Mailing List Archive: Varnish: Misc

503 Service Unavailable when using firewall

 

 



ivan.martinez at masterion

Dec 7, 2011, 8:52 AM

Post #1 of 7 (2275 views)
503 Service Unavailable when using firewall

Hello all,
In a CentOS 6 server, I'm running Varnish in port 80 serving pages from
a Zotonic site in port 8000. It works fine when I leave all the ports
open. However, if I close all ports from 0 to 631 and explicitly open 80
and 8000, the following happens:

- I can see the website in server:8000.
- In server:80, I get the following after some seconds:

Error 503 Service Unavailable

Service Unavailable
Guru Meditation:

XID: 544990083

Varnish cache server

I have read about the sysctl issues with firewalls but it seems I have
it right:

[root [at] serve ivanmr]# sysctl -A | grep tw
net.ipv4.tcp_max_tw_buckets = 2048
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 0

varnish.log is empty. What can be the problem? Thank you.

Ivan

_______________________________________________
varnish-misc mailing list
varnish-misc [at] varnish-cache
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc


hugo.cisneiros at gmail

Dec 7, 2011, 9:04 AM

Post #2 of 7 (2248 views)
Re: 503 Service Unavailable when using firewall [In reply to]

On Wed, Dec 7, 2011 at 2:52 PM, Ivan Martinez
<ivan.martinez [at] masterion> wrote:

> In a CentOS 6 server, I'm running Varnish in port 80 serving pages from a
> Zotonic site in port 8000. It works fine when I leave all the ports open.
> However, if I close all ports from 0 to 631 and explicitly open 80 and
> 8000, the following happens:
>
> - I can see the website in server:8000.
> - In server:80, I get the following after some seconds:
>
> Error 503 Service Unavailable
>
> Service Unavailable
> Guru Meditation:
>
> XID: 544990083
>
> Varnish cache server
>

Error 503 happens when Varnish could not contact any backends. You can
check if a backend is up and healthy using the command:

varnishadm -T localhost:<adm_port> debug.health

The backend must be healthy. If it's sick, it means that varnish can't
connect on port server:8000 on your site for some reason
(nc/telnet/wget/curl can be useful to test here). Check if the firewall is
blocking the output, and it's accepting established/related connections on
the backend.

--
[]'s
Hugo
www.devin.com.br


roberto.fernandezcrisial at gmail

Dec 7, 2011, 9:43 AM

Post #3 of 7 (2244 views)
Re: 503 Service Unavailable when using firewall [In reply to]

Ivan,

Have you tried telnet from Varnish server to Zotonic server?

$ telnet zotonic.address 8000

Check if there is any response.

--
Roberto O. Fernández Crisial
@rofc

On Wed, Dec 7, 2011 at 1:52 PM, Ivan Martinez
<ivan.martinez [at] masterion> wrote:

> Hello all,
> In a CentOS 6 server, I'm running Varnish in port 80 serving pages from a
> Zotonic site in port 8000. It works fine when I leave all the ports open.
> However, if I close all ports from 0 to 631 and explicitly open 80 and
> 8000, the following happens:
>
> - I can see the website in server:8000.
> - In server:80, I get the following after some seconds:
>
> Error 503 Service Unavailable
>
> Service Unavailable
> Guru Meditation:
>
> XID: 544990083
>
> Varnish cache server
>
> I have read about the sysctl issues with firewalls but it seems I have it
> right:
>
> [root [at] serve ivanmr]# sysctl -A | grep tw
> net.ipv4.tcp_max_tw_buckets = 2048
> net.ipv4.tcp_tw_recycle = 0
> net.ipv4.tcp_tw_reuse = 0
>
> varnish.log is empty. What can be the problem? Thank you.
>
> Ivan
>


ivan.martinez at masterion

Dec 7, 2011, 9:53 AM

Post #4 of 7 (2241 views)
Re: 503 Service Unavailable when using firewall [In reply to]

Thank you Roberto,

There is only one server running both services, and if I can browse
http://server:8000 from my local machine, I suppose the telnet works as
well.

Ivan

On Wed, 7 Dec 2011 14:43:50 -0300, Roberto O. Fernández Crisial wrote:

> Ivan,
> Have you tried telnet from Varnish server to Zotonic server?
> $ telnet zotonic.address 8000
> Check if there is any response.
> --
> Roberto O. Fernández Crisial
> @rofc
>
> On Wed, Dec 7, 2011 at 1:52 PM, Ivan Martinez wrote:
>
>> Hello all,
>> In a CentOS 6 server, I'm running Varnish in port 80 serving pages from a
>> Zotonic site in port 8000. It works fine when I leave all the ports open.
>> However, if I close all ports from 0 to 631 and explicitly open 80 and
>> 8000, the following happens:
>>
>> - I can see the website in server:8000.
>> - In server:80, I get the following after some seconds:
>>
>> Error 503 Service Unavailable
>>
>> Service Unavailable
>> Guru Meditation:
>>
>> XID: 544990083
>>
>> Varnish cache server
>>
>> I have read about the sysctl issues with firewalls but it seems I have it
>> right:
>>
>> [root [at] serve ivanmr]# sysctl -A | grep tw
>> net.ipv4.tcp_max_tw_buckets = 2048
>> net.ipv4.tcp_tw_recycle = 0
>> net.ipv4.tcp_tw_reuse = 0
>>
>> varnish.log is empty. What can be the problem? Thank you.
>>
>> Ivan






roberto.fernandezcrisial at gmail

Dec 7, 2011, 10:15 AM

Post #5 of 7 (2245 views)
Re: 503 Service Unavailable when using firewall [In reply to]

Ivan,

Try to disable SELinux (enforced by default), and re-check your iptables
rules.

Regards,
Roberto.


2011/12/7 Ivan Martinez <ivan.martinez [at] masterion>

> Thank you Roberto,
>
> There is only one server running both services, and if I can browse
> http://server:8000 from my local machine, I suppose the telnet works as
> well.
>
> Ivan
>
> On Wed, 7 Dec 2011 14:43:50 -0300, Roberto O. Fernández Crisial wrote:
>
> Ivan,
> Have you tried telnet from Varnish server to Zotonic server?
> $ telnet zotonic.address 8000
> Check if there is any response.
> --
> Roberto O. Fernández Crisial
> @rofc
>
> On Wed, Dec 7, 2011 at 1:52 PM, Ivan Martinez <ivan.martinez [at] masterion
> > wrote:
>
>> Hello all,
>> In a CentOS 6 server, I'm running Varnish in port 80 serving pages from a
>> Zotonic site in port 8000. It works fine when I leave all the ports open.
>> However, if I close all ports from 0 to 631 and explicitly open 80 and
>> 8000, the following happens:
>>
>> - I can see the website in server:8000.
>> - In server:80, I get the following after some seconds:
>>
>> Error 503 Service Unavailable
>>
>> Service Unavailable
>> Guru Meditation:
>>
>> XID: 544990083
>>
>> Varnish cache server
>>
>> I have read about the sysctl issues with firewalls but it seems I have it
>> right:
>>
>> [root [at] serve ivanmr]# sysctl -A | grep tw
>> net.ipv4.tcp_max_tw_buckets = 2048
>> net.ipv4.tcp_tw_recycle = 0
>> net.ipv4.tcp_tw_reuse = 0
>>
>> varnish.log is empty. What can be the problem? Thank you.
>>
>> Ivan
>>


david.birdsong at gmail

Dec 7, 2011, 10:49 AM

Post #6 of 7 (2239 views)
Re: 503 Service Unavailable when using firewall [In reply to]

2011/12/7 Ivan Martinez <ivan.martinez [at] masterion>:
> Thank you Roberto,
>
> There is only one server running both services, and if I can browse
> http://server:8000 from my local machine, I suppose the telnet works as
> well.

Right, but you should still try to telnet *from* the varnish machine
to the backend despite the fact that your local machine can reach the
backend.

>
> Ivan
>
> On Wed, 7 Dec 2011 14:43:50 -0300, Roberto O. Fernández Crisial wrote:
>
> Ivan,
>
> Have you tried telnet from Varnish server to Zotonic server?
> $ telnet zotonic.address 8000
> Check if there is any response.
> --
> Roberto O. Fernández Crisial
> @rofc
>
> On Wed, Dec 7, 2011 at 1:52 PM, Ivan Martinez <ivan.martinez [at] masterion>
> wrote:
>>
>> Hello all,
>> In a CentOS 6 server, I'm running Varnish in port 80 serving pages from a
>> Zotonic site in port 8000. It works fine when I leave all the ports open.
>> However, if I close all ports from 0 to 631 and explicitly open 80 and 8000,
>> the following happens:
>>
>> - I can see the website in server:8000.
>> - In server:80, I get the following after some seconds:
>>
>> Error 503 Service Unavailable
>>
>> Service Unavailable
>> Guru Meditation:
>>
>> XID: 544990083
>>
>> Varnish cache server
>>
>> I have read about the sysctl issues with firewalls but it seems I have it
>> right:
>>
>> [root [at] serve ivanmr]# sysctl -A | grep tw
>> net.ipv4.tcp_max_tw_buckets = 2048
>> net.ipv4.tcp_tw_recycle = 0
>> net.ipv4.tcp_tw_reuse = 0
>>
>> varnish.log is empty. What can be the problem? Thank you.
>>
>> Ivan
>>



ivan.martinez at masterion

Dec 8, 2011, 3:12 AM

Post #7 of 7 (2235 views)
Re: 503 Service Unavailable when using firewall [In reply to]

Yes, I'm using Firewall Builder and had "lo" configured as "Unnumbered
interface". Changed to "Static IP address" and now everything works
fine. "Unnumbered" worked in another server, I don't know why... Thank
you everybody and sorry for wasting your time with silly mistakes.
Ivan

> Thank you Hugo, looks like I'm blocking internal traffic:
>
> [root [at] serve ivanmr]# varnishadm -T 127.0.0.1:6082 debug.health
> Connection failed (127.0.0.1:6082)
> [root [at] serve ivanmr]# nmap 127.0.0.1 -p 8000
>
> Starting Nmap 5.21 ( http://nmap.org ) at 2011-12-07 18:52 UTC
> sendto in send_ip_packet: sendto(4, packet, 44, 0, 127.0.0.1, 16) =>
> Operation not permitted
> Offending packet: TCP 127.0.0.1:43982 > 127.0.0.1:8000 S ttl=52
> id=29152 iplen=44 seq=521959048 win=1024 <mss 1460>
> sendto in send_ip_packet: sendto(4, packet, 44, 0, 127.0.0.1, 16) =>
> Operation not permitted
> Offending packet: TCP 127.0.0.1:43983 > 127.0.0.1:8000 S ttl=48
> id=55619 iplen=44 seq=522024585 win=1024 <mss 1460>
> Nmap scan report for localhost (127.0.0.1)
> Host is up.
> PORT STATE SERVICE
> 8000/tcp filtered http-alt
>
> Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds
>
> I will review my firewall configuration again... :-(
> Ivan


