Thanks @francilio . I’m still feeling a bit reluctant to hit that finish
button/tab.
Have you completed and passed this task already?
Yes, I have already done this task. You can check if the port is accessible with telnet: run telnet {host} {port}, and it will report Connected to {host} if the port is accessible, or will get stuck on Trying {host} if it’s not. Run this on the jump host (the three app servers’ nginx should be accessible but Apache should not) and on the lb host (both services should be accessible). As long as these requirements are met, I don’t think other modifications will fail the task.
Thank you @francilio!
I have just run (from the Jump Server & from the LB Server):
telnet stapp01:6880
telnet stapp02:6880
telnet stapp02:6880
…and I am getting:
Unknown host
I’m not sure what is missing.
Am I supposed to install & configure Firewalld on the App Servers only? That’s what I have done.
@juliettet , the host and port should be separated by space, so the right command is telnet stapp01 6880 (without the colon)
Ohhhhh…Thanks!
Now I’m getting connection refused when trying to connect to nginx from Jump Host:
telnet stapp01 6768
& this error when trying to connect to Apache:
Trying 172.16.238.10...
telnet: connect to address 172.16.238.10: No route to host
Thank you for your patience:-)
Update:
…after running iptables -F in all 3 app servers I am able to connect to Apache:
telnet stapp01 5001
Trying 172.16.238.10...
Connected to stapp01.
Escape character is '^]'.
…but not to nginx from Jump Server…
…let me check my configuration again…getting closer…I think…
Update #2:
I am now able to connect to Apache AND to nginx from the Jump Server AND from the LB Server when running:
telnet stapp01 8093 //nginx
telnet stapp02 8093 //nginx
telnet stapp03 8093 //nginx
telnet stapp01 8084 //apache
telnet stapp02 8084 //apache
telnet stapp03 8084 //apache
Should I have created more than one rich rule?
Update #3:
Something is still wrong as I am able to connect via telnet to nginx and to Apache (as mentioned above) from both the Jump Server + the LB Server.
Here are some screenshots of my latest configuration:
Could anyone help me understand what I’m missing?
I could post all of the steps that I have taken here…if that’s OK…not sure if it is. I’ve spent a LOT of time stuck on this one and I would love to actually understand what I am missing.
Also one more thing:
Does it matter that I am running all of these commands (on all App servers) as the root user? I was unable to install/start/enable firewalld without first switching to the root user.
No, it doesn’t matter.
Thanks @Tej-Singh-Rana!
On another note, I just realized (via this article => https://www.ryadel.com/en/install-nginx-centos-freebsd-reverse-proxy-cache/) that the commands used to open up Firewalld depend on which network interface you’re using: either WAN or eth0. Iptables are needed only if using eth0.
Does the network interface that I choose affect the overall outcome of this task? For my last attempt I went with WAN.
Also, it appears that I am getting closer to the finish line (thank you @francilio & @amuthan1983), but I am getting an access forbidden error when trying to curl nginx. I’m not sure why this is happening. The telnet commands appear to be working as expected now, as in the Jump host is connecting to nginx, but not to Apache, & the LB Server is connecting to NGINX and to Apache.
…feels like I’m really close, but not sure.
Apologies for all of the questions, but for some reason this task is really tripping me up.
Cheers:-)
Hi @juliettet, thanks for posting this question and also for the great discussion! Just wondering if the issue was resolved?
Hi @Chance,
I was able to pass the task after much trial and error. I ended up using the WAN network interface with Firewalld.
Hi @SZI,
It is difficult for me to tell where exactly you may have gone wrong without getting some more details with regards to the steps that you have taken, but from the image/screenshot, it looks to me like you failed to implement step 2: Allow incoming connections from the LB host only on the Apache port and block for all others.
Try adding a rich rule that forwards traffic from LB to Apache.
Hope this helps:-)
@juliettet,
I followed the below steps referring to your earlier post.
#To check the status of nginx and httpd
systemctl status nginx && systemctl status httpd
#To check the port number for nginx and httpd
grep -i Listen /etc/httpd/conf/ht* /etc/nginx/nginx.conf
#install firewall & start and check status
yum install firewalld -y
systemctl start firewalld && systemctl enable firewalld && systemctl status firewalld
yum install net-tools
netstat -tulpn | grep LISTEN
systemctl restart dbus
systemctl start firewalld && systemctl enable firewalld && systemctl status firewalld
#adding firewall rules to allow and block
firewall-cmd --zone=public --add-port=8096/tcp --permanent
firewall-cmd --permanent --zone=public --add-service={http,https}
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.16.238.14" port protocol=tcp port=8087 accept'
firewall-cmd --permanent --zone=public --change-interface=wan
firewall-cmd --reload
firewall-cmd --get-active-zones
systemctl restart firewalld && systemctl status firewalld
firewall-cmd --zone=public --list-ports && firewall-cmd --zone=public --list-all && firewall-cmd --list-all
Also, modified the nginx config file
server {
listen 8087;
listen [::]:8087;
server_name 172.16.238.10;
root /usr/share/nginx/html;
}
proxy_pass http://172.16.238.10:8087/;
Hi @SZI,
Take a look at what you have in your server block:
server {
listen 8087;
listen [::]:8087;
server_name 172.16.238.10;
root /usr/share/nginx/html;
}
The server block should be listening on the nginx port 8096, not on the apache port 8087. Leave proxy_pass http://172.16.238.10:8087/; as it is because Nginx is running as a reverse proxy server for Apache (as stated in the instructions).
I hope this helps:-)
…and make sure to restart nginx & apache after you’ve made your changes:
systemctl restart nginx
systemctl status httpd
BTW, I assume that you are running these commands as the root user because there is no sudo prepended to your commands…
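As an added example (not code from the thread or from the lab), this bash script renders the firewalld rule set the task describes (nginx port open to everyone, Apache port accepted only from the LB via a rich rule, as in step 2 above) and checks telnet results against the expected matrix francilio gave earlier (jump host: nginx open, Apache blocked; LB host: both open). The ports and LB address are assumptions taken from values posted in this thread.

```shell
# Ports and the LB address are assumptions taken from values posted in this
# thread; override them from the environment for your own lab.
NGINX_PORT=${NGINX_PORT:-8096}
APACHE_PORT=${APACHE_PORT:-8087}
LB_IP=${LB_IP:-172.16.238.14}

# Rule set to run on every app server as root: nginx port open to everyone,
# Apache port accepted only when the source is the LB, everything else falls
# to the public zone's default reject (which telnet reports as "No route to host").
firewalld_rules() {
  printf '%s\n' \
    "firewall-cmd --permanent --zone=public --add-port=${NGINX_PORT}/tcp" \
    "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"${LB_IP}\" port port=\"${APACHE_PORT}\" protocol=\"tcp\" accept'" \
    "firewall-cmd --reload"
}

# Map one telnet transcript to an outcome, e.g.:
#   classify_telnet "$(telnet stapp01 "$APACHE_PORT" 2>&1)"
classify_telnet() {
  case "$1" in
    *"Connected to"*)       echo open ;;     # port reachable
    *"No route to host"*)   echo blocked ;;  # firewall rejected the packet
    *"Connection refused"*) echo refused ;;  # host reached, nothing listening there
    *"Unknown host"*)       echo unknown ;;  # bad hostname (e.g. the host:port typo)
    *)                      echo timeout ;;  # stuck on "Trying ..." (dropped)
  esac
}

# Expected outcome per origin (jump|lb) and service (nginx|apache),
# as francilio described it.
expected() {
  case "$1:$2" in
    jump:apache)                   echo blocked ;;
    jump:nginx|lb:nginx|lb:apache) echo open ;;
    *)                             echo invalid ;;
  esac
}

# verify_origin <origin> <nginx transcript> <apache transcript>
# Exit status 0 when both observations match the matrix; mismatches are printed.
verify_origin() {
  local origin=$1 rc=0 n_obs a_obs
  n_obs=$(classify_telnet "$2")
  a_obs=$(classify_telnet "$3")
  [ "$n_obs" = "$(expected "$origin" nginx)" ]  || { echo "$origin -> nginx: got $n_obs"; rc=1; }
  [ "$a_obs" = "$(expected "$origin" apache)" ] || { echo "$origin -> apache: got $a_obs"; rc=1; }
  return $rc
}
```

Feed each telnet transcript captured from the jump host and the LB host into verify_origin; the "Update #3" situation above (Apache reachable from the jump host) shows up as a jump -> apache mismatch.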
Hi @juliettet, thank you for pointing that out. I recognized my silly mistake while doing this task. But the task is marked as failed and has not let me retry since yesterday. Any thoughts as to how to bring it back to review mode so I can give it a try?
Hi @SZI,
You should have an option (in your dashboard, on the right side of the task that was marked as failed) to mark for review. Click on that & when someone responds with the correct answer/response, click on the check mark to mark the response as correct. After that, you should see an option to retry the task back in your main dashboard.