I'm using Apache to redirect a subdomain to a port (mod_proxy, mod_proxy_http, mod_proxy_ajp) and IP Tables to restrict direct port access except to me and the local server.

My IP Tables looks like so:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  -- !c-24-7-110-109.hsd1.ca.comcast.net  anywhere             tcp dpt:tproxy
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:tproxy
DROP       tcp  -- !c-24-7-110-109.hsd1.ca.comcast.net  anywhere             tcp dpt:http-alt
DROP       tcp  -- !c-24-7-110-109.hsd1.ca.comcast.net  anywhere             tcp dpt:webmin
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:webmin

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The context I'm going to use in this post is:

Sonatype Nexus: nexus.example.com => example.com:8081

Jenkins CI: jenkins.example.com => example.com:8080

Webmin: webmin.example.com => example.com:10000

What I have working right now is no direct port access except to me. I also want the local system to be able to access ports which is what, I believe, I have now. I'm using mod_proxy_ajp for Jenkins CI and Webmin and mod_proxy_http for Sonatype Nexus.

When I visit direct ports, each of these services loads just fine. When I have asked someone else to load each, they can't, so that's working.

Now, however, when trying to access one of the subdomains, I get a never-ending load (infinite loop?)

When I run a tracert on the subdomain, though, it ends fine so I can cross out infinite loop.

Here is my Sonatype Nexus apache virtual host configuration:

<VirtualHost *:80>
        ServerName nexus.majornoob.com
        ServerAlias www.nexus.majornoob.com
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / http://localhost:8081/
        ProxyPassReverse / http://localhost:8081/
        ProxyPassReverseCookiePath / /
        ErrorLog /var/www/majornoob/error-nexus.log
        LogLevel warn
        CustomLog /var/www/majornoob/access-nexus.log combined
</VirtualHost>

and here is my Jenkins:

<VirtualHost *:80>
        ServerName jenkins.majornoob.com
        ServerAlias www.jenkins.majornoob.com
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / ajp://
        ProxyPassReverse / ajp://
        ProxyPassReverseCookiePath / /
        ErrorLog /var/www/majornoob/error-jenkins.log
        LogLevel warn
        CustomLog /var/www/majornoob/access-jenkins.log combined
</VirtualHost>

These two examples of virtual hosts are using mod_proxy_ajp and mod_proxy_http respectively.

Can anyone help me to figure out why I am getting an infinite load?


edit: Never mind on the infinite loop. After some time, I received a 503 Service Unavailable error.


The iptables rules are evaluated in order, top to bottom as printed. The problem you have is that the proxied connection is from localhost, which matches this rule:

DROP       tcp  -- !c-24-7-110-109.hsd1.ca.comcast.net  anywhere             tcp dpt:tproxy

localhost is not c-24-7-..., so the connection is dropped. The proxy module eventually times out; if the rule was REJECT instead of DROP, you'd get an error much quicker (because you'd get denied explicitly rather than the connection attempt just disappearing).

The solution is quite simple: reorder the rules to have the "accept from localhost" before the "deny from anywhere else". (IP routing matches by most-specific, but because iptables are multi-factor, that's not necessarily defined).

I'd generally recommend having a first rule that allows all localhost communication (via the loopback interface, just in case someone tries something weird over the ethernet); try adding

iptables -I INPUT -i lo -s localhost -d localhost -j ACCEPT

to insert (-I) that at the top of the list.
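To make the first-match ordering concrete, here is a small simulator of the INPUT chain (an added example, not part of the answer above). It models the rules exactly as the question printed them, with the service names mapped to their port numbers from /etc/services (tproxy 8081, http-alt 8080, webmin 10000), and compares the verdict for a connection from localhost before and after the answer's inserted ACCEPT rule; the `-i lo` interface match is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

# Source names exactly as they appear in the question's iptables listing.
ME = "c-24-7-110-109.hsd1.ca.comcast.net"
LOCALHOST = "localhost"
# Port numbers behind the service names iptables printed (per /etc/services).
TPROXY, HTTP_ALT, WEBMIN = 8081, 8080, 10000


@dataclass
class Rule:
    target: str                   # ACCEPT or DROP
    src: Optional[str]            # source to match; None means "anywhere"
    negate: bool = False          # the "!" in the listing: match when src is NOT this
    dport: Optional[int] = None   # destination port; None means any port

    def matches(self, src: str, dport: int) -> bool:
        if self.dport is not None and dport != self.dport:
            return False
        if self.src is None:
            return True
        return src != self.src if self.negate else src == self.src


def evaluate(chain: List[Rule], src: str, dport: int, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides,
    otherwise the chain policy (ACCEPT in the question) applies."""
    for rule in chain:
        if rule.matches(src, dport):
            return rule.target
    return policy


# The question's INPUT chain, in the order it was printed.
ORIGINAL = [
    Rule("DROP", ME, negate=True, dport=TPROXY),
    Rule("ACCEPT", LOCALHOST, dport=TPROXY),
    Rule("DROP", ME, negate=True, dport=HTTP_ALT),
    Rule("DROP", ME, negate=True, dport=WEBMIN),
    Rule("ACCEPT", LOCALHOST, dport=WEBMIN),
]

# The answer's fix: `iptables -I INPUT -s localhost ... -j ACCEPT` puts an
# any-port localhost ACCEPT ahead of every DROP (the -i lo match is not modelled).
FIXED = [Rule("ACCEPT", LOCALHOST)] + ORIGINAL


def compare(src: str, dport: int) -> tuple:
    """Verdict for one connection under the original chain and the fixed chain."""
    return evaluate(ORIGINAL, src, dport), evaluate(FIXED, src, dport)
```

With the original ordering, Apache's proxied connection from localhost to 8081 hits the negated DROP first and never reaches the localhost ACCEPT on the next line; with the inserted rule it is accepted while outside hosts are still dropped.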
