BigRat

client denied by server configuration

I have installed an SSL server and made my own certificate. Now I want to redirect via proxy requests to an Apache server to the SSL server (from LAN over public domain back to LAN).

When I enter a request in the browser I get :-

[Tue Feb 25 18:27:02 2003] [error] [client 128.40.1.14] client denied by server configuration: proxy:https://128.40.10.10/index.S

Apache is configured as follows :-

RewriteEngine on
RewriteLog logs/rewrite
RewriteRule  ^(/.+)\.S$ https://128.40.10.10$1.S [P,L]

# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
    ProxyRequests On

    <Directory proxy:*>
        Order deny,allow
        Deny from all
        Allow from rd
    </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
    ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
#    CacheRoot "D:/usr/local/portal/Apache/proxy"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a_domain.com another_domain.edu joes.garage_sale.com

</IfModule>
# End of proxy directives.

I can't find any reference to the incoming request on the https machine. Where do I start looking for the error?
samri

It looks like your proxy configuration;

   <Directory proxy:*>
       Order deny,allow
       Deny from all
       Allow from rd
   </Directory>

is restricting the access.

I would suggest that you allow all first (or hardcode your IP address 128.40.1.14 in the allow list).

Hope this works.
BigRat (ASKER)

I have changed the directives to :-

<Directory proxy:*>
      Order deny,allow
      Allow from all
</Directory>

and still getting a 403 Forbidden (in access log but not in error log).
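
What the change above does to the forward proxy's access control, as an added example that is not part of the original thread: a small Python check that evaluates `ProxyRequests` together with the `Order`/`Allow`/`Deny` rules of the `<Directory proxy:*>` block. The function name and the three result labels are assumptions of this example, and the two inputs are constructed from the blocks posted above.

```python
import re

def forward_proxy_exposure(conf):
    """Classify an Apache 1.3-style config as 'off', 'restricted' or 'open'.

    Only ProxyRequests and the <Directory proxy:*> block are examined; with no
    such block there is no proxy-specific restriction, so the result is 'open'.
    """
    lines = [l.strip() for l in conf.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if not any(re.fullmatch(r"ProxyRequests\s+On", l, re.I) for l in lines):
        return "off"
    order, allows, denies, in_block = "deny,allow", set(), set(), False
    for l in lines:
        if re.fullmatch(r'<Directory\s+"?proxy:\*"?\s*>', l, re.I):
            in_block = True
        elif re.fullmatch(r"</Directory>", l, re.I):
            in_block = False
        elif in_block:
            m = re.fullmatch(r"(Order|Allow|Deny)\s+(?:from\s+)?(.+)", l, re.I)
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2).lower()
            if key == "order":
                order = value.replace(" ", "")
            else:
                (allows if key == "allow" else denies).update(value.split())
    if order == "deny,allow":      # default allow: Deny first, Allow overrides
        any_client = "all" in allows or "all" not in denies
    else:                          # allow,deny / mutual-failure: default deny
        any_client = "all" in allows and "all" not in denies
    return "open" if any_client else "restricted"

# Constructed from the two versions of the block posted in this thread.
ORIGINAL = """
ProxyRequests On
<Directory proxy:*>
    Order deny,allow
    Deny from all
    Allow from rd
</Directory>
"""
CHANGED = ORIGINAL.replace("    Deny from all\n    Allow from rd", "    Allow from all")

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("changed", CHANGED)):
        print(name, "->", forward_proxy_exposure(conf))
```

With `ProxyRequests On`, the changed block leaves the forward proxy usable by any client that can reach the server, so a troubleshooting change like this one should be reverted to an allow-list once the test is done.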
OK. Could you post the line from access.log?
BigRat (ASKER)

Access log entry. The Apache is 1.3.27 on a Win2K machine. I'm also using IE 6.0 on the same machine and wanting to https to the 128.40.10.10 machine which has a correctly installed Apache waiting on port 443. The rewrite rule has been changed to recognize a double S on the URL so that we can independently test (normal URLs have just one S on the end). If I change the entry to use http instead of https it all works fine - no problems relating to permissions.

127.0.0.1 - - [26/Feb/2003:18:35:23 +0100] "GET /index.SS HTTP/1.0" 403 269

I have searched around in Google groups and found one entry which said it isn't supported. I also found one in New Zealand which said he had achieved it. I have sent them mails but so far no response.

The New Zealand one talked about mod_rproxy (is this a spelling mistake?).

I'm going to install 1.2.xx for Windows on my machine and try that. I'll post a response later.
ASKER CERTIFIED SOLUTION
samri

This solution is only available to members.
BigRat (ASKER)

samri,

the chap here who's doing this is away this week, but it looks promising. I'll get back to you next week.
Sure pal.

Take your time (no big hurry, right ;)

BigRat (ASKER)

Well, he's introduced a virtual host on 443 into the "proxy" server with the same rewrite rule sending the request onwards.

<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName nemo.rd
ServerAdmin root@nemo.rd
ErrorLog /usr/local/apache/logs/error_log    
TransferLog /usr/local/apache/logs/access_log
RewriteEngine on
RewriteLog logs/rewrite
RewriteLogLevel 0
RewriteRule ^(/.+)\.S$ https://128.40.3.1/$1.S [P,L]

</VirtualHost>

There is an identical rewrite for http. We also had to listen on both ports :-

Port 80
     
##
##  SSL Support
##
##  When we also provide SSL we have to listen to the
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

and this configuration works.

Pity it's not documented somewhere.

I'll give you the points anyway for your help.
BigRat (ASKER)

An alternative, but proxy goes anyway.
BigRat,

Thanks for the pts, and apologies for not being able to give you a "bulletproof" solution.

I would agree that Apache is a bit lacking in documentation.  However, if you look back at http://httpd.apache.org/docs/, it should cover most of the basic knowledge that you need to know.

In most cases, the docs (and the directive could be nested).  IMHO, to be comfortable with Apache one would need to experiment a bit; a combination of modules and directives would get the job done.

Back to your case, you could have the same Vhost, and have it do a proxy request to the backend server.
(I think this should also work -- but never tried it).

..
ProxyPass          /   https://128.40.3.1/
ProxyPassReverse   /   https://128.40.3.1/
BigRat (ASKER)

These two directives just rewrite Location headers which we do not use. They do not rewrite Cookies, which would be much more useful. In any event the https usage is just as a secure medium - the data gets presented to the App server just as if it came via http.

It seems however that mod_proxy cannot work in forwarding mode unless mod_ssl is installed.