[HELP] Cannot access webpages from apache server via Interne

[edwardbai93]

Hello everyone. I am a beginner with Pi and Apache servers. I recently installed apache server on my Pi, and when I access it from LAN, I got the "It works!" default page.

However, I could not access the webpage through the internet. I already have a DDNS: xxx.dlinkddns.com, and I setup the port forwarding (port 80) on my router. It did work for remote SFTP access after I opened port 22 .

The index.html is set in default in /var/www, but I cannot open it via Internet by typing http://xxx.dlinkddns.com/index.html. Are there any solutions to this problem? Thanks guys.

[DougieLawson]

Test your port forwarding at: http://www.yougetsignal.com/tools/open-ports/

Does your RPi have a fixed IP address on your LAN? Is the right address forwarded in your router?
Is Apache listening? Test it with http://localhost or http://192.168.1.xx or netstat -tln

[edwardbai93]

Test your port forwarding at: http://www.yougetsignal.com/tools/open-ports/

Does your RPi have a fixed IP address on your LAN? Is the right address forwarded in your router?
Is Apache listening? Test it with http://localhost or http://192.168.1.xx or netstat -tln

Hi DougieLawson, I typed the code you said: netstat -tln
And I got:

Code: Select all

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN

And I tried to List only listening TCP Ports using netstat -lt. The results are:

Code: Select all

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:microsoft-ds          *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN

Does that mean my TCP port 80 is listened by Apache? I am sure that I used DHCP to give my pi a static IP: 192.168.0.2. I can access this IP with a LAN computer using Putty/WinSCP. I am sure that my port forwarding is set like this, and the port 22 is working during remote access:

• SFTP tcp 192.168.0.2 22-22 22-22 Enabled
  WEB tcp 192.168.0.2 80-80 80-80 Enabled

What else could possibly be wrong? I've been confused all day long...

[DougieLawson]

What do you get from that yougetsignal web site?
Your system is running sshd, a web server and cifs/samba.

Can you access http://192.168.0.2 from your Windows machine?

[edwardbai93]

What do you get from that yougetsignal web site?
Your system is running sshd, a web server and cifs/samba.

Can you access http://192.168.0.2 from your Windows machine?

My Pi does not have an external IP address, so I used the DDNS domain (mydomain.dlinkddns.com), and it said that Port 80 is closed. Nor was it on after I typed 192.168.0.2 (LAN IP).

And a funny thing to mention, all devices that is connected to the same router (LAN devices) CAN open the page from http://mydomain.dlinkddns.com or http://192.168.0.2. But any device that is not connected to the router will fail to acess. Wonder what is going on here. I did not intended to make a web server just for the LAN

[DougieLawson]

When you're asleep your ISP does a sneaky thing - they disconnect your system. When you start using the internets again they reconnect. There are two possible things that happen at that point.
1. You get the same public IP address
2. They assign a new public IP address

When you run a dynamic DNS service you need to detect #2 and react to it. Your dyndns server will have a script to run to update your registration when your public IP address changes. That script can either run on your router or can run on your RPi.

[edwardbai93]

1. You get the same public IP address
2. They assign a new public IP address

When you run a dynamic DNS service you need to detect #2 and react to it. Your dyndns server will have a script to run to update your registration when your public IP address changes. That script can either run on your router or can run on your RPi.

My ISP gives me a static IP address (external), and I feed it to my router's WAN port. Both my PC and Pi are connected to the router by cable, and assigned with DHCP static IP address.

I am just wondering why my SFTP (Samba) works on my Pi in remote access, but my Web server fails.

[ripat]

Have you set up any kind of filtering/access control by host like:

- TCP wrapper (inetd's hosts.deny & hosts.allow) ?
- iptables ?
- apache mod_authz_host ?

[edwardbai93]

Have you set up any kind of filtering/access control by host like:

- TCP wrapper (inetd's hosts.deny & hosts.allow) ?
- iptables ?
- apache mod_authz_host ?

No, I don't think so... I don't recall blocking port 80 through any of these ways

[ripat]

According to your description of the problem, it is not the port that seems to be blocked but the client's IP when they try to connect to your server from outside. But, just to make sure your ISP doesn't block the port 80, you can try to change the port Apache listen on.

If no luck with that, investigate on the mod_authz_host module. Look for directives like Allow from... | Deny from... in the apache config file.

Check both the /etc/hosts.allow and /etc/hosts.deny files for any httpd filters

Dump the iptables (sudo iptables -vS) and search for any rule that might block the frames from outside your lan.

[edwardbai93]

According to your description of the problem, it is not the port that seems to be blocked but the client's IP when they try to connect to your server from outside. But, just to make sure your ISP doesn't block the port 80, you can try to change the port Apache listen on.

I checked /etc/apache2/ports.conf, and port 80 is always being listened. I also checked with nmap -h 80 -sT mydomain.com, which showed Port 80 is open.

If no luck with that, investigate on the mod_authz_host module. Look for directives like Allow from... | Deny from... in the apache config file.

I didn't see any port 80 or my hosts that is denied.

Check both the /etc/hosts.allow and /etc/hosts.deny files for any httpd filters

The files were unchanged, and blank.

Dump the iptables (sudo iptables -vS) and search for any rule that might block the frames from outside your lan.

Sorry I'm not really clear on this one. Could you give me a little hints? My iptables (and iptables-persistent) seems to be unsuccessfully installed due to some errors.

Thanks a lot!

[ripat]

According to your description of the problem, it is not the port that seems to be blocked but the client's IP when they try to connect to your server from outside. But, just to make sure your ISP doesn't block the port 80, you can try to change the port Apache listen on.

I checked /etc/apache2/ports.conf, and port 80 is always being listened. I also checked with nmap -h 80 -sT mydomain.com, which showed Port 80 is open.

There is a typo in your command. The option to scan a particular port is -p, not -h. But anyway, your port scan might not mean anything. Did you do it from inside your lan with your public ddns domain name? In that case, most routers do not enable the NAT reflection/loopback mode for requests sent from within the lan. Check the apache access log to see under which IP the scan was logged, a lan IP or your public ip? As I mentionned above, your ISP might block the port 80 for some reason. Try to change the port Apache server listen on and see if it makes any difference. On a typical Debian installation, you set that up in the /etc/apache2/ports.conf file. Try port 888 for example. Don't forget to reload the config file: $ sudo /etc/init.d/apache2 reload

If no luck with that, investigate on the mod_authz_host module. Look for directives like Allow from... | Deny from... in the apache config file.

I didn't see any port 80 or my hosts that is denied.

Just to make sure, run: $ grep -ri '\(allow\|deny\) from' /etc/apache2/*

Dump the iptables (sudo iptables -vS) and search for any rule that might block the frames from outside your lan.

Sorry I'm not really clear on this one. Could you give me a little hints? My iptables (and iptables-persistent) seems to be unsuccessfully installed due to some errors.

iptables is then probably not active.

[schenk]

Greeting all:
I am having the same issue after installing buster. I'm using all Ubiquiti router, switches, etc. I can ssh in through port forwarding OK, and access several port forwarding rules, but apache will not work to my two Raspberry pi Buster machines. When I check to see if port 80 is open (from the outside) it is not with the port forwarding rules to my Raspberry pi. But it is from with in the lan. I can access other web pages on my local network with other ports forwarded to other machines on the local network. So I am thinking that it is an issue with buster/apache.

If anyone has solver this issue, or can give me some insight, I would be very grateful!

Laurence