Mark:

On Fri, Nov 12, 2010 at 10:15 AM, Mark Phillips wrote:

> On Fri, Nov 12, 2010 at 2:35 AM, Lisa Kachold wrote:
>
>> On Thu, Nov 11, 2010 at 8:47 PM, Bryan O'Neal <Bryan.ONeal@theonealandassociates.com> wrote:
>>
>>> Ok - let us review what you are accomplishing here -
>>> You deny from everyone (Check)
>>> You Allow from your local lan 192.168.25.x (Check)
>>> You allow from some WAN ip (Fail)
>>> If your web ip is say 72.168.54.32 then that should work - What do you
>>> have in your error logs? If nothing else it should give you the ip
>>> address of what is being blocked so you can compare what you think is
>>> the correct IP - I would say make sure that you do not have a later
>>> allow / deny statement set as Apache believes the last set always wins -
>>> And make sure you restart the service on every conf change ;)
>>>
>>> If you give me the errors I will look at those too.
>>>
>>> On Thu, Nov 11, 2010 at 4:00 PM, Mark Phillips wrote:
>>> > I have a web server at webIP off site. I have a second server for photos
>>> > running a php photo gallery app behind apache at photoIP on my local LAN. I
>>> > have a page on the web server that uses iframes to the photo server's
>>> > images.
>>> >
>>> > I am trying to restrict access to the photo server to requests from the web
>>> > server using apache Allowoverride on the photo server. Here is what I have:
>>> >
>>> > DocumentRoot /var/www/gallery
>>> >
>>> > Options FollowSymLinks
>>> > AllowOverride None
>>> >
>>> > Options Indexes FollowSymLinks MultiViews
>>> > AllowOverride All FileInfo Options
>>> > Order allow,deny
>>> > Deny from all
>>> > # internal access
>>> > Allow from 192.168.25.0/24
>>> > Allow from 127
>>> > # Web server
>>> > Allow from webIP
>>> >
>>> > ErrorLog /var/log/apache2/hammerhead/error.log
>>> >
>>> > # Possible values include: debug, info, notice, warn, error, crit,
>>> > # alert, emerg.
>>> > LogLevel debug
>>> >
>>> > CustomLog /var/log/apache2/access.log combined
>>> >
>>> > I can access the photos from a machine on my local LAN, but not from hosts
>>> > off my LAN. The only way to get it to work is to change Deny from all to
>>> > Allow from all. What am I doing wrong?
>>> >
>>> > Thanks!
>>> >
>>> > Mark
>>
>> Hi Mark;
>>
>> Verify via your access logs after accessing from externally with the Allow
>> all on, that you are presenting with a truly EXTERNAL source address. Some
>> configurations might strip off source address and rewrite header for NAT.
>
> Test #1 - Allow all, access from same LAN as photo server, via the external
> web server: - access allowed to the photos
> 192.168.25.1 - - [12/Nov/2010:09:54:38 -0700] "GET / HTTP/1.1" 200 21440 "
> http://azheatwavesoftball.net/photos" "Mozilla/5.0 (X11; U; Linux x86_64;
> en-US; rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
> 192.168.25.1 - - [12/Nov/2010:09:54:40 -0700] "GET
> /var/thumbs/Game-10-21-2011/.album.jpg?m=1289170124 HTTP/1.1" 304 - "
> http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
> rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
> 192.168.25.1 - - [12/Nov/2010:09:54:40 -0700] "GET
> /var/thumbs/10-25-2011/.album.jpg?m=1289170158 HTTP/1.1" 304 - "
> http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
> rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
> 192.168.25.1 - - [12/Nov/2010:09:54:40 -0700] "GET
> /var/thumbs/10-28-2011/.album.jpg?m=1289170174 HTTP/1.1" 304 - "
> http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
> rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
>
> Test #2 Allow all, access from external browser over internet via web
> server - access allowed to the photos
> 64.255.180.191 - - [12/Nov/2010:10:04:31 -0700] "GET / HTTP/1.1" 200 10286
> "http://www.azheatwavesoftball.net/photos" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:32 -0700] "GET
> /index.php/combined/javascript/4b582c13e016ee148d2deee42299be4a HTTP/1.1"
> 200 71962 "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:32 -0700] "GET /lib/images/logo.png
> HTTP/1.1" 200 10222 "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP;
> Opera Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:32 -0700] "GET
> /index.php/combined/css/dc455552ce6612b070d7db2abcf6fc54 HTTP/1.1" 200 14588
> "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/10-25-2011/.album.jpg?m=1289170158 HTTP/1.1" 200 25767 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/Game-10-17-2010/.album.jpg?m=1289170105 HTTP/1.1" 200 33033 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/10-28-2011/.album.jpg?m=1289170174 HTTP/1.1" 200 35119 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/Game-10-16-2010/.album.jpg?m=1289170082 HTTP/1.1" 200 25374 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /themes/wind/css/themeroller/images/ui-bg_glass_85_dfeffc_1x400.png
> HTTP/1.1" 200 123 "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP;
> Opera Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /themes/wind/images/ico-album.png HTTP/1.1" 200 397 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /themes/wind/css/themeroller/images/ui-icons_469bdd_256x240.png HTTP/1.1"
> 200 5399 "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /themes/wind/images/ico-view-slideshow.png HTTP/1.1" 200 960 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/Game-10-21-2011/.album.jpg?m=1289170124 HTTP/1.1" 200 40077 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
>
> Test #3 - deny all - access from local LAN via the web server - Access
> denied to the photos
> 192.168.25.1 - - [12/Nov/2010:10:11:18 -0700] "GET /index.php/ HTTP/1.1"
> 403 212 "http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64;
> en-US; rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
>
> Test #4 deny all - access from external browser to webserver - access
> denied to the photos
> 64.255.180.191 - - [12/Nov/2010:10:12:47 -0700] "GET / HTTP/1.1" 403 202 "
> http://www.azheatwavesoftball.net/photos" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
>
>> Your external address IPs (matching the logs) should be added to your
>> configuration file:
>>
>> <VirtualHost photoIP:8080>
>>
>> DocumentRoot /var/www/gallery
>>
>> Options FollowSymLinks
>> AllowOverride None
>>
>> Options Indexes FollowSymLinks MultiViews
>> AllowOverride All FileInfo Options
>> Order allow,deny
>> Deny from all
>> # internal access
>> Allow from 192.168.25.0/24
>> Allow from 127
>> # Web server
>> Allow from 69.50.203.0/24
>>
>> AND verify:
>>
>> a) That your Cox or DSL connection does not limit inbound port 8080
>> addresses.
>
> verified
>
>> b) Port 8080 is forwarded inbound on your router, like 80 would need to
>> be.
>
> verified
>
>> Make sense?

HEY? I don't see that you have tested ALLOWING the external IP range?

<VirtualHost photoIP:8080>

DocumentRoot /var/www/gallery

Options FollowSymLinks
AllowOverride None

Options Indexes FollowSymLinks MultiViews
AllowOverride All FileInfo Options
Order allow,deny
Deny from all
# internal access
Allow from 192.168.25.0/24
Allow from 127
# Web server
Allow from 64.255.180.191

Does that fix her?

Thanks

> --
>> Network Operations Center Engineer
>> Atjeu Hosting
>>
>> (503) 754-4452
>> (623) 688-3392
>>
>> http://www.it-clowns.com | http://www.obnosis.com
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
Network Operations Center Engineer
Atjeu Hosting
(503) 754-4452
(623) 688-3392
http://www.it-clowns.com | http://www.obnosis.com
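
Added example, not part of the thread or of Apache's code: a small model of how Apache 2.2's mod_authz_host combines `Order`, `Allow` and `Deny` as its documentation describes, run against the directives posted above and the two client addresses from the quoted access logs. It handles only the host forms used in the thread (`all`, a partial address, CIDR, a full IPv4 address); the function names and the `203.0.113.7` address are this example's own.

```python
import ipaddress

def to_network(spec):
    """Turn an Allow/Deny host spec from the thread into an IPv4 network."""
    if spec == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:                        # CIDR, e.g. 192.168.25.0/24
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")   # partial or full address, e.g. "127"
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

def matches(specs, client):
    addr = ipaddress.ip_address(client)
    return any(addr in to_network(s) for s in specs)

def access_allowed(order, allow, deny, client):
    """Both lists are always evaluated, wherever the lines sit in the file;
    Order decides which list wins on overlap and what the default is."""
    a, d = matches(allow, client), matches(deny, client)
    if order == "allow,deny":    # default deny; a matching Deny overrides Allow
        return a and not d
    if order == "deny,allow":    # default allow; a matching Allow overrides Deny
        return a or not d
    raise ValueError(f"unknown Order: {order}")

# Directives as posted in the thread (last variant, with the logged address).
ALLOW = ["192.168.25.0/24", "127", "64.255.180.191"]
DENY = ["all"]
# Client addresses taken from the access log lines in the thread.
CLIENTS = ["192.168.25.1", "64.255.180.191"]
# Constructed address that appears on no Allow line.
UNLISTED = "203.0.113.7"

def report():
    """Decision for every (Order, client) pair under the posted directives."""
    rows = {}
    for order in ("allow,deny", "deny,allow"):
        for client in CLIENTS + [UNLISTED]:
            rows[(order, client)] = access_allowed(order, ALLOW, DENY, client)
    return rows

if __name__ == "__main__":
    for (order, client), ok in report().items():
        print(f"Order {order:<10} {client:<15} -> {'200' if ok else '403'}")
```

With `Order allow,deny` the model refuses both logged clients, which matches the 403 responses in Test #3 and Test #4; with `Order deny,allow` the same `Deny from all` and `Allow from` lines admit the listed addresses and refuse everything else. The address an `Allow` line has to match is the one in the first field of the access log entry.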