eth0 used for incoming and eth1 used for outgoing connections in NGINX configuration? - linux

I'm using an AWS instance and I have two ENIs, eth0 (192.168.1.100) and eth1 (192.168.1.200). I want to use the eth0 network interface for accepting incoming connections from clients to NGINX (TCP) and the eth1 network interface for outgoing connections from NGINX to the destination (another instance, TCP connection). Is it possible to do that?

As far as I know, yes, it's possible:
proxy_bind 192.168.1.200;
Documentation

@Alexander, thanks. It's working fine with the configuration below:
upstream my_tcp_connect {
    server 192.168.1.300:9000;
    zone tcp_mem 512k;
}
server {
    tcp_nodelay on;
    listen 9000 backlog=409600 so_keepalive=30m::10 reuseport;
    proxy_pass my_tcp_connect;
    proxy_connect_timeout 5s;
    proxy_buffer_size 512k;
    error_log /var/log/nginx/tcp_error.log info; # nginScript debug logging
    proxy_bind 192.168.1.200;   # eth1 address: source of the connection to the upstream
}
I found some connections established from the NGINX instance:
tcp 0 0 192.168.200:59396 192.168.300:9000 ESTABLISHED 3046/nginx: worker
tcp 0 0 192.168.200:58680 192.168.300:9000 ESTABLISHED 3049/nginx: worker
tcp 0 0 192.168.100:9000 192.30.40.14:53110 ESTABLISHED 3048/nginx: worker
tcp 0 0 192.168.100:9000 192.30.40.14:54924 ESTABLISHED 3049/nginx: worker
TCP Connection instance:
tcp 0 0 192.168.1.300:9000 192.168.200:58632 ESTABLISHED 1997/tcp_connect
tcp 0 0 192.168.1.300:9000 192.168.200:59160 ESTABLISHED 1997/tcp_connect
tcp 0 0 192.168.1.300:9000 192.168.200:59360 ESTABLISHED 1997/tcp_connect
tcp 0 0 192.168.1.300:9000 192.168.200:59298 ESTABLISHED 1997/tcp_connect
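To confirm that the split actually takes effect, here is a check (an added example, not code from the question or the answer) that reads `netstat -tnp` output and verifies that every client leg terminates on eth0's address and every upstream leg is sourced from eth1's address. The eth0/eth1 addresses are the ones from the question; the upstream address is a constructed stand-in for the `192.168.1.300` placeholder in the posted config.

```shell
#!/bin/sh
# Added example, not from the question or answer above: verify from `netstat -tnp`
# output that the client leg terminates on eth0's address and the upstream leg is
# sourced from eth1's address (what proxy_bind is supposed to achieve).
INBOUND_IP="192.168.1.100"     # eth0 (from the question): clients connect here
OUTBOUND_IP="192.168.1.200"    # eth1 (from the question): source set by proxy_bind
UPSTREAM="192.168.1.50:9000"   # constructed upstream address:port
LISTEN_PORT="9000"

# Reads netstat lines on stdin, prints one verdict per ESTABLISHED nginx
# connection and exits 1 if any connection violates the intended split.
check_split() {
    awk -v in_ip="$INBOUND_IP" -v out_ip="$OUTBOUND_IP" \
        -v up="$UPSTREAM" -v lport="$LISTEN_PORT" '
    $1 == "tcp" && $6 == "ESTABLISHED" && $0 ~ /nginx/ {
        laddr = $4; raddr = $5
        split(laddr, l, ":")                    # l[1] = local IP, l[2] = local port
        if (raddr == up) {                      # worker -> upstream leg
            if (l[1] == out_ip) print "OK   upstream leg from eth1: " laddr
            else { print "BAD  upstream leg not from eth1: " laddr; bad++ }
        } else if (l[2] == lport) {             # client -> listener leg
            if (l[1] == in_ip) print "OK   client leg on eth0: " laddr " <- " raddr
            else { print "BAD  client accepted on wrong address: " laddr; bad++ }
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: two correct legs and one upstream leg that still leaves
# from eth0's address (what you see when proxy_bind is missing or ignored).
SAMPLE='tcp 0 0 192.168.1.200:59396 192.168.1.50:9000 ESTABLISHED 3046/nginx: worker
tcp 0 0 192.168.1.100:9000 203.0.113.7:53110 ESTABLISHED 3048/nginx: worker
tcp 0 0 192.168.1.100:58680 192.168.1.50:9000 ESTABLISHED 3049/nginx: worker'

# Live use: netstat -tnp | check_split
printf '%s\n' "$SAMPLE" | check_split || echo "split violated on at least one connection"
```

Note that proxy_bind only chooses the source address; on AWS a second ENI in the same subnet usually also needs a policy-routing rule so that packets sourced from eth1's address actually leave through eth1 rather than eth0.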

Related

Why can't I talk to a service on tcp/3000 on my CentOS VPS

I'm trying to run a second web service on my VPS at port 3000.
On the VPS I run:
# php -S myhost.com:3000
and then in a browser, navigate to http://myhost.com:3000 but the browser times out and the service logs/outputs nothing.
If I run the service on port 80 (i.e., php -S myhost.com:80 and navigate to http://myhost.com), it works.
So firewall. Except that:
[root@spinal ~]# firewall-cmd --list-ports
3887/tcp 3000/tcp
(the 3887 is another service, which is working correctly.) And I rebooted the VPS after setting up port 3000 in the firewall. I reckon the service is listening correctly because:
[root@spinal ~]# netstat -tupl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:imap 0.0.0.0:* LISTEN 1907/dovecot
tcp 0 0 0.0.0.0:ciphire-data 0.0.0.0:* LISTEN 1876/sshd
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN 1903/nginx: master
tcp 0 0 0.0.0.0:urd 0.0.0.0:* LISTEN 2004/master
tcp 0 0 myhost.com:hbci 0.0.0.0:* LISTEN 2206/php
tcp 0 0 localhost.loca:postgres 0.0.0.0:* LISTEN 1908/postgres
tcp 0 0 0.0.0.0:smtp 0.0.0.0:* LISTEN 2004/master
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN 1903/nginx: master
tcp 0 0 0.0.0.0:imaps 0.0.0.0:* LISTEN 1907/dovecot
tcp 0 0 localhost.lo:cslistener 0.0.0.0:* LISTEN 1878/php-fpm: maste
tcp6 0 0 [::]:imap [::]:* LISTEN 1907/dovecot
tcp6 0 0 [::]:ciphire-data [::]:* LISTEN 1876/sshd
tcp6 0 0 [::]:urd [::]:* LISTEN 2004/master
tcp6 0 0 [::]:smtp [::]:* LISTEN 2004/master
tcp6 0 0 [::]:imaps [::]:* LISTEN 1907/dovecot
I can however connect locally. This works, when run on the VPS:
$ curl http://myhost.com:3000
so that again points at the firewall. But disabling the firewall doesn't help:
# systemctl stop firewalld
so it could be a DNS problem: my browser and the VPS differ on what myhost.com resolves to. Except that, as mentioned above, switching to port 80 solves the problem. So it's something to do with coming in on port 3000, from outside. But not firewalld.
The question at Can't reach nodejs on port 3000 from external on CentOS 7 is close to mine, but isn't conclusively answered.
I feel pretty stupid. It was a firewall; not on the VPS, but on my local network. When I tried it on a machine that doesn't go through my local network, it worked. I hope my public confession helps someone else.

Unable to access apache page on Linux Azure VM

I've set up a Linux VM in Azure. I've added incoming port access for the port Apache is currently listening on. I've also done a curl localhost on the VM and see the Apache HTML text. I hit the public IP of the VM and get nothing. Any ideas?
According to your description, please check these settings:
1. Please check the Azure VM's NSG settings and make sure the port has been added to the inbound rules:
2. Vnet-->subnet's security group settings:
3. Check which port Apache is listening on:
netstat -ant
root@ubuntu:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 10.1.0.4:55870 191.237.32.134:443 TIME_WAIT
tcp 0 0 10.1.0.4:55874 191.237.32.134:443 TIME_WAIT
tcp 0 0 10.1.0.4:55876 191.237.32.134:443 TIME_WAIT
tcp 0 0 10.1.0.4:55868 191.237.32.134:443 TIME_WAIT
tcp 0 0 10.1.0.4:57772 168.63.129.16:80 TIME_WAIT
tcp 0 0 10.1.0.4:57766 168.63.129.16:80 TIME_WAIT
tcp 0 36 10.1.0.4:22 167.220.255.8:53651 ESTABLISHED
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
By the way, for testing, please disable ufw with the command ufw disable, then try to access the public IP address.
Update:
I followed these steps to modify the Apache default port:
1. Modify ports.conf, change port 80 to 80:
root@ubuntu:/etc/apache2# vi ports.conf
Listen 90
<IfModule ssl_module>
Listen 443
2. Add ServerName localhost to /etc/apache2/apache2.conf
root@ubuntu:/etc/apache2# vi /etc/apache2/apache2.conf
# Global configuration
#
ServerName localhost
3. Modify the default port in /etc/apache2/sites-enabled/000-default.conf
root@ubuntu:/etc/apache2# vi /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:90>
4. Add an inbound rule to the Network Security Group:
By the way, to troubleshoot this issue, we can follow these steps:
1. Log in to this VM and use curl to test apache2:
curl localhost:90
2. Use your PC to telnet to this VM's public IP on port 90
telnet xx.xx.xx.xx 90
If you can't telnet this port, please check your NSG settings and subnet's security group settings.
Here is my result, it works for me:
root@ubuntu:/etc/apache2# netstat -ant | grep 90
tcp6 0 0 :::90 :::* LISTEN

Not able to access ports (11444 & 5072) externally (using Ubuntu on Google Compute Engine)

Proto Recv-Q Send-Q Local Address Foreign Address State PID
tcp 0 0 ip:11080 0.0:* LISTEN -
tcp 0 0 ip:5070 0.0:* LISTEN -
tcp 0 0 ip:5071 0.0:* LISTEN -
tcp 0 0 **127.0.0.1:5072** 0.0:* LISTEN -
tcp 0 0 ip:11443 0.0:* LISTEN -
tcp 0 0 **127.0.0.1:11444** 0.0:* LISTEN -
Not able to access ports (11444 & 5072) externally.
Only working on localhost, not remotely.
We are using Ubuntu on Google Compute Engine.
Firewall rules added.
Just checking - have you also configured the firewall? By default, the ports may be blocked by the firewall. You can configure it to enable ports via either the Developer Console, or with the gcloud command line tool.
Some extra information about firewalls on Google Compute Engine can be found at:
https://cloud.google.com/compute/docs/networking?hl=en#firewalls
As the netstat output shows, your services listening on ports 11444 and 5072 are bound to localhost (127.0.0.1), which means they only accept connections on the local loopback interface. Change the binding IP address in your service configuration to 0.0.0.0.

Express http only working with localhost but not with external ip http connection

Tried to avoid listening only on '127.0.0.1', so port 8000 is now also bound to '0.0.0.0'. But external HTTP clients are still not able to get the HTTP connection set up. Also tried tcpdump: the client SYN reaches the node server, but there is no response at all from the node.js HTTP server... this caused the issue. Really appreciate your assistance!
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 1650/node
tcp 0 0 127.0.0.1:56064 127.0.0.1:27017 ESTABLISHED 1650/node
tcp 0 0 127.0.0.1:56062 127.0.0.1:27017 ESTABLISHED 1650/node
tcp 0 0 127.0.0.1:56065 127.0.0.1:27017 ESTABLISHED 1650/node
tcp 0 0 127.0.0.1:56063 127.0.0.1:27017 ESTABLISHED 1650/node
tcp 0 0 127.0.0.1:56061 127.0.0.1:27017 ESTABLISHED 1650/node

Glassfish install on CentOS not binding IPv4 port

After installing Glassfish on CentOS by only unzipping the zip archive, my server doesn't bind on IPv4.
With
netstat -tnlup
I get this result:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5278/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4621/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4825/master
tcp 0 0 :::8686 :::* LISTEN 14659/java
tcp 0 0 :::4848 :::* LISTEN 14659/java
tcp 0 0 :::8080 :::* LISTEN 14659/java
tcp 0 0 :::3700 :::* LISTEN 14659/java
tcp 0 0 :::8181 :::* LISTEN 14659/java
tcp 0 0 :::22 :::* LISTEN 4621/sshd
tcp 0 0 ::1:25 :::* LISTEN 4825/master
tcp 0 0 :::7676 :::* LISTEN 14659/java
udp 0 0 0.0.0.0:68 0.0.0.0:* 1168/dhclient
How can I force Glassfish to listen on IPv4 addresses too?
You may find Glassfish is bound to IPv4 (and IPv6) but is being blocked by the iptables firewall settings:
As root:
/etc/init.d/iptables stop
Then try accessing Glassfish via IPv4. If that works then you can re-enable iptables and set the appropriate rules for your environment.
That CentOS isn't showing ports bound on IPv4 when they are also bound on IPv6 looks like a bug to me (2.6.32-358.23.2.el6.x86_64).
I just had this same problem. Not sure yet what triggered the issue, as I have two other servers with the same software that don't show this issue.
In my case, I was able to fix it by adding this environment variable:
export _JAVA_OPTIONS="-Djava.net.preferIPv4Stack=true"
Once I restarted Java with this variable, it bound to IPv4, but not v6. I'm curious as to why it's not binding to both.
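The two netstat puzzles above (the Google Compute Engine services bound to 127.0.0.1, and the Glassfish sockets shown only on `:::`) come down to reading the Local Address column correctly. The classifier below is an added example, not code from any of the posts: it walks `netstat -tnlp` LISTEN lines and states, per port, which clients can reach it. The only fact it relies on beyond the posts is that on Linux a TCP socket bound to `::` also accepts IPv4 clients unless net.ipv6.bindv6only=1 or the program set IPV6_V6ONLY itself.

```shell
#!/bin/sh
# Added example, not from any of the posts above: classify the LISTEN lines of
# `netstat -tnlp` so loopback-only services (the 127.0.0.1:5072 case) and
# IPv6-wildcard sockets (the Glassfish :::8080 case) are named explicitly.
# Fact relied on: on Linux a TCP socket bound to :: also accepts IPv4 clients
# unless net.ipv6.bindv6only=1 or the program set IPV6_V6ONLY itself.
classify_listeners() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)      # everything before it
        prog = ($7 == "" || $7 == "-") ? "unknown" : $7
        if (host == "127.0.0.1" || host == "::1" || host ~ /^localhost/)
            scope = "LOOPBACK-ONLY: not reachable from other hosts"
        else if (host == "0.0.0.0")
            scope = "ALL-IPV4: reachable if the firewalls allow it"
        else if (host == "::")
            scope = "ALL-IPV6: also IPv4 unless bindv6only=1"
        else
            scope = "SPECIFIC: only via " host
        printf "%-6s %-16s %s\n", port, prog, scope
    }'
}

# Constructed sample in netstat -tnlp layout (not copied from any post).
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5072 0.0.0.0:* LISTEN 2210/app
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4621/sshd
tcp6 0 0 :::8080 :::* LISTEN 14659/java
tcp 0 0 ::1:25 :::* LISTEN 4825/master'

# Live use: netstat -tnlp | classify_listeners
printf '%s\n' "$SAMPLE" | classify_listeners
```

A LOOPBACK-ONLY verdict means no firewall or cloud rule will help until the service's bind address is changed; an ALL-IPV4 or ALL-IPV6 verdict means the next thing to check is the host firewall and then the cloud-side rules (NSG, VPC firewall).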
