HTTP 403 - VPN can't access internal website

Have a user who is VPNing into network.  When they do they try to access a site (e.g. internal.mysite.com/items).  They are unable to access the site.  They receive an HTTP 403 error.

The site is hosted on a Linux web server.
CipherISAsked:

Colin_UKCommented:
Hi,

Does the webserver have any type of IP address restriction either by .htaccess or Server Directives?
If so, depending on your VPN Infrastructure, you may need to add the remote LAN IP to the restrictions.

Hope this helps
Colin
0

CipherISAuthor Commented:
Can you please explain

"you may need to add the remote LAN IP to the restrictions"

I will look for .htaccess.  How do I find Server Directives?

Thanks
0
CipherISAuthor Commented:
This is what is in the .htaccess file.

Options -Indexes

RewriteEngine On
RewriteBase /

RewriteRule	^network(.*)$  /modules/network/  [NC]
RewriteRule	^network/(.*)$  /modules/network/$1  [NC]
RewriteRule	^phones(.*)$  /modules/internalpbx/  [NC]
RewriteRule	^phones/(.*)$  /modules/internalpbx/$1  [NC]
RewriteRule	^bsp(.*)$  /modules/bsp/  [NC]

RewriteRule	^itemsregion(.*)$  /modules/itemsregion/  [NC]
RewriteRule	^webissues(.*)$  /modules/webissues/  [NC]

0
GammelgaardFreelancer - IT SpecialistCommented:
Make sure the domain-name part of the URL users want to access is the same shown in browser address bar after clicking:
If he wants to access  internal.mysite.com/items it should also show that in browser address bar. I assume he is able to see correct page at  internal.mysite.com/ ?

Also make sure that client can translate domain-name part via his DNS - he should be using internal DNS servers to lookup internal domain-names and hostnames.

If all of these are correct, it might just be a matter of flushing the DNS cache on client computer - in windows terminal:
ipconfig -flushdns
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Most probably DNS resolution is still external, not internal, as hinted above.
I would test with   nslookup internal.mysite.com    and see to which IP it resolves.
0
CipherISAuthor Commented:
I don't understand most of what was suggested.  Not a network person.  

User logs into Wifi using the GUEST connection.  
User VPN's into the network.
User attempts to access website and receives below 403 error.

403
I did use nslookup internal.mysite.com and the result was
Server:  Unknown
Address:  xx.xx.x.x

Non-authoritative answer:
Name:  internal.mysite.com
Address:  xx.xxx.xxx.xx

The site is on a Linux (Ubuntu) Server.  How can I check to see if the user's IP is blocked.  User is located in another country.
0
GammelgaardFreelancer - IT SpecialistCommented:
So you did the nslookup on the machine with the error, right? The IP address is the correct one?

Which web server is running on the Ubuntu? Apache, nginx? You should check the config file for the site, for apache it should be in /etc/apache2/sites-available/your-config-file  
Under the <Directory> setting, it is possible to secure on IP addresses

Also, check if there is a .htaccess file for your site - for apache this should be in /var/www/yoursite/.htaccess
0
CipherISAuthor Commented:
Yes, nslookup on the machine with error.  I can access the site but I'm internal.  User who is external using VPN can't access the site.

I checked the .htaccess and posted it above.  

How do I check if it is running Ubuntu, Apache?  I believe it is Ubuntu.  The connection was named Ubuntu in FileZilla.

What do you mean by
"it is possible to secure on IP address"?

How can I check to see if the User's IP is blocked from the site?
0
CipherISAuthor Commented:
What is the difference with getting your IP from ipconfig or going to google and typing "My IP"?

If I check to see if the user's IP is blocked (which I don't know how to do yet), which IP am I checking for?  IPConfig or the google IP?
0
CipherISAuthor Commented:
Do you add the persons IP with the following command?

iptables -A INPUT -s xxx.xxx.xx.xxx -j ACCEPT    

If you add their IP with the above command and there is a rule that blocks IP's from their country would that enable the user to access the site?
0
GammelgaardFreelancer - IT SpecialistCommented:
Your .htaccess file is not blocking

In this file
/etc/apache2/sites-available/your-config-file

it is possible to write code that will allow access to the site based on IP addresses, so check that file

The difference is that ipconfig -all shows the windows pc's private IP address, corresponding to the local network it is on - the other one is the public IP address.. As he is using VPN, he would likely have an adapter with an IP address given by the VPN server - also a private IP address - this one is the one that should be opened for - if site is locked on IP addresses.. And this IP will also be shown with ipconfig -all or maybe in the VPN client software
0
GammelgaardFreelancer - IT SpecialistCommented:
check your iptables config with
iptables -L

if this is on and configured it might be blocking - iptables is a firewall
0
CipherISAuthor Commented:
When I check my iptables config with iptables -L, what am I looking for?

I will get the user to run ipconfig on their machine and send me a screenshot.
0
GammelgaardFreelancer - IT SpecialistCommented:
well, first of all to see if it is enabled and configured with any rules.. if it just shows something like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Then it is not doing any blocking

If there are IP addresses and port numbers all over, it is, and you would have to make a new rule to support the VPN client subnet
0
CipherISAuthor Commented:
Ok, thanks.  As soon as I can get access to the server I will try that.

So, if it matches what you provided then it is a firewall issue, yes?
0
GammelgaardFreelancer - IT SpecialistCommented:
If it matches what I provided, then it is not an issue with iptables firewall in linux
0
CipherISAuthor Commented:
Ok, so NOT an iptables firewall issue.

What is the difference between iptables firewall and firewall?
0
GammelgaardFreelancer - IT SpecialistCommented:
iptables is just the firewall used on ubuntu and many other linux systems.. just like windows has its own firewall, called Windows Firewall..

hmm.. and you checked the configuration file for your site in the /etc/apache2/sites-available/ folder?
0
CipherISAuthor Commented:
I'm trying to get to the configuration file.  

I'm using PuTTY to try to connect to the server.

Let me see if I can find the file via FileZilla.
0
GammelgaardFreelancer - IT SpecialistCommented:
Also, some more basic troubleshooting:

ping internal.mysite.com

tracert internal.mysite.com

and make sure that the IP address that it writes in the outcomes is the same as you would expect your internal server to use - eg. not a public one
0
CipherISAuthor Commented:
Using filezilla I checked

www (root)
www/internal.mysite.com (.htaccess is there)
I checked all subfolders under internal.mysite.com and did NOT see a configuration file.
0
GammelgaardFreelancer - IT SpecialistCommented:
the one I'm looking for is in

/etc/apache2/sites-available/
0
CipherISAuthor Commented:
I did perform the ping earlier and that seemed to work.

tracert is complete.

Don't see any issues with either of the two commands.
0
CipherISAuthor Commented:
Ok, I need to find /etc/apache2/sites-available.

I'll try to find it.  Not showing up in filezilla.
0
GammelgaardFreelancer - IT SpecialistCommented:
Alright, and the IP address stems?

Try

telnet internal.mysite.com 80
and
telnet internal.mysite.com 443
0
CipherISAuthor Commented:
I did

telnet internal.mysite.com 80 and the screen went blank

telnet internal.mysite.com 443 - could not open connection to the host on port 443
0
GammelgaardFreelancer - IT SpecialistCommented:
My last shot would be that config file - it could also be this one:

/etc/apache2/apache2.conf

otherwise do:

apache2ctl -S

on the server - you might need sudo in front of the command

and paste the output here
0
CipherISAuthor Commented:
Ok.  Trying to get the login info and trying to use putty.

In the meantime I had the user run ipconfig.  This is what the user provided.  I should be checking the DNS, correct?  User's DNS is similar to mine.  Starts with 10.

IPConfig
0
GammelgaardFreelancer - IT SpecialistCommented:
well, is similar or same?

try from your pc to ask the dns server mentioned in his ipconfig of the ip address:

nslookup internal.mysite.com his.dns.ip.address
0
CipherISAuthor Commented:
Let's say my ip address is 10.0.0.01, his is 10.0.0.2.

I ran the nslookup internal.mysite.com 10.0.0.2 (example ip) and it returned

Server:  Unknown
Address:  10.0.0.2

Non-authoritative answer:
Name:  internal.mysite.com
Address:  64.xx.xx.xx
0
GammelgaardFreelancer - IT SpecialistCommented:
Alright... so 10.0.0.2 is his dns server and 10.0.0.1 is yours?

an address starting with 64 is not an internal private one... is this the ip address you use from your side too?
0
CipherISAuthor Commented:
When I type nslookup internal.mysite.com with my ip (10.0.0.1 - example)  I receive

Server:  servername(I think).mysite.local
Address:  10.0.0.1

Non-authoritative answer:
Name:  internal.mysite.com
Address:  64.xx.xx.xx

I noticed I used the DHCP server IP and not DNS IP when running my IP
0
CipherISAuthor Commented:
When I use my DNS IP I get a similar result as the user

Server:  unknown
Address:  10.0.0.1

Non-authoritative answer:
Name:  internal.mysite.com
Address:  64.xx.xx.xx
0
GammelgaardFreelancer - IT SpecialistCommented:
Okay

On the computer where you can access the site, do
ping the.server.name.you.want.to.test
and
nslookup the.server.name.you.want.to.test

Compare these, and compare with the ones from the computer that can't reach the site

If all IP addresses are correct, it is not DNS issue

I have to ask, if you are actually trying to reach a site called internal.mysite.com?
0
CipherISAuthor Commented:
no.  Mysite is replaced with the actual name.  It is internal.xxxxxx.com.
0
GammelgaardFreelancer - IT SpecialistCommented:
could you please list results from the commands, for both working and not working machine?
0
CipherISAuthor Commented:
I don't have access to the users computer but I'm comparing my ipconfig to theirs.

The DNS Server is exactly the same:

10.0.0.1 (example)

The DHCP Server is different

Theirs 172.xx.xx.xx
Mine 10.x.x.x
0
GammelgaardFreelancer - IT SpecialistCommented:
we still haven't looked in the apache config file?
0
CipherISAuthor Commented:
No, trying to log into the server.  Waiting for credentials.
0
GammelgaardFreelancer - IT SpecialistCommented:
Alright alright :)
0
CipherISAuthor Commented:
I was provided the credentials and seem to be having issues logging in with putty.

When I type nslookup internal.mysite.com  I get

Server:  Unknown
Address: 10.xx.xx.3

Non-authoritative answer:
Name:  internal.mysite.com
Address: 64.xxx.xxx.xxx

When I connect to putty and select an existing profile and load it it states the ip is 10.xx.xx.13.  

Unable to use credentials (access denied via putty.)

I'm told those are the correct credentials but I can't login with them.  I tried typing them in and copy and Right-click for pasting.  No success.
0
GammelgaardFreelancer - IT SpecialistCommented:
You probably shouldn't use a profile in putty, but just type in the ip address or hostname and connect directly

Where was this nslookup performed from?
0
CipherISAuthor Commented:
nslookup is performed from my machine.  The profile in putty was created by someone else.
0
GammelgaardFreelancer - IT SpecialistCommented:
I ask you to not use the profile in putty. Just write the IP of the server and hit connect - you know the Ubuntu server IP address, don't you?
0
CipherISAuthor Commented:
Still trying to get the credentials to log onto the server.
0
CipherISAuthor Commented:
Yes.  I also tried it without the profile in putty.  I'm getting an access denied with the credentials I was provided.  Still trying to get the correct credentials.  

When I put the IP with port 22 it does provide me with login.
0
Colin_UKCommented:
It still sounds like the webserver is responsible for the forbidden message. Could you post your httpd.conf file here?
Will need to list the main httpd.conf and any ssl.conf or virtualhosts.conf if in separate files.

Colin
0
CipherISAuthor Commented:
I'm trying to get access to the IPTables and files.  I can't see them in Filezilla.  I'm trying to log onto the server.  As soon as I can login I will post those files.

Thanks
0
Colin_UKCommented:
oo, my last post didn't appear - I'll say it again, sorry if 2 suddenly appear.

This issue is not firewall (IPtables) as you are getting a valid response from the webserver.
This issue is not routing/DNS related as you are getting a valid response from the webserver.

The response is HTTP 403 which indicates a permissions problem for the requested URL.

If I can see the webserver configuration files (all of them, as this setting can be placed anywhere).
If it's running Apache webserver then the config files are normally named with .conf extensions. Can you post these?

The other piece of info that would be helpful is to know whether the VPN connection is Dial In user or Site-Site type?

Colin
0
CipherISAuthor Commented:
I'm trying to get the files.

An update.

I had another user who is located in the same office as I attempt to access the website.  He is working remotely today and tried it and he also receives the 403 error.

So, when the user is here he can access the site but when he is connected VPN he receives forbidden.
0
CipherISAuthor Commented:
Ok, finally got credentials.  Error.log says

[Wed Mar 01 09:26:53.012926 2017] [authz_core:error] [pid 2929] [client xx.xx.xx.xx:1160] AH01630: client denied by server configuration: /home/webserver/www/internal.mysite.com/items

Looking for other files.
0
CipherISAuthor Commented:
This is the app being used to VPN in.

VPN
0
GammelgaardFreelancer - IT SpecialistCommented:
If you have access now, would you please write following commands:

cat /etc/apache2/apache2.conf
ls /etc/apache2/sites-enabled

and post both outputs here
0
CipherISAuthor Commented:
cat /etc/apache2/apache2.conf
Result -> Permission Denied

ls /etc/apache2/sites-enabled
Result -> 000-default.conf
0
GammelgaardFreelancer - IT SpecialistCommented:
Okay, put 'sudo' in front of the first command, without the '

And also show us output of

sudo cat /etc/apache2/sites-available/000-default.conf
0
CipherISAuthor Commented:
000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

0
GammelgaardFreelancer - IT SpecialistCommented:
And the other file please
0
CipherISAuthor Commented:
Here is the other (attached).  I saw in the text file the following.  (Changed some values).  Looks like it is blocking the VPN IP?
<VirtualHost *:80>
        DocumentRoot "/home/webserver/www/internal.mysite.com"
        ServerName internal.mysite.com
        <Directory "/home/webserver/www/internal.mysite.com">
                Require ip 10.0.0.0/255.0.0.0
                Require ip 127.0.0.1
        </Directory>
</VirtualHost>

conf.txt
0
GammelgaardFreelancer - IT SpecialistCommented:
Exactly what you there it finally is

Put

Require ip and the ip of your VPN subnet just under the last line
0
CipherISAuthor Commented:
With the SUDO code I will be able to update and save?
0
GammelgaardFreelancer - IT SpecialistCommented:
And restart apache

sudo systemctl daemon-reload
And
sudo service apache2 restart
0
GammelgaardFreelancer - IT SpecialistCommented:
okay you do

sudo nano /etc/apache2/apache2.conf

then put a new require ip line for your vpn subnet

hit ctrl+x and then Y for save

now use the two commands from above to restart apache
0
GammelgaardFreelancer - IT SpecialistCommented:
Did it finally work? Can I ask you to check answer as correct if that is the case?
0
CipherISAuthor Commented:
I was out yesterday.  Working on it now.  So, what I received from IT is the below IP for the VPN subnet

172.0.2.0/24 (example)

Do I just add it as displayed above with the /24?  It isn't 24.0.0.0?

Just want to make sure I entered it correctly before I reload and restart.  I entered 172.0.2.0/24.

Thanks
0
Colin_UKCommented:
Yes 172.0.2.0/24 is the correct format (it will allow 172.0.2.1 - 172.0.2.254 inclusive)
Colin
0
CipherISAuthor Commented:
I ran below

sudo systemctl daemon-reload

And received "systemctl" not found.

Can I just run sudo service apache2 restart ?
0
Colin_UKCommented:
depends which Linux distro it is.
Centos and possibly others can do
sudo service httpd restart
0
CipherISAuthor Commented:
So do I run

sudo service apache2 restart

and not worry about

sudo systemctl daemon-reload

or is there something else I need to run before sudo service apache2 restart

Thanks
0
Colin_UKCommented:
No, as long as you've edited the conf file to add the extra IP.
Then restart Apache using whatever is required for your Linux version (if you don't know restarting the whole server will do ;) )

Colin
0
CipherISAuthor Commented:
Ok, followed all of the above instructions.  Trying to get a user to test.
0
CipherISAuthor Commented:
Seems to still not be working.  I added the IP

<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory
</VirtualHost>

Restarted with sudo service apache2 restart

User still receives HTTP 403 error.
0
CipherISAuthor Commented:
I have a question.  I'm looking at the screenshot the user sent me of the ipconfig /all.

users IP is 172.0.2.5 so

172.0.2.0/24  

Should include the User's IP, correct?

Also, don't know if it matters but the error is "FORBIDDEN".  You don't have permission to access .......

Should I also add the IP's for the Wireless LAN?
192.168.1.x?

Also, the first line has 10.0.0.0./255.0.0.0.  Do I need to add the 255.0.0.0 to the 172.x.x.x/24 IP?

<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mystie.com">
       Require ip 10.0.0.0./255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory
</VirtualHost>
0
Colin_UKCommented:
Is this simply a typo here or is this a mistake in the conf file?

<Directory "/home/webserver/www/internal.mystie.com">
Notice mystie instead of mysite?

Require ip 10.0.0.0./255.0.0.0
Also this network shouldn't have a trailing '.'


Colin
0
CipherISAuthor Commented:
Those are typos.  Mysite is NOT the actual site name.

Also 10.0.0.0/255.0.0.0 does not have a period at the end it is as I just typed it.
0
CipherISAuthor Commented:
Just did a test.  In the network I can ping the server and perform an NSLook up.

Disconnect from the network and VPN into the network.  I can perform nslookup but CAN'T ping the server.

Any idea what the issue is and how to resolve?
0
Colin_UKCommented:
Unfortunately the ping test may not help that much, as the VPN design may not permit ping.
It sounds as though there are a lot of issues getting confused here.

The fact that you get a valid HTTP response from the web server whilst connected to the VPN means you are connecting to the server and getting a valid response (albeit not the response you want). It doesn't look like a problem with the VPN, more like a httpd config issue.

To test if you are looking at the correct conf details you could remove all the restrictions (comment out all the require lines) and restart Apache. That should then allow access, if you still get permission denied then there is most likely another setting in a conf file (or another .htaccess in the destination directory).
0
CipherISAuthor Commented:
If I change
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mysite.com">
       Require ip 10.0.0.0/255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
   </Directory>
</VirtualHost>

To
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mysite.com">
       Require all granted
   </Directory>
</VirtualHost>

The required all allows me to reach the website.  When I add the IP's again I am blocked.
0
Colin_UKCommented:
Then I'd guess you have not been given the correct IP address of the VPN device.

If you look at the request logs for the webserver you will see the IP address that is being used by the VPN client, as it will log its access.

Once you know what IP it is you can add it to the configuration to get security back.

Colin
0
CipherISAuthor Commented:
The IT Dept says they gave me the correct IP address for the VPN.

Can you tell me where the request log is so I can check?

It is definitely blocking the IP of the VPN I believe.
0
CipherISAuthor Commented:
The IT Dept says that it could be an LDAP issue blocking the VPN.  Is that possible?
0
Colin_UKCommented:
It will be listed in the Apache .conf file, can be anywhere depending on who set it up.
Look in the .conf file for any error log paths.

The Virtual host section could have its own, or it could be using a single log file, but it will be in there somewhere - or you could send me the file and I'll tell you where the logs are.

And don't forget it is not the IP address of the VPN physical device, it is the IP address given to the client when accessing your LAN via the VPN (unless it is a site-site VPN instead of a dial-in VPN). If it is a site-site VPN then the IP address used will be whatever the remote user setup their end.

Colin
0
CipherISAuthor Commented:
Ok, this is what I did.  I went to site http://www.showmemyip.com/.  I took the IP that is displayed there and added it

<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mysite.com">
       Require ip 10.0.0.0/255.0.0.0
       Require ip 127.0.0.1
       Require ip 172.0.2.0/24
       # as an example
       Require ip 166.0.0.0/24
   </Directory>
</VirtualHost>

The above 166.x.x.x addition allows me to access the site.  I shouldn't have to do this, correct?

Will the 166.x.x.x IP change?  Can it ever be, let's say 125.x.x.x?
0
Colin_UKCommented:
Going to a website won't show you your IP address, it will show the public interface used by whatever setup you are running.
The webserver logs will show exactly what IP's are requesting data.

Look in the http access log, find the correct IP (may need to tail it while refreshing the browser) then add that IP (or the whole subnet if preferred) to the restrictions.

Colin
0
CipherISAuthor Commented:
Ok, I'm not a network person and thumbing through apache.  

Can you please tell me where is the "webserver log"?  Is that the name of the log?

Where is the http access log?  What is tail it?  The whole subnet is 255.x.x.x?
0
Colin_UKCommented:
The log file locations are usually listed as CustomLog, eg:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /path/to/log/file combined


If you look for the Access Log the filename will usually be something like access_log - the path will tell you where it is.

These logs get big, so you'll need to make a request from the VPN user, then grab the logs a few seconds later.
Then look towards the end of the log for the URL that you requested. It should list the IP the request came from. That's the IP to add to the access restrictions found earlier.

Colin
0
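An added example, not written by any participant in this thread: a Python sketch of the check described above, which pulls the client addresses out of AH01630 denial lines and tests them against the Require ip entries of the posted <Directory> block. The log lines and client addresses are constructed, and `explain`, `parse_require_ip`, `denied_clients`, `to_network` and the finding labels are names chosen for this example.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges, where a VPN-assigned client address normally lives.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The authz_core denial line quoted in the thread (client address, then port).
DENIED = re.compile(
    r"\[client ([^\]]+):\d+\] AH01630: client denied by server configuration")

# The <Directory> block as posted in the thread (values are the thread's examples).
SAMPLE_CONF = """\
<Directory "/home/webserver/www/internal.mysite.com">
    Require ip 10.0.0.0/255.0.0.0
    Require ip 127.0.0.1
    Require ip 172.0.2.0/24
</Directory>
"""

# Constructed log lines modelled on the thread's entry; client addresses are made up.
DENY_TAIL = ("AH01630: client denied by server configuration: "
             "/home/webserver/www/internal.mysite.com/items")
SAMPLE_LOG = "\n".join(
    "[Wed Mar 01 09:%s 2017] [authz_core:error] [pid 2929] [client %s] %s"
    % (stamp, client, DENY_TAIL)
    for stamp, client in [("26:53.012926", "203.0.113.45:1160"),
                          ("27:10.481203", "203.0.113.45:1174"),
                          ("31:02.220817", "192.168.1.20:50211"),
                          ("33:40.905511", "10.0.0.7:49822")])

def to_network(spec):
    """Turn one 'Require ip' argument into a network; ValueError if malformed."""
    if "/" not in spec and ":" not in spec:
        octets = spec.split(".")
        if len(octets) < 4:  # partial IPv4 address such as '10.1'
            spec = ".".join(octets + ["0"] * (4 - len(octets)))
            spec += "/%d" % (8 * len(octets))
    # Accepts a full address, CIDR, or address/netmask (10.0.0.0/255.0.0.0).
    return ipaddress.ip_network(spec, strict=False)

def parse_require_ip(config_text):
    """Return (networks, malformed arguments) for every 'Require ip' line."""
    networks, malformed = [], []
    for line in config_text.splitlines():
        words = line.split()
        if [w.lower() for w in words[:2]] != ["require", "ip"]:
            continue
        for spec in words[2:]:
            try:
                networks.append(to_network(spec))
            except ValueError:
                malformed.append(spec)
    return networks, malformed

def denied_clients(log_text):
    """Count AH01630 denials per client address as Apache saw it."""
    hits = Counter()
    for match in DENIED.finditer(log_text):
        hits[ipaddress.ip_address(match.group(1))] += 1
    return hits

def explain(config_text, log_text):
    """Per denied client: which listed ranges cover it and what that implies."""
    networks, malformed = parse_require_ip(config_text)
    report = {}
    for addr, count in denied_clients(log_text).items():
        covering = [str(n) for n in networks if addr in n]
        if covering:
            # Listed yet denied: a different config or .htaccess is in effect,
            # or Apache has not been restarted since the edit.
            finding = "listed-but-denied"
        elif any(addr in n for n in RFC1918):
            finding = "private-unlisted"  # internal subnet missing from the list
        else:
            finding = "public-source"  # outside private space, not a typical VPN address
        report[str(addr)] = {"denials": count, "covering": covering, "finding": finding}
    return report, malformed

if __name__ == "__main__":
    report, malformed = explain(SAMPLE_CONF, SAMPLE_LOG)
    for client, info in report.items():
        print(client, info)
    print("malformed Require ip arguments:", malformed)
```

A public-source result means the listed VPN subnet will never match that client; allowing the public range instead admits every host in that range.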
CipherISAuthor Commented:
I have a question about VPN's. When you log into a VPN you are in the network, correct?  Users are using OpenVPN to log in.  

On my apache server for my website I added user's IP Require ip 166.0.0.0/24 (as an example).  I have to do this for multiple users.

When logged in the VPN shouldn't it allow you to access websites inside the network?  Will I still need to add the user's IP to allow them access in addition to the VPN IP?  

Example
<VirtualHost *:80>
   DocumentRoot "/home/webserver/www/internal.mysite.com"
   ServerName internal.mysite.com
   <Directory "/home/webserver/www/internal.mysite.com">
       Require ip 10.0.0.0/255.0.0.0
       Require ip 127.0.0.1
       # VPN
       Require ip 172.0.2.0/24
       # User IP as an example
       Require ip 166.0.0.0/24
   </Directory>
</VirtualHost>
0
Colin_UKCommented:
There are many ways of configuring VPN's, and there are many different types of VPN. This means there are a lot of different options for what IP is assigned to the user, or used by the user.

You need to find the request in the request_log and add that IP to the directory restriction in the .conf file.
0
CipherISAuthor Commented:
Where is the request_log?
0
Colin_UKCommented:
This is the correct answer, but the user did not understand operation of the webserver that needs re-configuring.
0