httpd-users mailing list archives

From Tim Dunphy <bluethu...@gmail.com>
Subject Re: [users@httpd] apache 2.4 allow by IP
Date Thu, 19 Mar 2015 20:26:28 GMT
This is what I'm seeing in the error logs:

[Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid
140005409228544] [client 216.178.108.232:63636] AH01630: client denied by
server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status

But that error seems to be referencing another VHOST:


#Mod_status config
    ExtendedStatus on
<Location /server-status>
    SetHandler server-status
    Require ip 10.10.10.5
    #Require all granted
</Location>

<VirtualHost *>
    ServerAdmin     webmaster@somewhere.com
    DocumentRoot    /opt/apache2/htdocs/hcphp.nbc.com
    ServerName      hcphp.nbc.com
    ServerAlias     phphc.nbc.com 10.10.10.5  uszwsls00015la.dmz.tfayd.com
<Directory /*>
        AddHandler cgi-script .cgi
        Options -Indexes +FollowSymLinks +ExecCGI +Includes
        AllowOverride All
        Require all granted
</Directory>
     RewriteEngine On
     RewriteCond %{REQUEST_METHOD} ^TRACE
     RewriteRule .* - [F]
     ExpiresActive On
     ExpiresDefault "access plus 30 minutes"
 </VirtualHost>

I'm still not sure why this is happening. Any help/clues would be
appreciated!

Tim

On Thu, Mar 19, 2015 at 3:42 PM, Daniel <dferradal@gmail.com> wrote:

>
>
>
>
>>
>> On 3/19/2015 1:24 PM, Daniel wrote:
>>
>>
>>
>> 2015-03-19 18:06 GMT+01:00 Robert Webb <rwebb@ropeguru.com>:
>>
>>> I don't agree with your analysis.
>>>
>>> <ul><li><a href="healthcheck.php"> healthcheck.php</a></li> is an href
>>> inside an html page that does nothing until clicked on by the client.
>>>
>>> This is all assuming that the access denied he is getting is from
>>> http://$(hostname -i)/server-status and "server-status" is the html
>>> page of the code he posted. Not when clicking on the healthcheck.php href
>>> link.
>>>
>>>
>>> Robert
>>>
>>>
>>> On Thu, 19 Mar 2015 17:57:09 +0100
>>>  Daniel <dferradal@gmail.com> wrote:
>>>
>>>>  2015-03-19 17:41 GMT+01:00 Tim Dunphy <bluethundr@gmail.com>:
>>>>
>>>>    Hey all,
>>>>>
>>>>>  I'm attempting to setup the server-status module and limit access to
>>>>> it
>>>>> by IP.
>>>>>
>>>>> So I have this block in my apache configuration file:
>>>>>
>>>>> #Mod_status config
>>>>>     ExtendedStatus on
>>>>> <Location /server-status>
>>>>>     SetHandler server-status
>>>>>     Require ip 10.10.10.5 127.0.0.1
>>>>> </Location>
>>>>>
>>>>> And if I do a GET by IP, I'm getting permission denied
>>>>>
>>>>> [root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status
>>>>> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
>>>>> <html>
>>>>>  <head>
>>>>>   <title>Index of /</title>
>>>>>  </head>
>>>>>  <body>
>>>>> <h1>Index of /</h1>
>>>>> <ul><li><a href="healthcheck.php"> healthcheck.php</a></li>
>>>>> </ul>
>>>>> </body></html>
>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>> <html><head>
>>>>> <title>403 Forbidden</title>
>>>>> </head><body>
>>>>> <h1>Forbidden</h1>
>>>>>  *<p>You don't have permission to access /server-status*
>>>>> on this server.<br />
>>>>> </p>
>>>>> </body></html>
>>>>>
>>>>> Can someone please let me know where I'm going wrong?
>>>>>
>>>>> Thanks
>>>>> Tim
>>>>>
>>>>> --
>>>>> GPG me!!
>>>>>
>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>>
>>>>>
>>>>>  Hello,
>>>>
>>>> This should give you a tip:
>>>> <h1>Index of /</h1>
>>>> <ul><li><a href="healthcheck.php"> healthcheck.php</a></li>
>>>> <-------------
>>>> which has nothing to do with server-status
>>>>
>>>> make sure you are accessing the correct virtualhost
>>>>
>>>> --
>>>>  *Daniel Ferradal*
>>>> IT Specialist
>>>>
>>>> email         dferradal@gmail.com
>>>> linkedin     es.linkedin.com/in/danielferradal
>>>>
>>>
>>>
>>>
>>  Should that be the case he still needs to check the error.log
>>
>>
>>  --
>>    *Daniel Ferradal*
>> IT Specialist
>>
>>      email         dferradal@gmail.com
>>     linkedin     es.linkedin.com/in/danielferradal
>>
>> 2015-03-19 20:33 GMT+01:00 Larry Irwin <larry.irwin@ccamedical.com>:
>>
>>> How about using this within a Directory entry:
>>>                 Order deny,allow
>>>                 Deny from all
>>>                 # Private IP ranges
>>>                 Allow from 127.0.0.1/32
>>>                 Allow from 10.0.0.5/32
>>> And then add the server status are under that Directory...
>>> Wouldn't that do it?
>>>
>> --
>> Larry Irwin
>> V.P. Development
>> CCA Medical
>> Ph: 864-233-2700 ext 225
>> Fax: 864-271-1755
>> Cell: 864-525-1322
>> Email: larry.irwin@ccamedical.com
>>
>>
> He is using Require, so 2.4.x. Using deprecated directives in 2.4 is not
> recommended.
>
> The server-status uri will be a virtual path when you define the handler
> for it, not a real directory, so the logical way is calling it Location.
>
> Also if you need to define ranges in 2.4 (not sure about 2.2 now) I don't
> think you need to use CIDR notation, even less if you use /32 hostmask
> which is the same as the IP alone. In 2.4 with Require you can even just
> specify part of the ip to define ranges: aka "Require ip 10" to allow
> 10.0.0.0/8.
>
> He needs to check source ip and error.log to know why he is being denied
> access.
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email         dferradal@gmail.com
> linkedin     es.linkedin.com/in/danielferradal
>



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
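
Added example, not part of the original thread: a small Python check that pulls the client address out of an AH01630 denial line like the one quoted above and tests it against a list of `Require ip` arguments, covering the full-address, partial-address ("Require ip 10") and CIDR forms mentioned in the replies. The function names are hypothetical; the sample log line is the one from this message, re-wrapped as in the mail.

```python
import ipaddress
import re

# The denial line quoted in this message (wrapped by the mail client).
SAMPLE = """[Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid
140005409228544] [client 216.178.108.232:63636] AH01630: client denied by
server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status"""

# authz_core denial format: [client ADDR:PORT] AH01630: ... : PATH
AH01630 = re.compile(
    r"\[client (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\] AH01630: "
    r"client denied by server configuration: (?P<path>\S+)"
)

def parse_denial(line):
    """Return (client_ip, path) from an AH01630 line, or None."""
    # Collapse whitespace so a line wrapped by mail or a pager still matches.
    m = AH01630.search(" ".join(line.split()))
    return (m.group("ip"), m.group("path")) if m else None

def require_ip_network(arg):
    """Convert one 'Require ip' argument into an ip_network.

    Accepts a full address, CIDR, address/netmask, and the partial IPv4
    form ('10' or '10.1'), which stands for the whole prefix.
    """
    if "/" not in arg and ":" not in arg:
        octets = arg.rstrip(".").split(".")
        if len(octets) < 4:
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            arg = f"{padded}/{8 * len(octets)}"
    return ipaddress.ip_network(arg, strict=False)

def explain(line, require_args):
    """Report which Require ip arguments, if any, cover the logged client."""
    parsed = parse_denial(line)
    if parsed is None:
        return None
    client, path = parsed
    addr = ipaddress.ip_address(client)
    hits = [a for a in require_args if addr in require_ip_network(a)]
    return {"client": client, "path": path, "allowed_by": hits}

if __name__ == "__main__":
    # Require list from the <Location /server-status> block in this message.
    print(explain(SAMPLE, ["10.10.10.5"]))
```

An empty `allowed_by` list means the address Apache saw for the request is not covered by any of the listed `Require ip` arguments.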
