(Plesk 10.4, CentOS 5.8 Linux Apache2 server, with Tomcat5 on port 8080 and Apache Solr)
I get “The connection has timed out” on requesting domain.com:8080 or www.domain.com:8080 or ip.ad.dr.ess:8080
Every reason I can find why this might be seems not to be the case:
- Plesk thinks Tomcat is running fine and lists it as an active service.
- The firewall currently has an accept all rule on port 8080.
- There’s nothing relevant in the catalina tomcat logs (/var/log/tomcat5) – just some stuff from last time tomcat was started. There’s no record at all of the requests that fail.
- netstat -lnp | grep 8080 gives the following, which I believe means Tomcat is listening to requests to port 8080 on all ip addresses from any ip and any port (please correct me if I’m wrong):

tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 4018/java

This covers every cause of this time out that I can find – so I must be missing something fundamental.
It seems Tomcat is running, listening to the right port, is getting an appropriate IP address, is not obstructed by a firewall and is not failing after receiving a request in a way which would be recorded in the logs (so I believe it can’t be out of memory, or anything like that).
I’m all out of ideas on how to continue debugging this. I must have overlooked something obvious. Can anyone help?
Well, it turns out there are firewalls, and then there are firewalls.
I’d naively assumed that setting an allow access rule on the port in the Parallels/Plesk/VZ firewall UI was enough to stop the firewall blocking access to that port. I was wrong: this UI does not touch a wholly separate layer of firewall based on iptables, which was blocking access to 8080 for all but selected IPs.
In my Plesk set up (which might be specific to my hosting arrangement, I’m not sure) the solution was to add rules to /etc/firewall/include that look like this:

$IPTABLES -I INPUT -p tcp --dport 8080 -s ip.ad.dr.ess -j ACCEPT
$IPTABLES -I OUTPUT -p tcp --sport 8080 -d ip.ad.dr.ess -j ACCEPT

…followed by service firewall restart (swapping ip.ad.dr.ess for the ip addresses you want to whitelist). I’m pretty sure in most hosting arrangements you could just run those lines as commands with /sbin/iptables instead of $IPTABLES, but having a file of custom firewall settings is pretty handy.
I guess this is a case of “If you give a man a crutch (like Plesk), he’ll assume he can lean on that crutch”
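
An added example, not part of the original post or of Plesk's tooling: a small first-match evaluator for saved iptables -S INPUT output that reports which rule decides a new TCP connection from a given source to a given port, the check that exposes a second firewall layer like the one described above. The sample rules and addresses are constructed, and only the options listed in KNOWN are modelled; any other rule is reported as UNDECIDED so it gets read by hand.

```python
import ipaddress
import shlex

# Constructed `iptables -S INPUT` output (not from the post): 8080 is open to
# one whitelisted address only, which the hosting panel's UI would not show.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
KNOWN = {"-s", "-p", "-m", "--dport", "--state", "--ctstate", "-j", "--reject-with"}


def verdict(rules_text, src_ip, dport, chain="INPUT"):
    """Return (target, deciding_rule) for a new TCP connection; first match wins."""
    src = ipaddress.ip_address(src_ip)
    policy = "UNDECIDED"  # replaced once the chain's -P line is seen
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        if tok[:2] != ["-A", chain]:
            continue
        args = tok[2:]
        opts = dict(zip(args[0::2], args[1::2]))
        if len(args) % 2 or not set(opts) <= KNOWN:
            return "UNDECIDED", line  # negation or a match not modelled here
        if "-s" in opts and src not in ipaddress.ip_network(opts["-s"], strict=False):
            continue
        if opts.get("-p", "tcp") not in ("tcp", "all"):
            continue
        if "--dport" in opts:
            lo, _, hi = opts["--dport"].partition(":")  # single port or lo:hi
            if not int(lo) <= dport <= int(hi or lo):
                continue
        states = opts.get("--state") or opts.get("--ctstate")
        if states and "NEW" not in states.split(","):
            continue  # the first SYN of a connection is in state NEW
        target = opts.get("-j")
        if target in TERMINAL:
            return target, line
        if target:
            return "UNDECIDED", line  # jump to a user chain: inspect it by hand
    return policy, "-P %s %s" % (chain, policy)
```

With the sample rules, verdict(SAMPLE_RULES, "198.51.100.7", 8080) lands on the DROP rule, which matches the symptom in the question: a silent timeout with nothing in the Tomcat logs, even though the listener is bound to 0.0.0.0:8080.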