You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Kaushal Shriyan <ka...@gmail.com> on 2006/02/27 14:38:04 UTC

[users@httpd] Forbidden

Hi

I have this below tag in httpd.conf

<Location /server-status>
   SetHandler server-status
   Order deny,allow
   Deny from all
   Allow from .blue.com
</Location>

when I access http://bdc5353.test.abc.com/server-status
It gives

Forbidden
You don't have permission to access /server-status on this server.

Thanks in Advance

Regards

Kaushal

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Forbidden

Posted by Eugene <li...@fsck.net>.

On Mon, Feb 27, 2006 at 08:24:10AM CST, Kaushal Shriyan <ka...@gmail.com> wrote:
: On 2/27/06, Joshua Slive <jo...@slive.ca> wrote:
: > On 2/27/06, Kaushal Shriyan <ka...@gmail.com> wrote:
: > >
: > > I have this below tag in httpd.conf
: > >
: > > <Location /server-status>
: > >    SetHandler server-status
: > >    Order deny,allow
: > >    Deny from all
: > >    Allow from .blue.com
: > > </Location>
: > >
: > > when I access http://bdc5353.test.abc.com/server-status
: > > It gives
: > >
: > > Forbidden
: > > You don't have permission to access /server-status on this server.
: >
: > What do the error and access logs say?
: 
: [Mon Feb 27 09:07:24 2006] [error] [client 192.168.1.20] client denied by server configuration: /home/qrq/httpd-2.0.55_dir/htdocs/server-status
: 
: below is access logs
: 192.168.1.20 - - [27/Feb/2006:09:07:24 -0500] "GET /server-status HTTP/1.1" 403 398

Your machine, 192.168.1.20, does not resolve to anything in the
BLUE.COM domain.  If your setup is behind some NAT that assigns
your machine a 192.168.* IP address, then you should adjust your
httpd.conf settings and append a "Allow from 192.168" directive
in that <Location> block.


-- 
Eugene

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Forbidden

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

Joshua Slive wrote:
> On 2/27/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> 
>>Isn't 10.10.10. safer than 10.10.10 - given that the later syntax can
>>lead to matching 10.10.10x.xxx - a result that wasn't expected?
> 
> I believe the use of apr_ipsubnet_test in mod_access means that those
> two won't match.  But I haven't tested it.

I'm near certain that in 1.3 they would, so it's a (healthy) habit I guess,
even if the behavior changed in 2.0.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Forbidden

Posted by Joshua Slive <jo...@slive.ca>.

On 2/27/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> Isn't 10.10.10. safer than 10.10.10 - given that the later syntax can
> lead to matching 10.10.10x.xxx - a result that wasn't expected?

I believe the use of apr_ipsubnet_test in mod_access means that those
two won't match.  But I haven't tested it.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Forbidden

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

Isn't 10.10.10. safer than 10.10.10 - given that the later syntax can
lead to matching 10.10.10x.xxx - a result that wasn't expected?

Bill

Joshua Slive wrote:
> On 2/27/06, Jonathan S. Abrams <j....@nutmegaudiopost.com> wrote:
> 
> 
>>Is it possible to use wildcards with IP addresses in that directive?
>>Could you have a line that reads
>>
>>Allow from 123.456.789.***
>>
>>With the goal being that any IP in the *** section that matches
>>123.456.789 is able to check server-status?
> 
> 
> Yes, just use
> Allow from 123.456.789
> 
> This question could be answered by looking in the mod_access docs, by the way.
> 
> Joshua.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> .
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Forbidden

Posted by Joshua Slive <jo...@slive.ca>.

On 2/27/06, Jonathan S. Abrams <j....@nutmegaudiopost.com> wrote:

> Is it possible to use wildcards with IP addresses in that directive?
> Could you have a line that reads
>
> Allow from 123.456.789.***
>
> With the goal being that any IP in the *** section that matches
> 123.456.789 is able to check server-status?

Yes, just use
Allow from 123.456.789

This question could be answered by looking in the mod_access docs, by the way.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Forbidden

Posted by "Jonathan S. Abrams" <j....@nutmegaudiopost.com>.

Joshua Slive wrote:

>On 2/27/06, Kaushal Shriyan <ka...@gmail.com> wrote:
>  
>
>>Hi Joshua
>>
>>[Mon Feb 27 09:07:24 2006] [error] [client 192.168.1.20] client denied
>>by server configuration:
>>/home/qrq/httpd-2.0.55_dir/htdocs/server-status
>>
>>below is access logs
>>192.168.1.20 - - [27/Feb/2006:09:07:24 -0500] "GET /server-status
>>HTTP/1.1" 403                                               398
>>    
>>
>
>  
>
>>>><Location /server-status>
>>>>   SetHandler server-status
>>>>   Order deny,allow
>>>>   Deny from all
>>>>   Allow from .blue.com
>>>></Location>
>>>>        
>>>>
>
>The access_log tells us that the server cannot resolve your IP
>address, so it doesn't match .blue.com.  Try using an IP address in
>the Allow from directive.
>
Is it possible to use wildcards with IP addresses in that directive?  
Could you have a line that reads

Allow from 123.456.789.***

With the goal being that any IP in the *** section that matches 
123.456.789 is able to check server-status?

-Jonathan

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Forbidden

Posted by Joshua Slive <jo...@slive.ca>.

On 2/27/06, Kaushal Shriyan <ka...@gmail.com> wrote:
> Hi Joshua
>
> [Mon Feb 27 09:07:24 2006] [error] [client 192.168.1.20] client denied
> by server configuration:
> /home/qrq/httpd-2.0.55_dir/htdocs/server-status
>
> below is access logs
> 192.168.1.20 - - [27/Feb/2006:09:07:24 -0500] "GET /server-status
> HTTP/1.1" 403                                               398

> > > <Location /server-status>
> > >    SetHandler server-status
> > >    Order deny,allow
> > >    Deny from all
> > >    Allow from .blue.com
> > > </Location>

The access_log tells us that the server cannot resolve your IP
address, so it doesn't match .blue.com.  Try using an IP address in
the Allow from directive.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Forbidden

Posted by Kaushal Shriyan <ka...@gmail.com>.

Hi Joshua

[Mon Feb 27 09:07:24 2006] [error] [client 192.168.1.20] client denied
by server configuration:
/home/qrq/httpd-2.0.55_dir/htdocs/server-status

below is access logs
192.168.1.20 - - [27/Feb/2006:09:07:24 -0500] "GET /server-status
HTTP/1.1" 403                                               398

Regards

Kaushal


On 2/27/06, Joshua Slive <jo...@slive.ca> wrote:
> On 2/27/06, Kaushal Shriyan <ka...@gmail.com> wrote:
> > Hi
> >
> > I have this below tag in httpd.conf
> >
> > <Location /server-status>
> >    SetHandler server-status
> >    Order deny,allow
> >    Deny from all
> >    Allow from .blue.com
> > </Location>
> >
> > when I access http://bdc5353.test.abc.com/server-status
> > It gives
> >
> > Forbidden
> > You don't have permission to access /server-status on this server.
>
> What do the error and access logs say?
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Forbidden

Posted by Joshua Slive <jo...@slive.ca>.

On 2/27/06, Kaushal Shriyan <ka...@gmail.com> wrote:
> Hi
>
> I have this below tag in httpd.conf
>
> <Location /server-status>
>    SetHandler server-status
>    Order deny,allow
>    Deny from all
>    Allow from .blue.com
> </Location>
>
> when I access http://bdc5353.test.abc.com/server-status
> It gives
>
> Forbidden
> You don't have permission to access /server-status on this server.

What do the error and access logs say?

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org