Network Loopback
whiteeyebrows said 1 year, 4 months ago:
I am tinkering with GoDaddy VDC, and so far I really like it. However, I’m running into a problem with, what I believe is a network/firewall issue.
I’m unable to do any kind of HTTP request to my own server FROM my server. I think this is called a loopback or hairpin. I’m unable to hairpin any request from my server to my server.
For example:
From a bash prompt, I do a
# wget http://www.mydomain.com/index.php
–2011-12-31 09:44:52– http://www.mydomain.com/index.php
Resolving http://www.mydomain.com... <my WAN ip address>
Connecting to http://www.mydomain.com|<my WAN ip address>|:80… failed: Connection refused.
The same type of response happens when I try to do a checkout from a subversion repository on my own server.
If I however, do the checkout using “localhost” or “127.0.0.1″ (rather than using the fqdn of the repository server) then it works fine.
For example:
# svn co http://svn.mydomain.com/repository/trunk/ .
svn: OPTIONS of ‘http://svn.mydomain.com/repository/trunk’: could not connect to server (http://svn.mydomain.com)
I have ruled out anything to do with DNS – all these commands work fine from any remote server.
Bottom line – I don’t know whether this is a problem with my VPS/Server configuration – not being able to handle a request that is hairpinned from the server, or if it’s a limitation of GoDaddy infrastructure for using local addresses for servers and port forwards to get to the outside (rather than binding the outside addresses to the server themselves).
Any help anyone can give would be appreciated.
whiteeyebrows said 1 year, 4 months ago:
One more tidbit on this:
When trying to configure a site with a SSL certificate on Apache, I had to use the VirtualHosts directive “<VirtualHosts *.443>” to get the site to work. Specifying the actual outside IP address the HTTPS requests come in on was causing the server to fail and give error 107. I think this is a related problem. Feels like the server has no idea it has these outside IP addresses, so it doesn’t respond to requests from them.
I’d rather bind it to the IP address so that I can potentially have more than 1 SSL host on this machine.
christianh said 1 year, 4 months ago:
@whiteeyebrows
You’re correct with the way that the IP addresses and port forwarding are setup. You may want to consider using localhost or using the lwp-request command, which does no require you to resolve DNS.
–Christian
whiteeyebrows said 1 year, 4 months ago:
Thanks for the response Christian.
Unfortunately, “that’s just the way it is” isn’t a great answer.
Are you saying there’s no way to configure the server to bind the outside IP addresses? Huge limitation and possibly a deal breaker. As noted above, this prevents you from configuring multiple SSL certs on the same Virtual Data Center. That just doesn’t seem right.
Also – Wordpress relies on this behavior to be enabled to run the “wp-cron.php” file when people hit a Wordpress site. This is responsible for, among other things, posting scheduled posts. So it’s kind of a big deal.
It’s one thing if I need to learn how to configure Fedora to do something – but it’s another if the GoDaddy VDC network/firewall is explicitly preventing these types of hairpin requests.
Like I say, possibly a deal breaker for my business.
christianh said 1 year, 4 months ago:
@whiteeyebrows
Yes, you can bind outside IP addresses in Virtual DataCenter, but that is not how the IPs are configured by default. The IPs are configured and forwarded through the Virtual DataCenter network. If you need the IPs to be bound on the instance itself, you can use ifconfig to add them to the ethernet configuration.
–Christian
vincent said 1 year, 4 months ago:
Networking in Virtual DataCenter works in a way that is similar to a typical home network.. Your Cable/DSL is connected to a WiFi router and it gets a public IP address from the connection provider. Then it provides private IP addresses to all the machines in the house. If you want to run a server, you tell the router to forward a particular set of ports to a particular machine, but your machines never have public internet IP addresses.
So in Virtual DataCenter, Public IP addresses are bound to a routing “appliance” that provides DHCP, firewall, load balancing, VPN, etc. Machines inside a Network are on a private network with non-routable IP addresses, and are not reachable directly from the outside world. You cannot attach a public IP address directly to a machine (ifconfig won’t stop you, but it’s not going to work.)
That doesn’t mean you can’t host multiple SSL sites though. You can have multiple public IP addresses tied to the same network/routing appliance, and then use different ports to differentiate the VirtualHosts.
For example you could create three port forwards/load balancers:
Source -> Destination
50.62.1.1 : 443 -> 10.1.1.2 : 10000
50.62.1.2 : 443 -> 10.1.1.2 : 10001
50.62.1.3 : 443 -> 10.1.1.2 : 10002
Then create VirtualHosts on 10.1.1.2 for ports 10000, 10001 and 10002 each with different SSL certs.
Some relevant help articles:
Adding a Public IP to Your Virtual DataCenter
Adding a Load Balancer to Your Virtual DataCenter
Adding Port Forwarding to Your Virtual DataCenter
vincent said 1 year, 4 months ago:
Regarding your initial question: It looks like talking “back to yourself” is working for Load Balancers but not Port Forwards with the way things are currently setup inside the network appliances. We will be looking into the problem with Port Forwards.
But for now the simple workaround is switching to using a Load Balancer for HTTP(S).
0 min expected wait time