Solved

client denied by server configuration

Posted on 2003-02-25
Last Modified: 2011-08-18
I have installed an SSL server and made my own certificate. Now I want to redirect via proxy requests to an Apache server to the SSL server (from LAN over public domain back to LAN).

When I enter a request in the browser I get :-

[Tue Feb 25 18:27:02 2003] [error] [client 128.40.1.14] client denied by server configuration: proxy:https://128.40.10.10/index.S

Apache is configured as follows :-

RewriteEngine on
RewriteLog logs/rewrite
RewriteRule  ^(/.+)\.S$ https://128.40.10.10$1.S [P,L]

# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
    ProxyRequests On

    <Directory proxy:*>
        Order deny,allow
        Deny from all
        Allow from rd
    </Directory>

    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
    ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
#    CacheRoot "D:/usr/local/portal/Apache/proxy"
#    CacheSize 5
#    CacheGcInterval 4
#    CacheMaxExpire 24
#    CacheLastModifiedFactor 0.1
#    CacheDefaultExpire 1
#    NoCache a_domain.com another_domain.edu joes.garage_sale.com

</IfModule>
# End of proxy directives.

I can't find any reference to the incoming request on the https machine. Where do I start looking for the error?
0
Question by:BigRat
12 Comments
 
LVL 15

Expert Comment

by:samri
ID: 8023816

It looks like your proxy configuration;

   <Directory proxy:*>
       Order deny,allow
       Deny from all
       Allow from rd
   </Directory>

is restricting the access.

I would suggest that you allow all first (or hardcode your IP address 128.40.1.14 in the allow list).

Hope this works.
0
 
LVL 27

Author Comment

by:BigRat
ID: 8025871
I have changed the directives to :-

<Directory proxy:*>
      Order deny,allow
      Allow from all
</Directory>

and still getting a 403 Forbidden (in access log but not in error log).
0
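Added example (not part of the thread and not Apache's own code): a small Python model of how mod_access evaluates Order/Allow/Deny, applied to the two <Directory proxy:*> blocks quoted above. The function names, the hostname host.rd and the outside address 203.0.113.9 are constructed for illustration; the model covers only the access-control decision, not whether mod_proxy can reach an https backend.

```python
import ipaddress
import re

def host_matches(spec, ip, hostname=None):
    """Match one 'from' argument as the mod_access documentation describes."""
    spec = spec.lower()
    if spec == "all":
        return True
    if spec[0].isdigit():
        if "/" in spec:  # CIDR or network/netmask
            return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
        want = spec.rstrip(".").split(".")  # full or partial IP, whole octets only
        return ip.split(".")[:len(want)] == want
    if hostname is None:  # name-based rule, but the client has no resolved name
        return False
    suffix = spec.lstrip(".")  # domain match on whole labels only
    return hostname.lower() == suffix or hostname.lower().endswith("." + suffix)

def parse_block(text):
    """Extract (order, [(kind, spec), ...]) from the body of a <Directory> block."""
    order, rules = "deny,allow", []  # Apache's default Order is deny,allow
    for line in text.splitlines():
        m = re.match(r"\s*(order|allow\s+from|deny\s+from)\s+(.+)", line, re.I)
        if not m:
            continue
        key, value = m.group(1).lower().split()[0], m.group(2).strip()
        if key == "order":
            order = value.lower().replace(" ", "")
        else:
            rules += [(key, s) for s in value.split()]
    return order, rules

def is_allowed(block, ip, hostname=None):
    order, rules = parse_block(block)
    allow = any(k == "allow" and host_matches(s, ip, hostname) for k, s in rules)
    deny = any(k == "deny" and host_matches(s, ip, hostname) for k, s in rules)
    if order == "deny,allow":  # allowed by default; a matching Allow overrides Deny
        return allow or not deny
    if order == "allow,deny":  # denied by default; a matching Deny overrides Allow
        return allow and not deny
    raise ValueError("unsupported Order: " + order)

# The two blocks as posted in the thread.
ORIGINAL = "Order deny,allow\nDeny from all\nAllow from rd"
CHANGED = "Order deny,allow\nAllow from all"
if __name__ == "__main__":
    print(is_allowed(ORIGINAL, "128.40.1.14"))             # client with no name in rd
    print(is_allowed(ORIGINAL, "128.40.1.14", "host.rd"))  # constructed hostname
    print(is_allowed(CHANGED, "203.0.113.9"))              # constructed outside address
```

Under the original block a client is admitted only if its address resolves to a name in the rd domain. The changed block admits every address, which together with ProxyRequests On lets any client that can reach the server use it as a forward proxy.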
 
LVL 15

Expert Comment

by:samri
ID: 8031072
ok.  could you post the line from access.log
0

 
LVL 15

Expert Comment

by:samri
ID: 8031463
ok.  could you post the line from access.log
0
 
LVL 27

Author Comment

by:BigRat
ID: 8033413
Access log entry. The Apache is 1.3.27 on a Win2K machine. I'm also using IE 6.0 on the same machine and wanting to https to the 128.40.10.10 machine which has a correctly installed Apache waiting on port 443. The rewrite rule has been changed to recognize a double S on the URL so that we can independently test (normal URLs have just one S on the end). If I change the entry to use http instead of https it all works fine - no problems relating to permissions.

127.0.0.1 - - [26/Feb/2003:18:35:23 +0100] "GET /index.SS HTTP/1.0" 403 269

I have searched around in Google groups and found one entry which said it isn't supported. I also found one in New Zealand which said he had achieved it. I have sent them mails but so far no response.

The New Zealand one talked about mod_rproxy (is this a spelling mistake?).

I'm going to install 1.2.xx for Windows on my machine and try that. I'll post a response later.
0
 
LVL 15

Accepted Solution

by:
samri earned 800 total points
ID: 8040764
BigRat,


I would agree that mod_proxy that comes with Apache is pretty much limited.

Have you considered using a 3rd proxy module;

http://search.cpan.org/author/CGILMORE/Apache-ProxyRewrite-0.17/ProxyRewrite.pm
http://search.cpan.org/author/CLINTDW/Apache-ReverseProxy-0.06/lib/Apache/ReverseProxy.pm

Apologies for not being able to provide a direct solution (and "diverting" the discussion to an alternate "approach").

cheers.
0
 
LVL 27

Author Comment

by:BigRat
ID: 8081404
samri,

the chap here who's doing this is away this week, but it looks promising. I'll get back to you next week.
0
 
LVL 15

Expert Comment

by:samri
ID: 8086525
sure pal.

take your time (no big hurry, right ;)

0
 
LVL 27

Author Comment

by:BigRat
ID: 8110629
Well, he's introduced a virtual host on 443 into the "proxy" server with the same rewrite rule sending the request onwards.

<VirtualHost _default_:443>

#  General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName nemo.rd
ServerAdmin root@nemo.rd
ErrorLog /usr/local/apache/logs/error_log    
TransferLog /usr/local/apache/logs/access_log
RewriteEngine on
RewriteLog logs/rewrite
RewriteLogLevel 0
RewriteRule ^(/.+)\.S$ https://128.40.3.1/$1.S [P,L]

</VirtualHost>

There is an identical rewrite for http. We also had to listen on both ports :-

Port 80
     
##
##  SSL Support
##
##  When we also provide SSL we have to listen to the
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

and this configuration works.

Pity it's not documented somewhere.

I'll give you the points anyway for your help.
0
 
LVL 27

Author Comment

by:BigRat
ID: 8110634
An alternative, but proxy goes anyway.
0
 
LVL 15

Expert Comment

by:samri
ID: 8117937
BigRat,

Thanks for the pts, and apologies for not being able to give you a "bulletproof" solution.

I would agree on the fact that Apache is a bit lacking in documentation.  However, if you look back at http://httpd.apache.org/docs/, it should cover most of the basic knowledge that you need to know.

In most cases, the docs (and the directives could be nested).  IMHO, to be comfortable with Apache one would need to experiment a bit - a combination of modules and directives would get the job done.

Back to your case, you could have the same Vhost, and have it do a proxy request to the backend server.
(I think this should also work -- but never tried it).

..
ProxyPass          /   https://128.40.3.1/
ProxyPassReverse   /   https://128.40.3.1/
0
 
LVL 27

Author Comment

by:BigRat
ID: 8118952
These two directives just rewrite Location headers which we do not use. They do not rewrite Cookies, which would be much more useful. In any event the https usage is just as a secure medium - the data gets presented to the App server just as if it came via http.

It seems however that mod_proxy cannot work in forwarding mode unless mod-ssl is installed.
0
