Solved

HTTP 403 - VPN can't access internal website

Posted on 2017-02-27
Last Modified: 2017-04-03
Have a user who is VPNing into network.  When they do they try to access a site (e.g. internal.mysite.com/items).  They are unable to access the site.  They receive an HTTP 403 error.

The site is hosted on a Linux web server.
Question by:CipherIS
89 Comments
 
LVL 5

Accepted Solution

by:
Colin_UK earned 2000 total points (awarded by participants)
ID: 42026296
Hi,

Does the webserver have any type of IP address restriction either by .htaccess or Server Directives?
If so, depending on your VPN Infrastructure, you may need to add the remote LAN IP to the restrictions.

Hope this helps
Colin
LVL 1

Author Comment

by:CipherIS
ID: 42026413
Can you please explain

"you may need to add the remote LAN IP to the restrictions"

I will look for .htaccess.  How do I find Server Directives?

Thanks
LVL 1

Author Comment

by:CipherIS
ID: 42026414
This is what is in the .htaccess file.

Options -Indexes

RewriteEngine On
RewriteBase /

RewriteRule	^network(.*)$  /modules/network/  [NC]
RewriteRule	^network/(.*)$  /modules/network/$1  [NC]
RewriteRule	^phones(.*)$  /modules/internalpbx/  [NC]
RewriteRule	^phones/(.*)$  /modules/internalpbx/$1  [NC]
RewriteRule	^bsp(.*)$  /modules/bsp/  [NC]

RewriteRule	^itemsregion(.*)$  /modules/itemsregion/  [NC]
RewriteRule	^webissues(.*)$  /modules/webissues/  [NC]

LVL 4

Expert Comment

by:Gammelgaard
ID: 42026461
Make sure the domain-name part of the URL users want to access is the same shown in browser address bar after clicking:
If he wants to access  internal.mysite.com/items it should also show that in browser address bar. I assume he is able to see correct page at  internal.mysite.com/ ?

Also make sure that client can translate domain-name part via his DNS - he should be using internal DNS servers to lookup internal domain-names and hostnames.

If all of these are correct, it might just be a matter of flushing the DNS cache on the client computer - in a Windows terminal:
ipconfig -flushdns
LVL 71

Expert Comment

by:Qlemo
ID: 42026493
Most probably DNS resolution is still external, not internal, as hinted above.
I would test with   nslookup internal.mysite.com    and see to which IP it resolves.
LVL 1

Author Comment

by:CipherIS
ID: 42027455
I don't understand most of what was suggested.  Not a network person.  

User logs into Wifi using the GUEST connection.  
User VPN's into the network.
User attempts to access website and receives below 403 error.

403
I did use nslookup internal.mysite.com and the result was
Server:  Unknown
Address:  xx.xx.x.x

Non-authoritative user:
Name:  internal.mysite.com
Address:  xx.xxx.xxx.xx

The site is on a Linux (Ubuntu) Server.  How can I check to see if the user's IP is blocked.  User is located in another country.
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027481
So you did the nslookup on the machine with the error, right? The IP address is the correct one?

Which web server is running on the Ubuntu? Apache, nginx? You should check the config file for the site, for apache it should be in /etc/apache2/sites-available/your-config-file  
Under the <Directory> setting, it is possible to secure on IP addresses

Also, check if there is a .htaccess file for your site - for apache this should be in /var/www/yoursite/.htaccess
LVL 1

Author Comment

by:CipherIS
ID: 42027500
Yes, nslookup on the machine with error.  I can access the site but I'm internal.  User who is external using VPN can't access the site.

I checked the .htaccess and posted it above.  

How do I check if it is running Ubuntu, Apache?  I believe it is Ubuntu.  The connection was named Ubuntu in FileZilla.

What do you mean by
"it is possible to secure on IP address"?

How can I check to see if the User's IP is blocked from the site?
LVL 1

Author Comment

by:CipherIS
ID: 42027532
What is the difference with getting your IP from ipconfig or going to google and typing "My IP"?

If I check to see if the user's IP is blocked (which I don't know how to do yet), which IP am I checking for?  IPConfig or the google IP?
LVL 1

Author Comment

by:CipherIS
ID: 42027550
Do you add the persons IP with the following command?

iptables -A INPUT -s xxx.xxx.xx.xxx -j ACCEPT    

If you add their IP with the above command and there is a rule that blocks IP's from their country would that enable the user to access the site?
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027551
Your .htaccess file is not blocking

In this file
/etc/apache2/sites-available/your-config-file

it is possible to write code that will allow access to the site based on IP addresses, so check that file

The difference is that ipconfig -all shows the Windows PC's private IP address, corresponding to the local network it is on - the other one is the public IP address.. As he is using VPN, he would likely have an adapter with an IP address given by the VPN server - also a private IP address - this one is the one that should be opened for - if the site is locked on IP addresses.. And this IP will also be shown with ipconfig -all or maybe in the VPN client software
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027555
check your iptables config with
iptables -L

if this is on and configured it might be blocking - iptables is a firewall
LVL 1

Author Comment

by:CipherIS
ID: 42027560
When I check my iptables config with iptables -L, what am I looking for?

I will get the user to run ipconfig on their machine and send me a screenshot.
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027562
well, first of all to see if it is enabled and configured with any rules.. if it just shows something like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Then it is not doing any blocking

If there are IP addresses and port numbers all over, it is, and you would have to make a new rule to support the VPN client subnet
LVL 1

Author Comment

by:CipherIS
ID: 42027569
Ok, thanks.  As soon as I can get access to the server I will try that.

So, if it matches what you provided then it is a firewall issue, yes?
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027571
If it matches what I provided, then it is not an issue with iptables firewall in linux
LVL 1

Author Comment

by:CipherIS
ID: 42027575
Ok, so NOT an iptables firewall issue.

What is the difference between iptables firewall and firewall?
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027578
iptables is just the firewall used on ubuntu and many other linux systems.. just like windows has its own firewall, called Windows Firewall..

hmm.. and you checked the configuration file for your site in the /etc/apache2/sites-available/ folder?
LVL 1

Author Comment

by:CipherIS
ID: 42027581
I'm trying to get to the configuration file.  

I'm using PuTTY to try to connect to the server.

Let me see if I can find the file via FileZilla.
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027584
Also, some more basic troubleshooting:

ping internal.mysite.com

tracert internal.mysite.com

and make sure that the IP address that it writes in the outcomes is the same as you would expect your internal server to use - eg. not a public one
LVL 1

Author Comment

by:CipherIS
ID: 42027586
Using filezilla I checked

www (root)
www/internal.mysite.com (.htaccess is there)
I checked all subfolders under internal.mysite.com and did NOT see a configuration file.
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027589
the one I'm looking for is in

/etc/apache2/sites-available/
LVL 1

Author Comment

by:CipherIS
ID: 42027590
I did perform the ping earlier and that seemed to work.

tracert is complete.

Don't see any issues with either of the two commands.
LVL 1

Author Comment

by:CipherIS
ID: 42027591
Ok, I need to find /etc/apache2/sites-available.

I'll try to find it.  Not showing up in filezilla.
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027592
Alright, and the IP address stems?

Try

telnet internal.mysite.com 80
and
telnet internal.mysite.com 443
LVL 1

Author Comment

by:CipherIS
ID: 42027626
I did

telnet internal.mysite.com 80 and the screen went blank

telnet internal.mysite.com 443 - could not open connection to the host on port 443
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027639
My last shot would be that config file - it could also be this one:

/etc/apache2/apache2.conf

otherwise do:

apache2ctl -S

on the server - you might need sudo in front of the command

and paste the output here
LVL 1

Author Comment

by:CipherIS
ID: 42027651
Ok.  Trying to get the login info and trying to use putty.

In the meantime I had the user run ipconfig.  This is what the user provided.  I should be checking the DNS, correct?  User's DNS is similar to mine.  Starts with 10.

IPConfig
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027663
well, is similar or same?

try from your pc to ask the dns server mentioned in his ipconfig of the ip address:

nslookup internal.mysite.com his.dns.ip.address
LVL 1

Author Comment

by:CipherIS
ID: 42027729
Let's say my ip address is 10.0.0.01, his is 10.0.0.2.

I ran the nslookup internal.mysite.com 10.0.0.2 (example ip) and it returned

Server:  Unknown
Address:  10.0.0.2

Non-authoritative answer:
Name:  internal.mysite.com
Address:  64.xx.xx.xx
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027736
Alright... so 10.0.0.2 is his dns server and 10.0.0.1 is yours?

an address starting with 64 is not an internal private one... is this the ip address you use from your side too?
LVL 1

Author Comment

by:CipherIS
ID: 42027739
When I type nslookup internal.mysite.com with my ip (10.0.0.1 - example)  I receive

Server:  servername(I think).mysite.local
Address:  10.0.0.1

Non-authoritative answer:
Name:  internal.mysite.com
Address:  64.xx.xx.xx

I noticed I used the DCHP server IP and not DNS IP when running my IP
LVL 1

Author Comment

by:CipherIS
ID: 42027742
When I use my DNS IP I get a similar result as the user

Server:  unknown
Address:  10.0.0.1

Non-authoritative answer:
Name:  internal.mysite.com
Address:  64.xx.xx.xx
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027752
Okay

On the computer where you can access the site, do
ping the.server.name.you.want.to.test
and
nslookup the.server.name.you.want.to.test

Compare these, and compare with the ones from the computer that can't reach the site

If all IP addresses are correct, it is not DNS issue

I have to ask, if you are actually trying to reach a site called internal.mysite.com?
LVL 1

Author Comment

by:CipherIS
ID: 42027808
no.  Mysite is replaced with the actual name.  It is internal.xxxxxx.com.
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027813
could you please list results from the commands, for both working and not working machine?
LVL 1

Author Comment

by:CipherIS
ID: 42027815
I don't have access to the users computer but I'm comparing my ipconfig to theirs.

The DNS Server is exactly the same:

10.0.0.1 (example)

The DHCP Server is different

Theirs 172.xx.xx.xx
Mine 10.x.x.x
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027823
we still haven't looked in the apache config file?
LVL 1

Author Comment

by:CipherIS
ID: 42027824
No, trying to log into the server.  Waiting for credentials.
LVL 4

Expert Comment

by:Gammelgaard
ID: 42027826
Alright alright :)
LVL 1

Author Comment

by:CipherIS
ID: 42028079
I was provided the credentials and seem to be having issues logging in with putty.

When I type nslookup internal.mysite.com  I get

Server:  Unknown
Addess: 10.xx.xx.3

Naon-authoritative answer
Name:  internal.mysite.com
Address: 64.xxx.xxx.xxx

When I connect to putty and select an existing profile and load it it states the ip is 10.xx.xx.13.  

Unable to use credentials (access denied via putty.)

I'm told those are the correct credentials but I can't login with them.  I tried typing them in and copy and Right-click for pasting.  No success.
LVL 4

Expert Comment

by:Gammelgaard
ID: 42028097
You probably shouldn't use a profile in putty, but just type in the ip address or hostname and connect directly

Where was this nslookup performed from?
LVL 1

Author Comment

by:CipherIS
ID: 42028104
nslookup is performed from my machine.  The profile in putty was created by someone else.
LVL 4

Expert Comment

by:Gammelgaard
ID: 42028429
I ask you to not use the profile in putty. Just write the IP of the server and hit connect - you know the Ubuntu server IP address, don't you?
LVL 1

Author Comment

by:CipherIS
ID: 42029055
Still trying to get the credentials to log onto the server.
LVL 1

Author Comment

by:CipherIS
ID: 42029060
Yes.  I also tried it without the profile in putty.  I'm getting an access denied with the credentials I was provided.  Still trying to get the correct credentials.  

When I put the IP with port 22 it does provide me with login.
LVL 5

Expert Comment

by:Colin_UK
ID: 42029107
It still sounds like the webserver is responsible for the forbidden message. Could you post your httpd.conf file here?
Will need to list the main httpd.conf and any ssl.conf or virtualhosts.conf if in separate files.

Colin
LVL 1

Author Comment

by:CipherIS
ID: 42029121
I'm trying to get access to the IPTables and files.  I can't see them in Filezilla.  I'm trying to log onto the server.  As soon as I can login I will post those files.

Thanks
LVL 5

Expert Comment

by:Colin_UK
ID: 42029190
oo, my last post didn't appear - I'll say it again, sorry if 2 suddenly appear.

This issue is not firewall (IPtables) as you are getting a valid response from the webserver.
This issue is not routing/DNS related as you are getting a valid response from the webserver.

The response is HTTP 403 which indicates a permissions problem for the requested URL.

If I can see the webserver configuration files (all of them, as this setting can be placed anywhere).
If it's running Apache webserver then the config files are normally named with .conf extensions. Can you post these?

The other piece of info that would be helpful is to know whether the VPN connection is Dial In user or Site-Site type?

Colin
LVL 1

Author Comment

by:CipherIS
ID: 42029250
I'm trying to get the files.

An update.

I had another user who is located in the same office as I attempt to access the website.  He is working remotely today and tried it and he also receives the 403 error.

So, when the user is here he can access the site but when he is connected VPN he receives forbidden.
LVL 1

Author Comment

by:CipherIS
ID: 42029618
Ok, finally got credentials.  Error.log says

[Wed Mar 01 09:26:53.012926 2017] [authz_core:error] [pid 2929] [client xx.xx.xx.xx:1160] AH01630: client denied by server configuration: /home/webserver/www/internal.mysite.com/items

Looking for other files.
LVL 1

Author Comment

by:CipherIS
ID: 42029754
This is the app being used to VPN in.

VPN
LVL 4

Expert Comment

by:Gammelgaard
ID: 42029772
If you have access now, would you please write following commands:

cat /etc/apache2/apache2.conf
ls /etc/apache2/sites-enabled

and post both outputs here
LVL 1

Author Comment

by:CipherIS
ID: 42029791
cat /etc/apache2/apache2.conf
Result -> Permission Denied

ls /etc/apache2/sites-enabled
Result -> 000-default.conf
LVL 4

Expert Comment

by:Gammelgaard
ID: 42029797
Okay, put 'sudo' in front of the first command, without the '

And also show us output of

sudo cat /etc/apache2/sites-available/000-default.conf
LVL 1

Author Comment

by:CipherIS
ID: 42029821
000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

LVL 4

Expert Comment

by:Gammelgaard
ID: 42029824
And the other file please
LVL 1

Author Comment

by:CipherIS
ID: 42029834
Here is the other (attached).  I saw in the text file the following.  (Changed some values).  Looks like it is blocking the VPN IP?
<VirtualHost *:80>
        DocumentRoot "/home/webserver/www/internal.mysite.com"
        ServerName internal.mysite.com
        <Directory "/home/webserver/www/internal.mysite.com">
                Require ip 10.0.0.0/255.0.0.0
                Require ip 127.0.0.1
        </Directory>
</VirtualHost>

conf.txt
LVL 4

Expert Comment

by:Gammelgaard
ID: 42029836
Exactly what you there it finally is

Put

Require ip and the ip of your VPN subnet just under the last line
LVL 1

Author Comment

by:CipherIS
ID: 42029839
With the SUDO code I will be able to update and save?
LVL 4

Expert Comment

by:Gammelgaard
ID: 42029840
And restart apache

sudo systemctl daemon-reload
And
sudo service apache2 restart
LVL 4

Expert Comment

by:Gammelgaard
ID: 42029842
okay you do

sudo nano /etc/apache2/apache2.conf

then put a new require ip line for your vpn subnet

hit ctrl+x and then Y for save

now use the two commands from above to restart apache
LVL 4

Expert Comment

by:Gammelgaard
ID: 42030298
Did it finally work? Can I ask you to check answer as correct if that is the case?
LVL 1

Author Comment

by:CipherIS
ID: 42032889
I was out yesterday.  Working on it now.  So, what I received from IT is the below IP for the VPN subnet

172.0.2.0/24 (example)

Do I just add it as displayed above with the /24?  It isn't 24.0.0.0?

Just want to make sure I entered it correctly before I reload and restart.  I entered 172.0.2.0/24.

Thanks
LVL 5

Expert Comment

by:Colin_UK
ID: 42032938
Yes 172.0.2.0/24 is the correct format (it will allow 172.0.2.1 - 172.0.2.254 inclusive)
Colin
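To see concretely which clients a <Directory> block like the one above admits, here is an added example (mine, not code from the thread) that parses the Require ip lines and checks candidate addresses against them. It goes slightly beyond the thread in also handling Apache's partial-address form (e.g. "10.1" for 10.1.0.0/16) and flagging malformed arguments; the config text and the client addresses are constructed from the thread's sanitized examples.

```python
"""Evaluate Apache 'Require ip' arguments against candidate client addresses.

Added example, not code from the thread.  Shows why 172.0.2.5 is admitted
by 172.0.2.0/24 while a public address such as 166.0.0.7 is not, and why a
trailing '.' in '10.0.0.0./255.0.0.0' would be a configuration error.
"""
import ipaddress
import re

# Constructed: the sanitized vhost snippet the thread converged on.
VHOST_CONF = """
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mysite.com">
       Require ip 10.0.0.0/255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory>
</VirtualHost>
"""

REQUIRE_IP = re.compile(r"^\s*Require\s+ip\s+(.+?)\s*$", re.IGNORECASE)


def _to_network(token: str) -> ipaddress.IPv4Network:
    """Translate one Require ip argument into a network.

    mod_authz_host accepts a full address, CIDR (a.b.c.d/n), a dotted
    netmask (a.b.c.d/m.m.m.m) and a partial address such as '10' or
    '10.1' meaning the /8 or /16 prefix.  Anything else raises ValueError.
    """
    if "/" not in token:
        octets = token.split(".")
        if 0 < len(octets) < 4:  # partial form: pad and derive prefix length
            padded = octets + ["0"] * (4 - len(octets))
            token = ".".join(padded) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(token, strict=False)


def parse_require_ip(conf: str):
    """Return (networks, errors).

    networks: every argument Apache would accept, as ip_network objects.
    errors:   tokens Apache would reject at startup (e.g. a trailing '.').
    """
    nets, errors = [], []
    for line in conf.splitlines():
        m = REQUIRE_IP.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                nets.append(_to_network(token))
            except ValueError:
                errors.append(token)
    return nets, errors


def matching_rule(client_ip: str, nets):
    """Return the first network that contains client_ip, or None.

    Several Require ip lines inside one <Directory> are OR-ed (the default
    <RequireAny> container), so one match is enough to grant access.
    """
    addr = ipaddress.ip_address(client_ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def is_allowed(client_ip: str, nets) -> bool:
    return matching_rule(client_ip, nets) is not None


if __name__ == "__main__":
    networks, bad = parse_require_ip(VHOST_CONF)
    print("rules:", [str(n) for n in networks], "bad tokens:", bad)
    for ip in ("10.20.30.40", "127.0.0.1", "172.0.2.5", "64.1.2.3", "166.0.0.7"):
        print(ip, "->", matching_rule(ip, networks) or "DENIED (403)")
```

The address the check must be run against is the one Apache records as the client (%h in the access log), not the address a public "what is my IP" site reports.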
LVL 1

Author Comment

by:CipherIS
ID: 42032980
I ran below

sudo systemctl daemon-reload

And received "systemctl" not found.

Can I just run sudo service apache2 restart ?
LVL 5

Expert Comment

by:Colin_UK
ID: 42032990
depends which Linux distro it is.
Centos and possibly others can do
sudo service httpd restart
LVL 1

Author Comment

by:CipherIS
ID: 42033001
So do I run

sudo service apache2 restart

and not worry about

sudo systemctl daemon-reload

or is there something else I need to run before sudo service apache2 restart

Thanks
LVL 5

Expert Comment

by:Colin_UK
ID: 42033016
No, as long as you've edited the conf file to add the extra IP.
Then restart Apache using whatever is required for your Linux version (if you don't know restarting the whole server will do ;) )

Colin
LVL 1

Author Comment

by:CipherIS
ID: 42033045
Ok, followed all of the above instructions.  Trying to get a user to test.
LVL 1

Author Comment

by:CipherIS
ID: 42033104
Seems to still not be working.  I added the IP

<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory
</VirtualHost>

Restarted with sudo service apache2 restart

User still receives HTTP 403 error.
LVL 1

Author Comment

by:CipherIS
ID: 42033137
I have a question.  I'm looking at the screenshot the user sent me of the ipconfig /all.

user's IP is 172.0.2.5 so

172.0.2.0/24  

Should include the User's IP, correct?

Also, don't know if it matters but the error is "FORBIDDEN".  You don't have permission to access .......

Should I also add the IPs for the Wireless LAN?
192.168.1.x?

Also, the first line has 10.0.0.0./255.0.0.0.  Do I need to add the 255.0.0.0 to the 172.x.x.x/24 IP?

<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory
</VirtualHost>
LVL 5

Expert Comment

by:Colin_UK
ID: 42035722
Is this simply a typo here or is this a mistake in the conf file?

<Directory "/home/webserver/www/internal.mystie.com">
Notice mystie instead of mysite?

Require ip 10.0.0.0./255.0.0.0
Also this network shouldn't have a trailing '.'


Colin
LVL 1

Author Comment

by:CipherIS
ID: 42035954
Those are typos.  Mysite is NOT the actual site name.

Also 10.0.0.0/255.0.0.0 does not have a period at the end it is as I just typed it.
LVL 1

Author Comment

by:CipherIS
ID: 42036060
Just did a test.  In the network I can ping the server and perform an nslookup.

Disconnect from the network and VPN into the network.  I can perform nslookup but CAN'T ping the server.

Any idea what the issue is and how to resolve?
LVL 5

Expert Comment

by:Colin_UK
ID: 42036093
Unfortunately the ping test may not help that much, as the VPN design may not permit ping.
It sounds as though there are a lot of issues getting confused here.

The fact that you get a valid HTTP response from the web server whilst connected to the VPN means you are connecting to the server and getting a valid response (albeit not the response you want). It doesn't look like a problem with the VPN, more like a httpd config issue.

To test if you are looking at the correct conf details you could remove all the restrictions (comment out all the require lines) and restart Apache. That should then allow access, if you still get permission denied then there is most likely another setting in a conf file (or another .htaccess in the destination directory).
LVL 1

Author Comment

by:CipherIS
ID: 42036414
If I change
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory
</VirtualHost>

To
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require all granted
   </Directory
</VirtualHost>


The Require all allows me to reach the website.  When I add the IPs again I am blocked.
LVL 5

Expert Comment

by:Colin_UK
ID: 42036541
Then I'd guess you have not been given the correct IP address of the VPN device.

If you look at the request logs for the webserver you will see the IP address that is being used by the VPN client, as it will log its access.

Once you know what IP it is you can add it to the configuration to get security back.

Colin
LVL 1

Author Comment

by:CipherIS
ID: 42036544
The IT Dept says they gave me the correct IP address for the VPN.

Can you tell me where the request log is so I can check?

It is definitely blocking the IP of the VPN I believe.
LVL 1

Author Comment

by:CipherIS
ID: 42036545
The IT Dept says that it could be an LDAP issue blocking the VPN.  Is that possible?
LVL 5

Expert Comment

by:Colin_UK
ID: 42036561
It will be listed in the Apache .conf file, can be anywhere depending on who set it up.
Look in the .conf file for any error log paths.

The Virtual host section could have its own, or it could be using a single log file, but it will be in there somewhere - or you could send me the file and I'll tell you where the logs are.

And don't forget it is not the IP address of the VPN physical device, it is the IP address given to the client when accessing your LAN via the VPN (unless it is a site-site VPN instead of a dial-in VPN). If it is a site-site VPN then the IP address used will be whatever the remote user setup their end.

Colin
LVL 1

Author Comment

by:CipherIS
ID: 42036566
Ok, this is what I did.  I went to site http://www.showmemyip.com/.  I took the IP that is displayed there and added it

<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
       Require ip 166.0.0.0/24 (as an example).
   </Directory
</VirtualHost>


The above 166.x.x.x addition allows me to access the site.  I shouldn't have to do this, correct?

Will the 166.x.x.x IP change?  Can it ever be, let's say 125.x.x.x?
LVL 5

Expert Comment

by:Colin_UK
ID: 42037321
Going to a website won't show you your IP address, it will show the public interface used by whatever setup you are running.
The webserver logs will show exactly what IPs are requesting data.

Look in the http access log, find the correct IP (may need to tail it while refreshing the browser) then add that IP (or the whole subnet if preferred) to the restrictions.

Colin
LVL 1

Author Comment

by:CipherIS
ID: 42037727
Ok, I'm not a network person and thumbing through apache.  

Can you please tell me where is the "webserver log"?  Is that the name of the log?

Where is the http access log?  What is tail it?  The whole subnet is 255.x.x.x?
LVL 5

Expert Comment

by:Colin_UK
ID: 42038245
The log file locations are usually listed as CustomLog, eg:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /path/to/log/file combined


If you look for the Access Log the filename will usually be something like access_log - the path will tell you where it is.

These logs get big, so you'll need to make a request from the VPN user, then grab the logs a few seconds later.
Then look towards the end of the log for the URL that you requested. It should list the IP the request came from. That's the IP to add to the access restrictions found earlier.

Colin
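To make the log-reading step above concrete, here is an added example (mine, not code from the thread) that parses access.log lines in the "combined" LogFormat just quoted and the AH01630 error.log line the asker posted, and reports which client addresses were refused with a 403 for /items. The log lines are constructed and use the thread's example addresses.

```python
"""Find the client addresses Apache actually saw when it answered 403.

Added example, not code from the thread.  Two sources are parsed:
  * access.log in LogFormat "combined" (%h is the client address Apache
    used for the Require ip decision, unless mod_remoteip rewrites it);
  * error.log AH01630 "client denied by server configuration" lines,
    which name the denied client and the filesystem path directly.
"""
import re
from collections import Counter

# Constructed access.log excerpt (LogFormat "combined").
SAMPLE_ACCESS_LOG = """\
10.0.5.21 - - [01/Mar/2017:09:20:11 -0500] "GET /items HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
172.0.2.5 - - [01/Mar/2017:09:26:53 -0500] "GET /items HTTP/1.1" 403 199 "-" "Mozilla/5.0"
172.0.2.5 - - [01/Mar/2017:09:26:54 -0500] "GET /items/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
166.0.0.7 - - [01/Mar/2017:09:27:10 -0500] "GET /items HTTP/1.1" 403 199 "-" "curl/7.47.0"
10.0.5.21 - - [01/Mar/2017:09:28:02 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Constructed error.log line in the AH01630 format quoted in the thread.
SAMPLE_ERROR_LINE = (
    "[Wed Mar 01 09:26:53.012926 2017] [authz_core:error] [pid 2929] "
    "[client 172.0.2.5:1160] AH01630: client denied by server configuration: "
    "/home/webserver/www/internal.mysite.com/items"
)

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# "[client ADDR:PORT] AH01630: client denied by server configuration: PATH"
AUTHZ_DENIED = re.compile(
    r'\[client (?P<client>[^\]]+?)(?::(?P<port>\d+))?\] '
    r'AH01630: client denied by server configuration: (?P<path>.+)$'
)


def parse_combined(line: str):
    """Parse one combined-format access log line into a dict, or None."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def forbidden_clients(log_text: str, path_prefix: str = "/items") -> Counter:
    """Count 403 responses under path_prefix per client host (%h).

    The keys are the addresses to compare with the Require ip networks;
    a host that appears here is the one that still needs a matching rule.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec and rec["status"] == 403 and rec["path"].startswith(path_prefix):
            hits[rec["host"]] += 1
    return hits


def parse_authz_error(line: str):
    """Extract client address, port and denied path from an AH01630 line."""
    m = AUTHZ_DENIED.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for host, count in forbidden_clients(SAMPLE_ACCESS_LOG).items():
        print("403 for %s from %s (%d requests)" % ("/items", host, count))
    print("error.log says:", parse_authz_error(SAMPLE_ERROR_LINE))
```

On a live server the same thing is done with tail -f on the file named by CustomLog while the VPN user reloads the page; the host field of the new 403 line is the address to add.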
LVL 1

Author Comment

by:CipherIS
ID: 42041934
I have a question about VPNs. When you log into a VPN you are in the network, correct?  Users are using OpenVPN to log in.

On my apache server for my website I added user's IP Require ip 166.0.0.0/24 (as an example).  I have to do this for multiple users.

When logged in the VPN shouldn't it allow you to access websites inside the network?  Will I still need to add the user's IP to allow them access in addition to the VPN IP?  

Example
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mysite.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1  
       Require ip 172.0.2.0/24  (VPN)
       Require ip 166.0.0.0/24  (User IP as an example).
   </Directory
</VirtualHost>

LVL 5

Expert Comment

by:Colin_UK
ID: 42042537
There are many ways of configuring VPNs, and there are many different types of VPN. This means there are a lot of different options for what IP is assigned to the user, or used by the user.

You need to find the request in the request_log and add that IP to the directory restriction in the .conf file.
LVL 1

Author Comment

by:CipherIS
ID: 42043071
Where is the request_log?
LVL 5

Expert Comment

by:Colin_UK
ID: 42076065
This is the correct answer, but the user did not understand operation of the webserver that needs re-configuring.