Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-26 Thread enterfornone

> Hi all,
> 
> Just setting up Apache conf file and I have the following:
> 
> 
> Options Indexes SymLinksIfOwnerMatch
> AllowOverride None
> # MRL added next 3 lines
> order deny,allow
> deny from all
> allow from 130.10.11.12 # allow from my own IP addr 
> # allow from localhost  # why does this not work?
> 
> 
> I seem to have to put my static IP addr in there for it to work.
> Putting localhost does not work in any of the directives.
> It would be preferable in case my IP addr changes sometime.
> Why? What am I doing wrong.

Does it do DNS lookups?  Perhaps 127.0.0.1 would be better than localhost.


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug



Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-26 Thread Mike Lake

On Wed, Jun 27, 2001 at 05:12:59PM +1000, enterfornone wrote:
> > Hi all,
> > 
> > Just setting up Apache conf file and I have the following:
> > 
> > 
> > Options Indexes SymLinksIfOwnerMatch
> > AllowOverride None
> > # MRL added next 3 lines
> > order deny,allow
> > deny from all
> > allow from 130.10.11.12 # allow from my own IP addr 
> > # allow from localhost  # why does this not work?
> > 
> > 
> > I seem to have to put my static IP addr in there for it to work.
> > Putting localhost does not work in any of the directives.
> > It would be preferable in case my IP addr changes sometime.
> > Why? What am I doing wrong.
> 
> Does it do DNS lookups?  Perhaps 127.0.0.1 would be better than localhost.

To the first part, ?
To the second part, no 127.0.0.1 also does not work.

Mike
-- 
When I was little, I went into a pet shop and they asked how big I'd get. -- Rodney 
Dangerfield

Michael Lake, University of Technology, Sydney
Work: [EMAIL PROTECTED] Ph: 02 9514 1724 Fx: 02 9514 1628 
Home: http://www.speleonics.com.au
Linux enthusiast, active caver and interested in anything technical.
   ***






Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-27 Thread Andrew Bennetts

On Wed, Jun 27, 2001 at 05:11:24PM +1000, Mike Lake wrote:
> # allow from localhost  # why does this not work?

Are you pointing your browser at 
  http://localhost/blah
or at:
  http://mycomputername/blah
?

At a guess, the first should work, and the second shouldn't.  Your
browser is free to bind to any local interface it likes when it creates
a socket to connect to somewhere... default behaviour for sockets is to
try to pick an appropriate interface, so if you point your browser at a
"real" IP address, or a domain name that maps to one, it will connect
from your internet connection's address, not your localhost one.

I hope this helps (and I hope I'm making sense :)

-Andrew.





Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-27 Thread Mike Lake

On Wed, Jun 27, 2001 at 05:21:30PM +1000, Mike Lake wrote:
> On Wed, Jun 27, 2001 at 05:12:59PM +1000, enterfornone wrote:
> > Does it do DNS lookups?  Perhaps 127.0.0.1 would be better than localhost.
> 
> To the first part, ?
> To the second part, no 127.0.0.1 also does not work.

Ok. my /etc/hosts says

127.0.0.1   localhost
etc.some other machines

so it should be able to understand localhost as 127.0.0.1 as I have

# /etc/nsswitch.conf
blah blah...
hosts:  files dns

Now that line above should tell system to look at files first before trying
to resolve via dns and my name server. But surely would not Apache know that
127.0.0.1 is this machine?

Mike
-- 
Weinberg's Second Law: If builders built buildings the way programmers wrote programs, 
then the first woodpecker that came along would destroy civilization.

Michael Lake, University of Technology, Sydney
Work: [EMAIL PROTECTED] Ph: 02 9514 1724 Fx: 02 9514 1628 
Home: http://www.speleonics.com.au
Linux enthusiast, active caver and interested in anything technical.
   ***






Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-27 Thread Mike Lake

On Wed, Jun 27, 2001 at 05:48:48PM +1000, Andrew Bennetts wrote:
> On Wed, Jun 27, 2001 at 05:11:24PM +1000, Mike Lake wrote:
> > # allow from localhost  # why does this not work?
> 
> Are you pointing your browser at 
>   http://localhost/blah
> or at:
>   http://mycomputername/blah

When I point it at http://localhost/~mikel I get 
"Forbidden You don't have permission to access /~mikel on this server."

AND the URL in the browser changes to:
http://mycomputername.mydomain.edu.au/~mikel/

(That means that localhost is being resolved to mycomputer.mydomain I
gather)

When I point it at http://mycomputername/~mikel I get 
"Forbidden You don't have permission to access /~mikel on this server."

> At a guess, the first should work, and the second shouldn't. 
Nope. neither.

If I point it just to http://localhost I get:
You don't have permission to access / on this server.

If I point it to http://mycomputername I get the correct index.html file 
in /var/www

> Your browser is free to bind to any local interface it likes when it creates
> a socket to connect to somewhere... default behaviour for sockets is to
> try to pick an appropriate interface, so if you point your browser at a
> "real" IP address, or a domain name that maps to one, it will connect
> from your internet connection's address, not your localhost one.
> I hope this helps (and I hope I'm making sense :)

Don't really follow about the binding.
I understand about mapping to an address if it can look up an addr from a
name but not the bit about the "from" bit. 

Mike
-- 
Don't worry if you're a kleptomaniac; you can always take something for it.

Michael Lake, University of Technology, Sydney
Work: [EMAIL PROTECTED] Ph: 02 9514 1724 Fx: 02 9514 1628 
Home: http://www.speleonics.com.au
Linux enthusiast, active caver and interested in anything technical.
   ***






Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-27 Thread getadog

On Wed, Jun 27, 2001 at 06:16:07PM +1000, Mike Lake wrote:
> 
> When I point it at http://localhost/~mikel I get 
> "Forbidden You don't have permission to access /~mikel on this server."
> 
> AND the URL in the browser changes to:
> http://mycomputername.mydomain.edu.au/~mikel/

In your apache configuration search for UseCanonicalName 
and set it to off. Comments in the file explain what it means.

> (That means that localhost is being resolved to mycomputer.mydomain I
> gather)

It's apache redirecting the browser to 
http://mycomputername.mydomain.edu.au/~mikel/

> Don't really follow about the binding.
> I understand about mapping to an address if it can look up an addr from a
> name but not the bit about the "from" bit. 

try tcpdump -i lo then point your browser to http://localhost/
and then http://mycomputername. Look at how your source
address changes depending on which address you point your browser
to.






Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-27 Thread Mike Lake

On Wed, Jun 27, 2001 at 05:48:48PM +1000, Andrew Bennetts wrote:
> At a guess, the first should work, and the second shouldn't.  Your
> browser is free to bind to any local interface it likes when it creates
> a socket to connect to somewhere... default behaviour for sockets is to
> try to pick an appropriate interface, so if you point your browser at a
> "real" IP address, or a domain name that maps to one, it will connect
> from your internet connection's address, not your localhost one.

That's what I can't follow yet - that the "internet connection address" that
my browser is connecting FROM is not the same as "localhost" which is me.

My browser, in order for return packets to get back to my browser, sits on I
gather mycomputer:80 ie port 80 on my machine.
localhost is a "synonym" for 127.0.0.1 (cause /etc/hosts maps it) which is 
my machine but not a machine and a port ie it's just a machine. 

Is that right?

-- 
Nirvana? That's the place where the powers that be and their friends hang out. -- 
Zonker Harris

Michael Lake, University of Technology, Sydney
Work: [EMAIL PROTECTED] Ph: 02 9514 1724 Fx: 02 9514 1628 
Home: http://www.speleonics.com.au
Linux enthusiast, active caver and interested in anything technical.
   ***






RE: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-27 Thread Booth, Christopher (Aus) - ATP

I don't think that it is an apache thing at all.
If you are using a proxy address, put as exclusions in your browser proxy
settings - 130.10.11.12 127.0.0.1  localhost

Chris

-----Original Message-----
From: Mike Lake [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 June 2001 6:16
To: [EMAIL PROTECTED]
Subject: Re: [SLUG] Apache: why doesn't "allow from localhost work" ?


On Wed, Jun 27, 2001 at 05:48:48PM +1000, Andrew Bennetts wrote:
> On Wed, Jun 27, 2001 at 05:11:24PM +1000, Mike Lake wrote:
> > # allow from localhost  # why does this not work?
> 
> Are you pointing your browser at 
>   http://localhost/blah
> or at:
>   http://mycomputername/blah

When I point it at http://localhost/~mikel I get 
"Forbidden You don't have permission to access /~mikel on this server."

AND the URL in the browser changes to:
http://mycomputername.mydomain.edu.au/~mikel/

(That means that localhost is being resolved to mycomputer.mydomain I
gather)

When I point it at http://mycomputername/~mikel I get 
"Forbidden You don't have permission to access /~mikel on this server."

> At a guess, the first should work, and the second shouldn't. 
Nope. neither.

If I point it just to http://localhost I get:
You don't have permission to access / on this server.

If I point it to http://mycomputername I get the correct index.html file 
in /var/www

> Your browser is free to bind to any local interface it likes when it creates
> a socket to connect to somewhere... default behaviour for sockets is to
> try to pick an appropriate interface, so if you point your browser at a
> "real" IP address, or a domain name that maps to one, it will connect
> from your internet connection's address, not your localhost one.
> I hope this helps (and I hope I'm making sense :)

Don't really follow about the binding.
I understand about mapping to an address if it can look up an addr from a
name but not the bit about the "from" bit. 

Mike
-- 
Don't worry if you're a kleptomaniac; you can always take something for it.

Michael Lake, University of Technology, Sydney
Work: [EMAIL PROTECTED] Ph: 02 9514 1724 Fx: 02 9514 1628 
Home: http://www.speleonics.com.au
Linux enthusiast, active caver and interested in anything technical.
   ***






Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-27 Thread Mike Lake

On Wed, Jun 27, 2001 at 06:25:30PM +1000, getadog wrote:
> On Wed, Jun 27, 2001 at 06:16:07PM +1000, Mike Lake wrote:
> > When I point it at http://localhost/~mikel I get 
> > "Forbidden You don't have permission to access /~mikel on this server."
> > AND the URL in the browser changes to:
> > http://mycomputername.mydomain.edu.au/~mikel/
 
> In your apache configuration search for UseCanonicalName 
> and set it to off. Comments in the file explain what it means.

AH! that's it.  http://localhost/~mikel now accesses my public_html directory
with "allow from localhost". I can now convert all instances of my own 
static addr in the access file to localhost.

# UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a url that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name.  With this setting off, Apache will
# use the hostname:port that the client supplied, when possible.  This
# also affects SERVER_NAME and SERVER_PORT in CGIs.
#UseCanonicalName on

So if I was using 'localhost' which is referring to a URL that the request
comes from then it would use ServerName:Port ie b4114:80 ?
(Real names here now.)
With it off (ie just now I commented it out) what would it use as
hostname for me gives b4114
I'm a little confused between the server name and hostname.

This machine here has name b4114 but it's not listed in the Uni's DNS.
I have 
#ServerName new.host.name
of course commented out.

> > Don't really follow about the binding.
> > I understand about mapping to an address if it can look up an addr from a
> > name but not the bit about the "from" bit. 
> 
> try tcpdump -i lo then point your browser to http://localhost/
> and then http://mycomputername. Look at how your source
> address changes depending on which address you point your browser
> to.

That's excellent. Yep run as root I can see it shows all the packets on the
local interface and dumps lots when you use the browser at http://localhost
etc. I'll have a play and see the diff with b4114. 

Mike
-- 
The future is a myth created by insurance salesmen and high school counselors.

Michael Lake, University of Technology, Sydney
Work: [EMAIL PROTECTED] Ph: 02 9514 1724 Fx: 02 9514 1628 
Home: http://www.speleonics.com.au
Linux enthusiast, active caver and interested in anything technical.
   ***






Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-27 Thread getadog

On Wed, Jun 27, 2001 at 06:56:07PM +1000, Mike Lake wrote:
> So if I was using 'localhost' which is referring to a URL that the request
> comes from then it would use ServerName:Port ie b4114:80 ?
> (Real names here now.)
> With it off (ie just now I commented it out) what would it use as
> hostname for me gives b4114
> I'm a little confused between the server name and hostname.

I'm not an apache expert, I could be wrong.

If you set a ServerName and UseCanonicalName On apache will redirect 
your browser to what ever you set your ServerName to. 

If you don't  set a ServerName and set UseCanonicalName On apache will 
redirect your browser to `hostname -f`. 

If you set UseCanonicalName Off (Commenting it out turned it on for me), 
apache won't redirect you at all.

I think it's easier to see what's happening with wget -S localhost/~mikel,

Try setting:
ServerName www.bogus.name
UseCanonicalName On

Then wget -S http://localhost/~mikel


# ServerName  www.bogus.name
UseCanonicalName On

Then  wget -S http://localhost/~mikel


# ServerName  www.bogus.name
UseCanonicalName Off

Then wget -S http://localhost/~mikel


> That's excellent. Yep run as root I can see it shows all the packets on the
> local interface and dumps lots when you use the browser at http://localhost
> etc. I'll have a play and see the diff with b4114. 

It's probably easier to see with ping.

tcpdump -i lo icmp

then 

ping -c1 localhost
 
And you should get:
src address  dst address
19:06:11.586106 localhost > localhost: icmp: echo request (DF)
19:06:11.586190 localhost > localhost: icmp: echo reply (DF)


ping -c1 mycomputername

19:06:13.469223 mycomputername > mycomputername: icmp: echo request (DF)
19:06:13.469307 mycomputername > mycomputername: icmp: echo reply (DF)

Your source address changes depending on which interface you are pinging.

What I think was happening was you were pointing your browser to
http://localhost/~mikel, and apache was redirecting it to 
http://mycomputername/~mikel, so when your browser tried to go to 
http://mycomputername/~mikel, it used as its source ip address 
mycomputername, which was denied.
Clear as mud? :)
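
Added example, not part of any poster's message: a Python sketch of the effect the tcpdump and ping runs above show, namely that the source address the server sees follows the destination address the client connects to, and that address is what the allow/deny lists are checked against. The listener, the function names and the IP-only model of "order deny,allow" are assumptions made for illustration; "allow from localhost" is modelled here as the address 127.0.0.1.

```python
import ipaddress
import socket


def primary_address():
    """Return this host's non-loopback IPv4 address, or None if it has no route.

    connect() on a UDP socket sends nothing; it only makes the kernel choose
    a source address. 192.0.2.1 is a documentation address (TEST-NET-1).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 9))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def source_seen_by_server(dest_ip):
    """Connect to a throwaway listener via dest_ip and return the client
    address the server side sees (the value access rules are matched against)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(2)
    try:
        srv.bind(("0.0.0.0", 0))  # all interfaces, ephemeral port
        srv.listen(1)
        cli = socket.create_connection((dest_ip, srv.getsockname()[1]), timeout=2)
        try:
            conn, peer = srv.accept()
            conn.close()
            return peer[0]
        finally:
            cli.close()
    finally:
        srv.close()


def _matches(client_ip, specs):
    """True if client_ip falls in any spec; "all" stands for every address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network("0.0.0.0/0" if s == "all" else s)
               for s in specs)


def order_deny_allow(client_ip, deny, allow):
    """Simplified model of `order deny,allow` for IP specs only: a matching
    allow overrides a matching deny; no match at all means access is granted."""
    if _matches(client_ip, allow):
        return True
    return not _matches(client_ip, deny)


if __name__ == "__main__":
    allow = ["127.0.0.1"]  # models "allow from localhost" (assumption)
    for dest in ("127.0.0.1", primary_address()):
        if dest is None:
            continue
        src = source_seen_by_server(dest)
        verdict = "allowed" if order_deny_allow(src, ["all"], allow) else "403"
        print("connect to", dest, "-> server sees", src, "->", verdict)
```

On a host with a routable address the second line of output shows that address as the source, so a request that was redirected from localhost to the machine's own name no longer matches a loopback-only allow list.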






Re: [SLUG] Apache: why doesn't "allow from localhost work" ?

2001-06-28 Thread Mike Lake

On Wed, Jun 27, 2001 at 08:10:01PM +1000, getadog wrote:
> On Wed, Jun 27, 2001 at 06:56:07PM +1000, Mike Lake wrote:
> > So if I was using 'localhost' which is referring to a URL that the request
> > comes from then it would use ServerName:Port ie b4114:80 ?
> > .
> > I'm a little confused between the server name and hostname.
 
> If you set a ServerName and UseCanonicalName On apache will redirect 
> your browser to what ever you set your ServerName to. 
> If you don't  set a ServerName and set UseCanonicalName On apache will 
> redirect your browser to `hostname -f`. 
> If you set UseCanonicalName Off (Commenting it out turned it on for me), 
> apache won't redirect you at all.
> 
> I think it's easier to see what's happening with wget -S localhost/~mikel,

getadog suggested I try different combinations to see what happens - an
excellent way to learn :-)
Basically I tried all the combinations in httpd.conf with
ServerName/UseCanonical and used wget to see what responded. 
Put the output to a file and pretty printed and read it on the train.
Yeah Fun :-) I won't put the results here as it's too long.

Also used ping and the browser to try to resolve localhost and b4114a while
doing a tcpdump -i lo and saved the output for each case.
Have learnt a lot about how to use tcpdump and ping and wget to see what's
being resolved to where and by whom.

> Your source address changes depending on which interface you are pinging.
Can see that sort of but still have to try and work out what I should have
for that setting. 

> What I think was happening was you were pointing your browser to
> http://localhost/~mikel, and apache was redirecting it to 
> http://mycomputername/~mikel, so when your browser tried to go to 
> http://mycomputername/~mikel, it used as its source ip address 
> mycomputername, which was denied.

> Clear as mud? :)
yep. I must say I'm still a little confused but will have a play around more.

Just to fill you in on why I am doing this; I wrote a kinetics experiment
last year for the UTS Chemistry Dept which does a Monte Carlo simulation of
some reactions for the students to play with. Gets 8 students out of the lab
for 3 hours / week. It all ran from my RedHat Linux box with 32Meg RAM and
was used by 8 students, accessing it via Netscape from Windows PC's.

This year it will run again but I am changing it so it can be more easily
installed and run from any server. I had lots of hard coded server
specific stuff in it. It will now run from a Debian distro which puts Apache 
things in different places to RedHat. My changes will make it easier for
others to install it and for me to maintain it.

Mike
-- 
Do you think that when they asked George Washington for ID that he just whipped out a 
quarter? -- Steven Wright

Michael Lake, University of Technology, Sydney
Work: [EMAIL PROTECTED] Ph: 02 9514 1724 Fx: 02 9514 1628 
Home: http://www.speleonics.com.au
Linux enthusiast, active caver and interested in anything technical.
   ***


