CipherIS
HTTP 403 - VPN can't access internal website
Have a user who is VPNing into network. When they do they try to access a site (e.g. internal.mysite.com/items) . They are unable to access the site. They receive an HTTP 403 error.
The site is hosted on a Linux web server.
ASKER
This is what is in the .htaccess file.
# Disable directory listings
Options -Indexes
RewriteEngine On
RewriteBase /
# Map short module URLs onto their directories under /modules/ ([NC] = case-insensitive match)
RewriteRule ^network(.*)$ /modules/network/ [NC]
RewriteRule ^network/(.*)$ /modules/network/$1 [NC]
RewriteRule ^phones(.*)$ /modules/internalpbx/ [NC]
RewriteRule ^phones/(.*)$ /modules/internalpbx/$1 [NC]
RewriteRule ^bsp(.*)$ /modules/bsp/ [NC]
RewriteRule ^itemsregion(.*)$ /modules/itemsregion/ [NC]
RewriteRule ^webissues(.*)$ /modules/webissues/ [NC]
Make sure the domain-name part of the URL users want to access is the same shown in browser address bar after clicking:
If he wants to access internal.mysite.com/items it should also show that in browser address bar. I assume he is able to see correct page at internal.mysite.com/ ?
Also make sure that client can translate domain-name part via his DNS - he should be using internal DNS servers to lookup internal domain-names and hostnames.
If all of these is correct, it might just be a matter of flushing the DNS cache on client computer - in windows terminal:
ipconfig -flushdns
Most probably DNS resolution is still external, not internal, as hinted above.
I would test with nslookup internal.mysite.com and see to which IP it resolves.
ASKER
I don't understand most of what was suggested. Not a network person.
User logs into Wifi using the GUEST connection.
User VPN's into the network.
User attempts to access website and receives below 403 error.
I did use nslookup internal.mysite.com and the result was
Server: Unknown
Address: xx.xx.x.x
Non-authoritative answer:
Name: internal.mysite.com
Address: xx.xxx.xxx.xx
The site is on a Linux (Ubuntu) Server. How can I check to see if the user's IP is blocked. User is located in another country.
So you did the nslookup on the machine with the error, right? The IP address is the correct one?
Which web server is running on the Ubuntu? Apache, nginx? You should check the config file for the site, for apache it should be in /etc/apache2/sites-available/your-config-file
Under the <Directory> setting, it is possible to secure on IP addresses
Also, check if there is a .htaccess file for your site - for apache this should be in /var/www/yoursite/.htaccess
ASKER
Yes, nslookup on the machine with error. I can access the site but I'm internal. User who is external using VPN can't access the site.
I checked the .htaccess and posted it above.
How do I check if it is running Ubuntu, Apache? I believe it is Ubuntu. The connection was named Ubuntu in FileZilla.
What do you mean by
"it is possible to secure on IP address"?
How can I check to see if the User's IP is blocked from the site?
I checked the .htaccess and posted it above.
How do I check if it is running Ubuntu, Apache? I believe it is Ubuntu. The connection was named Ubuntu in FileZilla.
What do you mean by
"it is possible to secure on IP address"?
How can I check to see if the User's IP is blocked from the site?
ASKER
What is the difference with getting your IP from ipconfig or going to google and typing "My IP"?
If I check to see if the user's IP is blocked (which I don't know how to do yet), which IP am I checking for? IPConfig or the google IP?
ASKER
Do you add the persons IP with the following command?
iptables -A INPUT -s xxx.xxx.xx.xxx -j ACCEPT
If you add their IP with the above command and there is a rule that blocks IP's from their country would that enable the user to access the site?
Your .htaccess file is not blocking
In this file
/etc/apache2/sites-available/your-config-file
it is possible to write code that will allow access to the site based on IP addresses, so check that file
The difference is that ipconfig -all shows the windows pc's private IP address, corresponding to the local network it is on - the other one is the public IP address. As he is using VPN, he would likely have an adapter with an IP address given by the VPN server - also a private IP address - this one is the one that should be opened for - if site is locked on IP addresses. And this IP will also be shown with ipconfig -all or maybe in the VPN client software
check your iptables config with
iptables -L
if this is on and configured it might be blocking - iptables is a firewall
ASKER
When I check my iptables config with iptables -L, what am I looking for?
I will get the user to run ipconfig on their machine and send me a screenshot.
well, first of all to see if it is enabled and configured with any rules.. if it just shows something like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Then it is not doing any blocking
If there is IP addresses and port numbers all over, it is, and you would have to make a new rule to support the VPN client subnet
ASKER
Ok, thanks. As soon as I can get access to the server I will try that.
So, if it matches what you provided then it is a firewall issues, yes?
If it matches what I provided, then it is not an issue with iptables firewall in linux
ASKER
Ok, so NOT an iptables firewall issue.
What is the difference between iptables firewall and firewall?
iptables is just the firewall used on ubuntu and many other linux systems.. just like windows has its own firewall, called Windows Firewall..
hmm.. and you checked the configuration file for your site in the /etc/apache2/sites-available/ folder?
ASKER
I'm trying to get to the configuration file.
I'm using PuTTY to try to connect to the server.
Let me see if I can find the file via FIleZilla.
Also, some more basic troubleshooting:
ping internal.mysite.com
tracert internal.mysite.com
and make sure that the IP address that it writes in the outcomes is the same as you would expect your internal server to use - eg. not a public one
ASKER
Using filezilla I checked
www (root)
www/internal.mysite.com (.htaccess is there)
I checked all subfolders under internal.mysite.com and did NOT see a configuration file.
the one I'm looking for is in
/etc/apache2/sites-available/
ASKER
I did perform the ping earlier and that seemed to work.
tracert is complete.
Don't see any issues with either two commands.
ASKER
Ok, I need to find /etc/apache2/sites-available.
I'll try to find it. Not showing up in filezilla.
Alright, and the IP address stems?
Try
telnet internal.mysite.com 80
and
telnet internal.mysite.com 443
ASKER
I did
telnet internal.mysite.com 80 and the screen went blank
telnet internal.mysite.com 443 - could not open connection to the host on port 443
My last shot would be that config file - it could also be this one:
/etc/apache2/apache2.conf
otherwise do:
apache2ctl -S
on the server - you might need sudo in front of the command
and paste the output here
ASKER
well, is similar or same?
try from your pc to ask the dns server mentioned in his ipconfig of the ip address:
nslookup internal.mysite.com his.dns.ip.address
ASKER
Let's say my ip address is 10.0.0.1, his is 10.0.0.2.
I ran the nslookup internal.mysite.com 10.0.0.2 (example ip) and it returned
Server: Unknown
Address: 10.0.0.2
Non-authoritative answer:
Name: internal.mysite.com
Address: 64.xx.xx.xx
Alright... so 10.0.0.2 is his dns server and 10.0.0.1 is yours?
an address starting with 64 is not an internal private one... is this the ip address you use from your side too?
ASKER
When I type nslookup internal.mysite.com with my ip (10.0.0.1 - example) I receive
Server: servername(I think).mysite.local
Address: 10.0.0.1
Non-authoritative answer:
Name: internal.mysite.com
Address: 64.xx.xx.xx
I noticed I used the DHCP server IP and not DNS IP when running my IP
ASKER
When I use my DNS IP I get a similar result as the user
Server: unknown
Address: 10.0.0.1
Non-authoritative answer:
Name: internal.mysite.com
Address: 64.xx.xx.xx
Okay
On the computer where you can access the site, do
ping the.server.name.you.want.to.test
and
nslookup the.server.name.you.want.to.test
Compare these, and compare with the ones from the computer that can't reach the site
If all IP addresses are correct, it is not DNS issue
I have to ask, if you are actually trying to reach a site called internal.mysite.com?
ASKER
no. Mysite is replaced with the actual name. It is internal.xxxxxx.com.
could you please list results from the commands, for both working and not working machine?
ASKER
I don't have access to the users computer but I'm comparing my ipconfig to theirs.
The DNS Server is exactly the same:
10.0.0.1 (example)
The DHCP Server is different
Theirs 172.xx.xx.xx
Mine 10.x.x.x
we still haven't looked in the apache config file?
ASKER
No, trying to log into the server. Waiting for credentials.
Alright alright :)
ASKER
I was provided the credentials and seem to be having issues logging in with putty.
When I type nslookup internal.mysite.com I get
Server: Unknown
Address: 10.xx.xx.3
Non-authoritative answer
Name: internal.mysite.com
Address: 64.xxx.xxx.xxx
When I connect to putty and select an existing profile and load it it states the ip is 10.xx.xx.13.
Unable to use credentials (access denied via putty.)
I'm told those are the correct credentials but I can't login with them. I tried typing them in and copy and Right-click for pasting. No success.
You probably shouldn't use a profile in putty, but just type in the ip address or hostname and connect directly
Where was this nslookup performed from?
ASKER
nslookup is performed from my machine. The profile in putty was created by someone else.
I ask you to not use the profile in putty. Just write the IP of the server and hit connect - you know the Ubuntu server IP address, don't you?
ASKER
Still trying to get the credentials to log onto the server.
ASKER
Yes. I also tried it without the profile in putty. I'm getting an access denied with the credentials I was provided. Still trying to get the correct credentials.
When I put the IP with port 22 it does provide me with login.
It still sounds like the webserver is responsible for the forbidden message. Could you post your httpd.conf file here?
Will need to list the main httpd.conf and any ssl.conf or virtualhosts.conf if in separate files.
Colin
ASKER
I'm trying to get access to the IPTables and files. I can't see them in Filezilla. I'm trying to log onto the server. As soon as I can login I will post those files.
Thanks
oo, my last post didn't appear - I'll say it again, sorry if 2 suddenly appear.
This issue is not firewall (IPtables) as you are getting a valid response from the webserver.
This issue is not routing/DNS related as you are getting a valid response from the webserver.
The response is HTTP 403 which indicates a permissions problem for the requested URL.
If I can see the webserver configuration files (all of them, as this setting can be placed anywhere).
If it's running Apache webserver then the config files are normally named with .conf extensions. Can you post these?
The other piece of info that would be helpful is to know whether the VPN connection is Dial In user or Site-Site type?
Colin
ASKER
I'm trying to get the files.
An update.
I had another user who is located in the same office as I attempt to access the website. He is working remotely today and tried it and he also receives the 403 error.
So, when the user is here he can access the site but when he is connected VPN he receives forbidden.
ASKER
Ok, finally got credentials. Error.log says
[Wed Mar 01 09:26:53.012926 2017] [authz_core:error] [pid 2929] [client xx.xx.xx.xx:1160] AH01630: client denied by server configuration: /home/webserver/www/internal.mysite.com/items
Looking for other files.
If you have access now, would you please write following commands:
cat /etc/apache2/apache2.conf
ls /etc/apache2/sites-enabled
and post both outputs here
ASKER
cat /etc/apache2/apache2.conf
Result -> Permission Denied
ls /etc/apache2/sites-enabled
Result -> 000-default.conf
Okay, put 'sudo' in front of the first command, without the '
And also show us output of
sudo cat /etc/apache2/sites-available/000-default.conf
ASKER
000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
And the other file please
ASKER
Here is the other (attached). I saw in the text file the following. (Changed some values). Looks like it is blocking the VPN IP?
<VirtualHost *:80>
DocumentRoot "/home/webserver/www/internal.mysite.com"
ServerName internal.mysite.com
<Directory "/home/webserver/www/internal.mysite.com">
Require ip 10.0.0.0/255.0.0.0
Require ip 127.0.0.1
</Directory>
</VirtualHost>
conf.txt
Exactly, there it finally is.
Put
Require ip and the ip of your VPN subnet just under the last line
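For anyone reading this later, here is what that <Directory> block looks like once the VPN client subnet is added. This is an added illustration, not the asker's conf.txt or any of the replies above; 172.0.2.0/24 stands in for whatever subnet the VPN server actually hands to its clients, and the per-vhost log paths are assumptions. Two points matter: in Apache 2.4 several Require lines inside <Directory> are combined as an implicit <RequireAny>, so each extra line only ever widens access; and Require ip is compared against the source address of the TCP connection as Apache sees it, which is the %h field of the access log and the [client ...] field of the AH01630 error. If that address turns out to be the user's public IP rather than a VPN-assigned one, the VPN is not routing (or is NATing) the traffic to this server, and the fix belongs on the VPN side, not in a Require ip line for a public range.

```apacheconf
<VirtualHost *:80>
    DocumentRoot "/home/webserver/www/internal.mysite.com"
    ServerName internal.mysite.com

    # Assumed per-vhost logs: they make it easy to see the client address
    # Apache actually evaluated (%h in the access log, [client ...] in errors).
    ErrorLog  ${APACHE_LOG_DIR}/internal.mysite.com-error.log
    CustomLog ${APACHE_LOG_DIR}/internal.mysite.com-access.log combined

    <Directory "/home/webserver/www/internal.mysite.com">
        # Explicit form of what several bare "Require ip" lines already mean:
        # the client is admitted if ANY one of them matches.
        <RequireAny>
            # Office LAN. Same as the netmask form 10.0.0.0/255.0.0.0;
            # mod_authz_host also accepts the partial form "Require ip 10".
            Require ip 10.0.0.0/8
            # Tests run on the server itself.
            Require ip 127.0.0.1
            # ASSUMED: the subnet the VPN assigns to connected clients.
            Require ip 172.0.2.0/24
        </RequireAny>
        # Do not "fix" a remote user by adding their public address block
        # (e.g. 166.x.x.x/24): that admits everyone in that ISP range, VPN or not.
    </Directory>
</VirtualHost>
```

Check the syntax before restarting with `sudo apache2ctl configtest` (it catches typos such as a trailing dot in a network, not a wrong subnet), restart with `sudo service apache2 restart`, then have the VPN user reload the page and read the address out of the two log files.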
ASKER
With the SUDO code I will be able to update and save?
And restart apache
sudo systemctl daemon-reload
And
sudo service apache2 restart
okay you do
sudo nano /etc/apache2/apache2.conf
then put a new require ip line for your vpn subnet
hit ctrl+x and then Y for save
now use the two commands from above to restart apache
Did it finally work? Can I ask you to check answer as correct if that is the case?
ASKER
I was out yesterday. Working on it now. So, what I received from IT is the below IP for the VPN subnet
172.0.2.0/24 (example)
Do I just add it as displayed above with the /24? It isn't 24.0.0.0?
Just want to make sure I entered it correctly before I reload and restart. I entered 172.0.2.0/24.
Thanks
Yes 172.0.2.0/24 is the correct format (it will allow 172.0.2.1 - 172.0.2.254 inclusive)
Colin
ASKER
I ran below
sudo systemctl daemon-reload
And received "systemctl" not found.
Can I just run sudo service apache2 restart ?
depends which Linux distro it is.
Centos and possibly others can do
sudo service httpd restart
ASKER
So do I run
sudo service apache2 restart
and not worry about
sudo systemctl daemon-reload
or is there something else I need to run before sudo service apache2 restart
Thanks
No, as long as you've edited the conf file to add the extra IP.
Then restart Apache using whatever is required for your Linux version (if you don't know restarting the whole server will do ;) )
Colin
ASKER
Ok, followed all of the above instructions. Trying to get a user to test.
ASKER
Seems to still not be working. I added the IP
<VirtualHost *:80>
DocumentRoot "/home/webserver/www/internal.mysite.com"
ServerName internal.mysite.com
<Directory "/home/webserver/www/internal.mystie.com">
Require ip 10.0.0.0./255.0.0.0
Require ip 127.0.0.1
Require ip 172.0.2.0/24
</Directory>
</VirtualHost>
Restarted with sudo service apache2 restart
User still receives HTTP 403 error.
ASKER
I have a question. I'm looking at the screenshot the user sent me of the ipconfig /all.
users IP is 172.0.2.5 so
172.0.2.0/24
Should include the User's IP, correct?
Also, don't know if it matters but the error is "FORBIDDEN". You don't have permission to access .......
Should I also add the IP's for the Wireless LAN?
192.168.1.x?
Also, the first line has 10.0.0.0./255.0.0.0. Do I need to add the 255.0.0.0 to the 172.x.x.x/24 IP?
<VirtualHost *:80>
DocumentRoot "/home/webserver/www/internal.mysite.com"
ServerName internal.mysite.com
<Directory "/home/webserver/www/internal.mystie.com">
Require ip 10.0.0.0./255.0.0.0
Require ip 127.0.0.1
Require ip 172.0.2.0/24
</Directory>
</VirtualHost>
Is this simply a typo here or is this a mistake in the conf file?
<Directory "/home/webserver/www/internal.mystie.com">
Notice mystie instead of mysite?
Require ip 10.0.0.0./255.0.0.0
Also this network shouldn't have a trailing '.'
Colin
ASKER
Those are typos. Mysite is NOT the actual site name.
Also 10.0.0.0/255.0.0.0 does not have a period at the end, it is as I just typed it.
ASKER
Just did a test. In the network I can ping the server and perform an NSLook up.
Disconnect from the network and VPN into the network. I can perform nslookup but CAN'T ping the server.
Any idea what the issue is and how to resolve?
Unfortunately the ping test may not help that much, as the VPN design may not permit ping.
It sounds as though there are a lot of issues getting confused here.
The fact that you get a valid HTTP response from the web server whilst connected to the VPN means you are connecting to the server and getting a valid response (albeit not the response you want). It doesn't look like a problem with the VPN, more like a httpd config issue.
To test if you are looking at the correct conf details you could remove all the restrictions (comment out all the require lines) and restart Apache. That should then allow access, if you still get permission denied then there is most likely another setting in a conf file (or another .htaccess in the destination directory).
ASKER
If I change
<VirtualHost *:80>
DocumentRoot "/home/webserver/www/internal.mysite.com"
ServerName internal.mysite.com
<Directory "/home/webserver/www/internal.mystie.com">
Require ip 10.0.0.0./255.0.0.0
Require ip 127.0.0.1
Require ip 172.0.2.0/24
</Directory>
</VirtualHost>
To
<VirtualHost *:80>
DocumentRoot "/home/webserver/www/internal.mysite.com"
ServerName internal.mysite.com
<Directory "/home/webserver/www/internal.mystie.com">
Require all granted
</Directory>
</VirtualHost>
The "Require all" allows me to reach the website. When I add the IP's again I am blocked.
Then I'd guess you have not been given the correct IP address of the VPN device.
If you look at the request logs for the webserver you will see the IP address that is being used by the VPN client, as it will log it's access.
Once you know what IP it is you can add it to the configuration to get security back.
Colin
ASKER
The IT Dept says they gave me the correct IP address for the VPN.
Can you tell me where the request log is so I can check?
It is definitely blocking the IP of the VPN I believe.
ASKER
The IT Dept says that it could be an LDAP issue blocking the VPN. Is that possible?
It will be listed in the Apache .conf file, can be anywhere depending on who set it up.
Look in the .conf file for any error log paths.
The Virtual host section could have its own, or it could be using a single log file, but it will be in there somewhere - or you could send me the file and I'll tell you where the logs are.
And don't forget it is not the IP address of the VPN physical device, it is the IP address given to the client when accessing your LAN via the VPN (unless it is a site-site VPN instead of a dial-in VPN). If it is a site-site VPN then the IP address used will be whatever the remote user setup their end.
Colin
ASKER
Ok, this is what I did. I went to site http://www.showmemyip.com/. I took the IP that is displayed there and added it:
<VirtualHost *:80>
DocumentRoot "/home/webserver/www/internal.mysite.com"
ServerName internal.mysite.com
<Directory "/home/webserver/www/internal.mystie.com">
Require ip 10.0.0.0./255.0.0.0
Require ip 127.0.0.1
Require ip 172.0.2.0/24
Require ip 166.0.0.0/24 (as an example).
</Directory>
</VirtualHost>
The above 166.x.x.x addition allows me to access the site. I shouldn't have to do this, correct?
Will the 166.x.x.x IP change? Can it ever be, let's say 125.x.x.x?
Going to a website won't show you your IP address, it will show the public interface used by whatever setup you are running.
The webserver logs will show exactly what IP's are requesting data.
Look in the http access log, find the correct IP (may need to tail it while refreshing the browser) then add that IP (or the whole subnet if preferred) to the restrictions.
Colin
ASKER
Ok, I'm not a network person and thumbing through apache.
Can you please tell me where is the "webserver log"? Is that the name of the log?
Where is the http access log? What is tail it? The whole subnet is 255.x.x.x?
The log file locations are usually listed as CustomLog, eg:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /path/to/log/file combined
If you look for the Access Log the filename will usually be something like access_log - the path will tell you where it is.
These logs get big, so you'll need to make a request from the VPN user, then grab the logs a few seconds later.
Then look towards the end of the log for the URL that you requested. It should list the IP the request came from. That's the IP to add to the access restrictions found earlier.
Colin
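As an added example (not from the original thread), the Python script below does offline what Colin describes above: it parses combined-format access-log lines, keeps the requests for a given path, and checks each client address against the same Require ip arguments from the vhost, using the forms mod_authz_host accepts (full address, partial address such as 10 or 10.1, CIDR, and netmask form such as 10.0.0.0/255.0.0.0). It also strips the stray trailing dot from the 10.0.0.0./255.0.0.0 line. The log lines and every address in them are constructed placeholders; on the real server you would feed it the end of the CustomLog file (tail -n 50 /var/log/apache2/access.log, or tail -f to follow the file live while the VPN user refreshes the page). It also settles the earlier question about the /24: 172.0.2.5 is inside 172.0.2.0/24, so if that user is still denied, the address Apache sees is not 172.0.2.5.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_combined(line):
    """Return (client_ip, request_path, final_status) for one log line, or None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return m.group("host"), m.group("path"), int(m.group("status"))


def require_ip_network(spec):
    """Convert one 'Require ip' argument into an ip_network.

    mod_authz_host accepts a full address (127.0.0.1), a partial address
    (10 or 10.1, meaning the leading octets), CIDR (172.0.2.0/24) and the
    netmask form (10.0.0.0/255.0.0.0). A trailing '.' on an octet group,
    as in the typo '10.0.0.0./255.0.0.0', is dropped here.
    """
    parts = [p.strip(".") for p in spec.strip().split("/")]
    if len(parts) == 1:
        octets = parts[0].split(".")
        if len(octets) < 4:  # partial address: pad with zeros, prefix = 8 bits per octet
            parts = [".".join(octets + ["0"] * (4 - len(octets))), str(8 * len(octets))]
    return ipaddress.ip_network("/".join(parts), strict=False)


def matching_rule(client_ip, rules):
    """Mimic the implicit <RequireAny> of a <Directory> block: return the first
    rule whose network contains client_ip, or None (Apache answers 403)."""
    addr = ipaddress.ip_address(client_ip)
    for spec in rules:
        if addr in require_ip_network(spec):
            return spec
    return None


def audit(log_lines, rules, path_prefix="/"):
    """Pair every request under path_prefix with the rule that admits its client."""
    report = []
    for line in log_lines:
        parsed = parse_combined(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if not path.startswith(path_prefix):
            continue
        report.append({"ip": ip, "path": path, "status": status,
                       "rule": matching_rule(ip, rules)})
    return report


def denied_clients(report):
    """Distinct client addresses that no rule admits, with their request counts."""
    return Counter(row["ip"] for row in report if row["rule"] is None)


# Constructed sample log lines (placeholders, not taken from the real server).
SAMPLE_LOG = """\
10.20.30.40 - - [01/Mar/2017:09:20:11 -0500] "GET /items HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
172.0.2.5 - - [01/Mar/2017:09:24:02 -0500] "GET /items HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
166.10.20.30 - - [01/Mar/2017:09:26:53 -0500] "GET /items HTTP/1.1" 403 289 "-" "Mozilla/5.0"
166.10.20.30 - - [01/Mar/2017:09:27:10 -0500] "GET /items/ HTTP/1.1" 403 289 "-" "Mozilla/5.0"
10.20.30.40 - - [01/Mar/2017:09:28:00 -0500] "GET /phones HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

# The Require ip arguments from the vhost posted in this thread, typo included.
RULES = ["10.0.0.0./255.0.0.0", "127.0.0.1", "172.0.2.0/24"]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG, RULES, "/items")
    for row in report:
        print(row)
    print("denied clients:", dict(denied_clients(report)))
```

A client listed with rule None is the address you actually need to account for. If it is a public address (as the 166.x.x.x case above), the remote user's traffic is not reaching the server through the VPN-assigned address, and that is what to fix; adding that public /24 to the restrictions admits the whole ISP block, not just your user.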
ASKER
I have a question about VPN's. When you log into a VPN you are in the network, correct? Users are using OpenVPN to log in.
On my apache server for my website I added user's IP Require ip 166.0.0.0/24 (as an example). I have to do this for multiple users.
When logged in the VPN shouldn't it allow you to access websites inside the network? Will I still need to add the user's IP to allow them access in addition to the VPN IP?
Example
<VirtualHost *:80>
DocumentRoot "/home/webserver/www/internal.mysite.com"
ServerName internal.mysite.com
<Directory "/home/webserver/www/internal.mysite.com">
Require ip 10.0.0.0./255.0.0.0
Require ip 127.0.0.1
Require ip 172.0.2.0/24 (VPN)
Require ip 166.0.0.0/24 (User IP as an example).
</Directory>
</VirtualHost>
There are many ways of configuring VPN's, and there are many different types of VPN. This means there are a lot of different options for what IP is assigned to the user, or used by the user.
You need to find the request in the request_log and add that IP to the directory restriction in the .conf file.
ASKER
Where is the request_log?
This is the correct answer, but the user did not understand operation of the webserver that needs re-configuring.
ASKER
"you may need to add the remote LAN IP to the restrictions"
I will look for .htaccess. How do I find Server Directives?
Thanks