
Thread: How to run two webservers

  1. #16

    Now on wiki

    Hi,

    This how-to is now contributed to the wiki as well. Use the wiki functions to correct my mistakes.

    Cheers!

  2. #17
    Great work, thanks! I'll try to add cgi-bin scripting info later today...

    Question:
    You've used several rules to gain access to the webserver from WAN. I just used:
    Code:
    # allow webserver requests to port 8080 (busybox_httpd)
    iptables -A INPUT -p tcp --dport 8080 --syn -j ACCEPT
    I know this is not the same as redirecting port 80 to 8080, it only opens WAN access to port 8080, but is this method safe or should there be more rules?

  3. #18
    Hi,

    It's a matter of choice really. I'd like to have it on port 80 for external access in order to avoid having to specify port 8080 in the url. It's easier to remember for other people as well. But other than that, no, having it on port 8080 will work the same way.

    Now to your question: yes, I think that iptables line will suffice. You might want to consider adding
    Code:
    -i "$1" -d "$2"
    if you want to limit the access to the WAN interface only. Note, $1 and $2 represent the external interface name and IP address. But again, it's your choice.

  4. #19
    Quote Originally Posted by sesamebike
    It's a matter of choice really. I'd like to have it on port 80 for external access in order to avoid having to specify port 8080 in the url. It's easier to remember for other people as well. But other than that, no, having it on port 8080 will work the same way.
    Yes, I knew that.

    Now to your question: yes, I think that iptables line will suffice. You might want to consider adding
    Code:
    -i "$1" -d "$2"
    if you want to limit the access to the WAN interface only. Note, $1 and $2 represent the external interface name and IP address. But again, it's your choice.
    Thanks! That's what I was wondering about, I will add -i "$1" to the rule.

  5. #20
    Hello. Is there any chance to get PHP up and running with this second webserver?

    And how to do it... has someone got a tutorial?


    NIGHTCD

  6. #21

    Questions: $1 and $2?

    As far as I can understand, $1 and $2 are shell variables, representing respectively the external interface name and its IP address.
    Are these variables set up automatically? Because I am unable to use those in the iptables commands:

    Code:
    /usr/sbin/iptables -t nat -I PREROUTING -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8080
    /usr/sbin/iptables -t nat -D PREROUTING -i "$1" -p tcp --dport 80 -j DROP

    Thanks for your help.

  7. #22

    Read the documentation

    Hi Pledge,

    No, they are not shell variables but rather arguments passed to the post-firewall script.

    From the firmware documentation:

    /usr/local/init/post-firewall is now executed at the end of the default firewall script. If you need any customizations place them here (this script also receives all the args passed to the original firewall script, i.e. $1/$2 are WAN_IF/WAN_IP, $3/$4 are LAN_IF/LAN_IP, $5/$6 are $DMZ_IF/$DMZ_IP).
    If you need to call the script manually you'll need to supply these to the script as follows:

    Code:
    /usr/local/init/post-firewall eth1 1.2.3.4
    Replace 1.2.3.4 with the IP you got from your ISP.

    Cheers!

  8. #23
    Uhm... I get a 401 error: unauthorised when I try to access the /cgi-bin/ directory
    Code:
    busybox_httpd -p 81 -u nobody -h /opt/share/www
    Sorry for my bad English.
    Buy domestic elephants!!!

  9. #24
    Quote Originally Posted by MaTpockuH
    Uhm... I get a 401 error: unauthorised when I try to access the /cgi-bin/ directory
    busybox_httpd -p 81 -u nobody -h /opt/share/www
    Do you have a /opt/share/www/cgi-bin directory?

    If so, is it readable by the webserver?

    Try a:
    Code:
    ls -la /opt/share/www
    and post the result here, if you don't fully get what I mean :-)
    macsat
    http://www.macsat.com - Tutorials and information on using ASUS WL-500G and family.

  10. #25
    First try to run it as admin. Then as nobody!
    Code:
    [admin@oleo root]$ cat httpd.conf
    A:*
    /cgi-bin:admin:admin
    .au:audio/basic
    .asp:text/html

  11. #26

    iptables commands don't work (anymore?)

    Great howto, just what I need. I do have one problem; the iptables commands are not accepted by my router (which runs Oleg 1.9.2.7-7c).
    When I run the post-firewall script from the shell I get an error message:

    Code:
    $ post-firewall eth0 192.168.2.150
    iptables: Bad rule (does a matching rule exist in that chain?)

    eth0 is the device that is connected to the WAN.
    192.168.2.150 is the fixed address I use on the WAN side (I am behind another router).

    Removing the second line in the script takes care of the error message, but does not give me access to my web files.
    Entering the commands one by one in the shell shows that no entries are added to the PREROUTING chain, only to the INPUT chain.

    What am I doing wrong?

  12. #27

    Got it working

    OK, what I wanted was to run a (second) webserver for the WAN side. My website must be stored on a USB stick and will be updated through Samba.

    I found out what I was doing wrong. The main issue was that my post-firewall script missed #!/bin/sh on the first line.

    Then, I found out how to check the iptables chains:

    Code:
    iptables --list -t nat
    for checking the PREROUTING chain and
    Code:
    iptables --list
    for checking the INPUT chain.

    With these commands I saw that (in my case) the rules were added to the bottom of the chain, where they are useless. So I added a 1 and 2 after the -I command to get them to the top of the chain. (I learned a lot on iptables here.)

    The last problem I encountered was that starting busybox_httpd in post-boot on /tmp/harddisk, where I initially found my USB stick, does not work because this directory is not mapped at the time post-boot is executed. I mapped the USB stick to /mnt and finally I was ready.

    Here are the files I use.

    /etc/smb.conf:

    Code:
    [global]
    workgroup=mygroup
    guest account=nobody
    security=share
    browseable=yes
    guest ok=yes
    guest only=no
    log level=1
    max log size=100
    encrypt passwords=yes
    dns proxy=no
    
    [fat32]
    path=/mnt
    writeable=yes
    browseable=yes
    force user=admin

    /tmp/local/sbin/post-firewall:

    Code:
    #!/bin/sh
    /usr/sbin/iptables -t nat -I PREROUTING 1 -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8080
    /usr/sbin/iptables -t nat -D PREROUTING -i "$1" -p tcp --dport 80 -j DROP
    /usr/sbin/iptables -t nat -I PREROUTING 2 -i "$1" -p tcp --dport 8080 -j DROP
    /usr/sbin/iptables -I INPUT 1 -i "$1" -d "$2" -p tcp --syn --dport 8080 -j ACCEPT

    /tmp/local/sbin/post-boot:

    Code:
    #!/bin/sh
    mount -t vfat /dev/scsi/host0/bus0/target0/lun0/part1 /mnt
    /usr/sbin/smbd -D
    /usr/sbin/nmbd -D
    busybox_httpd -p 8080 -h /mnt
    Note that I use -t vfat with the mount command. Before I added that all the files I copied to my USB stick over Samba got short (8.3) filenames.
    Last edited by SuperB; 03-08-2006 at 22:56.
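    As an added example (not code from the thread, and not part of the Oleg firmware), two checks a post-firewall script like the one above could run: validating the WAN_IF/WAN_IP arguments explained in #22 before calling iptables, and confirming from an `iptables -t nat -L PREROUTING -n` listing that the port-80 DNAT rule sits above any port-80 DROP, the ordering problem described in this post. The chain listings and the 203.0.113.7 address are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a post-firewall
# script that receives WAN_IF as $1 and WAN_IP as $2. iptables matches
# rules top-down, so a DROP for port 80 placed above the DNAT shadows it.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if the interface name ($1) is non-empty and the IP ($2) is valid.
check_args() {
    [ -n "$1" ] && is_ipv4 "$2"
}

# Return 0 if the first DNAT for dpt:80 precedes any DROP for dpt:80
# (or no such DROP exists); 1 if the DNAT is missing or shadowed.
dnat_before_drop() {
    printf '%s\n' "$1" | awk '
        /dpt:80( |$)/ && $1 == "DNAT" && !dnat { dnat = NR }
        /dpt:80( |$)/ && $1 == "DROP" && !drop { drop = NR }
        END {
            if (!dnat) exit 1
            if (drop && drop < dnat) exit 1
            exit 0
        }'
}

# Constructed sample listings (numeric output, RFC 5737 test address).
GOOD_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            203.0.113.7          tcp dpt:80 to:203.0.113.7:8080
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080'

# Rules appended (-A) instead of inserted (-I 1): the old DROP comes first.
BAD_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
DNAT       tcp  --  0.0.0.0/0            203.0.113.7          tcp dpt:80 to:203.0.113.7:8080'

check_args eth1 203.0.113.7 && echo "arguments ok"
dnat_before_drop "$GOOD_LISTING" && echo "good listing: DNAT is reached"
dnat_before_drop "$BAD_LISTING" || echo "bad listing: DROP shadows the DNAT"
```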

  13. #28

    Problem

    So I followed the instructions pretty carefully and have those 4 lines in my post-firewall. However, when trying to access busybox from the outside, it still fails, but the same server on an opened port 8008 works just fine. Here's the output from my "iptables --list -t nat":

    Code:
    DNAT       tcp  --  anywhere             [router interface]tcp dpt:www to:[router ip]:8080
    DROP       tcp  --  anywhere             anywhere           tcp dpt:webcache
    And I can confirm that busybox is running on port 8080 with "ps|grep busybox"

    Can anyone tell me why this still fails? Any help would be appreciated.

  14. #29
    Please enter the command 'iptables --list' and see if you have an entry like this:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             [external IP]      tcp dpt:webcache flags:SYN,RST,ACK/SYN
    And what do you mean by [router interface]? My output shows the [external IP] there.

  15. #30
    By router interface I mean the name assigned to my net connection by the cable company, in this case something like "myrouter.dyn.optonline.net" and by external IP I mean the actual IP address I get from going to www.whatismyip.com. I just didn't want to put the name and IP out there for all the internet to see.

    I do have that line in my INPUT chain.

    Code:
    ACCEPT     tcp  --  anywhere             myrouter.dyn.optonline.nettcp dpt:webcache flags:SYN,RST,ACK/SYN
    This is weird if what I have is exactly what you have. Any ideas?

    Edit: I should probably add that I have a WL500gP. Though I don't think that makes any difference.
    Last edited by kRiSiS; 10-11-2006 at 18:10.
