[LON-CAPA-admin] ports for library/access server

Stuart Raeburn raeburn at msu.edu
Thu Sep 5 10:09:48 EDT 2013


> 1. Do both library and access servers need to have all of these ports open?

The following port needs to be configured to be open in your server's  
firewall rules:

80 (and 443 if using Apache/SSL), need to be open for inbound requests  
to the web server.  Port 80 (and 443 if SSL) need to be open for  
inbound traffic from any IP.

Port 8080 is no longer used by LON-CAPA and does not need to be open.

I would recommend opening port 22 (ssh) if you wish to allow ssh  
access for a system administrator.  However, LON-CAPA, per se, does  
not require this port to be open.  You can certainly restrict the IP  
range for which port 22 is open.

As regards port 5663 (which is used for "internal" traffic between  
LON-CAPA servers), that port does not need to be explicitly set to be  
opened for inbound traffic when you configure your server's firewall.

That is because when you run /etc/init.d/loncontrol start or  
/etc/init.d/loncontrol restart to start/restart the LON-CAPA daemons,  
iptables rules will be automatically appended to the existing rules to  
allow inbound traffic on port 5663 from servers in the LON-CAPA network.

There is also a nightly script:

(run as user www -- see entry in: /etc/cron.d/loncapa)

which (amongst other things) updates the iptables rules for port 5663,  
to append rules for any new servers added to the cluster.

(The hostnames of servers in your cluster are retrieved from one of  
the servers listed at the top of the file:  
/home/httpd/lonTabs/hosts.tab.  For a LON-CAPA server in the  
production cluster, these will be the authoritative "LON-CAPA DNS"  
servers sun by the following LON-CAPA Academic Consortium members:  

You will need to allow outbound traffic from port 5663, but it is  
typical that the default firewall rules on a Linux server for outbound  
traffic allow that automatically.

You do not need port 25 open to inbound traffic.

In addition to configuring ports on the server itself you may also  
need to ask your network administrators to configure any network rules  
they maintain to allow inbound/outbound traffic to/from your server on  
port 5663.

Stuart Raeburn
LON-CAPA Academic Consortium

Quoting "Moore, Nathan T" <NMoore at winona.edu>:

> Apologies if this is a common question.
> I am setting up a lon-capa library and access server.  From the
> documentation, it looks like the necessary ports to be part of the network
> are:
> 80, 8080, 5663, 22, 25
> 1. Do both library and access servers need to have all of these ports open?
> 2. Can any of these ports be restricted to a subset of IP's, e.g. Only
> computers from within my institution, or only other library servers?  My
> IT department is nervous about opening these ports to the whole world and
> would like to restrict them, if possible.
> Thanks!
> Nathan Moore
> --
> -- -- -- -- -- -- -- --
> Dr. Nathan Moore
> Physics, Winona State University
> Winona, MN
> nmoore at winona.edu
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin

More information about the LON-CAPA-admin mailing list