-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sshttp with pppoe #11
Comments
Strange thing. What is tcpdump and stracing the sshttpd saying? Is at least If its really just the mtu, "ip link ... mtu 1492" for the ethernet device should also produce However, my guess would be that some of the iptables rules dont work properly 25 #if it clashes with complex NATing rules, try this try commenting out the flushing and maybe -P ACCEPT so you can be sure |
My nf-setup is also slightly changed (though working when using with eth0 directly): You think might be a problem the using of DIVERTHTTP instead of your DIVERT word? PS: I'll have to get home for further testing |
I'm pretty sure the problem it's not my existing iptables/routing setup; I'm using the default Ubuntu 16.04 desktop installation with ufw allowing 22, 80, 443 and DEFAULT_FORWARD_POLICY="ACCEPT". Please also consider that the websites are accessible as long as I'm not running the nf-setup script -> this leads me to the conclusion that the problem is created by nf-setup script itself. According to http://wiki.squid-cache.org/Features/Tproxy4:
When commenting the line: |
I have 1492 mtu well set for pppoe, no doubt here (many painful tests, too late now to write about them now). ufw status: |
OK. I tracked it down a bit. As the process seems to exit on the failure (your netstat shows no running sshttp on port 443), I conclude that the bind() already fails during sshttp::init(). However, do you run a patched version? Usually you should see the error message straight on stderr, not in the syslog. This really looks like your ${wan_ip} is somewhat messed up and you try to bind |
I analyzed the syslog and seems that the eth0 is going to sleep while used by ppp0 witch in turn disconnects ppp0. This correlates very well with your last post. So for the moment I see no issue with sshttp. |
I just solved the ppp0 sleeping problem by commenting these in NetworkManager-pppoe configuration:
Now my internet connection is stable and under control:
pretty clear ... |
... then I restarted the computer, started nginx on wan_ip:443 and wan_ip:1080 and it worked using the wan_ip:443 (https://wan_ip/my-web-site-url). I guess sshttp should work too. |
Besides eth0 I also have another card named eth1. When it is enabled nginx also complains about couldn't binding to 443. The test just above (done 2x) is accomplished with eth1 disabled at start. With the same environment setup then sshttp starts fine on wan_ip:443 (hooray); I then try ssh or https over 443 and I get: |
When moving everything to 127.0.0.1 instead of wan_ip: |
Same for: |
I've done the same tests with sslh and I've got the same result (i'll ask them too about this): |
I use ubuntu 16.04 with ufw with default configuration + ports 22, 80, 443 allowed. |
Thats strange and sounds less of a sshttp problem itself, as reportedly sshl shows the |
Well, I'm using:
from localhost but this works well when not using pppoe. |
It may be different for ppp since its a point to point device. if the local ssh or curl |
First I'll clarify something very important (I guess I induced some confusion related to these):
Practically I understand that I might miss some correct configuration for the listening ports and/or ethernet interface but I have no idea about which. I start sshttpd this way:
nginx.conf contains only: I stress again: stopping sshttp then using nginx with ppp0_ip:443 will make nginx work on 443. This totally puzzles me:
I'm pretty sure when using curl then curl itself won't bind a port but only open a connection on a port, is it? |
Ok, besides the comments above I anyway tried to do as you said and I connected from internet with my phone to ppp0_ip:443 and it works both for ssh:443 and https:443 (hooray). There's a problem still! :( E.g. wordpress (used by my blog) is hardcoding the base website url; so any link on it will be formed like https://my-internet-domain/my-website. Accessing https://my-internet-domain/ from localhost (host running sshttp) yields a series of these errors:
and of course I'm writing my blog post from localhost ... Not to mention that is better/easier/safer for me to test my other personal websites by accessing them using my-internet-domain instead of using ppp0_ip or other tricks. Any idea about solving this? |
I'm feeling like a noob; anyway thanks to you I guess I solved the entire puzzle. My claim that without pppoe it works is not true - I get the same error which, as you already said, it's natural. Every time I tested https and ssh I made a small but decisive mistake. I tested https://my-domain-name/my-website while my-domain-name was resolved to router's WAN ip (you know, the bookmark was easily accessible in browser's toolbar). Instead I should have test https://eth0_ip/my-website in order for the test to be equivalent to the one with ppp0_ip. With ssh I used a shorter equivalent to ssh -p 443 my_username@my-domain-name with again my-domain-name being resolved to router's WAN ip (here I used ~/.ssh/config which was using my-domain-name). Instead I should have test ssh -p 443 my_username@eth0_ip in order for the test to be equivalent to the one with ppp0_ip. Anyway the question remains: |
Ok, so I conclude that everything is fine with sshttp and nothing needs to be fixed. |
Hi, I'm trying to use sshttp with pppoe (mtu=1492, pppoe over eth0) e.g.:
sshttpd -n 4 -S 1022 -H 1443 -L 443 -l ${ppp0_ip} -U nobody -R /run/sshttpd
with my equivalent nf-setup using DEV=ppp0 instead of eth0 and 1022, 1443 ports I get the following behaviour:
When using this setup directly with eth0 (behind a router which connects to same ISP using same pppoe configuration + mtu=1500) everything works as expected (ssh username@eth0_ip, websites are accessible).
The exact mtu=1492 for ppp0 is mandatory otherwise no website works - found after many painful tests.
When using pppoe I bind sshd to ppp0_ip:1022 and nginx to ppp0_ip:1443 while when using eth0 directly I bind them to eth0_ip:1022 and eth0_ip:1443.
I guess sshttpd binary has nothing to do with the problem but only the iptables used by nf-setup; may be those iptables change/reset the mtu to 1500 -> I guess this might be because the result seems very similar to when used mtu 1500 with pppoe (websites hang).
So is this a bug or not?
The text was updated successfully, but these errors were encountered: