Firewall ports for remote debugging

[rbranha]

I have successfully installed Zend Debugger on my Linux development machine. I have also opened a remote debugging session in Zend Studio v6.1 from a PC on the same network. I can step through the code just as expected.

My problem is with opening a remote debugging session from outside of my network. I can open pages on the server using a browser, but I get an error when I click the "Test Debugger" button in Zend Studio. On the firewall for the server's network I have forwarded ports 10000 and 10137 to the server. Do I need to open ports on the firewall for the network where the client resides?

[emanuelt]

Hello rbranha,

To get debugging working you should allow the following connections in your router/firewall:
- source - studio:any ; destination - server:80
- source - server:any ; destination - studio:10137

The debug session evolves, in the simplest case, in this way:
1. Zend Studio sends an HTTP request for a .php file to the debug server, with GET parameters,
that define the address and the listening port of Zend Studio
(e.g.: http://server:80/test.php?start_debug=1 ... port=10137)
2. The web server (e.g. Apache) engages PHP engine to process the .php file.
3. Zend Debugger (hooked onto the PHP engine) interrupts the script execution and parses GET parameters.
4. Zend Debugger verifies the debug_host value against the zend_debugger.allow_hosts value of php.ini.
5. Zend Debugger (using a random port on the server) requests a Debug Protocol connection from Zend Studio on the IP address and port specified in GET parameters.
6. Zend Studio returns an acknowledgment and the debug session starts.
7. Upon debug session end, PHP returns to Apache the result of the script execution.
8. Apache returns HTTP reply to Zend Studio.

Please note, that following the standard client-server definition, in steps 5 and 6, Zend Studio is the server, and Zend Debugger is the client.


You can use the tunneling method in order to preform such a connection.
You can find more information about working with tunneling in ZS4E at:
Help => Help Contents => Search for - "Tunnel".



Regards,
Emanuel Taboch
Zend Technical Support Engineer.

[rbranha]

Emmanuelt,

Thanks for your response. Just to make sure I understand, let me restate your explanation:

Zend Studio (client) sends debug request to Zend Debugger via the web server (server) over port 80. This request is handled by dummy.php.
After processing the debug request, Zend Debugger becomes the client and opens a connection on port 10137 to Zend Studio (which is now the server) over which it communicates debug information.

If my understanding is correct, I'll need to forward port 10137 to my Zend Studio machine. Is this right?

How are requests from multiple Zend Studio sessions handled? Would I open multiple firewall ports and assign a port to each Zend Studio install?

[hornetbzz]

Question summary :

1) What are the required exact firewall settings to succeed in remote debugging ?
2) On top of the GUI, can I access to more detailed logs in order to understand why it's not working ?
3) Do Eclipse PDT integrated Zend Studio need a localhost server for being able to receiving the remote server messages ?

Hum I'm aware this is a pure noob question and may mixing firewall and routing issues or missing a configuration point in the Zend Debugger.
So I apologize in advance.

I read quite carefully this thread above as well as the detailed installation sticky notes and some notes about the SmoothWallExpress firewall settings like this, that and those but still could not answer to my point on my own (after reading and trying too..).

So here is what I'd like to achieve with SWE3.0 but I could not succeed till now.
Actually I doubt if it's possible with SWE "only" or if I shall use additionnal strategy/tools.

0) Zend Debugger and Eclipse PDT/ZendStudio Debug and PHP server Settings
I assume now the settings are correct as I just followed the sticky notes and get a pretty similar result.
Anyway I detailed them here.

1) NETWORK CONFIGURATION
Network :
ISP => DMZ => RED / SWE (subnet 0) => ORANGE (subnet 1) , GREEN (subnet 2).
all machines are running under various Linux OS.

GREEN :
Several machines but 1 machine (called "A") set up with Eclipse PDT (ie including Zend Studio Open Source), aiming to debug local code from GREEN to a remote server located on LAN (ORANGE), and another one on the WAN (so exiting through RED).

ORANGE :
Several machines but 1 (called "machine "B") hosting a web server that I would like to develop and debug remotely from GREEN. This server is running Apache 2.2, PHP5.3.2 and Zend Debugger v5.2. Machine "A" is allowed to access the web server and zend debugger by the Apache and PHP configuration setup.

RED
let say some home machines (wife, children, gran'ma..)

2) NEED TO
From the previous post, I understand the following :
a) GREEN : "any ports" allowed from machine "A" to ORANGE machine "B" on port 80
b) ORANGE: "any ports" allowed from machine "B" to GREEN machine "A" port 10137 (ie zend debugger return)
c) External WAN IP identified machines (let's call them machine "C") shall be able to access the ORANGE Machine "B" and getback informations on their port 10137.
I don't think this is a routing issue anyway I still doubt whether I should "route add" these on top of allowing these routes.

Could you pls confirm what firewall ports are needed to access :
(I mean that "any" is not a real satisfactory response, as I can't translate it into a configuration action)

3) TRIED TO

31) Trying to port forward between GREEN and ORANGE using the Web interface :

Incoming Rules:
Green subnet1 : High Ports range => Orange machine B : port 80
Orange machine B : High ports => Green Machine A : port 10137

Result: not working
Machine A Eclipse Test debugger msg: no connectivity from debugger to client machine A
Machine B Apache Error logs : [Zend Debugger] Cannot connect to host "machine A"

32) Trying to open pinholes between the 2 subnets GREEN and ORANGE
SWE documentation is saying :

The standard configuration, without any pinholes setup, is as follows:
Green can talk to purple and orange
Purple can talk to orange
Orange can talk to nothing
By default all interfaces can talk to red and the Internet. This will depend, of course, on how you configure outgoing filtering.

From these assessments, I understand I shall also allow Orange to talk with Green and allow GREEN/ORANGE to get out on ports 80 and High Ports, adding the following rules to the previous ones :

Outgoing Rules :
Green:High Ports range allowed to exit
Green:Web Ports allowed to exit
Orange:High Ports allowed to exit
Result: not working, no more effect than the previous rules set

Internal Rules :
Orange to Green on port 10137
Result: still not working even if there the connection between machine B and machine A looks now established
Machine A Eclipse Test debugger msg: Success
Machine B Apache Error logs :[Zend Debugger] Cannot send message

33) Revert to the only effecting rules, ie INTERNAL pinholes between the 2 subnets GREEN and ORANGE
Removing step by step all other rules (Incoming and Outgoing) does not change anything in the results of that kind of design of experiment.

Adding an additional rule, symetric of the single remaining rule like :
Green to Orange on port 10137
Result: still not working even if there the connection between machine B and machine A looks now established and Machine B Apache server looks now happy
Machine B Apache Error logs : no more msg "[Zend Debugger] Cannot send message"

Conclusion of this long assessments :
For sure I'm missing some points as it's still not working.
Any experience on a similar configuration would be more than appreciated.
Thx in advance

[rbzend]

Before we dive into this rainbow of zones, please try this way - Connecting Zend Studio to Zend Debugger over an SSH Tunnel.

Let me know about the result.

[hornetbzz]

Thx for this link that I already saw. But I tried it now :-)

All steps have been completed with success :

From the remote server machine tunneled with the client machine :
netstat -tln | grep :10137
tcp 0 0 127.0.0.1:10137 0.0.0.0:* LISTEN
tcp6 0 0 ::1:10137 :::* LISTEN

Apache log is not returning any error anymore after restart and Test Debug.

Sending http://www.test.dev/test_remote_debug/f ... on_id=1009

Both client and server are still returning the same error:

Eclipse PDT internal browser (same using external browser)
Error 404

Apache logs
[Wed Jun 30 22:06:34 2010] [error] [client 192.168.X.X] File does not exist: /home/www/test/test_remote_debug

Here we are.

[hornetbzz]

Provided the ssh tunnel does not change the result, what shall I do more to get it working ?

[rbzend]

The error message doesn't seem to be connected to debugging. Also, the debug_host in the URL you provided is strange. There should be no '+'. Check the settings in Zend Studio (Window | Preferences, PHP | Debug | Installed Debuggers, Zend Debugger).

[hornetbzz]

Thx looking on thousands of posts, I also noticed this strange "+" in th URL. The 2 IP's are separated by a comma in the windows/php/debug/installed debuggers configuration, as per attached. I also tried with a space, but keeping the same issue, so I reverted back to the comma.

But I guess the explanation is that this "+" is not in the PDT URL but because of phpbb. If I copy/paste the url straight from PDT and add a "_" in the forum thread, I have this:

"_http://www.test.dev/test_remote_debug/form1.php?debug_host=192.168.2.1%2C127.0.0.1&start_debug=1&debug_port=10137&original_url=http%3A%2F%2Fwww.test.dev%2Ftest_remote_debug%2Fform1.php&send_sess_end=1&debug_stop=1&debug_start_session=1&debug_no_cache=1278069182192&debug_session_id=1006"

But if I copy the same file to both the workspace AND the website, and remove the local path directory from the url, then the debug session is starting. But that's not "remote debugging" I assume.

[hornetbzz]

Now things sound a bit different :

New status
I have changed some firewall rules to allow outgoing communications for both machines (ie client and server) on the debug port (default port=10137 but can be changed in the debug client as well as on the server and firewall). From there, I get no more Apache logs error at least for this try.

BUT:
I can't debug a remote file. The debug process is started only if the local file to debug is also located on the server side. And as shown on the snap shot, I have to change manually the url, removing the local directory and adress directly the server file, otherwise I just get an error 404.

Capture.png (112.19 KiB) Viewed 3935 times

Debugger and server are both set up properly I guess.

Could you pls tell me what could be wrong again ?