Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
problem w/ Apache RewriteCond
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
kronos1
n00b
n00b


Joined: 25 May 2003
Posts: 29
Location: New Hampshire, USA

PostPosted: Wed Jul 02, 2003 3:42 am    Post subject: problem w/ Apache RewriteCond Reply with quote

I use the rewrite module in apache for a condition that checks if the computer making a request for an mp3 on my server is on my home network or not. I use the following line:

RewriteCond %{REMOTE_ADDR} !^192\.168\.0\..*$

However, as you may have guessed, this doesn't work. I use a Dlink 614+ router, which controls the dhcp settings. I'm positive that all local IP addresses are 192.168.0.somthing, so the number should be correct. However, the condition works if I change the address condition line to:

RewriteCond %{REMOTE_ADDR} !^64\.222\..*$

This address is my actual dynamic IP that verizon gives me. But I've checked the IP address on the computer I'm accessing my server with, and it is in the form 192.168.0.100. So what am I missing? Is there something that I need to change in the router settings? I've checked, but I didn't see anything. Any help would be appreciated.
Back to top
View user's profile Send private message
slartibartfasz
Veteran
Veteran


Joined: 29 Oct 2002
Posts: 1462
Location: Vienna, Austria

PostPosted: Wed Jul 02, 2003 6:16 am    Post subject: Reply with quote

a guess: your router does NAT - masquerading. as private network adresses of the form 192.168... are not routable, the adress is changed by the router to the real adress. and this is the adress apache gets to see. how do u connect to the server apache is on? did u try to use the internal ip of the apache server instead of its hostname?

if this is the case, the solution would be to disable masquerading for adresses with destination port 80,443 and perhaps 8080 and destination ip of the apache server.
_________________
To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be.
Back to top
View user's profile Send private message
kronos1
n00b
n00b


Joined: 25 May 2003
Posts: 29
Location: New Hampshire, USA

PostPosted: Wed Jul 02, 2003 3:17 pm    Post subject: RE: Reply with quote

Quote:
how do u connect to the server apache is on? did u try to use the internal ip of the apache server instead of its hostname?


Thanks for the reply. I did try to use the 192.168... ip to connect to the server, and the rewrite condition was still ignored. I didn't see anything on how to disable NAT on my router in the settings or the manual. However, there is a section in my router's setttings that talks about 'Special Applications'. It says:

"Special Application is used to run applications that require multiple connections. Some applications require multiple connections, such as Internet gaming, video conferencing, Internet telephony and others. These applications have difficulties working through NAT (Network Address Translation). Special Applications makes some of these applications work with the DI-614+. If you need to run applications that require multiple connections, specify the port normally associated with an application in the "Trigger Port" field, select the protocol type as TCP or UDP, then enter the public ports associated with the trigger port to open them for inbound traffic."

This is the only part of the documentation that mentions NAT, so I figured it might have something to do with it. Is this what I should be looking at?
Back to top
View user's profile Send private message
slartibartfasz
Veteran
Veteran


Joined: 29 Oct 2002
Posts: 1462
Location: Vienna, Austria

PostPosted: Wed Jul 02, 2003 3:28 pm    Post subject: Re: RE: Reply with quote

kronos1 wrote:
This is the only part of the documentation that mentions NAT, so I figured it might have something to do with it. Is this what I should be looking at?


i dont think that this will help. but to clarify things: i never used a hardware router and my first guess is exactly that - a guess. dont be too sure that this is correct. another guess: search for something like 'dont route local adresses' in your manual ---> this guess is even wilder than the one before and i think i better keep my mouth shut before i make a fool of myself :roll:

better wait for an answer from someone who's more knowledgeable in this field...
_________________
To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be.
Back to top
View user's profile Send private message
cdunham
Apprentice
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

PostPosted: Wed Jul 02, 2003 11:57 pm    Post subject: Reply with quote

Please clarify what it is that you are trying to do. It *sounds* like you have a server somewhere on the Internet that is running the Apache server you are configuring, and you want to make sure that only you can get the mp3s from it, is that correct?

Also, your home network has a NAT router between you and the Internet, and you have a LAN behind it with private addressing (192.168.x.x).

If this is the case, then your server will see any computers from your LAN as having the address Verizon assigns you. That's what NAT does. So, all you need to do is configure the server to only allow MP3s from that address.

Of course, if the address changes often enough that a manual server change gets to be a pain, you may have to find another solution, like putting the MP3s behind a hidden and password-protected URL.
_________________
This post more meaningful in a scalar context.
Back to top
View user's profile Send private message
kronos1
n00b
n00b


Joined: 25 May 2003
Posts: 29
Location: New Hampshire, USA

PostPosted: Thu Jul 03, 2003 1:30 am    Post subject: Ok Reply with quote

Thanks for the reply cdunham. I am running a server (the gentoo system) using apache, and I'm trying to use mod_rewrite to make a condition that tests whether the computer that is requesting an mp3 file is on the local network or not. So I was using the code that I showed in my first post. Basically, I just need that condition to be implemented, whether it's with mod_rewrite or some other way. I just want the server to know if certain requests are coming remotely or on the LAN.
Back to top
View user's profile Send private message
cdunham
Apprentice
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

PostPosted: Thu Jul 03, 2003 1:47 am    Post subject: Reply with quote

Got it. Then your original rule *should* work. Can you post the entire set? Specifically, what is/are the actual RewriteRule line(s)?

It's possible that your routers is NATting both ways, which would make it very simple, just use it's address for the condition. You should notice that right away in the logs.
_________________
This post more meaningful in a scalar context.
Back to top
View user's profile Send private message
kronos1
n00b
n00b


Joined: 25 May 2003
Posts: 29
Location: New Hampshire, USA

PostPosted: Thu Jul 03, 2003 2:09 am    Post subject: alrighty Reply with quote

Here is the code. It's my mod_mp3 module. This code works for most offsite requests, but not if someone is also on verizon dsl (since most verizon generated ip's are 64.222.somthing...). Anyways, here it is:

Code:
<IfModule mod_mp3.c>

Listen 8032
Listen 8001
Listen 8080
Listen 8003

<VirtualHost _default_:8032>

Timeout 1200
DocumentRoot /home/httpd/htdocs/netjuke/var/music

RewriteEngine on
RewriteMap mp3hash txt:/home/httpd/htdocs/netjuke/var/music/mp3/mp3hash.txt
RewriteMap mp3throttle txt:/home/httpd/htdocs/netjuke/var/music/mp3/mp3throttle.txt

# Is this an offsite request?
RewriteCond %{REMOTE_ADDR} !^64\.222\..*$
# Is this a request for an MP3 file?
RewriteCond %{REQUEST_URI} ^.*mp3$
# Is this a file that should be bitrate-throttled for offsite requests?
RewriteCond ${mp3throttle:/home/httpd/htdocs/netjuke/var/music$1} =Y
# If all above conditions are met, redirect to the throttling virtual server
# and cease all rewriting activity on this request.
RewriteRule ^(.*)$ http://jimlink.dyndns.org:8001/\?op=play\&song=${mp3hash:/home/httpd/htdocs/netjuke/var/music$1} [L]

</VirtualHost>

<VirtualHost _default_:8080>

Timeout 1200
DocumentRoot /home/httpd/htdocs/netjuke/var/music

RewriteEngine on
RewriteMap mp3hash txt:/home/httpd/htdocs/netjuke/var/music/mp3/mp3hash.txt
RewriteMap mp3throttle txt:/home/httpd/htdocs/netjuke/var/music/mp3/mp3throttle.txt

# Is this an offsite request?
RewriteCond %{REMOTE_ADDR} !^64\.222\..*$
# Is this a request for an MP3 file?
RewriteCond %{REQUEST_URI} ^.*mp3$
# Is this a file that should be bitrate-throttled for offsite requests?
RewriteCond ${mp3throttle:/home/httpd/htdocs/netjuke/var/music$1} =Y
# If all above conditions are met, redirect to the throttling virtual server
# and cease all rewriting activity on this request.
RewriteRule ^(.*)$ http://jimlink.dyndns.org:8003/\?op=play\&song=${mp3hash:/home/httpd/htdocs/netjuke/var/music$1} [L]

</VirtualHost>

# The 32kbps throttling mod_mp3 virtual host.
<VirtualHost _default_:8001>
Timeout 1200
DocumentRoot /home/httpd/htdocs/netjuke/var/music/mp3

MP3Engine On
MP3CastName "Jimjuke - 32kbps"
MP3Playlist /home/httpd/htdocs/netjuke/var/music/mp3/mp3list.txt
MP3DefaultOperation select
MP3LimitPlayConnections 10
MP3Encoder "/usr/bin/lame -f -b 32 --silent % -"

</VirtualHost>

# The bitrate-throttling virtual host.
<VirtualHost _default_:8003>
Timeout 1200
DocumentRoot /home/httpd/htdocs/netjuke/var/music/mp3

MP3Engine On
MP3CastName "JimJuke - 80kbps"
MP3Playlist /home/httpd/htdocs/netjuke/var/music/mp3/mp3list.txt
MP3DefaultOperation select
MP3LimitPlayConnections 10
MP3Encoder "/usr/bin/lame -f -b 80 --silent % -"
</VirtualHost>
 
</IfModule>


Please excuse the comments, as they haven't been updated since I've been fiddling with this code. I also looked at the logs like you said, and I didn't see any 192.168.0... ip's anywhere. Thanks again for your help.
Back to top
View user's profile Send private message
cdunham
Apprentice
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

PostPosted: Thu Jul 03, 2003 2:23 am    Post subject: Reply with quote

Well, two things. First, why not just expand the condition to your full address? You might even be able to script it, if it changes often.

But more importantly, it sounds like the requests to this server are going through the router and back, getting NATted. I assume this is a server behind the firewall, and you have holes to direct requests on the various ports to it? If so, it must have a 192.168 address to can access it from locally, right?

Or is it in a dmz?
_________________
This post more meaningful in a scalar context.
Back to top
View user's profile Send private message
kronos1
n00b
n00b


Joined: 25 May 2003
Posts: 29
Location: New Hampshire, USA

PostPosted: Thu Jul 03, 2003 4:20 am    Post subject: yeah Reply with quote

I actually have expanded the condition to my full ip address, but it does get changed from time to time. How would I go about scripting it to update in the rewritecond automatically?
Back to top
View user's profile Send private message
cdunham
Apprentice
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

PostPosted: Thu Jul 03, 2003 4:42 am    Post subject: Reply with quote

Quote:
How would I go about scripting it to update in the rewritecond automatically?


I assume you have a cron job or something that calls dyndnsupdate or whatever? You could have another script that ran just after it, and if it detected a change, it would re-write the rule(s) to a small file (that is Included in your apache.conf) and restart Apache.

But I think your better bet is to get it working with your local addresses, as you probably want it inside the NAT firewall...
_________________
This post more meaningful in a scalar context.
Back to top
View user's profile Send private message
kronos1
n00b
n00b


Joined: 25 May 2003
Posts: 29
Location: New Hampshire, USA

PostPosted: Thu Jul 03, 2003 2:39 pm    Post subject: ok Reply with quote

Ok, to go back to your previous post, the server (nor any other computer on the network) is in the DMZ. I have also tried accessing the server by its local ip address, not the dyndns name. I've looked at the documentation for my router, and the only thing I found about NAT is what I posted before :( Do you think there is no way to disable that?
Back to top
View user's profile Send private message
cdunham
Apprentice
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

PostPosted: Thu Jul 03, 2003 3:05 pm    Post subject: Reply with quote

Quote:
the server (nor any other computer on the network) is in the DMZ.


Sorry, the server *is* in the dmz, or isn't?

If it is not, then it must be being accessed by it's internal address by the router, and you should be able to access it from other local machines.

If it is, then we need to know if the router NATs before or after the dmz...

However, in looking at the specs, my guess is that this box doesn't support a "real" dmz, just a default server for forwarding ports...

Oh, this is a wireless router. Which of the server and your client machine are wired and which are wireless? What are the network configs for the wired and wireless networks? Are they the same segment, or two different ones?
_________________
This post more meaningful in a scalar context.
Back to top
View user's profile Send private message
kronos1
n00b
n00b


Joined: 25 May 2003
Posts: 29
Location: New Hampshire, USA

PostPosted: Thu Jul 03, 2003 3:23 pm    Post subject: Reply with quote

Sorry….the server (nor any other computer on the network) is NOT in the DMZ, and I AM able to access it from local machines using its internal ip.

As far as the setup, my server is wired to the router and I have one client that connects wirelessly. The server runs gentoo, and the client is a win xp machine. I’m not sure what you mean by the same segment.
Back to top
View user's profile Send private message
cdunham
Apprentice
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

PostPosted: Thu Jul 03, 2003 3:50 pm    Post subject: Reply with quote

When you connect to the server from your XP machine, what IP address shows up in the apache logs?
_________________
This post more meaningful in a scalar context.
Back to top
View user's profile Send private message
kronos1
n00b
n00b


Joined: 25 May 2003
Posts: 29
Location: New Hampshire, USA

PostPosted: Thu Jul 03, 2003 4:30 pm    Post subject: Reply with quote

The real ip address (64.222.whatever) shows up in the logs. Not the local.
Back to top
View user's profile Send private message
cdunham
Apprentice
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

PostPosted: Thu Jul 03, 2003 5:06 pm    Post subject: Reply with quote

You seem to have some kind of routing problem. All the machines inside the router should have local addresses only, and their default gateway set to the router's local address. If the router is doing dhcp for you, make sure it's settings are to configure this way.

The only box that should have the external address is the Internet side of the router...
_________________
This post more meaningful in a scalar context.
Back to top
View user's profile Send private message
kronos1
n00b
n00b


Joined: 25 May 2003
Posts: 29
Location: New Hampshire, USA

PostPosted: Thu Jul 03, 2003 5:16 pm    Post subject: Reply with quote

Here's something I just noticed as well. When I check my ip settings on the win xp machine, it gives all the correct LAN settings. My ip address and default gateway are local. But when I look at the settings on the router itself, it's telling me the default gateway is the actual ip address (64.222....). I think if I can change that, it would be fixed.
Back to top
View user's profile Send private message
cdunham
Apprentice
Apprentice


Joined: 06 Jun 2003
Posts: 211
Location: Rhode Island

PostPosted: Thu Jul 03, 2003 5:21 pm    Post subject: Reply with quote

The router's default gateway should be the upstream Verizon router, assigned by their dhcp server. Your local machine's default gateways should be the router internal address, assigned by the router's dhcp server...
_________________
This post more meaningful in a scalar context.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum