TurnKey Linux Virtual Appliance Library

Fileserver appliance behind forwarding proxy

When configuring the file-server appliance behind a forwarding proxy, I cannot log-in because the internal ip is being used during the log-in procedure.

My config is: external static ip with apache server and mod_forward.  External DNS pointing to fixed IP address.

File server appliance with internal ip.

In host-address of the file server appliance, I have put the internal ip next to the alias.  The external dns is not visible from my internal domain.


Which part of the login and what are you trying to log into?

Do you need both internal and external access? What component are you accessing? Can you explain the exact issue a little clearer?

I'm not an expert in these things but I'd muck around a bit with the hostname, using the external IP/DNS address and see if you can get it to work that way. If it works and you need internal access too, then just add that same name as an entry in your internal DNS as well.

IP address instead of name

I need external access.  Internally, I can go to the file-server with ssh, so no problem if I cannot get this working.

Externally, the URL is storage.mydomain.com.  This points to a fixed IP address with an Apache web-server.  Depending on the name (e.g. www.mydomain.com, webmail.mydomain.com) this is being forwarded on my public server by mod_proxy to a different internal IP address on a different ESX instance with the fileserver appliance.  On the internal ip-address, the VM is not seeing the external address, because there is no internal DNS resolving to translate storage.mydomain.com to the internal ip.  This works fine for all other VMs, but for file server appliance I see the externally located browser loading pages from 10.0 ....  which is of course irrelevant (see logs below).  I believe there is some absolute path being used, instead of relative paths to provide further links.

If I surf from within my company network to this server, the 10.0 address is resolving well and the file-server appliance is working.  If I surf from within my company to the external dns, it is also working fine.

The login page loads but I have references to the local IP for following links:

<script type="text/javascript" src="http://10.0.1.23/fetchscript.php?&amp;subdir[0]=scripts/extjs/&amp;file[0]=yui-utilities.js&amp;subdir[1]=scripts/extjs/&amp;file[1]=ext-yui-adapter.js&amp;subdir[2]=scripts/extjs/&amp;file[2]=ext-all.js&amp;gzip=1"></script>
<script type="text/javascript" src="http://10.0.1.23/index.php?option=com_extplorer&amp;action=include_javascript&amp;file=functions.js"></script>	
<link rel="stylesheet" href="http://10.0.1.23/fetchscript.php?subdir[0]=scripts/extjs/css/&file[0]=ext-all.css&amp;subdir[1]=scripts/extjs/css/&file[1]=xtheme-aero.css&amp;gzip=1" />
<link rel="shortcut icon" href="http://10.0.1.23/eXtplorer.ico" />
<img src="http://10.0.1.23/images/eXtplorer.gif" align="middle" alt="eXtplorer Logo" />

I do not use the release candidate but the 2009.10-2 release.  I will try by installing the new release later on.

Edit 1: Added log info
Edit 2: clarification of servers


Blind leading the blind here :)

Ok, now as the post title suggests I don't really know what I'm doing...! But the first thing I would try is checking/adjusting the hostname. Have a look at your hosts file (/etc/hosts). If you know what I'm talking about, skip to the last paragraph, if not, read on...:)

Here's mine from my home fileserver:

127.0.0.1 localhost.localdomain localhost
# Auto-generated hostname. Please do not remove this comment.
192.168.1.58 files.home.lan  files

This is an OpenVZ template running under Proxmox - Proxmox creates this file when you set up the VM, so don't worry if yours looks a little different. Obviously the first line is localhost, you can leave that alone, the second line in mine is commented so ignore that. The 3rd line is the one that you'll want to adjust, although in your case it may look a little different, feel free to post yours here if you would like my 2c. My fileserver's IP is 192.168.1.58 and its name is 'files', my home domain is 'home.lan'. So my fileserver's FQDN (Fully Qualified Domain Name) is 'files.home.lan'. Now in my case I don't think it really matters (I can browse to it via IP and it still works fine) but in your case it may matter because of the reverse proxy.

I suggest that you add the actual external domain name that you use to access this machine offsite to the line in your hosts file. Seeing as offsite access is the priority here, why not try putting it first.

10.0.1.23 storage.mydomain.com storage

or something like that. Does that work?

Another thing I just noticed is that you're using http, not https. If there's no reason, I'd advise using https at the very least for log in, better still for the lot, especially if the files are sensitive.

Local is working fine, remote is connecting to private IP

JedMeister, thanks for the hint.

Locally, it is working fine with the mix of local ip and public ip.... No need to fix the IP address there.  (At least to make it work; I agree it would be better with local DNS resolving.)

I know how to edit a host file.  I have more trouble with setting up a DNS with local resolving that is different from remote resolving.  I have a FQN with domain externally and I should really not mess with the external DNS resolving....  Therefore, I do no internal resolving over my internal DNS just to avoid this pitfall. I will take your advice and do some resolving on the local host of the server to point to the internal address.

The problem is that externally, the 10.0... address should never be sent out.  All links should be to the DNS name.   Moreover, to expose the service to customers, I cannot ask them to reroute 10. requests to my server....

About HTTPS, yes it is usable.  My public proxy server will translate all HTTPS external traffic to local HTTP traffic.  Once it works well, I will shut down port 80 to force HTTPS only.  Thanks for the reminder anyhow.

BTW: I updated the second post while you were giving your answer.


Sorry if I explained stuff you know already

I tend to err on the side of explaining too much (when I have time anyway) rather than not enough. I figure even if it's no use to you maybe someone might find it useful!? Did you try adjusting the hostname? Did it help at all?

Installing a local DNS is pretty easy & it's not that hard to configure either!

apt-get install bind9 webmin-bind8

Will get you the basic DNS setup with the Webmin module to assist configuring it. Although it's probably just as easy to have a google and set it up manually. If you have it then forward to your normal external DNS then it shouldn't cause any issues. Then point all your internal PCs to it.

Thanks for your comments - found a solution

Dear JedMeister,

I traced the sources of the file-server appliance (11rc) and found that the PHP variable $_SERVER['HTTP_HOST'] is being used in the reply headers.  All reply headers are absolute.  There is nothing wrong with this, except if you combine this with my forwarding server.  This forwarding server was forwarding all external requests to my internal IP address, but it also replaced the header-fields in the HTTP request with the internal IP.

There are 2 solutions to this problem, and both work.  Solution 1: Add the statement ProxyPreserveHost On in the proxy forwarding config of my Apache server.  Solution 2: Modify the code in extplorer.init.php to reference the external DNS instead of taking the _SERVER variable.  The first is the neatest solution in case your fileserver appliance is behind a firewall.  Nothing has to be changed.  The second could be required in some cases but I do not recommend it.

Thanks for your help.  I will certainly take your other recommendations into account.
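
Added example (not part of the original posts, and not code from the appliance or from Apache): a small Python model of the behaviour described above, plus a check that flags private IP addresses in the absolute links of a served page. The function names and the simplified login page are assumptions made for illustration; the host name and address are the ones quoted in the thread.

```python
import ipaddress
import re

# Host part of absolute http(s) URLs found in src/href attributes.
ABS_URL_HOST = re.compile(r'(?:src|href)="https?://([^/":\s]+)', re.IGNORECASE)

def host_seen_by_backend(client_host, backend_addr, preserve_host):
    """Model of the forwarding proxy: with ProxyPreserveHost On the client's
    Host header is passed through; otherwise the backend address from the
    proxy target is sent instead."""
    return client_host if preserve_host else backend_addr

def render_login_page(http_host):
    """Constructed stand-in for the appliance: builds absolute links from the
    Host header, as the post describes for $_SERVER['HTTP_HOST']."""
    return (
        f'<script type="text/javascript" src="http://{http_host}/fetchscript.php?gzip=1"></script>\n'
        f'<link rel="shortcut icon" href="http://{http_host}/eXtplorer.ico" />\n'
        f'<img src="http://{http_host}/images/eXtplorer.gif" alt="eXtplorer Logo" />\n'
    )

def leaked_private_hosts(html):
    """Return the sorted private IP-literal hosts used in absolute src/href URLs."""
    leaked = set()
    for host in ABS_URL_HOST.findall(html):
        try:
            if ipaddress.ip_address(host).is_private:
                leaked.add(host)
        except ValueError:
            pass  # a DNS name, not an IP literal
    return sorted(leaked)

def check(preserve_host):
    """Render the page as an external client would receive it and scan it."""
    host = host_seen_by_backend("storage.mydomain.com", "10.0.1.23", preserve_host)
    return leaked_private_hosts(render_login_page(host))

if __name__ == "__main__":
    print("ProxyPreserveHost Off:", check(False))
    print("ProxyPreserveHost On: ", check(True))
```

Running leaked_private_hosts() over a page fetched from outside the network gives a quick regression check that the proxy change is still in effect.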


Good work.

Glad you got it worked out.

Thanks very much for posting back, I'm sure others who encounter similar problems will benefit from your research and proposed workarounds.

And here is the description of the set-up

Install a pdc appliance or any appliance without apache.  Disable lighttpd, install apache with apt-get and follow the next instructions.

http://www.internetcontact.be/scm/?p=537


Thanks very much

This will definitely be handy.
