DisgruntledGoat's questions

I have a Ubuntu server (18.04) which hosts some websites on Apache2, and also has a node app running. I want the node app to use SSL, but as it's not running as root it doesn't have permission to listen to ports below 1024.

So I set up an iptables rule like below, and listen on port 8443:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

This works for node, but now the websites all break due to a certificate mismatch (Error code: SSL_ERROR_BAD_CERT_DOMAIN in Firefox). I presume this is due to HTTPS web requests also being forwarded to that same port.

Is there a way to detect and forward only the node requests, leaving Apache alone? Or some other solution.

I have the following Apache config, which displays a 503 Service Unavailable error to all visitors except for my IP address:

ErrorDocument 503 /503.html
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^127.0.0.1$
RewriteCond %{REQUEST_URI} !^/503.html$
RewriteRule .* - [R=503]

This is so that I can carry out maintenance on my site without errors showing for users. (I'm using my actual IP, not 127.0.0.1.)

However, to turn this off or on I need to comment/uncomment all the lines, or completely remove it. On my other server running nginx I used a geo clause with a variable (as seen in this question). So I can just change default from 0 to 1 to turn it on.

Is there a way to do something similar in Apache?

Using Nginx 1.4.6, Ubuntu 14.04 LTS. I have this in the http section of nginx.conf:

geo $maintenance {
    default         1;
    86.161.27.175   0;
}

In my site config I have this:

error_page 503 /static/errors/503.html;
location /mydir/ {
    if ($maintenance) {
        return 503;
    }
    try_files $uri $uri/ =404;
}

However, I am always getting a 503 error when viewing /mydir/ on my site, but for my IP that shouldn't be happening. I've double checked and that is definitely my current IP. I have another geo section for rate limiting that is working fine. Manually setting $maintenance to 0 just above the location block works fine.

Why is this not working?

I have nginx 1.4.3 running on a Ubuntu 12.04 machine. I have nginx set up to cache pages (they are database-driven but stay fairly static). I'm using MySQL and PHP-FPM.

However, I found that I would intermittently get blank pages cached. There were no errors of any kind, and as soon as I delete the appropriate file from /var/cache/nginx the page would come back.

After some investigation, I have found the issue is that if a HEAD request is received, nginx caches a blank response as the full response for that URL. So HEAD /example stores a blank file in the cache file for the /example page, and a subsequent GET /example returns a blank page. (I seem to get HEAD requests regularly from various search engines and bots.)

Here is the relevant site config:

location ~ \.php$ {
  try_files $uri =404;

  fastcgi_cache one;
  fastcgi_cache_key $scheme$host$request_uri;
  fastcgi_cache_valid  200 5m;
  fastcgi_cache_valid  301 302 304 12h;

  include /etc/nginx/fastcgi_params;
  fastcgi_pass 127.0.0.1:9000;
  fastcgi_index index.php;
  fastcgi_param SCRIPT_FILENAME /srv/www/mysite/public$fastcgi_script_name;
  fastcgi_param HTTPS off;
}

Is this a known bug in nginx? I haven't been able to find any information on this though various searches.

Is there a workaround? There is no way to prevent caching HEAD requests according to this.

I thought maybe there is some 'request method' variable that could be added to fastcgi_cache_key, so that HEAD and GET requests are cached separately. But I cannot find anything.

I have just set up a new server with nginx (which I am new to) and PHP. On my site there are essentially 3 different types of files:

• static content like CSS, JS, and some images (most images are on an external CDN)
• main PHP/MySQL database-driven website which essentially acts like a static site
• dynamic PHP/MySQL forum

It is my understanding from this question and this page that the static files need no special treatment and will be served as fast as possible.

I followed the answer from the above question to set up caching for PHP files and now I have a config like this:

location ~ \.php$ {
    try_files $uri =404;

    fastcgi_cache one;
    fastcgi_cache_key $scheme$host$request_uri;
    fastcgi_cache_valid  200 302 304 30m;
    fastcgi_cache_valid  301 1h;

    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/php-fastcgi/php-fastcgi.socket;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /srv/www/example$fastcgi_script_name;
    fastcgi_param HTTPS off;
}

However, now I want to prevent caching on the forum (either for everyone or only for logged-in users - haven't checked if the latter is feasible with the forum software). I've heard that "if is evil" inside location blocks, so I am unsure how to proceed. With the if inside the location block I would probably add this in the middle:

if ($request_uri ~* "^/forum/") {
    fastcgi_cache_bypass 1;
}
# or possible this, if I'm able to cache pages for anonymous visitors
if ($request_uri ~* "^/forum/" && $http_cookie ~* "loggedincookie") {
    fastcgi_cache_bypass 1;
}

Will that work fine, or is there a better way to achieve this?

I have a Ubuntu server hosting client websites, IP: 88.208.194.208. We have Pro-FTPd set up and it runs fine when connecting through FileZilla to upload files etc. We have some clients with software that automates some file uploading so I have set up FTP accounts for each of them (actually standard user accounts in Linux, but the FTP uses them the same).

Most can connect fine but one client cannot, they get a "connection closed by host" error. They also noted that they cannot connect via Windows Explorer, which I tested and it doesn't work for me either. I get a message:

Windows cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder.

Details: The FTP session was terminated

(I tried another server from Explorer and it connected fine so it's not WE itself.)

We have a basic iptables firewall on the server but nothing else AFAIK. iptables is not blocking anything specific.

I also checked log files and could not see the client server's IP address anywhere (ran grep in the entirety of var/logs). The client has also tried disabling firewalls etc their side with no luck.

Is this likely to be a problem on our side? Is there anything I can do to diagnose the issue?

I have some Apache configuration like this:

# Image hotlinking rule
RewriteCond %{HTTP_REFERER} ^http://badsite\.com/
RewriteRule .*/static/artwork/.*\.(jpg|png)$ /static/images/hotlink.png [L]

# Redirects
RewriteRule ^static/artwork/(.+)$    http://cdn.mysite.com/artwork/$1    [L,R=301]

# CodeIgniter
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]

It should do the following:

1. If a request for an image comes from badsite.com, block it and display the hotlink image instead.
2. If a regular request for an image comes in, redirect to the image hosted on the cdn subdomain.
3. Otherwise, if the request is not a file or directory, load a web page page (goes through CodeIgniter).

However, I think the first RewriteCond is applying to the redirect rule, not the hotlinking rule, because requests for images from that referrer are redirected to the CDN, not the hotlinking image. An example in the Apache docs (bottom of the section) implies that a line break stops RewriteCond applying, but that's not happening.

Is there a way to "reset" the RewriteCond rule, or is there some other error in my config?

I have a Ubuntu server with Postfix and Courier (both appear to be running fine). We used to have a control panel provided by our host but after upgrading the server it's no longer available. But now all of our emails are bouncing.

We host several domains and several email addresses per domain. When I send email to e.g. [email protected] it returns a failure notice:

The mail system
<[email protected]>: user unknown. Command output: Invalid user specified.

[email protected] is not an actual user but between Postfix and Courier I think I traced where it comes from. The virtual domains file /etc/postfix/virtual shows lines like this for each email address (first column should be the email address, second column the user):

[email protected]    [email protected]

Now in the folder /etc/courier/userdb/ there are files for each domain on the server. Inside these appear to be "virtual users" that correspond to the emails addresses set up. In the example.com folder is this:

[email protected]       uid=1000|gid=1001|home=/home/example/example.com/system/mail/users/scott|mail=/home/example/example.com/system/mail/users/scott/Maildir|gecos=scott|systempw=$1$M0USmU7K$2f/KbNOLOdVqp.Ra4gKXR/

(The example in /home/example/ is just a common user that "owns" several sites.)

My knowledge of Courier is almost non-existent but at a glance it seems like everything is set up. Is there a missing link somewhere between Postfix and Courier? What methods are there to diagnose why the mail isn't working?

Let me know if I can provide any more information.

I noticed in my Munin graphs for Apache that there was a large spike in traffic yesterday. However, I have been unable to correlate this with anything on the site.

Google Analytics does not show any traffic increase. It essentially only counts human users (those with Javascript enabled) so I'm guessing the spike could be from a scraper.

But I checked the Apache logs and the number of requests does not correlate with the Munin output. I ran a few commands to count the number of requests each hour from the logs and it just shows the regular increase, nothing like the spike shown in Munin.

I checked both other_vhosts_access.log (which counts the actual websites set up) and access.log (counts hits to the IP address, which seems to be mostly dummy connections or security polls).

Where might these extra hits be coming from?

Currently in apache2.conf I have AllowOverride all set for /var/www which simply allows htaccess for all the sites on the server (which is Ubuntu, 9.04).

However, I'd rather only allow overrides in each site root directory and nothing else. In other words, /var/www/site1, /var/www/site2, etc. can have a htaccess, but all other directories including /var/www and /var/www/site1/content cannot.

Is there a way to do this without having to write a rule for every site on the server?

EDIT: Maybe my question wasn't clear enough. But I have just tried a couple of things that didn't work as expected. I set AllowOverride none for the root directory then all for specific directories like this:

<Directory ~ "^/var/www/site1$">
  AllowOverride all
</Directory>

However, when loading a URL like site1.com/section/page the page cannot not be found (shows the browser error page, not my 404 page). Note section/page is not a real filesystem URL, it's a rewrite.

It was my understanding that:

1. In the previous configuration, Apache would look for a htaccess in /var/www/site1/section (which doesn't exist), then try /var/www/site1, and then any parent directories.
2. With the directives above, Apache should now just look at /var/www/site1 and no other directories. But that doesn't seem to be working...

Below is the result of iptables-save from a Ubuntu Linux server. My question is, is there anything wrong or sub-optimal about it?

For example I believe the rules are processed in order, so should the rules for ports 80 and 3306 (www/mysql) be moved to the top?

Also, what do the rules after the DROP do? They seem similar to rules further above.

# Generated by iptables-save v1.4.1.1 on Sun Feb 13 16:11:59 2011
*filter
:INPUT DROP [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [496336:22258327]
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --dport 69 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 69 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT 
-A INPUT -j DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
COMMIT
# Completed on Sun Feb 13 16:11:59 2011

I have a dedicated server running Ubuntu 9.04. I have sites running fine on the server and are accessible from anywhere. However, pinging the server's IP address always results in timeouts.

I did some Googling and saw information that said to basically put 0 in the file /proc/sys/net/ipv4/icmp_echo_ignore_all. I checked and that was already the case (I ran the command on here just to make sure).

But the server is still not pingable. Is there something else that could be the problem?

PS. I have seen some places mention firewalls. I don't know if the server has a firewall installed (I haven't installed anything myself but the server came pre-built with everything). How would I find out if there is a firewall running? And can the server be pingable but keep the firewall running?

We're hosting a web site for a client on our dedicated server (Ubuntu 8.10) but from certain places (including their main office) they cannot get the web site to load. We transferred the domain and hosting from another company to ourselves back in November and the problems have been since then, sporadically.

• I can access the site with no problems.
• They can access other sites fine.
• They can also access other websites hosted on the server so it's not a server-wide thing.
• I have checked other sources (like downforeveryone....) and haven't found any problems.

What could be the problem? What other things should I look at?

I'm trying to install a package on my Ubuntu 8.10 server. However, I get this message:

The following packages have unmet dependencies.
webmin: Depends: apt-show-versions but it is not going to be installed
E: Unmet dependencies. Try ‘apt-get -f install’ with no packages (or specify a solution).

So I run apt-get -f install which offers to install apt-show-versions and libapt-pkg-perl. After selecting to install without verification, I get these errors:

Err http://gb.archive.ubuntu.com intrepid/universe libapt-pkg-perl 0.1.22build1
404 Not Found
Err http://gb.archive.ubuntu.com intrepid/universe apt-show-versions 0.13
404 Not Found
Failed to fetch http://gb.archive.ubuntu.com/ubuntu/pool/universe/liba/libapt-pkg-perl/libapt-pkg-perl_0.1.22build1_i386.deb 404 Not Found
Failed to fetch http://gb.archive.ubuntu.com/ubuntu/pool/universe/a/apt-show-versions/apt-show-versions_0.13_all.deb 404 Not Found
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

I've tried running apt-get update and adding --fix-missing as suggested, but neither works. Where do I go from here?

On my dedicated server, I have Postfix installed for sending email through the websites. One of my clients hosts their email with a third party so we have MX records set up on the domain.

However, when sending any Postfix emails from the server, they do not get the emails. I think since the domain is pointing at the server itself, it tries to send mail to itself, but there is nothing on the server to handle the email for that domain. (There are mail accounts for other domain which are working fine.)

How do I get Postfix to use the domain's MX records to send email? Server is Ubuntu 8.10 with standard LAMP stack. I have Webmin installed, and a control panel called "Matrix" provided by the host.

EDIT: if I try to send email from my own address, I get an error email from the Mail Delivery System, with this error:

<[email protected]>: user unknown. Command output: Invalid user specified.

Final-Recipient: rfc822; [email protected]
Action: failed
Status: 5.1.1
Diagnostic-Code: x-unix; Invalid user specified.

Here are the log entries made:

Jan  6 18:06:52 localhost postfix/pickup[29006]: 0329D3F69: uid=33 from=<[email protected]>
Jan  6 18:06:52 localhost postfix/cleanup[30495]: 0329D3F69: message-id=<[email protected]>
Jan  6 18:06:52 localhost postfix/qmgr[22461]: 0329D3F69: from=<[email protected]>, size=611, nrcpt=2 (queue active)
Jan  6 18:06:52 localhost postfix/pipe[30497]: 0329D3F69: to=<[email protected]>, relay=maildrop, delay=0.15, delays=0.1/0/0/0.04, dsn=5.1.1, status=bounced (user unknown. Command output: Invalid user specified. )
Jan  6 18:06:52 localhost postfix/smtp[30498]: 0329D3F69: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[209.85.227.27]:25, delay=0.61, delays=0.1/0.01/0.06/0.45, dsn=2.0.0, status=sent (250 2.0.0 OK 1294337212 o18si30528441wbo.103)
Jan  6 18:06:52 localhost postfix/cleanup[30495]: 868723F75: message-id=<[email protected]>
Jan  6 18:06:52 localhost postfix/bounce[30500]: 0329D3F69: sender non-delivery notification: 868723F75
Jan  6 18:06:52 localhost postfix/qmgr[22461]: 868723F75: from=<>, size=2553, nrcpt=1 (queue active)
Jan  6 18:06:52 localhost postfix/qmgr[22461]: 0329D3F69: removed
Jan  6 18:06:52 localhost postfix/pipe[30497]: 868723F75: to=<[email protected]>, relay=maildrop, delay=0.06, delays=0.01/0/0/0.05, dsn=2.0.0, status=sent (delivered via maildrop service)
Jan  6 18:06:52 localhost postfix/qmgr[22461]: 868723F75: removed

I've just rebooted my Ubuntu server and MySQL just won't start for some reason! I'm using:

/etc/init.d/mysql start

I just get this:

 * Starting MySQL database server mysqld                         [fail]

Why might this be happening? Apache is running and my site works OK apart from the database connection. MySQL server is installed normally via synaptic.

I ran:

sh -x /etc/init.d/mysql start

Which listed this among the output:

+ echo -e 0 processes alive and '/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf ping' resulted in\n/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'
Check that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!\n

I followed the advice here for creating the .sock file but no luck.

(Let me know any more information you need me to provide.)

Update: I ran mysqld since the output above mentioned it, and got this error:

100516 17:37:57  InnoDB: Operating system error number 13 in a file operation.
InnoDB: The error means mysqld does not have the access rights to
InnoDB: the directory.
InnoDB: File name ./ibdata1
InnoDB: File operation call: 'open'.
InnoDB: Cannot continue operation.

Any idea what it means, or what file it refers to?

I have a dedicated server with Apache, on which I've set up some VirtualHosts. I've set up one to handle the www domain as well as the non-www domain.

My VH .conf file for the www:

<VirtualHost *>
  DocumentRoot /var/www/site
  ServerName www.example.com
  <Directory "/var/www/site">
    allow from all
  </Directory>
</VirtualHost>

With this .htaccess:

RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_HOST} ^www.example.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

Is there a simple way to redirect the www to the non-www version? Currently I'm sending both versions to the same DocumentRoot and using .htaccess but I'm sure I must be able to do it in the VirtualHost file.

I've recently installed Webmin on a Ubuntu server but I can't get it to work. I asked a recent question about saving iptables but it turns out you don't need to "save" iptables changes.

Anyway, I still can't get Webmin working after opening the port up:

iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT

It seems that either the command is not opening up port 10000, or there is a separate problem with Webmin. If I run iptables -L I see lines like the following, but no port 10000:

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5555 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8002 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:9001 state NEW

However, there is a line:

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webmin

Any ideas why Webmin is not working? The IP address works fine and we can view web sites on the server, but https://[ip]:10000/ (or http) doesn't work.

I have just installed Webmin on a Ubuntu server. According to the docs you need to open up port 10000 (which is what Webmin runs on), with this:

iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT

It then says you need to apply the firewall configuration with:

/etc/init.d/iptables restart

However, this command doesn't work for me. Is there a different command that saves the changes on Ubuntu?

I have just set up Subversion server, and test repository, on a Windows server. However I can't connect to it from any computers. Using TortoiseSVN, I get the error message:

Error: Can't connect to host '[host]': A connection attempt failed because the
Error: connected party did not properly respond after a period of time, or established
Error: connection failed because connected host has failed to respond.

I can connect to another SVN repository on a different server, so it's surely a problem with this server and installation.

• The Subversion service is running and listening on port 3690.
• I can ping the server's IP address just fine from various PCs.
• Firewall is disabled on the server and my PC (and nothing is blocked by the router).

Any ideas why I might not be able to connect?

Update: More info as requested by AlberT:

• netstat -a lists, among other lines, TCP GOWANPOINT:3690 GOWANPOINT:0 LISTENING
• I'm using TortoiseSVN to connect, as noted above. I'm trying to check out the new repository I created, and connecting to: svn://[server-ip]:3690/project_name
• Tried telnet-ing (using putty) and got a similar timeout error.
• OS: Windows Server 2003