Posted to users@httpd.apache.org by o haya <oh...@yahoo.com> on 2011/02/10 00:56:22 UTC

[users@httpd] Problem configuring proxy (forbidden error locally)

 
We are trying to use the Apache (2.0.x) that comes with Redhat to reverse-proxy. 
 
We have a pretty simple configuration.  Basically, we have just 1 <VirtualHost>, with a bunch of ProxyPass/ProxyPassReverse directive-pairs, in <Location> sections, e.g.: 
 
<Location /Foo> 
ProxyPass http://test.host.com/Foo 
ProxyPassReverse http://test.host.com/Foo 
</Location> 
 
However, when we try to browse to http://proxy.host.com/Foo, we get a 403/Forbidden response.
 
We know from looking at the logs on test.host.com that nothing is hitting it, but we have also confirmed, by various tests that we've done, that we can connect and communicate with test.host.com from the proxy machine, so the 403 is coming from the Apache proxy itself (e.g., we can telnet to test.host.com from the proxy machine and do a "GET" manually, and get a response).  
 
We normally build our own Apache binaries, and usually don't have a problem setting up a proxy, so I was wondering if there is something about using the Apache from the RPM that needs to be configured "differently" to avoid getting this 403/Forbidden problem with proxy inside a VirtualHost?
 
Thanks, 
Jim 


      

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Problem solved was Re: [users@httpd] Problem configuring proxy (forbidden error locally)

Posted by o haya <oh...@yahoo.com>.
Hi,

We figured out the problem.

As mentioned earlier, we were using the Redhat Apache 2.0.52 (httpd) RPM.

Apparently, that doesn't come with mod_ssl support (either built-in or DSO), but we had the ProxyPass/ProxyPassReverse directives pointing to SSO/https URLs, i.e., the Apache2 had no support for SSL at all.

We modified the ProxyPass/ProxyPassReverse directives to point to non-SSL URLs, and that eliminated the 403/Forbidden errors.

So, the bottom line was that pointing the ProxyPass/ProxyPassReverse to SSL URLs, when the Apache didn't have SSL support, causes Apache2 to respond with 403/Forbidden responses...

Thanks,
Jim
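
The root cause reported above, turned into a check that can be run against a configuration (an added example, not part of the original post and not an Apache project tool): it flags `ProxyPass` targets that use `https://` when no `SSLProxyEngine On` is present, reports the `http://` workaround as a cleartext proxy-to-backend hop, and reports a live `ProxyRequests On`. The function name, finding labels and sample config are constructed for illustration, and directives are evaluated file-wide rather than per `<VirtualHost>`.

```sh
#!/bin/sh
# Added example: lint httpd config files for the reverse-proxy issues in this thread.
# Simplification (assumption): directives are evaluated file-wide, not per <VirtualHost>.

# audit_proxy_conf [FILE...]   (reads stdin when no file is given)
# Prints one finding per line; prints nothing when nothing is flagged.
audit_proxy_conf() {
    awk '
    function loc() {
        return (FILENAME == "" || FILENAME == "-" ? "stdin" : FILENAME) ":" FNR
    }
    NF == 0 || $1 ~ /^#/ { next }        # blank lines and commented-out directives
    { d = tolower($1) }                  # directive names are case-insensitive
    d == "sslproxyengine" && tolower($2) == "on" { ssl_on = 1 }
    d == "proxyrequests" && tolower($2) == "on" {
        print "FORWARD_PROXY_ON " loc() " ProxyRequests On; a reverse proxy wants Off"
    }
    d == "proxypass" {
        # The backend URL is the first argument that carries a scheme.
        for (i = 2; i <= NF; i++) {
            u = tolower($i); gsub(/"/, "", u)
            if (u ~ /^https:\/\//) { https[++nh] = loc() " " $i; break }
            if (u ~ /^http:\/\//)  { print "CLEARTEXT_BACKEND " loc() " " $i; break }
        }
    }
    END {
        # https backends only work when mod_ssl is present and SSLProxyEngine is On.
        if (!ssl_on)
            for (i = 1; i <= nh; i++)
                print "HTTPS_BACKEND_NO_SSL " https[i] " needs mod_ssl and SSLProxyEngine On"
    }
    ' "$@"
}

# Constructed sample mirroring the thread: an https backend, no SSLProxyEngine,
# and the stock forward-proxy stanza left commented out.
sample_conf_thread() {
    cat <<'EOF'
#<IfModule mod_proxy.c>
#ProxyRequests On
#</IfModule>
<VirtualHost *:80>
    <Location /Foo>
        ProxyPass https://test.host.com/Foo
        ProxyPassReverse https://test.host.com/Foo
    </Location>
</VirtualHost>
EOF
}

# Demo run on the constructed sample.
sample_conf_thread | audit_proxy_conf
```

When the configuration is split across files, pass them together (for example httpd.conf and ssl.conf) so an `SSLProxyEngine On` in one file is seen alongside a `ProxyPass` in another.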






Re: [users@httpd] Problem configuring proxy (forbidden error locally)

Posted by o haya <oh...@yahoo.com>.
Hi,

BTW, to help guide me on what to look for, my understanding is that there are basically two things that can cause Apache to provide the 403/Forbidden response:

- Linux permissions
- Something in the Apache .conf files that sets a "deny"

For the former, and assuming that we don't have any local resources in the <VirtualHost>s (i.e., no <DocumentRoot>), and only a bunch of ProxyPass/ProxyPassReverse directives, I think that the <VirtualHost> would "inherit" the <DocumentRoot> from the server configuration, so what we'd have to do is to look at where the <DocumentRoot> is pointing to, and confirm that the user and group specified in the User and Group directives in the Apache .conf files have read/write/execute perms on that and all of its parent directories.

Is that correct?

For the latter, we need to look for all "deny", and check that none of them apply to the <Location> directives in the <VirtualHost> sections.

Is that correct?

Thanks,
Jim




Re: [users@httpd] Problem configuring proxy (forbidden error locally)

Posted by o haya <oh...@yahoo.com>.
Eric,

Sorry for that.  The system is at work, so I'll have to get that tomorrow.

Jim




Re: [users@httpd] Problem configuring proxy (forbidden error locally)

Posted by Eric Covener <co...@gmail.com>.
On Wed, Feb 9, 2011 at 8:26 PM, o haya <oh...@yahoo.com> wrote:
>
> Hi Eric and Igor,
> The Apache proxy logs show "403" errors.

Don't paraphrase the logs. Include them verbatim in your response.



Re: [users@httpd] Problem configuring proxy (forbidden error locally)

Posted by o haya <oh...@yahoo.com>.
Hi,
According to:
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxyrequests
the default for ProxyRequests is "Off"?
Jim

--- On Wed, 2/9/11, Igor Cicimov <ic...@gmail.com> wrote:

From: Igor Cicimov <ic...@gmail.com>
Subject: Re: [users@httpd] Problem configuring proxy (forbidden error locally)
To: users@httpd.apache.org
Date: Wednesday, February 9, 2011, 9:56 PM

First un-comment the 

#ProxyRequests On

and make it 

ProxyRequests Off


if you want to run reverse proxy.


Re: [users@httpd] Problem configuring proxy (forbidden error locally)

Posted by Igor Cicimov <ic...@gmail.com>.
First un-comment the

#ProxyRequests On

and make it

ProxyRequests Off

if you want to run reverse proxy.


Re: [users@httpd] Problem configuring proxy (forbidden error locally)

Posted by o haya <oh...@yahoo.com>.
Hi Eric and Igor,

The Apache proxy logs show "403" errors.

I've been hunting down all the deny/allows and <Directory> directives/sections, and these are all that I found in the httpd.conf:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order Allow,deny
    Allow from all
</Directory>

<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

<Directory "/var/www/error">
    AllowOverride None
    Options IncludeNoExec
    AddOutputFilter Include html
    AddHandler type-map var
    Order allow,deny
    Allow from all
    LanguagePriority en es de fr
    ForceLanguagePriority Prefer Fallback
</Directory>

My understanding is the above would only apply to physical directories on the proxy machine, plus it doesn't seem like any of them would cause a "deny"?

There's also an <IfModule>:

#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Proxy>

But, that was commented out already in the httpd.conf, so it wouldn't affect anything?

I think that if I uncommented that <IfModule>, and changed it to allow:

<IfModule mod_proxy.c>
#ProxyRequests On

<Proxy *>
    Order allow,deny
    Allow from all
</Proxy>

that might fix the problem, but, and maybe I'm being stubborn, I'd really rather find exactly what is causing the deny (it always worries me when I don't understand exactly why something is not doing what I think it should).

This is Apache 2.0.x, so there's not the "extras" directory and files, just the httpd.conf and ssl.conf, so any ideas about what ELSE might be causing JUST the proxying to get a deny (note: we CAN access resources that are LOCAL on the proxy Apache server).

Thanks,
Jim


Re: [users@httpd] Problem configuring proxy (forbidden error locally)

Posted by Igor Cicimov <ic...@gmail.com>.
have you tried the Order statement and putting "Allow from All" ?

On Thu, Feb 10, 2011 at 11:07 AM, Eric Covener <co...@gmail.com> wrote:

> > so the 403 is coming from the Apache proxy itself
>
> What do the proxy logs say?
>

Re: [users@httpd] Problem configuring proxy (forbidden error locally)

Posted by Eric Covener <co...@gmail.com>.
> so the 403 is coming from the Apache proxy itself

What do the proxy logs say?
