How to change default http port in openstack dashboard? - openstack

I am new to OpenStack and I need to change the default HTTP port for the dashboard (Horizon), which is currently set to 80. I've installed/deployed OpenStack using the devstack script.
Which configuration files do I need to touch and change?
Obviously, changing only /etc/apache2/sites-available/horizon.conf won't do the trick...

Well, just poor me... it was only a matter of Apache VirtualHost configuration. I added another Listen directive to the ports.conf file.
Sorry for posting this stupid question.

If you only edit horizon.conf, the change won't last through unstack && cleanup && stack.
To make it persistent, edit /your/devstack/location/files/apache-horizon.template adding the appropriate Listen directive.
However, you still need to change the Apache listen port, as it listens on 80 anyway.

CentOS 7.4, OpenStack Pike & Queens instructions
Change the Puppet module's ports config file /etc/httpd/conf/ports.conf:
change line Listen 80 to Listen 8888
Change default host port /etc/httpd/conf.d/15-default.conf:
change line <VirtualHost *:80> to <VirtualHost *:8888>
Change Horizon host port /etc/httpd/conf.d/15-horizon_vhost.conf:
change line <VirtualHost *:80> to <VirtualHost *:8888>
Restart http server:
$ systemctl restart httpd.service
Modify iptables:
List the iptables rules with line numbers and remember one with Horizon (11 in my case)
$ iptables -L -n --line-numbers
[...]
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80 /* 001 horizon 80 incoming */
[...]
Insert the new rule at 11
$ iptables -I INPUT 11 -p tcp -m multiport --dports 8888 -j ACCEPT -m comment --comment "001 horizon 8888 incoming"
$ service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Remove the old rule (11+1=12, check it: $ iptables -L -n --line-numbers)
$ iptables -D INPUT 12
$ service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
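
A consistency check for the procedure above, as an added example that is not part of the original answer: it lists Apache Listen and <VirtualHost> directives still on the old port and confirms that a saved iptables rule accepts the new one. The function names and sample files are constructed for illustration; ports 80 and 8888 are the ones used in the answer.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample files are constructed.

# Print "file:line:text" for each Listen / <VirtualHost> still on port $1.
# Remaining arguments are the Apache config files to scan.
stale_apache_directives() {
    sad_old="$1"; shift
    awk -v old="$sad_old" '
        /^[[:space:]]*#/ { next }                  # ignore comment lines
        tolower($1) == "listen" {                  # Listen [addr:]port [proto]
            n = split($2, a, ":")
            if (a[n] == old) print FILENAME ":" FNR ":" $0
        }
        tolower($1) == "<virtualhost" {            # <VirtualHost addr[:port] ...>
            for (i = 2; i <= NF; i++) {
                v = $i; sub(/>$/, "", v)
                n = split(v, a, ":")
                if (n > 1 && a[n] == old) { print FILENAME ":" FNR ":" $0; break }
            }
        }
    ' "$@"
}

# Succeed if the iptables-save style file $2 has an INPUT ACCEPT rule that
# lists tcp port $1 explicitly (port ranges such as 8000:9000 are not expanded).
firewall_accepts() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dports? ([0-9:]+,)*$1(,[0-9:,]+)? .*-j ACCEPT" "$2"
}

# Constructed sample: ports.conf and the default vhost were updated,
# but the Horizon vhost file was missed.
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
printf 'Listen 8888\n' > "$demo_dir/ports.conf"
printf '<VirtualHost *:8888>\n</VirtualHost>\n' > "$demo_dir/15-default.conf"
printf '# Horizon\n<VirtualHost *:80>\n</VirtualHost>\n' > "$demo_dir/15-horizon_vhost.conf"
printf '%s\n' '-A INPUT -p tcp -m multiport --dports 8888 -m comment --comment "001 horizon 8888 incoming" -j ACCEPT' > "$demo_dir/iptables"

stale_apache_directives 80 "$demo_dir"/*.conf    # reports the missed vhost line
firewall_accepts 8888 "$demo_dir/iptables" && echo "firewall: 8888 accepted"
```

On a real host the same functions can be pointed at /etc/httpd/conf/ports.conf, /etc/httpd/conf.d/*.conf and /etc/sysconfig/iptables; any line printed by the first function is a directive the port change missed.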

Related

Privoxy as intercepting proxy

I want to set up Privoxy to be able to filter all HTTP requests that my WordPress page is sending and receiving, but I am having a hard time trying to do it.
I set up WordPress with the Bitnami package and Privoxy with apt-get install, and found out that in order to intercept all of the requests I have to turn on "accept-intercepted-requests" and actually redirect them with iptables.
I tried this command to do so:
sudo iptables -t nat -D OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8118
But when I try to access the website from outside of localhost I get a connection refused message.
My question is: is it possible to intercept all HTTP requests of a web server with Privoxy and iptables, or do I have to use some other software to achieve this?
I figured it out, so I am posting the solution for anyone who also struggles with this:
sudo iptables -t nat -A PREROUTING -i {INTERFACE_NAME} -p tcp --dport {WEBSITE_PORT} -j REDIRECT --to-port {PROXY_PORT}
where:
INTERFACE_NAME - name of your VM interface, which can be obtained with the ifconfig command (for me it was ens33)
WEBSITE_PORT - port on which your apache2 service is listening (default is 80 or 8080)
PROXY_PORT - port of Privoxy (default is 8118)
It works with every website that is hosted using Apache. (I tested it also with phpBB and it works with no problems.)

Serving rtmp on port 1935

I've been trying to get ffmpeg to stream in RTMP, but the connection to port 1935 is always refused. I really don't know what else I can do to allow this connection.
Here are the specs I'm running.
Ubuntu 18.04 (tried with 19.04), however same issue - here is why I think I've made a mistake
No Nginx installation at the moment
FFMPEG "ffmpeg version 3.4.6-0ubuntu0.18.04.1 Copyright (c) 2000-2019 the FFmpeg developers built with gcc 7 (Ubuntu 7.3.0-16ubuntu3)"
This is the script I run:
ffmpeg -i "test.mp4" -c:v copy -c:a copy -f flv "rtmp://127.0.0.1/stream/test"
Error I get is:
[tcp @ 0x55ff05ab8ce0] Connection to tcp://127.0.0.1:1935 failed: Connection refused
I've done some research and come across many posts about ffserver.conf, and I have made those changes but still no luck. Here is my config file. I have also run ffserver once using this config.
HTTPPort 8090
HTTPBindAddress 127.0.0.1
MaxHTTPConnections 2000
MaxClients 1000
MaxBandwidth 1000
CustomLog -
<Feed feed1.ffm>
File /tmp/feed1.ffm
FileMaxSize 200K
# Only allow connections from localhost to the feed.
ACL allow 127.0.0.1
ACL allow localhost
ACL allow 192.168.0.0 192.168.255.255
</Feed>
<Stream test1.mpg>
# coming from live feed 'feed1'
Feed feed1.ffm
Format mpeg
AudioBitRate 32
# Number of audio channels: 1 = mono, 2 = stereo
AudioChannels 2
AudioSampleRate 44100
# Bitrate for the video stream
VideoBitRate 64
# Ratecontrol buffer size
VideoBufferSize 40
# Number of frames per second
VideoFrameRate 3
</Stream>
<Stream test.asf>
Feed feed1.ffm
Format asf
VideoFrameRate 15
VideoSize 352x240
VideoBitRate 256
VideoBufferSize 40
VideoGopSize 30
AudioBitRate 64
StartSendOnKey
</Stream>
# Special streams
# Server status
<Stream stat.html>
Format status
ACL allow localhost
ACL allow 127.0.0.1
ACL allow 192.168.0.0 192.168.255.255
#FaviconURL http://pond1.gladstonefamily.net:8080/favicon.ico
</Stream>
<Redirect index.html>
URL http://www.ffmpeg.org/
</Redirect>
Here is my ufw status:
-- ------ ----
22/tcp ALLOW Anywhere
22 ALLOW Anywhere
1935/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
1935/tcp (v6) ALLOW Anywhere (v6)
But still nothing. I've also opened ports in iptables but no luck. Here is how this was done:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1935 -j ACCEPT
and
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 1935 -j ACCEPT
And still nothing; every time I run ffmpeg I get connection refused. I have previously installed nginx just to test but no luck.
What am I doing wrong here? Isn't this port supposed to be open now?
Thanks
@JJ-the-Second, I have been using the nginx rtmp module on Ubuntu natively and it is working completely fine. But instead of sending the stream to 127.0.0.1, I either send it to localhost or 0.0.0.0
I figured it out. I was using the Nginx RTMP module - Nginx RTMP for some reason doesn't work well on Ubuntu but is fine with Alpine 3.8 - As soon as I started an nginx rtmp docker container and exposed 1935 and 80, everything started working fine. Lesson learnt, never install the nginx rtmp module on Ubuntu.

Google Cloud forwarding rules are very slow

New to setting up a load balancer:
I am working with the Google Compute Engine.
Set up 3 servers running on 3 different ports: 5010, 5011 and 5012.
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 5010/11/12.. on each specific server
Set up a health check to port 8080. Let's call it example-health-check
Set up a target pool that contains the health check and all 3 instances. Let's call it example-target-pool
Set up a forwarding rule with tcp:5010-5012 and linked its target pool to the example-target-pool
When I go to the LB IP on each one of the ports, the connection is very weird. It works but is very slow for most of the requests, but once in a while a request passes very fast.
Any ideas?

Iptables rules for nginx with php-fpm

I am setting up iptables rules on the server where nginx and php-fpm are running. I have allowed both ports 80 and 443, but as I see there are also additional connections to higher ports that are blocked.
Sample output of
netstat -anpn | grep -v ":80"
tcp 0 1 10.0.0.1:8109 10.1.2.24:29837 SYN_SENT 19834/nginx: worker
tcp 0 1 10.2.3.45:31890 10.0.0.1:26701 SYN_SENT 17831/nginx: worker
10.0.0.1 is server IP, others are clients.
My iptables rules:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
Can someone explain:
Why does nginx use ports different from the standard 80 and 443?
What is this additional port range?
How do I properly allow connections to nginx with iptables?
Thanks in advance!
Nginx will typically perform internal redirects when processing a request and this will establish connections on high numbered ports. I do not believe you can find this range.
Here is what I see for example:
tcp 0 0 192.168.0.126:80 0.0.0.0:* LISTEN 9432/nginx: worker
tcp 0 0 192.168.0.126:80 192.168.0.177:62950 ESTABLISHED 9432/nginx: worker
tcp 0 0 192.168.0.126:80 192.168.0.177:62949 ESTABLISHED 9432/nginx: worker
tcp 0 0 192.168.0.126:80 192.168.0.177:62947 ESTABLISHED 9432/nginx: worker
unix 3 [ ] STREAM CONNECTED 29213 9432/nginx: worker
The reason your firewall rules work is because you:
Have opened the required ports that your Nginx server listeners need (i.e. 80 and 443)
You have included the following firewall rule that allows all requests to localhost (127.0.0.1) so Nginx internal redirects that open high numbered ports are not blocked:
iptables -A INPUT -i lo -j ACCEPT
So to answer your questions:
Nginx server listeners can listen to any port you like not just 80 and 443. Why it uses additional ports is for internal redirects and as such an aspect of the implementation.
I do not believe you can find this range. In fact I would doubt any code would ask the system to utilize a certain port but rather would ask the OS for a high numbered unused port.
You may not have realized it but the firewall rules you implemented should work fine.
I use PHP-FPM with Nginx as well. I block all ports except 22/80/443 in iptables and haven't experienced any issues with connectivity. I examined my own netstat and it looks identical to your output. Are you sure your iptables rules are correct? Could you post the output of sudo iptables -L

HTTP and HTTPS port

I have created a J2EE application that runs on GlassFish, HTTPS enabled. When the user types http://www.mydomain.com:8080/app, they are redirected to https://www.mydomain.com:8181/app/login.
However, on some websites I see that it can actually redirect to something like https://www.mydomain.com/app/login (without the HTTPS port 8181). Does this mean that the server is running both HTTP and HTTPS on port 80?
How do I configure this on GlassFish 3.1?
Non-root user should not use ports below 1024.
It is better to do port forwarding from 80 to 8080 and 443 (https default) to 8181.
Execute this as root:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
Need to make this permanent:
iptables-save -c > /etc/iptables.rules
iptables-restore < /etc/iptables.rules
and call during startup, vi /etc/network/if-pre-up.d/iptablesload
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
You can also configure it in the admin web gui under:
Configuration -> Server Config -> Network Config -> Network Listeners
Just to give out more details on alexblum's answer, when you login into the Glassfish Admin panel, go to Configurations -> server-config -> Network Listeners in Network Config.
Then click on New to add a new listener.
On the new listener page, just select 80 as your port and put 0.0.0.0 as your IP.
Select tcp as your Transport and use http-thread-pool as your Thread Pool
Save and Restart your Glassfish instance.
That's what worked for me anyways.
The default port for HTTP is 80. When you access a URL: http://www.example.com/ you are connecting to www.example.com:80.
The default port for HTTPS is 443. When you access a URL: https://www.example.com/ you are connecting to www.example.com:443.
(See List of port numbers)
(See configuration of GlassFish to use other ports)
