CipherIS asked:
HTTP 403 - VPN can't access internal website

I have a user who is VPNing into the network.  When they do, they try to access a site (e.g. internal.mysite.com/items).  They are unable to access the site and receive an HTTP 403 error.

The site is hosted on a Linux web server.
ASKER CERTIFIED SOLUTION
Colin_UK
CipherIS (ASKER)
Can you please explain

"you may need to add the remote LAN IP to the restrictions"

I will look for .htaccess.  How do I find Server Directives?

Thanks
This is what is in the .htaccess file.

Options -Indexes

RewriteEngine On
RewriteBase /

RewriteRule	^network(.*)$  /modules/network/  [NC]
RewriteRule	^network/(.*)$  /modules/network/$1  [NC]
RewriteRule	^phones(.*)$  /modules/internalpbx/  [NC]
RewriteRule	^phones/(.*)$  /modules/internalpbx/$1  [NC]
RewriteRule	^bsp(.*)$  /modules/bsp/  [NC]

RewriteRule	^itemsregion(.*)$  /modules/itemsregion/  [NC]
RewriteRule	^webissues(.*)$  /modules/webissues/  [NC]


Make sure the domain-name part of the URL users want to access is the same as the one shown in the browser address bar after clicking:
If he wants to access internal.mysite.com/items it should also show that in the browser address bar. I assume he is able to see the correct page at internal.mysite.com/ ?

Also make sure that the client can translate the domain-name part via his DNS - he should be using internal DNS servers to look up internal domain names and hostnames.

If all of this is correct, it might just be a matter of flushing the DNS cache on the client computer - in a Windows terminal:
ipconfig -flushdns
Qlemo
Most probably DNS resolution is still external, not internal, as hinted above.
I would test with   nslookup internal.mysite.com    and see to which IP it resolves.
I don't understand most of what was suggested.  Not a network person.  

User logs into Wifi using the GUEST connection.  
User VPNs into the network.
User attempts to access the website and receives the 403 error below.

User generated image
I did use nslookup internal.mysite.com and the result was
Server:  Unknown
Address:  xx.xx.x.x

Non-authoritative answer:
Name:  internal.mysite.com
Address:  xx.xxx.xxx.xx

The site is on a Linux (Ubuntu) server.  How can I check to see if the user's IP is blocked?  The user is located in another country.
So you did the nslookup on the machine with the error, right? The IP address is the correct one?

Which web server is running on the Ubuntu? Apache, nginx? You should check the config file for the site, for apache it should be in /etc/apache2/sites-available/your-config-file  
Under the <Directory> setting, it is possible to secure on IP addresses

Also, check if there is a .htaccess file for your site - for apache this should be in /var/www/yoursite/.htaccess
Yes, nslookup on the machine with error.  I can access the site but I'm internal.  User who is external using VPN can't access the site.

I checked the .htaccess and posted it above.  

How do I check if it is running Ubuntu, Apache?  I believe it is Ubuntu.  The connection was named Ubuntu in FileZilla.

What do you mean by
"it is possible to secure on IP address"?

How can I check to see if the User's IP is blocked from the site?
What is the difference with getting your IP from ipconfig or going to google and typing "My IP"?

If I check to see if the user's IP is blocked (which I don't know how to do yet), which IP am I checking for?  IPConfig or the google IP?
Do you add the person's IP with the following command?

iptables -A INPUT -s xxx.xxx.xx.xxx -j ACCEPT    

If you add their IP with the above command and there is a rule that blocks IPs from their country, would that enable the user to access the site?
Your .htaccess file is not blocking

In this file
/etc/apache2/sites-available/your-config-file

it is possible to write code that will allow access to the site based on IP addresses, so check that file

The difference is that ipconfig -all shows the Windows PC's private IP address, corresponding to the local network it is on - the other one is the public IP address. As he is using VPN, he would likely have an adapter with an IP address given by the VPN server - also a private IP address - this one is the one that should be opened for, if the site is locked on IP addresses. And this IP will also be shown by ipconfig -all or maybe in the VPN client software
check your iptables config with
iptables -L

if this is on and configured it might be blocking - iptables is a firewall
When I check my iptables config with iptables -L, what am I looking for?

I will get the user to run ipconfig on their machine and send me a screenshot.
well, first of all to see if it is enabled and configured with any rules.. if it just shows something like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Then it is not doing any blocking

If there are IP addresses and port numbers all over, it is, and you would have to make a new rule to support the VPN client subnet
Ok, thanks.  As soon as I can get access to the server I will try that.

So, if it matches what you provided then it is a firewall issue, yes?
If it matches what I provided, then it is not an issue with iptables firewall in linux
Ok, so NOT an iptables firewall issue.

What is the difference between iptables firewall and firewall?
iptables is just the firewall used on ubuntu and many other linux systems.. just like windows has its own firewall, called Windows Firewall..

hmm.. and you checked the configuration file for your site in the /etc/apache2/sites-available/ folder?
I'm trying to get to the configuration file.  

I'm using PuTTY to try to connect to the server.

Let me see if I can find the file via FileZilla.
Also, some more basic troubleshooting:

ping internal.mysite.com

tracert internal.mysite.com

and make sure that the IP address that it writes in the outcomes is the same as you would expect your internal server to use - eg. not a public one
Using filezilla I checked

www (root)
www/internal.mysite.com (.htaccess is there)
I checked all subfolders under internal.mysite.com and did NOT see a configuration file.
the one I'm looking for is in

/etc/apache2/sites-available/
I did perform the ping earlier and that seemed to work.

tracert is complete.

Don't see any issues with either of the two commands.
Ok, I need to find /etc/apache2/sites-available.

I'll try to find it.  Not showing up in filezilla.
Alright, and the IP address stems?

Try

telnet internal.mysite.com 80
and
telnet internal.mysite.com 443
I did

telnet internal.mysite.com 80 and the screen went blank

telnet internal.mysite.com 443 - could not open connection to the host on port 443
My last shot would be that config file - it could also be this one:

/etc/apache2/apache2.conf

otherwise do:

apache2ctl -S

on the server - you might need sudo in front of the command

and paste the output here
Ok.  Trying to get the login info and trying to use putty.

In the meantime I had the user run ipconfig.  This is what the user provided.  I should be checking the DNS, correct?  User's DNS is similar to mine.  Starts with 10.

User generated image
well, is similar or same?

try from your pc to ask the dns server mentioned in his ipconfig of the ip address:

nslookup internal.mysite.com his.dns.ip.address
Let's say my ip address is 10.0.0.01, his is 10.0.0.2.

I ran the nslookup internal.mysite.com 10.0.0.2 (example ip) and it returned

Server:  Unknown
Address:  10.0.0.2

Non-authoritative answer:
Name:  internal.mysite.com
Address:  64.xx.xx.xx
Alright... so 10.0.0.2 is his dns server and 10.0.0.1 is yours?

an address starting with 64 is not an internal private one... is this the ip address you use from your side too?
When I type nslookup internal.mysite.com with my ip (10.0.0.1 - example)  I receive

Server:  servername(I think).mysite.local
Address:  10.0.0.1

Non-authoritative answer:
Name:  internal.mysite.com
Address:  64.xx.xx.xx

I noticed I used the DHCP server IP and not the DNS IP when running my IP
When I use my DNS IP I get a similar result as the user

Server:  unknown
Address:  10.0.0.1

Non-authoritative answer:
Name:  internal.mysite.com
Address:  64.xx.xx.xx
Okay

On the computer where you can access the site, do
ping the.server.name.you.want.to.test
and
nslookup the.server.name.you.want.to.test

Compare these, and compare with the ones from the computer that can't reach the site

If all IP addresses are correct, it is not DNS issue

I have to ask, if you are actually trying to reach a site called internal.mysite.com?
no.  Mysite is replaced with the actual name.  It is internal.xxxxxx.com.
could you please list results from the commands, for both working and not working machine?
I don't have access to the users computer but I'm comparing my ipconfig to theirs.

The DNS Server is exactly the same:

10.0.0.1 (example)

The DHCP Server is different

Theirs 172.xx.xx.xx
Mine 10.x.x.x
we still haven't looked in the apache config file?
No, trying to log into the server.  Waiting for credentials.
Alright alright :)
I was provided the credentials and seem to be having issues logging in with putty.

When I type nslookup internal.mysite.com  I get

Server:  Unknown
Address: 10.xx.xx.3

Non-authoritative answer:
Name:  internal.mysite.com
Address: 64.xxx.xxx.xxx

When I connect to putty and select an existing profile and load it it states the ip is 10.xx.xx.13.  

Unable to use credentials (access denied via putty.)

I'm told those are the correct credentials but I can't login with them.  I tried typing them in and copy and Right-click for pasting.  No success.
You probably shouldn't use a profile in putty, but just type in the ip address or hostname and connect directly

Where was this nslookup performed from?
nslookup is performed from my machine.  The profile in putty was created by someone else.
I ask you to not use the profile in putty. Just write the IP of the server and hit connect - you know the Ubuntu server IP address, don't you?
Still trying to get the credentials to log onto the server.
Yes.  I also tried it without the profile in putty.  I'm getting an access denied with the credentials I was provided.  Still trying to get the correct credentials.  

When I put the IP with port 22 it does provide me with login.
It still sounds like the webserver is responsible for the forbidden message. Could you post your httpd.conf file here?
Will need to list the main httpd.conf and any ssl.conf or virtualhosts.conf if in separate files.

Colin
I'm trying to get access to the IPTables and files.  I can't see them in Filezilla.  I'm trying to log onto the server.  As soon as I can login I will post those files.

Thanks
oo, my last post didn't appear - I'll say it again, sorry if 2 suddenly appear.

This issue is not firewall (IPtables) as you are getting a valid response from the webserver.
This issue is not routing/DNS related as you are getting a valid response from the webserver.

The response is HTTP 403 which indicates a permissions problem for the requested URL.

If I can see the webserver configuration files (all of them, as this setting can be placed anywhere).
If it's running Apache webserver then the config files are normally named with .conf extensions. Can you post these?

The other piece of info that would be helpful is to know whether the VPN connection is Dial In user or Site-Site type?

Colin
I'm trying to get the files.

An update.

I had another user who is located in the same office as I attempt to access the website.  He is working remotely today and tried it and he also receives the 403 error.

So, when the user is here he can access the site but when he is connected VPN he receives forbidden.
Ok, finally got credentials.  Error.log says

[Wed Mar 01 09:26:53.012926 2017] [authz_core:error] [pid 2929] [client xx.xx.xx.xx:1160] AH01630: client denied by server configuration: /home/webserver/www/internal.mysite.com/items

Looking for other files.
This is the app being used to VPN in.

User generated image
If you have access now, would you please write following commands:

cat /etc/apache2/apache2.conf
ls /etc/apache2/sites-enabled

and post both outputs here
cat /etc/apache2/apache2.conf
Result -> Permission Denied

ls /etc/apache2/sites-enabled
Result -> 000-default.conf
Okay, put 'sudo' in front of the first command, without the '

And also show us output of

sudo cat /etc/apache2/sites-available/000-default.conf
000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>


And the other file please
Here is the other (attached).  I saw in the text file the following.  (Changed some values).  Looks like it is blocking the VPN IP?  
<VirtualHost *:80>
        DocumentRoot "/home/webserver/www/internal.mysite.com"
        ServerName internal.mysite.com
        <Directory "/home/webserver/www/internal.mysite.com">
                Require ip 10.0.0.0/255.0.0.0
                Require ip 127.0.0.1
        </Directory>
</VirtualHost>


conf.txt
Exactly what you there it finally is

Put

Require ip and the ip of your VPN subnet just under the last line
With the SUDO code I will be able to update and save?
And restart apache

sudo systemctl daemon-reload
And
sudo service apache2 restart
okay you do

sudo nano /etc/apache2/apache2.conf

then put a new require ip line for your vpn subnet

hit ctrl+x and then Y for save

now use the two commands from above to restart apache
Did it finally work? Can I ask you to check answer as correct if that is the case?
I was out yesterday.  Working on it now.  So, what I received from IT is the below IP for the VPN subnet

172.0.2.0/24 (example)

Do I just add it as displayed above with the /24?  It isn't 24.0.0.0?

Just want to make sure I entered it correctly before I reload and restart.  I entered 172.0.2.0/24.

Thanks
Yes 172.0.2.0/24 is the correct format (it will allow 172.0.2.1 - 172.0.2.254 inclusive)
Colin
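The Require ip matching discussed above, as an added Python example that is not from the thread: it parses a <Directory> block like the one posted earlier (the addresses are the thread's example values, not a real server's) and reports whether a given client address would be granted or get a 403. It handles the argument forms mod_authz_host documents for Require ip (full address, partial address such as 10.1, address/netmask, address/prefix-length), and treats several Require ip lines under one <Directory> as alternatives, which is Apache's default merging when no RequireAll or RequireAny container is used. A malformed argument such as a trailing dot makes the parser raise ValueError rather than silently matching nothing.

```python
import ipaddress
from typing import Dict, List

# Constructed <Directory> block mirroring the one posted in the thread
# (example addresses only; not a real server's configuration).
DIRECTORY_CONF = """
<Directory "/home/webserver/www/internal.mysite.com">
    Require ip 10.0.0.0/255.0.0.0
    Require ip 127.0.0.1
    Require ip 172.0.2.0/24
</Directory>
"""


def require_ip_arg_to_network(arg: str) -> ipaddress.IPv4Network:
    """Convert one 'Require ip' argument into an IPv4Network.

    Accepted forms (as documented for mod_authz_host):
      full address       10.0.0.5            -> 10.0.0.5/32
      partial address    10.1                -> 10.1.0.0/16
      address/netmask    10.0.0.0/255.0.0.0  -> 10.0.0.0/8
      address/prefixlen  172.0.2.0/24        -> 172.0.2.0/24
    A malformed argument (e.g. a trailing '.') raises ValueError.
    """
    if "/" in arg:
        addr, mask = arg.split("/", 1)
        mask_value = mask if "." in mask else int(mask)
        return ipaddress.IPv4Network((addr, mask_value), strict=False)
    octets = arg.split(".")
    if len(octets) < 4:
        # Partial address: missing octets are zero, prefix is 8 bits per octet given.
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network((addr, 8 * len(octets)), strict=False)
    return ipaddress.IPv4Network((arg, 32))


def parse_require_ip(conf: str) -> List[ipaddress.IPv4Network]:
    """Collect every network named by 'Require ip' lines in a config fragment."""
    nets = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line.lower().startswith("require ip"):
            continue
        for arg in line.split()[2:]:      # one line may list several networks
            nets.append(require_ip_arg_to_network(arg))
    return nets


def matching_networks(client_ip: str, nets) -> List[str]:
    """Networks that contain client_ip; an empty list means the client gets 403."""
    ip = ipaddress.IPv4Address(client_ip)
    return [str(n) for n in nets if ip in n]


def is_allowed(client_ip: str, nets) -> bool:
    # Several 'Require' lines under one <Directory> act as RequireAny by default:
    # a single match is enough.
    return bool(matching_networks(client_ip, nets))


def report(conf: str, client_ips) -> Dict[str, str]:
    """Per client address: 'allowed via <network>' or 'denied (403)'."""
    nets = parse_require_ip(conf)
    result = {}
    for ip in client_ips:
        hits = matching_networks(ip, nets)
        result[ip] = "allowed via " + ", ".join(hits) if hits else "denied (403)"
    return result


if __name__ == "__main__":
    # Constructed client addresses: an office PC, the VPN pool address from the
    # thread, a neighbouring /24 and a public address.
    sample = ["10.20.30.40", "172.0.2.5", "172.0.3.5", "166.0.0.7"]
    for ip, verdict in report(DIRECTORY_CONF, sample).items():
        print(f"{ip:>12}  {verdict}")
```

Running it against the thread's configuration shows 172.0.2.5 allowed via 172.0.2.0/24 and 166.0.0.7 denied; if a client that you expect to be inside one of the listed networks still gets a 403 on the real server, the address Apache sees is not the one you are checking, and the access log (CustomLog) is where to read the real one.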
I ran below

sudo systemctl daemon-reload

And received "systemctl" not found.

Can I just run sudo service apache2 restart ?
depends which Linux distro it is.
Centos and possibly others can do
sudo service httpd restart
So do I run

sudo service apache2 restart

and not worry about

sudo systemctl daemon-reload

or is there something else I need to run before sudo service apache2 restart

Thanks
No, as long as you've edited the conf file to add the extra IP.
Then restart Apache using whatever is required for your Linux version (if you don't know restarting the whole server will do ;) )

Colin
Ok, followed all of the above instructions.  Trying to get a user to test.
Seems to still not be working.  I added the IP

<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory
</VirtualHost>

Restarted with sudo service apache2 restart

User still receives HTTP 403 error.
I have a question.  I'm looking at the screenshot the user sent me of the ipconfig /all.

users IP is 172.0.2.5 so

172.0.2.0/24  

Should include the User's IP, correct?

Also, don't know if it matters but the error is "FORBIDDEN".  You don't have permission to access .......

Should I also add the IP's for the Wireless LAN?
192.168.1.x?

Also, the first line has 10.0.0.0./255.0.0.0.  Do I need to add the 255.0.0.0 to the 172.x.x.x/24 IP?

<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory
</VirtualHost>
Is this simply a typo here or is this a mistake in the conf file?

<Directory "/home/webserver/www/internal.mystie.com">
Notice mystie instead of mysite?

Require ip 10.0.0.0./255.0.0.0
Also this network shouldn't have a trailing '.'


Colin
Those are typos.  Mysite is NOT the actual site name.

Also 10.0.0.0/255.0.0.0 does not have a period at the end it is as I just typed it.
Just did a test.  In the network I can ping the server and perform an NSLook up.

Disconnect from the network and VPN into the network.  I can perform nslookup but CAN'T ping the server.

Any idea what the issue is and how to resolve?
Unfortunately the ping test may not help that much, as the VPN design may not permit ping.
It sounds as though there are a lot of issues getting confused here.

The fact that you get a valid HTTP response from the web server whilst connected to the VPN means you are connecting to the server and getting a valid response (albeit not the response you want). It doesn't look like a problem with the VPN, more like a httpd config issue.

To test if you are looking at the correct conf details you could remove all the restrictions (comment out all the require lines) and restart Apache. That should then allow access, if you still get permission denied then there is most likely another setting in a conf file (or another .htaccess in the destination directory).
If I change
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory
</VirtualHost>


To
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require all granted
   </Directory
</VirtualHost>



The required all allows me to reach the website.  When I add the IP's again I am blocked.
Then I'd guess you have not been given the correct IP address of the VPN device.

If you look at the request logs for the webserver you will see the IP address that is being used by the VPN client, as it will log its access.

Once you know what IP it is you can add it to the configuration to get security back.

Colin
The IT Dept says they gave me the correct IP address for the VPN.

Can you tell me where the request log is so I can check?

It is definitely blocking the IP of the VPN I believe.
The IT Dept says that it could be an LDAP issue blocking the VPN.  Is that possible?
It will be listed in the Apache .conf file, can be anywhere depending on who set it up.
Look in the .conf file for any error log paths.

The Virtual host section could have its own, or it could be using a single log file, but it will be in there somewhere - or you could send me the file and I'll tell you where the logs are.

And don't forget it is not the IP address of the VPN physical device, it is the IP address given to the client when accessing your LAN via the VPN (unless it is a site-site VPN instead of a dial-in VPN). If it is a site-site VPN then the IP address used will be whatever the remote user setup their end.

Colin
Ok, this is what I did.  I went to site http://www.showmemyip.com/.  I took the IP that is displayed there and added it

<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
       Require ip 166.0.0.0/24 (as an example).
   </Directory
</VirtualHost>



The above 166.x.x.x addition allows me to access the site.  I shouldn't have to do this, correct?

Will the 166.x.x.x IP change?  Can it ever be, let's say 125.x.x.x?
Going to a website won't show you your IP address, it will show the public interface used by whatever setup you are running.
The webserver logs will show exactly what IP's are requesting data.

Look in the http access log, find the correct IP (may need to tail it while refreshing the browser) then add that IP (or the whole subnet if preferred) to the restrictions.

Colin
Ok, I'm not a network person and thumbing through apache.  

Can you please tell me where is the "webserver log"?  Is that the name of the log?

Where is the http access log?  What is tail it?  The whole subnet is 255.x.x.x?
The log file locations are usually listed as CustomLog, eg:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /path/to/log/file combined



If you look for the Access Log the filename will usually be something like access_log - the path will tell you where it is.

These logs get big, so you'll need to make a request from the VPN user, then grab the logs a few seconds later.
Then look towards the end of the log for the URL that you requested. It should list the IP the request came from. That's the IP to add to the access restrictions found earlier.

Colin
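Finding the refused address in the logs, as an added Python example that is not from the thread: it parses constructed lines in Apache's combined access-log format (the LogFormat quoted above) and constructed error-log lines of the AH01630 "client denied by server configuration" form seen earlier in the thread, lists which client addresses received 403 for a given path, and notes whether each is a private (RFC 1918 / loopback) or public address. The sample lines are made up for the example; on a real server you would read the file named by CustomLog and ErrorLog in the site's .conf instead.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines (not real log data). In this scenario the VPN client
# shows the user 172.0.2.5, but the web server sees the request arrive from a
# public address, which is why 'Require ip 172.0.2.0/24' alone does not help.
ACCESS_LOG = [
    '10.0.0.25 - - [01/Mar/2017:09:25:40 +0000] "GET /items HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '166.0.0.7 - - [01/Mar/2017:09:26:53 +0000] "GET /items HTTP/1.1" 403 289 "-" "Mozilla/5.0"',
    '166.0.0.7 - - [01/Mar/2017:09:27:02 +0000] "GET /items/ HTTP/1.1" 403 289 "-" "Mozilla/5.0"',
    '166.0.0.7 - - [01/Mar/2017:09:27:30 +0000] "GET /favicon.ico HTTP/1.1" 403 289 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Mar/2017:09:28:00 +0000] "GET /items HTTP/1.1" 200 5120 "-" "curl/7.47.0"',
]
ERROR_LOG = [
    '[Wed Mar 01 09:26:53.012926 2017] [authz_core:error] [pid 2929] [client 166.0.0.7:1160] '
    'AH01630: client denied by server configuration: /home/webserver/www/internal.mysite.com/items',
    '[Wed Mar 01 09:28:00.100000 2017] [mpm_prefork:notice] [pid 2900] AH00163: Apache/2.4.18 configured',
]

# Combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# mod_authz_core's denial line; the client field carries address:port
DENIED_RE = re.compile(
    r'\[client (?P<host>[\d.]+):\d+\] AH01630: client denied by server configuration: (?P<path>\S+)'
)


def denied_clients_from_access_log(lines, path_prefix: str = "/") -> Dict[str, int]:
    """Count 403 responses per client address for requests under path_prefix."""
    counts: Dict[str, int] = {}
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m.group("status") != "403":
            continue
        if not m.group("path").startswith(path_prefix):
            continue
        counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


def denied_clients_from_error_log(lines) -> Dict[str, List[str]]:
    """Map client address -> filesystem paths Apache refused to serve it."""
    denied: Dict[str, List[str]] = {}
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            denied.setdefault(m.group("host"), []).append(m.group("path"))
    return denied


def address_kind(host: str) -> str:
    """'private' for RFC 1918 or loopback space, otherwise 'public'."""
    return "private" if ipaddress.ip_address(host).is_private else "public"


if __name__ == "__main__":
    for host, n in denied_clients_from_access_log(ACCESS_LOG, "/items").items():
        print(f"{host} got 403 on /items {n} time(s); address is {address_kind(host)}")
    for host, paths in denied_clients_from_error_log(ERROR_LOG).items():
        print(f"{host} denied by server configuration for: {', '.join(paths)}")
```

The address these functions return is the one to compare against the Require ip lines; a public address here, when the user's own ipconfig shows a VPN pool address, means the request is not reaching the server through the VPN tunnel at all, and the fix belongs in the VPN routing rather than in widening the Apache restriction.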
I have a question about VPNs. When you log into a VPN you are in the network, correct?  Users are using OpenVPN to log in.  

On my apache server for my website I added user's IP Require ip 166.0.0.0/24 (as an example).  I have to do this for multiple users.

When logged in the VPN shouldn't it allow you to access websites inside the network?  Will I still need to add the user's IP to allow them access in addition to the VPN IP?  

Example
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mysite.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1  
       Require ip 172.0.2.0/24  (VPN)
       Require ip 166.0.0.0/24  (User IP as an example).
   </Directory
</VirtualHost>


There are many ways of configuring VPNs, and there are many different types of VPN. This means there are a lot of different options for what IP is assigned to the user, or used by the user.

You need to find the request in the request_log and add that IP to the directory restriction in the .conf file.
Where is the request_log?
This is the correct answer, but the user did not understand operation of the webserver that needs re-configuring.