client denied by server configuration

I have installed an SSL server and made my own certificate. Now I want to redirect via proxy requests to an Apache server to the SSL server (from LAN over public domain back to LAN).

When I enter a request in the browser I get :-

[Tue Feb 25 18:27:02 2003] [error] [client 128.40.1.14] client denied by server configuration: proxy:https://128.40.10.10/index.S

Apache is configured as follows :-

RewriteEngine on
RewriteLog logs/rewrite
RewriteRule  ^(/.+)\.S$ https://128.40.10.10$1.S [P,L]

# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
    ProxyRequests On

    <Directory proxy:*>
        Order deny,allow
        Deny from all
        Allow from rd
    </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
    ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
#    CacheRoot "D:/usr/local/portal/Apache/proxy"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a_domain.com another_domain.edu joes.garage_sale.com

</IfModule>
# End of proxy directives.

I can't find any reference to the incoming request on the https machine. Where do I start looking for the error?
Asked by: BigRat

samri Commented:

It looks like your proxy configuration;

   <Directory proxy:*>
       Order deny,allow
       Deny from all
       Allow from rd
   </Directory>

is restricting the access.

I would suggest that you try to allow all first (or hardcode your IP address 128.40.1.14 in the allow list).

Hope this works.

BigRat (Author) Commented:
I have changed the directives to :-

<Directory proxy:*>
      Order deny,allow
      Allow from all
</Directory>

and still getting a 403 Forbidden (in access log but not in error log).
0
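An added check, not part of the original thread: with `ProxyRequests On`, the `<Directory proxy:*>` block is the only access control on the forward proxy, so a block relaxed to `Allow from all` for testing leaves the proxy usable by any client that can reach the server. The Python below applies Apache 1.3's Order/Allow/Deny rules to a config and reports that state; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the proxy section as it stood after "Allow from all".
RELAXED = """
ProxyRequests On
<Directory proxy:*>
    Order deny,allow
    Allow from all
</Directory>
"""

def unlisted_client_allowed(directives):
    """Apply Apache 1.3 Order/Allow/Deny rules to a client matching only 'all'."""
    order, allow_all, deny_all = "deny,allow", False, False  # Apache's default Order
    for d in directives:
        if d[0] == "order":
            order = "".join(d[1:])
        elif d[:2] == ["allow", "from"]:
            allow_all = allow_all or "all" in d[2:]
        elif d[:2] == ["deny", "from"]:
            deny_all = deny_all or "all" in d[2:]
    if order == "deny,allow":  # Allow overrides Deny; no match means allowed
        return allow_all or not deny_all
    return allow_all and not deny_all  # allow,deny / mutual-failure: no match means denied

def forward_proxy_exposure(conf_text):
    """Return 'off', 'restricted' or 'open' for the forward proxy in conf_text."""
    lines = [l.strip() for l in conf_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if not any(re.fullmatch(r"ProxyRequests\s+On", l, re.I) for l in lines):
        return "off"
    block, last = None, None
    for l in lines:
        if re.fullmatch(r'<Directory\s+"?proxy:\*"?\s*>', l, re.I):
            block = []
        elif block is not None and l.lower() == "</directory>":
            block, last = None, block
        elif block is not None:
            block.append(l.lower().split())
    # Assumption: with several proxy:* blocks the last one is the effective one.
    if last is None or unlisted_client_allowed(last):
        return "open"
    return "restricted"

if __name__ == "__main__":
    print(forward_proxy_exposure(RELAXED))
```

Run against the configuration in the question (`Deny from all`, `Allow from rd`) it reports `restricted`; once testing is done, that block or `ProxyRequests Off` is the state to return to.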
 
samri Commented:
OK. Could you post the line from access.log?
 
BigRat (Author) Commented:
Access log entry. The Apache is 1.3.27 on a Win2K machine. I'm also using IE 6.0 on the same machine and wanting to https to the 128.40.10.10 machine which has a correctly installed Apache waiting on port 443. The rewrite rule has been changed to recognize a double S on the URL so that we can independently test (normal URLs have just one S on the end). If I change the entry to use http instead of https it all works fine - no problems relating to permissions.

127.0.0.1 - - [26/Feb/2003:18:35:23 +0100] "GET /index.SS HTTP/1.0" 403 269

I have searched around in Google groups and found one entry which said it isn't supported. I also found one in New Zealand which said he had achieved it. I have sent them mails but so far no response.

The New Zealand one talked about mod_rproxy (is this a spelling mistake?).

I'm going to install 1.2.xx for Windows on my machine and try that. I'll post a response later.

samri Commented:
BigRat,

I would agree that the mod_proxy that comes with Apache is pretty much limited.

Have you considered using a 3rd-party proxy module:

http://search.cpan.org/author/CGILMORE/Apache-ProxyRewrite-0.17/ProxyRewrite.pm
http://search.cpan.org/author/CLINTDW/Apache-ReverseProxy-0.06/lib/Apache/ReverseProxy.pm

Apologies for not being able to provide a direct solution (and for "diverting" the discussion to an alternate "approach").

Cheers.

BigRat (Author) Commented:
samri,

The chap here who's doing this is away this week, but it looks promising. I'll get back to you next week.

samri Commented:
Sure, pal.

Take your time (no big hurry, right ;)

BigRat (Author) Commented:
Well, he's introduced a virtual host on 443 into the "proxy" server with the same rewrite rule sending the request onwards.

<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName nemo.rd
ServerAdmin root@nemo.rd
ErrorLog /usr/local/apache/logs/error_log    
TransferLog /usr/local/apache/logs/access_log
RewriteEngine on
RewriteLog logs/rewrite
RewriteLogLevel 0
RewriteRule ^(/.+)\.S$ https://128.40.3.1/$1.S [P,L]

</VirtualHost>

There is an identical rewrite for http. We also had to listen on both ports :-

Port 80
     
##
##  SSL Support
##
##  When we also provide SSL we have to listen to the
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

and this configuration works.

Pity it's not documented somewhere.

I'll give you the points anyway for your help.

BigRat (Author) Commented:
An alternative, but proxy goes anyway.

samri Commented:
BigRat,

Thanks for the pts, and apologies for not being able to give you a "bulletproof" solution.

I would agree on the fact that Apache is a bit lacking in documentation.  However, if you look back at http://httpd.apache.org/docs/, it should cover most of the basic knowledge that you need to know.

In most cases, the docs (and the directive could be nested).  IMHO, to be comfortable with Apache one would need to experiment a bit: a combination of modules and directives would get the job done.

Back to your case, you could have the same Vhost, and have it do a proxy request to the backend server.
(I think this should also work -- but never tried it).

..
ProxyPass          /   https://128.40.3.1/
ProxyPassReverse   /   https://128.40.3.1/

BigRat (Author) Commented:
These two directives just rewrite Location headers, which we do not use. They do not rewrite cookies, which would be much more useful. In any event the https usage is just as a secure medium - the data gets presented to the App server just as if it came via http.

It seems however that mod_proxy cannot work in forwarding mode unless mod_ssl is installed.