code:
    # desktop
    192.168.1.201 blackbird.mydomain1.tld blackbird
    I'm sorry, have been looking at this several times now and I'm not sure about the reason for doing this. Why use the desktop as a subdomain? If this is what it is. Is it to be able to reach the desktop using the subdomain from the outside?

    Code:
    # server
    192.168.1.200 www.mydomain1.tld www.mydomain2.tld mydomain1.tld mydomain2.tld
    This is what I thought should be on the desktop /etc/hosts file, to be able to reach a website/domain on the ispserver within the LAN!? Making a request for mydomain1.tld in the desktop browser, then via the /etc/hosts file it is being directed directly to myispserver 192.168.1.200. Because, making a request for domain1.tld, it will be directed to the outside fixed IP number by the primary nameserver.
    Again, I'm sorry. I'm not quite sure what to do yet or how these things work exactly.

    needs to be added to both /etc/hosts (or windows equiv) so that both machines know about each others temporary domainnames for testing. "192.168.1.201" is a placeholder for whatever your desktop IP is.
    Placeholder, I'm not sure what this is. Maybe I should go back in the thread and read a little. I will do that :)


    You might find nano a friendlier editor unless you actually prefer vi. I use this alias in my ~/.bashrc...
    Code:
    alias e='nano -t -x -c'
    What does the alias do? Is it some kind of variable* you set so that you only need to type "e" in front of a filename? I "vim-nox'e" the vi so that it behaves a little better, but I'm very curious so please tell me more :) Do you "apt-get" or "aptitude"? I noticed that "aptitude" is not default in the Ubuntu desktop 12.04 but has to be installed.

    (* not sure about the word and how it's spelled)
    (Funny words is the result of danish spellchecking* on a smartphone)

    By the way, which timezone are you in? So that I can try to answer during your daytime instead of in the middle of the night :)

    Kind Regards
    Dan
     
  9. markc

    markc Member

    My timezone is +10. Yes, the e alias just makes it easier to "e filename". I also use a "se" alias that just prepends a sudo to easily edit root owned files.

    Trying to add temporary domainname mapping to your desktop and server is not really necessary. You should try to solve the basic networking problem of being able to "see" your DMZ server by going to your external IP from your desktop machine.

    Run the tcpdump command on your server and then try to surf to your external router IP on your desktop and see what tcpdump says, or not. It should be obvious whether you see any sign of network traffic, coming from your desktop, on your server. We just need a yes or no answer.
     
  10. danhansen@denmark

    danhansen@denmark Member HowtoForge Supporter

    TCPdump from ispserver - Trying to reach fixed IP from desktop - part1,2 & 3

    Hi Mark,

    I sent you a private message containing the info - There is some "private" stuff in it :)

    Kind Regards,
    Dan
     