Curl works, but not pages in a web browser with OpenLiteSpeed

Solution 1

I think that your problem is that OpenLiteSpeed is only listening on the localhost address.

Please make sure that it is listening on 0.0.0.0, which means all the addresses. In my sample there are processes listening on 127.0.0.1 and processes listening on all the IPs, in IPv4 0.0.0.0 and in IPv6 :::

carles@fast:~$ sudo netstat -tulpn | grep LISTEN
[sudo] password for carles: 
tcp        0      0 127.0.0.1:6942          0.0.0.0:*               LISTEN      45335/java          
tcp        0      0 127.0.0.1:41601         0.0.0.0:*               LISTEN      45335/java          
tcp        0      0 127.0.0.1:63342         0.0.0.0:*               LISTEN      45335/java          
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      827/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1143/sshd: /usr/sbi 
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      455095/cupsd        
tcp        0      0 127.0.0.1:34585         0.0.0.0:*               LISTEN      160123/java         
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2072/master         
tcp        0      0 127.0.0.1:43195         0.0.0.0:*               LISTEN      160123/java         
tcp6       0      0 :::22                   :::*                    LISTEN      1143/sshd: /usr/sbi 
tcp6       0      0 ::1:631                 :::*                    LISTEN      455095/cupsd        
tcp6       0      0 :::25                   :::*                    LISTEN      2072/master    

If you want to debug whether traffic arrives from other sites, run tcpdump on the server and attempt to connect from another machine. You'll see whether that attempt arrives. Please check this first and provide an answer to continue debugging.

But whatever your connectivity problem is, you can get to localhost:8088 from your browser using a tunnel.

If you use Ubuntu as your Desktop you can do:

ssh -L LOCAL_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER

For example:

ssh -L 8088:123.45.67.89:8080 [USER@]123.45.67.89

Then in your browser you just connect to localhost:8088 and the tunnel will do the magic: your server will believe that the connection is made locally, so you can configure anything from your browser.

Cheers
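Added example (not part of the original answer): a small Python parser for `netstat -tulpn` output that classifies each listener by bind address and reports whether the two OpenLiteSpeed ports named in the question are local-only or network-reachable. The sample rows, the `litespeed` process name and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in `netstat -tulpn` format; the 7080 and 8088 rows are
# hypothetical OpenLiteSpeed listeners, not output taken from the page.
SAMPLE = """\
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      455095/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1143/sshd
tcp        0      0 127.0.0.1:7080          0.0.0.0:*               LISTEN      2201/litespeed
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN      2201/litespeed
tcp6       0      0 :::22                   :::*                    LISTEN      1143/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      455095/cupsd
"""

ADMIN_PORTS = {7080, 8088}  # ports named in the question; adjust for your host


def parse_listeners(text):
    """Yield (address, port, process) for each TCP LISTEN row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue  # skips headers, UDP rows and the sudo prompt line
        # Split on the last colon: ":::22" -> ("::", "22"), "::1:631" -> ("::1", "631")
        host, _, port = fields[3].rpartition(":")
        yield ipaddress.ip_address(host), int(port), " ".join(fields[6:])


def scope(addr):
    """Classify a bind address by who can reach it."""
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-address"


def audit(text, admin_ports=ADMIN_PORTS):
    """Return {port: verdict}; a non-loopback binding on any family wins."""
    findings = {}
    for addr, port, _proc in parse_listeners(text):
        if port in admin_ports and findings.get(port) != "network-reachable":
            local = scope(addr) == "loopback-only"
            findings[port] = "local-only" if local else "network-reachable"
    return findings


if __name__ == "__main__":
    for port, verdict in sorted(audit(SAMPLE).items()):
        print(port, verdict)
```

A port reported as `local-only` answers `curl` on the server itself but not a remote browser; one reported as `network-reachable` depends entirely on the firewall for protection.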

Solution 2

I strongly advise you NOT to open these ports. Instead do the following.

Connect to your server with your outside machine via SSH and create an encrypted tunnel just for you. Type the following in your terminal and you will be able to browse your desired webpages.

Open a terminal on your local machine with ssh.

ssh -L 8088:example.com:8088 [email protected]

As long as you keep this terminal open, you can now browse the desired page at https://localhost:8088

And yes, your browser will be terrified that this certificate is wrong; just click continue and you are all set.

Repeat this with the other port. Or if you use Windows, use PuTTY and check the ssl options. WSL2 also works for me.

Author by

BlueDogRanch


Updated on September 18, 2022

Comments

  • BlueDogRanch
    BlueDogRanch over 1 year

    I'm running Ubuntu 20.04.1 LTS on a Linode server and OpenLiteSpeed openlitespeed.org.

    I'm getting timeouts for example.com:8088 and example.com:7080, the two OpenLiteSpeed admin and config pages, in a browser.

    But while logged in via SSH, running curl 127.0.0.1 gives me the text of the index.html file at root, and curl http://localhost:8088 gives me the html dump of the OpenLiteSpeed admin page.

    From another host, running curl 123.45.67.123 works.

    Going directly to the site/server IP 123.45.67.123 works.

    From another host, running curl example does not return anything.

    Going to example.com in a browser works and shows me the index.html page.

    Pinging example.com works.

    But I can't connect to example.com:8088 or example.com:7080 in a browser.

    Apache is running, but OpenLiteSpeed hasn't yet been configured to use port 80, since I can't get to the admin pages.

    ufw status shows:

    65500                      ALLOW       Anywhere
    443                        ALLOW       Anywhere
    443/tcp                    ALLOW       Anywhere
    7080/tcp                   ALLOW       Anywhere
    8088/tcp                   ALLOW       Anywhere
    OpenSSH                    ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    65500 (v6)                 ALLOW       Anywhere (v6)
    443 (v6)                   ALLOW       Anywhere (v6)
    443/tcp (v6)               ALLOW       Anywhere (v6)
    7080/tcp (v6)              ALLOW       Anywhere (v6)
    8088/tcp (v6)              ALLOW       Anywhere (v6)
    OpenSSH (v6)               ALLOW       Anywhere (v6)
    80/tcp (v6)                ALLOW       Anywhere (v6)
    

    Completely disabling ufw makes no difference with the issue.

    Any ideas?


    Edit 10/25/2020:



    Edit 10/26/2020

    This worked from my local Mac with port 7080 denied in ufw on the server and brings up the OLS admin page:

    ssh -L 7080:123.45.67.123:7080 [email protected]

    Important note: I was using CloudFlare, which was part of the problem. CloudFlare blocks port 7080 (as well as others; see https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxy ). So in order to use the localhost tunnel as in Carles Mateo's answer, you need to change OpenLiteSpeed's admin port to an allowed CloudFlare port (like 8443) in /usr/local/lsws/admin/conf/admin_config.conf and restart OpenLiteSpeed. And also disable any SSLs at CloudFlare, at least until you configure an SSL that doesn't throw security errors.

    Overall, my solution to protect the OpenLiteSpeed admin page from script kiddies, etc., while using CloudFlare is to change to and use port 8443 to configure OLS settings, and then via SSH change that port back to 7080, which is blocked by default by CloudFlare.

  • BlueDogRanch
    BlueDogRanch over 3 years
    Thanks, that makes sense for security, but your ssh example gives me Bad local forwarding specification 8088:localhost:example.com:8088
  • BlueDogRanch
    BlueDogRanch over 3 years
    Thanks, same issue with ssh: Bad local forwarding specification 8088:localhost:example.com:8088. netstat output added.
  • Carles Mateo
    Carles Mateo over 3 years
    Remove the localhost. So 8088:example.com:8088. If you want to use it, then it is localhost:8088:example.com:8088.
  • Carles Mateo
    Carles Mateo over 3 years
    As s1mmel comments, admin ports should not be open worldwide. Even if you add firewall rules, if one day the firewall is stopped or you change it inadvertently, you would be exposed to being hacked.
  • BlueDogRanch
    BlueDogRanch over 3 years
    Thanks! This worked for the OpenLiteSpeed admin page: ssh -L 7080:123.45.67.123:7080 [email protected] with port 7080 denied in ufw. I had to use the IP rather than the domain. I also added more details in my updated question.