Re: Need Help with Apache AllowOverride

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: Need Help with Apache AllowOverride
Mark:

On Fri, Nov 12, 2010 at 10:15 AM, Mark Phillips
<>wrote:

>
>
> On Fri, Nov 12, 2010 at 2:35 AM, Lisa Kachold <>wrote:
>
>>
>>
>> On Thu, Nov 11, 2010 at 8:47 PM, Bryan O'Neal <
>> > wrote:
>>
>>> Ok - let us review what you are accomplishing here -
>>> You deny from everyone (Check)
>>> You Allow from your local lan 192.168.25.x (Check)
>>> You allow from some WAN ip (Fail)
>>> If your web ip is say 72.168.54.32 then that should work - What do you
>>> have in your error logs? If nothing else it should give you the ip
>>> address of what is being blocked so you can compare what you think is
>>> the correct IP - I would say make sure that you do not have a later
>>> allow / deny statement set as Apache believes the last set always wins -
>>> And make sure you restart the service on every conf change ;)
>>>
>>>
>>> If you give me the errors I will look at those too.
>>>
>>>
>>>
>>>
>>> On Thu, Nov 11, 2010 at 4:00 PM, Mark Phillips
>>> <> wrote:
>>> > I have a web server at webIP off site. I have a second server for photos
>>> > running a php photo gallery app behind apache at photoIP on my local LAN. I
>>> > have a page on the web server that uses iframes to the photo server's
>>> > images.
>>> >
>>> > I am trying to restrict access to the photo server to requests from the web
>>> > server using apache AllowOverride on the photo server. Here is what I have:
>>> >
>>> > <VirtualHost photoIP:8080>
>>> >
>>> >         DocumentRoot /var/www/gallery
>>> >
>>> >         <Directory />
>>> >                 Options FollowSymLinks
>>> >                 AllowOverride None
>>> >         </Directory>
>>> >
>>> >         <Directory /var/www/gallery>
>>> >                 Options Indexes FollowSymLinks MultiViews
>>> >                 AllowOverride All FileInfo Options
>>> >                 Order allow,deny
>>> >                 Deny from all
>>> >                 # internal access
>>> >                 Allow from 192.168.25.0/24
>>> >                 Allow from 127
>>> >                 # Web server
>>> >                 Allow from webIP
>>> >         </Directory>
>>> >
>>> >         ErrorLog /var/log/apache2/hammerhead/error.log
>>> >
>>> >         # Possible values include: debug, info, notice, warn, error, crit,
>>> >         # alert, emerg.
>>> >         LogLevel debug
>>> >
>>> >         CustomLog /var/log/apache2/access.log combined
>>> >
>>> > </VirtualHost>
>>> >
>>> > I can access the photos from a machine on my local LAN, but not from hosts
>>> > off my LAN. The only way to get it to work is to change Deny from all to
>>> > Allow from all. What am I doing wrong?
>>> >
>>> > Thanks!
>>> >
>>> > Mark
>>> >
>>>
>>>
>> Hi Mark;
>>
>> Verify via your access logs after accessing from externally with the Allow
>> all on, that you are presenting with a truly EXTERNAL source address. Some
>> configurations might strip off source address and rewrite header for NAT.
>>
>
> Test #1 - Allow all, access from same LAN as photo server, via the external
> web server: - access allowed to the photos
> 192.168.25.1 - - [12/Nov/2010:09:54:38 -0700] "GET / HTTP/1.1" 200 21440 "
> http://azheatwavesoftball.net/photos" "Mozilla/5.0 (X11; U; Linux x86_64;
> en-US; rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
> 192.168.25.1 - - [12/Nov/2010:09:54:40 -0700] "GET
> /var/thumbs/Game-10-21-2011/.album.jpg?m=1289170124 HTTP/1.1" 304 - "
> http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
> rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
> 192.168.25.1 - - [12/Nov/2010:09:54:40 -0700] "GET
> /var/thumbs/10-25-2011/.album.jpg?m=1289170158 HTTP/1.1" 304 - "
> http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
> rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
> 192.168.25.1 - - [12/Nov/2010:09:54:40 -0700] "GET
> /var/thumbs/10-28-2011/.album.jpg?m=1289170174 HTTP/1.1" 304 - "
> http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US;
> rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
>
> Test #2 Allow all, access from external browser over internet via web
> server - access allowed to the photos
> 64.255.180.191 - - [12/Nov/2010:10:04:31 -0700] "GET / HTTP/1.1" 200 10286
> "http://www.azheatwavesoftball.net/photos" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:32 -0700] "GET
> /index.php/combined/javascript/4b582c13e016ee148d2deee42299be4a HTTP/1.1"
> 200 71962 "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:32 -0700] "GET /lib/images/logo.png
> HTTP/1.1" 200 10222 "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP;
> Opera Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:32 -0700] "GET
> /index.php/combined/css/dc455552ce6612b070d7db2abcf6fc54 HTTP/1.1" 200 14588
> "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/10-25-2011/.album.jpg?m=1289170158 HTTP/1.1" 200 25767 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/Game-10-17-2010/.album.jpg?m=1289170105 HTTP/1.1" 200 33033 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/10-28-2011/.album.jpg?m=1289170174 HTTP/1.1" 200 35119 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/Game-10-16-2010/.album.jpg?m=1289170082 HTTP/1.1" 200 25374 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /themes/wind/css/themeroller/images/ui-bg_glass_85_dfeffc_1x400.png
> HTTP/1.1" 200 123 "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP;
> Opera Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /themes/wind/images/ico-album.png HTTP/1.1" 200 397 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /themes/wind/css/themeroller/images/ui-icons_469bdd_256x240.png HTTP/1.1"
> 200 5399 "http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /themes/wind/images/ico-view-slideshow.png HTTP/1.1" 200 960 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
> 64.255.180.191 - - [12/Nov/2010:10:04:33 -0700] "GET
> /var/thumbs/Game-10-21-2011/.album.jpg?m=1289170124 HTTP/1.1" 200 40077 "
> http://68.231.183.70:8080/" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
>
> Test #3 - deny all - access from local LAN via the web server - Access
> denied to the photos
> 192.168.25.1 - - [12/Nov/2010:10:11:18 -0700] "GET /index.php/ HTTP/1.1"
> 403 212 "http://68.231.183.70:8080/" "Mozilla/5.0 (X11; U; Linux x86_64;
> en-US; rv:1.9.1.15) Gecko/20101028 Firefox/3.5.6 (like Firefox/3.5.15)"
>
> Test #4 deny all - access from external browser to webserver - access
> denied to the photos
> 64.255.180.191 - - [12/Nov/2010:10:12:47 -0700] "GET / HTTP/1.1" 403 202 "
> http://www.azheatwavesoftball.net/photos" "Opera/9.80 (J2ME/MIDP; Opera
> Mini/4.2.14912/21.549; U; en) Presto/2.5.25 Version/10.54"
>
>
>> Your external address IP's (matching the logs) should be added to your
>> configuration file:
>>
>>
>> <VirtualHost photoIP:8080>
>>
>>          DocumentRoot /var/www/gallery
>>
>>          <Directory />
>>                  Options FollowSymLinks
>>                  AllowOverride None
>>          </Directory>
>>
>>          <Directory /var/www/gallery>
>>                  Options Indexes FollowSymLinks MultiViews
>>                  AllowOverride All FileInfo Options
>>                  Order allow,deny
>>                  Deny from all
>>                  # internal access
>>                  Allow from 192.168.25.0/24
>>                  Allow from 127
>>                  # Web server
>>                  Allow from 69.50.203.0/24
>>          </Directory>
>>
>> </VirtualHost>
>>
>> AND verify:
>>
>> a) That your Cox or DSL connection does not limit inbound port 8080
>> addresses.
>>
>
> verified
>
>> b) Port 8080 is forwarded inbound on your router, like 80 would need to
>> be.
>>
> verified
>
>>
>> Make sense?
>>
>

HEY? I don't see that you have tested ALLOWING the external IP range?


<VirtualHost photoIP:8080>

         DocumentRoot /var/www/gallery

         <Directory />
                 Options FollowSymLinks
                 AllowOverride None
         </Directory>

         <Directory /var/www/gallery>
                 Options Indexes FollowSymLinks MultiViews
                 AllowOverride All FileInfo Options
                 Order allow,deny
                 Deny from all
                 # internal access
                 Allow from 192.168.25.0/24
                 Allow from 127
                 # Web server
                 Allow from 64.255.180.191
         </Directory>

</VirtualHost>


Does that fix her?

Thanks

> --
>> Network Operations Center Engineer
>> Atjeu Hosting
>>
>> (503) 754-4452
>> (623) 688-3392
>>
>> http://www.it-clowns.com | http://www.obnosis.com
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>




--
Network Operations Center Engineer
Atjeu Hosting

(503) 754-4452
(623) 688-3392

http://www.it-clowns.com | http://www.obnosis.com
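
Added example (not part of the original thread and not code from any poster): a small Python model of how Apache 2.2 combines Order, Allow and Deny, applied to the directives posted above and to the client addresses seen in the quoted access logs. It shows that under "Order allow,deny" a "Deny from all" rejects every client whatever the Allow lines say, while "Order deny,allow" lets the listed addresses through. The function names and the 203.0.113.9 address are constructed for illustration; hostname specs and IPv6 are not modelled.

```python
import ipaddress

def spec_matches(spec, client):
    """True if an 'Allow from'/'Deny from' spec covers the client IPv4 address."""
    if spec.lower() == "all":
        return True
    if "/" in spec:                                   # CIDR form, e.g. 192.168.25.0/24
        return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")              # full or partial IP, e.g. 127
    return client.split(".")[:len(octets)] == octets

def parse(config):
    """Collect the Order value and the Allow/Deny specs from directive lines."""
    order, rules = "deny,allow", {"allow": [], "deny": []}   # Apache 2.2 default Order
    for line in config.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        name = words[0].lower()
        if name == "order":
            order = "".join(words[1:]).lower()
        elif name in rules and len(words) > 2 and words[1].lower() == "from":
            rules[name].extend(words[2:])
    return order, rules

def allowed(config, client):
    """Apply the Order semantics: the position of the directives in the file is irrelevant."""
    order, rules = parse(config)
    hit_allow = any(spec_matches(s, client) for s in rules["allow"])
    hit_deny = any(spec_matches(s, client) for s in rules["deny"])
    if order == "allow,deny":      # Deny is evaluated last and wins; default is deny
        return hit_allow and not hit_deny
    if order == "deny,allow":      # Allow is evaluated last and wins; default is allow
        return hit_allow or not hit_deny
    raise ValueError("unsupported Order: " + order)

AS_POSTED = """
Order allow,deny
Deny from all
Allow from 192.168.25.0/24
Allow from 127
Allow from 64.255.180.191
"""
REORDERED = AS_POSTED.replace("Order allow,deny", "Order deny,allow")
CLIENTS = ["192.168.25.1", "64.255.180.191", "203.0.113.9"]   # last address is constructed

def compare():
    return {c: (allowed(AS_POSTED, c), allowed(REORDERED, c)) for c in CLIENTS}

if __name__ == "__main__":
    for client, (posted, reordered) in compare().items():
        print(f"{client:16} allow,deny={posted!s:5} deny,allow={reordered}")
```

The addresses tested are the client column of the quoted access log lines, which is the address Allow and Deny are matched against.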