This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
I have my Webapp running on Ubuntu VM and I would like to forward or make it such that a call to my doman (www.mydomain.com) is automatically forwarded to port 8080. Right now I have to do www.mydomain.com:8080 and I would like that to happen automatically instead of me typing 8080 everytime. The VM does not have Apache server. Do I need it? Is there any other alternative to set this up?
SCJP 1.4, SCWCD 1.4 - Hints for you, Certified Scrum Master
Did a rm -R / to find out that I lost my entire Linux installation!
The port number is not part of the DNS address returned by the DNS name resolver. That only gives an IP address. It is a convention hard-coded into web clients that when you send out a URL HTTP request without a specific port number in the URL, the targeted port will be port 80, just as an HTTPS request will target port 443.
Both of these ports are below the magic line at port 4096, meaning that only privileged (root) users can open and listen to them. That's a security vulnerability, so I don't recommend running Tomcat or for that matter most J2EE webapp servers wired directly on ports 80/443. To get around that you can either do port forwarding or use a proxy.
Apache is one popular proxy, because it allows a single point of service for both Java and non-Java web applications and because it has a wealth of plugins and features such as URL rewriting. It also makes a good load-balancing front-end.
Squid is also popular. Unlike Apache, it isn't intended to be a general container for webapps itself, but it's designed specifically to be a proxy server.
Other products are also capable of operating as proxies. Although actually, it's a rare Ubuntu server system that doesn't have Apache2 installed on it.
The other possibility is to use true port forwarding. This can be done at the router for handling requests coming in from outside the LAN. Or you can do it at the local level, either at the VM host or guest levels. The easiest way to do that is to simple set up an IPTABLES forwarding rule. Here's an example that not only does port translation, it routes to a designated VM at another IP address.
An IDE is no substitute for an Intelligent Developer.
I do have the possibility to install Apache server, but I'm very much limited on my RAM, so I would probably not install Apache. I will try if I can set IPTABLES rules on my VM host. I've never done that before. Could you please elaborate a bit on which file I should modify to set the IPTABLES configuration for port forwarding?
I just checked my production server and Apache processes were pulling 32M virtual, which is humongous compared to some systems I've run - including IBM mainframes - but not that much in an era where a single JVM needs over 100M.
Still, if you don't need that much flexibility, why go to the trouble.
I haven't dug into an Ubuntu system lately, but the Red Hat distros keep a persistent copy of the IPTABLES in /etc/sysconfig/iptables. Since networking is one of the places where configuration differs most between Debian's heirs and Red Hat's, I'd check to see if there's something under /etc/network - or look at the /etc/init.d/iptables initscript and see where the iptables save and load commands do their dump/restores.
The easiest way to modify IPTABLES is to simply manually insert the new rule into the running system. The "iptables -t nat -L --line-number -n" command can show you the current rules in effect and that will assist you in picking where to best insert the new rule. The "nat" tables may be empty, depending on what other things have been configured. Once you have the rule inserted and tested, you can do an "/etc/init.d/iptables save" to make it permanent.
Some systems are migrating to the Shorewall firewall. I'm moving one of mine, in fact. Shorewall makes a much more complicated firewall, but the advantage is that it's done using well-documented config files which make it more obvious what you're actually controlling. And allow you to comment the rules so you'll know WHY this weird IP address you have a rule for is there.
You may need to pair your NAT rule with a reverse-NAT rule. There's some good examples and instructions if you Google for them.
Tim Holloway wrote:The "iptables -t nat -L --line-number -n" command can show you the current rules in effect and that will assist you in picking where to best insert the new rule. The "nat" tables may be empty, depending on what other things have been configured. Once you have the rule inserted and tested, you can do an "/etc/init.d/iptables save" to make it permanent.
That gave me the following output:
Frankly speaking, I do not understand a word of it. Could you infer something from that and help me further? My understanding is that I just have to do the following on my Ubuntu VM host to route all in coming requests to my domain to go to the landing page of my application:
Simplicity. There are 3 chains in the "nat" table: PREROUTING, POSTROUTING and OUTPUT. The PREROUTING chain processes incoming traffic before it goes to the main iptable's INPUT and FORWARD chains (depending on what's being routed). The POSTROUTING chain processes traffic after it has left the main iptable's OUTPUT chain right before it goes out through the Network Interface.
There is really good documentation on IPTABLES, including useful illustrations on traffic flow and I recommend it for anyone who wants to maintain a firewall or do network traffic routing and shaping. Their home is at netfilter.org, but one of the first places I like to go to get the "5-minute introduction" to new technologies is the Wikipedia.
Here's what a nat table with active chains looks like:
Don't expect to make too much sense of this, since part of what's in there was set up by my VM network manager, but if you'll look at the PREROUTING chain, you'll notice that I take all SMTP traffic headed to 18.104.22.168 and redirect it to an internal IP address and likewise the HTTP traffic for 22.214.171.124. That's because 10.0.0.2 is where my mailserver VM sits on the internal LAN and 10.0.0.6 is the VM that hosts www.mousetech.com.
You actually defined a rule that takes EVERYTHING targeting tcp port 80 and sends it to localhost port 80 regardless of where it came from or where it's going to. You might want to narrow that down to something more specific for a destination IP address.
I'm not sure, but I think probably a "real" IP address would be better than the internal localhost IP also. Traffic on localhost tends to be handled a bit differently and there might even be security issues.
Nothing, as such. You could also forward port 8080 on the IPV6 address, but unless there are other messages in the log, the server isn't listening to anything on the IPV4 port 8080, whether it's forwarded or not.
Tim Holloway wrote:
You probably also need to open up port 80 in the main INPUT or FORWARD iptable (-j ACCEPT). I put a "-j LOG" rule in at the end of my chain to let me know when the firewall has blocked something.
It still sort of fails. Should I restart my VM so that these changes take effect? I'm really helpless here. What I also noticed is that when I tried the following URL:
www.mydomain.com:80, I got a page not found, but the URL got redirected to www.mydomain.com. But when I tried www.mydomain.com:9000 or anything else, the url remained the same even after getting a page not found error.