LinuxQuestions.org


buee 11-18-2011 10:12 AM

Apache Denied IPs getting Test Page
 
I recently added a speedtest server to my Apache virtual hosts. I have put in the Order Deny, Allow and specified a number of subnets to allow and deny the rest.

It all works beautifully, but when IPs that are not allowed to access the server attempt to, they get the Apache 2 Test Page. I think it should be the normal 403 Forbidden page, and I would prefer it that way. Anyone know how to do that?

TenTenths 11-18-2011 10:30 AM

If they are accessing the server by IP address then check that your allow/deny is covering the whole scope of your server and not just a particular vhost.

bathory 11-18-2011 03:40 PM

Hi,

Quote:

It all works beautifully, but when IPs that are not allowed to access the server attempt to, they get the Apache 2 Test Page. I think it should be the normal 403 Forbidden page, and I would prefer it that way. Anyone know how to do that?
Getting a 403 error is the normal behavior, but without the apache config file(s), I can only guess that maybe your 403 error page is pointing to the apache test page. So search for an "ErrorDocument 403 ..." directive, or post here your config file.

Regards

buee 11-21-2011 08:23 AM

Quote:

Originally Posted by TenTenths (Post 4527617)
If they are accessing the server by IP address then check that your allow/deny is covering the whole scope of your server and not just a particular vhost.

That part of it is working fine. I can put my subnet in the allow section, reload config, and I can get in. I take it out, reload, and I get the test page. Regardless of whether I'm allowed to view that vhost or not, I can view all other sites for the server, which is exactly how the allow/deny is supposed to work. What I don't want is the test page, I would take the 403 Forbidden or even make my own custom page if needed, but I don't want the outside world seeing the test page.

buee 11-21-2011 08:57 AM

Quote:

Originally Posted by bathory (Post 4527848)
Hi,


Getting a 403 error is the normal behavior, but without the apache config file(s), I can only guess that maybe your 403 error page is pointing to the apache test page. So search for an "ErrorDocument 403 ..." directive, or post here your config file.

Regards

I found that section of the conf file. All of the error documents were commented out. I uncommented them and restarted httpd to no avail. Below is the section of the httpd.conf file regarding error docs. All /opt/www paths are correct, rather than /var/www. I checked /opt/www/error and all files are in there. The ownership was root:root. I changed it to apache:apache as a test, still getting the test page.

Code:

Alias /error/ "/opt/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/opt/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>

    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
    ErrorDocument 410 /error/HTTP_GONE.html.var
    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

</IfModule>
</IfModule>


bathory 11-21-2011 12:34 PM

Doh, maybe you have some rewrite rules that rewrite the 403 error document to the index page.
Check the apache config files and/or any .htaccess files for something like:
Code:

RewriteEngine On
RewriteRule ^error(.*)$ /index.html


buee 11-21-2011 12:57 PM

Quote:

Originally Posted by bathory (Post 4529856)
Doh, maybe you have some rewrite rules that rewrite the 403 error document to the index page.
Check the apache config files and/or any .htaccess files for something like:
Code:

RewriteEngine On
RewriteRule ^error(.*)$ /index.html


I found the issue. I picked out particular text from the test page and searched for it in the /error folder. I found a file called noindex.html that contained the text. Moved it somewhere else and I get the Forbidden page now. However, I created my own forbidden page, and I cannot seem to get that one displayed. I put it in the /error folder with the HTML extension. Changed my .conf file to reflect the new forbidden page filename, but it still pulls up the default one. Frustrating...

bathory 11-21-2011 01:30 PM

Quote:

However, I created my own forbidden page, and I cannot seem to get that one displayed. I put it in the /error folder with the HTML extension. Changed my .conf file to reflect the new forbidden page filename, but it still pulls up the default one. Frustrating...
I guess that you mean the apache default 403 error message.
If you used:
Code:

ErrorDocument 403 /error/myforbidden-page.html
it should work, so clear your browser cache and try again.

Regards

buee 11-21-2011 04:25 PM

Quote:

Originally Posted by bathory (Post 4529897)
...
I guess that you mean the apache default 403 error message.
If you used:
Code:

ErrorDocument 403 /error/myforbidden-page.html
it should work, so clear your browser cache and try again.

Regards

Yes, I get the default with an "Additionally, 404 blah blah blah".
I did use that code snippet.
Did clear my cache.
Doesn't pull the correct page, still the Apache test page.

bathory 11-21-2011 04:51 PM

Quote:

Yes, I get the default with an "Additionally, 404 blah blah blah".
That means that apache can't find your 403-error page.
You are supposed to replace:
Quote:

ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
with the code in my previous post.
Also you can check the error_log to see where it's looking for it.

buee 11-22-2011 09:51 AM

Quote:

Originally Posted by bathory (Post 4530115)
That means that apache can't find your 403-error page.
You are supposed to replace:
with the code in my previous post.
Also you can check the error_log to see where it's looking for it.

Did all that.

Code:

Alias /error/ "/opt/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/opt/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>

    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
    ErrorDocument 403 /error/HTTP_CUS_FORBIDDEN.html
    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
    ErrorDocument 410 /error/HTTP_GONE.html.var
    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

</IfModule>
</IfModule>

Code:

ls -l /opt/www/error/
total 228
-rw-r--r-- 1 root root  4256 Nov 13  2005 contact.html.var
-rw-r--r-- 1 root root  9108 Nov 13  2005 HTTP_BAD_GATEWAY.html.var
-rw-r--r-- 1 root root  6633 Nov 13  2005 HTTP_BAD_REQUEST.html.var
-rw-r--r-- 1 root root  352 Nov 21 11:34 HTTP_CUS_FORBIDDEN.html
-rw-r--r-- 1 root root 11193 Nov 13  2005 HTTP_FORBIDDEN.html.var
-rw-r--r-- 1 root root 12700 Nov 13  2005 HTTP_GONE.html.var
-rw-r--r-- 1 root root 12846 Nov 13  2005 HTTP_INTERNAL_SERVER_ERROR.html.var
-rw-r--r-- 1 root root  7539 Nov 13  2005 HTTP_LENGTH_REQUIRED.html.var
-rw-r--r-- 1 root root  6773 Nov 13  2005 HTTP_METHOD_NOT_ALLOWED.html.var
-rw-r--r-- 1 root root 13255 Nov 13  2005 HTTP_NOT_FOUND.html.var
-rw-r--r-- 1 root root  6336 Nov 13  2005 HTTP_NOT_IMPLEMENTED.html.var
-rw-r--r-- 1 root root  6565 Nov 13  2005 HTTP_PRECONDITION_FAILED.html.var
-rw-r--r-- 1 root root  7802 Nov 13  2005 HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
-rw-r--r-- 1 root root  7099 Nov 13  2005 HTTP_REQUEST_TIME_OUT.html.var
-rw-r--r-- 1 root root  7103 Nov 13  2005 HTTP_REQUEST_URI_TOO_LARGE.html.var
-rw-r--r-- 1 root root  7822 Nov 13  2005 HTTP_SERVICE_UNAVAILABLE.html.var
-rw-r--r-- 1 root root 13035 Nov 13  2005 HTTP_UNAUTHORIZED.html.var
-rw-r--r-- 1 root root  6353 Nov 13  2005 HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
-rw-r--r-- 1 root root  7009 Nov 13  2005 HTTP_VARIANT_ALSO_VARIES.html.var
drwxr-xr-x 2 root root  4096 Jun 24 08:20 include
-rw-r--r-- 1 root root 24083 Jun  7 08:18 lr_300.jpg
-rw-r--r-- 1 root root  1979 Jul 11  2006 README
-rw-r--r-- 1 root root  5043 May  4  2011 temp.html

Restarted HTTPD, went to visit the page from an IP that is not allowed:

Code:

[Tue Nov 22 09:48:33 2011] [notice] caught SIGTERM, shutting down
[Tue Nov 22 09:48:34 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 22 09:48:34 2011] [notice] Digest: generating secret for digest authentication ...
[Tue Nov 22 09:48:34 2011] [notice] Digest: done
[Tue Nov 22 09:48:34 2011] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Tue Nov 22 09:48:34 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

0_o

bathory 11-22-2011 11:27 AM

Hi,

Quote:

Restarted HTTPD, went to visit the page from an IP that is not allowed:
Well, I don't see any evidence in error_log that you got a "Forbidden" error. There should be a "client denied by server configuration ..." message in error_log and a 403 error code in access_log
Are you sure the host restriction works?

buee 11-22-2011 11:47 AM

Quote:

Originally Posted by bathory (Post 4530779)
Hi,


Well, I don't see any evidence in error_log that you got a "Forbidden" error. There should be a "client denied by server configuration ..." message in error_log and a 403 error code in access_log
Are you sure the host restriction works?

Yes sir, the restriction works. I now see what you're going for though, I have custom logs set up. Methinks you're looking for the following:

Code:

[Tue Nov 22 10:00:20 2011] [error] [client 192.168.168.1] client denied by server configuration: /opt/www/speedtest/
[Tue Nov 22 10:00:20 2011] [error] [client 192.168.168.1] File does not exist: /opt/www/error/noindex.html


bathory 11-22-2011 12:06 PM

Quote:

[Tue Nov 22 10:00:20 2011] [error] [client 192.168.168.1] File does not exist: /opt/www/error/noindex.html
So apache still looks for noindex.html when it wants to show a 403 error.
You can search again all your configuration files and see where noindex.html is used, or rename your HTTP_CUS_FORBIDDEN.html to noindex.html

Regards
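
The log reading done in the post above can be automated. The following is an added example, not part of the original thread: it pairs each "client denied by server configuration" entry with a "File does not exist" entry logged for the same client in the same second, which reveals the error document Apache tried and failed to serve. The function name and the third and fourth sample lines are constructed for illustration.

```python
import re

# Apache 2.2 error_log entry: [timestamp] [level] [client ip] message
LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] '
                  r'\[client (?P<client>[^\]]+)\] (?P<msg>.*)$')
DENIED = re.compile(r'^client denied by server configuration: (?P<path>.+)$')
MISSING = re.compile(r'^File does not exist: (?P<path>.+)$')

def missing_error_documents(lines):
    """Return denials whose 403 error document could not be found on disk."""
    pending = {}    # (timestamp, client) -> path that was denied
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue    # startup notices carry no [client ...] field
        key = (m['ts'], m['client'])
        denied = DENIED.match(m['msg'])
        if denied:
            pending[key] = denied['path']
            continue
        missing = MISSING.match(m['msg'])
        # Only a miss that directly follows a denial for the same client and
        # second is the error document; other misses are ordinary 404s.
        if missing and key in pending:
            findings.append({
                'timestamp': m['ts'],
                'client': m['client'],
                'denied': pending.pop(key),
                'missing_document': missing['path'],
            })
    return findings

# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    '[Tue Nov 22 10:00:20 2011] [error] [client 192.168.168.1] client denied by server configuration: /opt/www/speedtest/',
    '[Tue Nov 22 10:00:20 2011] [error] [client 192.168.168.1] File does not exist: /opt/www/error/noindex.html',
    '[Tue Nov 22 10:01:05 2011] [error] [client 192.168.168.7] File does not exist: /opt/www/html/favicon.ico',
    '[Tue Nov 22 10:02:00 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations',
]

if __name__ == '__main__':
    for finding in missing_error_documents(SAMPLE_LOG):
        print(finding)
```
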

buee 11-22-2011 12:43 PM

Quote:

Originally Posted by bathory (Post 4530802)
So apache still looks for noindex.html when it wants to show a 403 error.
You can search again all your configuration files and see where noindex.html is used, or rename your HTTP_CUS_FORBIDDEN.html to noindex.html

Regards

That got it. The culprit was a line in /etc/httpd/conf.d/welcome.conf:

Code:

#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>

I commented that out, restarted httpd and that was all she wrote. Thanks for the help!
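
The search that located the welcome.conf override can be done in one pass over the configuration tree. The following is an added example, not part of the original thread: it lists every active `ErrorDocument` for a given status together with the file, line number and enclosing section. The function names and the sample tree (abridged from the files quoted above) are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

OPEN = re.compile(r'^<(?!/)(\w+)\s*(.*?)>$')     # e.g. <LocationMatch "^/+$">
CLOSE = re.compile(r'^</\w+>$')                   # e.g. </LocationMatch>
ERRDOC = re.compile(r'^ErrorDocument\s+(\d{3})\s+(.+)$', re.I)

def find_error_documents(conf_root, status):
    """List (file, line, enclosing sections, target) for each active ErrorDocument."""
    hits = []
    for path in sorted(Path(conf_root).rglob('*.conf')):
        stack = []
        for lineno, raw in enumerate(path.read_text(errors='replace').splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith('#'):
                continue                          # commented-out directives are inactive
            if CLOSE.match(line):
                del stack[-1:]                    # tolerate an unbalanced close
            elif (opened := OPEN.match(line)):
                stack.append(' '.join(opened.groups()).strip())
            elif (doc := ERRDOC.match(line)) and int(doc.group(1)) == status:
                hits.append((path.relative_to(conf_root).as_posix(), lineno,
                             tuple(stack), doc.group(2)))
    return hits

# Constructed sample tree, abridged from the configuration quoted in the thread.
SAMPLE = {
    'conf/httpd.conf': '''<IfModule mod_negotiation.c>
#    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
    ErrorDocument 403 /error/HTTP_CUS_FORBIDDEN.html
</IfModule>
''',
    'conf.d/welcome.conf': '''# To disable the Welcome page, comment out all the lines below.
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>
''',
}

def demo():
    """Write SAMPLE to a temporary directory and audit it for 403 handlers."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE.items():
            target = Path(root, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return find_error_documents(root, 403)
```

A hit inside a `<Location>` or `<LocationMatch>` container overrides the server-level directive for the URLs it matches, which is why the welcome.conf entry won for requests to the root URL.
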


All times are GMT -5.