3BB and incoming port 80

[Tywais]

I've been tasked to establish a file sync and sharing system at the office. I set up on my home computer a test system which includes Apache server, MySQL server, perl & php. With this foundation I implemented a local Cloud server and works fine. However, they will want external access, that is outside to the internalprivate server IP. I created a No-IP (Dynamic DNS service) account directing to my internal Apache web server. Opened up ports 80, 443(SSL) and port 3306 (MySQL) in the firewall and also port forwarded all 3 in the router.

Running from a website port scanner test, port 80 is closed, 443 & 3306 are open. I can access the internal Cloud (via Apache) using https (port 443) just fine but not the standard port 80. Not entirely surprised though as many ISPs block port 80 and 25 either they don't want private web/e-mail servers for traffic or security reasons. So 3BB blocks 80 but not critical for my testing purposes

Now my tests are completed and the system works as I wish it I am implementing it at the office. The university network is not a possibility to use a Dynamic DNS service as I have no access to their firewall to change port forwarding. However, the facility has a TOT 16Mbit fiber network and I may connect to it.

My question is, does anyone have experience setting up a home webserver under TOT and successfully able to access it via the standard port 80? I will still use a Dynamic DNS service for it to get a domain name. The other option is going for a static IP from TOT but our budget is very tight.

[Guest]

In my experience the TOT network works like GoDaddy servers. Sometimes it works, sometimes not. This might be depending what IPv4-range you get. I would drop that as an option.

The next question is: how much data do you have? Could it be shared with Dropbox, which handles sharing very well? If more quota is needed, could Google Drive be handy?

If you don't trust these global providers with your data, it's possible to use own server with clients using rsync (ssh port 22) to sync the data. This solution is a messy one as it's easy to sync the data, but much more difficult to check which part of the data is newest.

[Tywais]

The next question is: how much data do you have? Could it be shared with Dropbox, which handles sharing very well? If more quota is needed, could Google Drive be handy?

I wish to maintain our own private cloud as files have to be shared and customized into groups with direct control over permissions. It will broken into a variety of groups such as accounting, personnel, etc. Each independent of each other and not accessible without the group giving share permission on a file basis to other groups. Commercial clouds are not suited for this plus I don't want to rely upon them if there is an external network failure. It will be predominantly used internally but with access externally for Thailand wide research facilities but under read protection and specific share access as required.

In other words I need the customization necessary with my own cloud server. My tests show it working very well with autosyncing and auto versioning of files on the local computer to the internal cloud server. Even tested it with an Android cloud app successfully.

//edit - there will probably be a significant amount of data and another reason not to use a commercial cloud service as uploads will be terribly slow.

[Guest]

One way to do this is to follow the Unix groups and permissions, which I think you already are using.

Simply keep the intranet the way it is now (permissions handled in the way it should be), and allow the external connections using VPN.

Do you have a dedicated IP range reserved and used by your university?

[NeverSure]

Wayne, I got lost somewhere.

"Running from a website port scanner test, port 80 is closed"

How can you reach a website (http) if port 80 is closed? The the website, if not SSL, listens on port 80 for your request. If your router isn't sending via 80, this is confusing to me.

Do you have any other problems or reasons to believe that 80 is closed?

PS. Can you surf the web via http? Was that port scanner http? Maybe it was https and I didn't catch that?

If you can surf the web via http, I don't understand how 80 could be closed in your router.

Edited September 25, 2014 by NeverSure

[Tywais]

Wayne, I got lost somewhere.

"Running from a website port scanner test, port 80 is closed"

How can you reach a website (http) if port 80 is closed? The the website, if not SSL, listens on port 80 for your request. If your router isn't sending via 80, this is confusing to me.

Do you have any other problems or reasons to believe that 80 is closed?

blocking incoming port 80, not outbound port 80.

[Guest]

@neversure: Simple firewall rules normally only consider the port (80) and do not care about the protocol (http). That's very easy to overcome by serving a http server on a port 81 for an example. Then calling it as http://foo.bar:81/

[Tywais]

One way to do this is to follow the Unix groups and permissions, which I think you already are using.

Simply keep the intranet the way it is now (permissions handled in the way it should be), and allow the external connections using VPN.

Do you have a dedicated IP range reserved and used by your university?

The university has us on private IPs behind their firewall 10.xxx.xxx.xxx as are all other departments but different 10.x.x.x subdomains. The server is Windows 7 64-bit not a unix server as it more compatible for our needs. VPN is also an issue as again we have no static IP and require the use of a Dynamic DNS services such as DynDNS or in my case No-IP and without access to the uni firewall I can not port forward internally.

Before I ran my own firewall at the office with a static IP and domain name on a Linux server and could manage all this but they don't want departments to have their own firewall and require us to go directly through theirs. A real pain and loss all flexibility I once had or this would have been trivial.

[Tywais]

@neversure: Simple firewall rules normally only consider the port (80) and do not care about the protocol (http). That's very easy to overcome by serving a http server on a port 81 for an example. Then calling it as http://foo.bar:81/

Yes, port 80 is the default and alternates are usually 81 or 8080. All 3 of these are blocked for incoming by 3BB.

[Guest]

My advice is to use external provider, if that is an option.

If it's not or it is, then things get more complicated.

[IMHO]

You've already established that inbound port 80 is blocked. That means it's either TOT blocking it, or your own router/firewall blocking it. If the former, there's nothing you can do, and you already know the reasons why.

My question is, if 443 is open, why wouldn't you just use it? It would appear to make more sense to do the sync over HTTPS/SSL anyway, no?

[Tywais]

You've already established that inbound port 80 is blocked. That means it's either TOT blocking it, or your own router/firewall blocking it. If the former, there's nothing you can do, and you already know the reasons why.

My question is, if 443 is open, why wouldn't you just use it? It would appear to make more sense to do the sync over HTTPS/SSL anyway, no?

It's 3BB that is blocking 80 on my test arrangement at home and just trying to find out if TOT does the same as we have a TOT FO line used as a backup system at the facility. Obviously the easiest way now is for me to stick the server on the TOT line and see. And you are right, SSL is the more appropriate route to go due to sensitive data being sent. Just occurred to me after I put this topic up.

[Sayonarax]

Centos 6.5 has Apache server (httpd) installed by default.

How could 3BB block port 80? default http port...

[KittenKong]

I like Hamachi for this sort of thing. Makes life much easier.

[IMHO]

Centos 6.5 has Apache server (httpd) installed by default.

How could 3BB block port 80? default http port...

Easy, they block port 80 for incoming....

When you connect to a server using outbound port 80, the port at your receiving end isn't also 80...

[harrry]

Why not set up a server in the cloud. This gives you full control.

[Tywais]

Why not set up a server in the cloud. This gives you full control.

That costs money, something we are very short on due to major funding cutbacks in research, plus we want it internal for the main work for reliability and speed and external access for the lessor demands of remote collaboration. So far my setup is working quite nicely and do have full control and it is free as the software is open source and we already had the server sitting around looking for something to do.

If anyone is interested in the system. OS is running Windows 7 64-bit on a HP Proliant server (XEON processor). I used xampp which is a bundled package of Apache, MySQL, perl and php. An alternative is WampServer, similar package. The cloud software is ownCloud.

[harrry]

Why not set up a server in the cloud. This gives you full control.

That costs money, something we are very short on due to major funding cutbacks in research, plus we want it internal for the main work for reliability and speed and external access for the lessor demands of remote collaboration. So far my setup is working quite nicely and do have full control and it is free as the software is open source and we already had the server sitting around looking for something to do.

If anyone is interested in the system. OS is running Windows 7 64-bit on a HP Proliant server (XEON processor). I used xampp which is a bundled package of Apache, MySQL, perl and php. An alternative is WampServer, similar package. The cloud software is ownCloud.

Don't they have a licence for Windows server 2012 there...l.ready made cloud system if they do.

[Tywais]

Why not set up a server in the cloud. This gives you full control.

That costs money, something we are very short on due to major funding cutbacks in research, plus we want it internal for the main work for reliability and speed and external access for the lessor demands of remote collaboration. So far my setup is working quite nicely and do have full control and it is free as the software is open source and we already had the server sitting around looking for something to do.

If anyone is interested in the system. OS is running Windows 7 64-bit on a HP Proliant server (XEON processor). I used xampp which is a bundled package of Apache, MySQL, perl and php. An alternative is WampServer, similar package. The cloud software is ownCloud.

Don't they have a licence for Windows server 2012 there...l.ready made cloud system if they do.

We have a license for MS Server 2008 RC2 which is on the machine already. However the terminal services license (now called RDS) that came with it has expired and at nearly $2000 USD to renew the number of subscriptions out of the question and was a route I initially went for. Not sure what you mean by 'ready made' though. I will look further into our 2008 server to see what is needed but suspect a lot more of my time than this took which was less than 2 days to install, test, basic configuration and now working on the users and groups and logistics of data and user interaction. So mechanics in place, management work now.

[phazey]

Just want to add +1 to "just use 443 only"

Seriously in this day and age, if there's an option to encrypt your stuff going over the wire, use it.

My job entails me to do a lot of packet capturing, which i can see very clearly what people are doing.....If you're doing to generate your own keys, please use SHA2 as opposed to any other algorithms.

[Tywais]

Just want to add +1 to "just use 443 only"

Seriously in this day and age, if there's an option to encrypt your stuff going over the wire, use it.

My job entails me to do a lot of packet capturing, which i can see very clearly what people are doing.....If you're doing to generate your own keys, please use SHA2 as opposed to any other algorithms.

You are right about using SSL and I shouldn't have focused on port 80 for this task, just rushed to get remote testing working when I ran into this issue. And thanks for reminding me as I haven't generated my SSL certificate yet for the Apache server.

I know what you mean about the packet sniffing as I also had to do a lot of that to find out where abnormal traffic was coming from/to. Not only that but there are packet sniffers with built in password traps.

[Tywais]

Just an update on this. I moved the server over to the TOT line yesterday. Set port forwarding in the TOT fiber router for 80, 443, 3306 and open port check showed all 3 open and system up and running nicely now. Using No-IP dynamic DNS service and can access it via a domain name from anywhere.

Last thing to do is to generate the SSL certificate now.

[IMHO]

Just an update on this. I moved the server over to the TOT line yesterday. Set port forwarding in the TOT fiber router for 80, 443, 3306 and open port check showed all 3 open and system up and running nicely now. Using No-IP dynamic DNS service and can access it via a domain name from anywhere.

Last thing to do is to generate the SSL certificate now.

$8.50 for a real one, or do self-signed one for free

https://comodosslstore.com/positivessl.aspx