Apache listens, but doesn't respond

Question

I'm working on setting up Apache on my router (on which I've installed Tomato, a custom linux-based firmware package). I have succeeded with installing Apache, and believe I have configured it correctly, but cannot get the default "It works!" page to load.

Running netstat, I can see the value in the "Recv-Q" column increment every time I attempt to access the served file via the browser, but its as if Apache won't or can't respond to the request. Tailing the Apache error_log also yields nothing.

Does anyone see anything obvious, or have some suggestions for things to try in order to get things working? Can I provide any additional info that would help?

Sample netstat output (see the 5th entry with the address ":::www":

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      
tcp        0      0 localhost:52698         0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:1338            0.0.0.0:*               LISTEN      
tcp        4      0 :::www                  :::*                    LISTEN      
tcp        0      0 :::domain               :::*                    LISTEN      
tcp        0      0 :::ssh                  :::*                    LISTEN      
tcp        0      0 :::telnet               :::*                    LISTEN      
tcp        0      0 localhost:52698         :::*                    LISTEN      
tcp        0      0 :::1338                 :::*                    LISTEN      
udp        0      0 localhost:38032         0.0.0.0:*                           
udp        0      0 0.0.0.0:5038            0.0.0.0:*                           
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           
udp        0      0 0.0.0.0:60648           0.0.0.0:*                           
udp        0      0 0.0.0.0:49518           0.0.0.0:*                           
udp        0      0 0.0.0.0:38000           0.0.0.0:*                           
udp        0      0 :::domain               :::*                                
raw        0      0 0.0.0.0:255             0.0.0.0:*               255         
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING      13850 /opt/var/apache2/run/cgisock.1325

Apache error_log contents:

[Wed Feb 13 16:05:16 2013] [notice] Digest: generating secret for digest authentication ...
[Wed Feb 13 16:05:16 2013] [notice] Digest: done
[Wed Feb 13 16:05:16 2013] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Feb 13 16:05:16 2013] [info] LDAP: SSL support available
[Wed Feb 13 16:05:16 2013] [info] mod_unique_id: using ip addr 192.168.253.1
[Wed Feb 13 16:05:17 2013] [notice] Apache/2.2.20 (Unix) DAV/2 configured -- resuming normal operations

Update: It looks like the firewall is blocking the incoming requests, even though I've opened up port 80 (and 443).

Firewall messages (scrubbed address info, x = local, y = remote):

Feb 13 16:53:15 UBERnet user.warn kernel: DROP IN=vlan2 OUT= MACSRC=xx:xx:xx:xx:xx:xx MACDST=yy:yy:yy:yy:yy:yy MACPROTO=0800 SRC=yyy.yyy.yyy.yyy DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=57 ID=48272 DF PROTO=TCP SPT=43229 DPT=80 SEQ=3727060622 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056404020000)

iptables -L output:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
shlimit    tcp  --  anywhere             anywhere            tcp dpt:1338 state NEW 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1337 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1338 
logdrop    all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
           all  --  anywhere             anywhere            account: network/netmask: 192.168.253.0/255.255.255.0 name: lan 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            state INVALID 
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
monitor    all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
wanin      all  --  anywhere             anywhere            
wanout     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain logdrop (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `DROP ' 
DROP       all  --  anywhere             anywhere            

Chain logreject (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `REJECT ' 
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 

Chain monitor (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            WEBMON --max_domains 1000 --max_searches 1000 

Chain shlimit (2 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            recent: SET name: shlimit side: source 
logdrop    all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Update: As a side note, I was able to get lighttpd working with just the iptables adjustment, so it does appear that it was an issue specific to Apache's configuration.

Would someone mind clarifying why this question is off-topic? Also, if you think it would be more appropriate on another stack exchange site, feel free to mention that as well (SuperUser perhaps?). Thanks! — Wilco, Feb 14 '13 at 17:55

score 2 · Answer 1 · answered Feb 14 '13 at 00:50

2

I have no idea what may be the problem but a useful next step might be to attach to the listening process (and its forks) with strace and have a look at what's going on when you try to connect.

strace -o apache.strace -f -p $PID

Puts the result into the file apache.strace.

answered Feb 14 '13 at 00:50

Hauke Laging

5,157
2
23
40

Unfortunately my particular environment does not have `strace` available. – Wilco Feb 14 '13 at 18:17

score 2 · Answer 2 · answered Feb 14 '13 at 03:34

2

In the firewall's INPUT chain, logdrop line kills your connection. It is a catch-all chain for dropping all unwanted traffic. The rule processing never reaches the web rules. You must move the ACCEPT rules above the logdrop rule.

answered Feb 14 '13 at 03:34

hayalci

3,611
3
25
37

score 1 · Answer 3 · answered Feb 14 '13 at 00:31

1

Something is wrong. Apache is listening on IPv6 only. Can you change the Listen parameter in Apache configuration file to

      Listen 0.0.0.0:80

And then restart Apache. Do netstat again, and make sure the output includes 0.0.0.0:www or something along those lines of IPv4.

answered Feb 14 '13 at 00:31

Daniel t.

9,061
1
32
36

Ah goot catch! I went ahead and tried that and now netstat correctly shows "0.0.0.0:80" but I still experience the same behavior (basically times out). – Wilco Feb 14 '13 at 00:43
check `iptables` now. Run `iptables -L -n` and see if connection to port 80 is allowed. – Daniel t. Feb 14 '13 at 00:45
just updated the post with the output from `iptables -L` – Wilco Feb 14 '13 at 01:00
did you use a web interface or command line to open the ports in iptables? Can you disable the firewall for a moment? Just wanted to see if this is a firewall or Apache config issue. – Daniel t. Feb 14 '13 at 01:16
I actually opened the ports directly via the command line. Went ahead and turned off the firewall and still can't seem to get Apache to respond. – Wilco Feb 14 '13 at 01:28
It could be Apache then. Can you check the Apache config file for `Allow from` lines, and see if it allows only from `127.0.0.1`. If that is the case you might need to add your IP there. As for iptables, use iptables -I instead of iptables -A to add rules. – Daniel t. Feb 14 '13 at 01:34

Apache listens, but doesn't respond

3 Answers3

Linked