On Fri, Nov 12, 2010 at 2:35 AM, Lisa Kachold <
lisakachold@obnosis.com> wrote:
>
>
> On Thu, Nov 11, 2010 at 8:47 PM, Bryan O'Neal <
> Bryan.ONeal@theonealandassociates.com> wrote:
>
>> Ok - let us review what you are accomplishing here -
>> You deny from everyone (Check)
>> You Allow from your local lan 192.168.25.x (Check)
>> You allow from some WAN ip (Fail)
>> If your web ip is say 72.168.54.32 then that should work - What do you
>> have in your error logs? If nothing else it should give you the ip
>> address of what is being blocked so you can compare what you think is
>> the correct IP - I would say make sure that you do not have a later
>> allow / deny statement set as Apache believes the last set always wins -
>> And make sure you restart the service on every conf change ;)
>>
>>
>> If you give me the errors I will look at those too.
>>
>>
>>
>>
>> On Thu, Nov 11, 2010 at 4:00 PM, Mark Phillips
>> <mark@phillipsmarketing.biz> wrote:
>> > I have a web server at webIP off site. I have a second server for photos
>> > running a php photo gallery app behind apache at photoIP on my local LAN. I
>> > have a page on the web server that uses iframes to the photo server's
>> > images.
>> >
>> > I am trying to restrict access to the photo server to requests from the web
>> > server using apache Allowoverride on the photo server. Here is what I have:
>> >
>> > <VirtualHost photoIP:8080>
>> >
>> > DocumentRoot /var/www/gallery
>> >
>> > <Directory />
>> > Options FollowSymLinks
>> > AllowOverride None
>> > </Directory>
>> >
>> > <Directory /var/www/gallery>
>> > Options Indexes FollowSymLinks MultiViews
>> > AllowOverride All FileInfo Options
>> > Order allow,deny
>> > Deny from all
>> > # internal access
>> > Allow from 192.168.25.0/24
>> > Allow from 127
>> > # Web server
>> > Allow from webIP
>> > </Directory>
>> >
>> > ErrorLog /var/log/apache2/hammerhead/error.log
>> >
>> > # Possible values include: debug, info, notice, warn, error, crit,
>> > # alert, emerg.
>> > LogLevel debug
>> >
>> > CustomLog /var/log/apache2/access.log combined
>> >
>> > </VirtualHost>
>> >
>> > I can access the photos from a machine on my local LAN, but not from hosts
>> > off my LAN. The only way to get it to work is to change Deny from all to
>> > Allow from all. What am I doing wrong?
>> >
>> > Thanks!
>> >
>> > Mark
>> >
>>
>>
> Hi Mark;
>
> Verify via your access logs after accessing from externally with the Allow
> all on, that you are presenting with a truly EXTERNAL source address. Some
> configurations might strip off source address and rewrite header for NAT.
>
Test #1 - Allow all, access from same LAN as photo server, via the external
web server: - access allowed to the photos
192.168.25.1 - - [12/Nov/2010:09:54:38 -0700] "GET / HTTP/1.1" 200 21440 "
http://azheatwavesoftball.net/photos" "Mozilla/5.0 (X11; U; Linux x86_64;
en-US; rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
192.168.25.1 - - [12/Nov/2010:09:54:40 -0700] "GET
/var/thumbs/Game-10-21-2011/.album.jpg?m=1289170124 HTTP/1.1" 304 - "
http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
192.168.25.1 - - [12/Nov/2010:09:54:40 -0700] "GET
/var/thumbs/10-25-2011/.album.jpg?m=1289170158 HTTP/1.1" 304 - "
http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
192.168.25.1 - - [12/Nov/2010:09:54:40 -0700] "GET
/var/thumbs/10-28-2011/.album.jpg?m=1289170174 HTTP/1.1" 304 - "
http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
Test #2 Allow all, access from external browser over internet via web server
- access allowed to the photos
64.255.180.191 - - [12/Nov/2010:10:04:31 -0700] "GET / HTTP/1.1" 200 10286 "
http://www.azheatwavesoftball.net/photos" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:32 -0700] "GET
/index.php/combined/javascript/4b582c13e016ee148d2deee42299be4a HTTP/1.1"
200 71962 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:32 -0700] "GET /lib/images/logo.png
HTTP/1.1" 200 10222 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP;
Opera Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:32 -0700] "GET
/index.php/combined/css/dc455552ce6612b070d7db2abcf6fc54 HTTP/1.1" 200 14588
"
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
/var/thumbs/10-25-2011/.album.jpg?m=1289170158 HTTP/1.1" 200 25767 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
/var/thumbs/Game-10-17-2010/.album.jpg?m=1289170105 HTTP/1.1" 200 33033 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
/var/thumbs/10-28-2011/.album.jpg?m=1289170174 HTTP/1.1" 200 35119 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
/var/thumbs/Game-10-16-2010/.album.jpg?m=1289170082 HTTP/1.1" 200 25374 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
/themes/wind/css/themeroller/images/ui-bg_glass_85_dfeffc_1x400.png
HTTP/1.1" 200 123 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
/themes/wind/images/ico-album.png HTTP/1.1" 200 397 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
/themes/wind/css/themeroller/images/ui-icons_469bdd_256x240.png HTTP/1.1"
200 5399 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
/themes/wind/images/ico-view-slideshow.png HTTP/1.1" 200 960 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
/var/thumbs/Game-10-21-2011/.album.jpg?m=1289170124 HTTP/1.1" 200 40077 "
http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
Test #3 - deny all - access from local LAN via the web server - Access denied
to the photos
192.168.25.1 - - [12/Nov/2010:10:11:18 -0700] "GET /index.php/ HTTP/1.1" 403
212 "
http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
Test #4 deny all - access from external browser to webserver - access denied
to the photos
64.255.180.191 - - [12/Nov/2010:10:12:47 -0700] "GET / HTTP/1.1" 403 202 "
http://www.azheatwavesoftball.net/photos" "Opera/9.80 (J2ME/MIDP; Opera
Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> Your external address IPs (matching the logs) should be added to your
> configuration file:
>
>
> <VirtualHost photoIP:8080>
>
> DocumentRoot /var/www/gallery
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> </Directory>
>
> <Directory /var/www/gallery>
> Options Indexes FollowSymLinks MultiViews
> AllowOverride All FileInfo Options
> Order allow,deny
> Deny from all
> # internal access
> Allow from 192.168.25.0/24
> Allow from 127
> # Web server
> Allow from 69.50.203.0/24
> </Directory>
>
> AND verify:
>
> a) That your Cox or DSL connection does not limit inbound port 8080
> addresses.
>
verified
> b) Port 8080 is forwarded inbound on your router, like 80 would need to
> be.
>
verified
>
> Make sense?
> --
> Network Operations Center Engineer
> Atjeu Hosting
>
> (503) 754-4452
> (623) 688-3392
>
> http://www.it-clowns.com | http://www.obnosis.com
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
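
Added example (not part of the original messages): a Python model of how Apache 2.2 evaluates `Order` together with the Allow/Deny lines quoted in this thread, applied to the client addresses in the Test #3 and Test #4 log entries. The `deny,allow` ordering is included only for comparison and is an assumption, not something a poster proposed; the user-agent strings in the sample log lines are shortened.

```python
import ipaddress
import re

# Access-log entries from the thread's Tests #3 and #4, rejoined onto one
# line each, with the user-agent field shortened.
LOG = '''192.168.25.1 - - [12/Nov/2010:10:11:18 -0700] "GET /index.php/ HTTP/1.1" 403 212 "http://68.231.183.70:8080/" "Mozilla/5.0"
64.255.180.191 - - [12/Nov/2010:10:12:47 -0700] "GET / HTTP/1.1" 403 202 "http://www.azheatwavesoftball.net/photos" "Opera/9.80"
'''

# Allow lines from the quoted config; "Allow from 127" is a partial IP (127.0.0.0/8).
ALLOW = ["192.168.25.0/24", "127.0.0.0/8", "69.50.203.0/24"]
DENY = ["0.0.0.0/0"]  # "Deny from all"


def matches(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def evaluate(order, ip, allow=ALLOW, deny=DENY):
    """Apache 2.2 mod_authz_host decision for one client address."""
    allowed, denied = matches(ip, allow), matches(ip, deny)
    if order == "allow,deny":
        # Allow lines first, Deny lines second: a Deny match overrides; default deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny lines first, Allow lines second: an Allow match overrides; default allow.
        return allowed or not denied
    raise ValueError(order)


def client_ips(log_text):
    """Unique client addresses (first field of each combined-format line), in order."""
    seen = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+) \S+ \S+ \[", line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def report(log_text=LOG):
    # The address in the log's first field is what Allow/Deny is compared against.
    return {ip: {o: evaluate(o, ip) for o in ("allow,deny", "deny,allow")}
            for ip in client_ips(log_text)}


if __name__ == "__main__":
    for ip, result in report().items():
        print(ip, result)
```
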