Re: [users@httpd] apache 2.4 allow by IP
2015-03-20 1:06 GMT+01:00 Tim Dunphy bluethu...@gmail.com: Do you also have the corresponding LoadModule directives in your config file? (shared modules need it to be effectively loaded). Affirmative: [root@uszwsls00015la apache2]# egrep status_module|authz_host conf/httpd.conf LoadModule authz_host_module modules/mod_authz_host.so LoadModule status_module modules/mod_status.so Thanks, Tim On Thu, Mar 19, 2015 at 7:57 PM, Yann Ylavic ylavic@gmail.com wrote: On Thu, Mar 19, 2015 at 9:51 PM, Tim Dunphy bluethu...@gmail.com wrote: mod_status loaded? Yep! [root@uszwsls00015la apache2]# apachectl -M | grep status status_module (shared) And so are mod_authz_host: [root@uszwsls00015la apache2]# apachectl -M | grep authz_host authz_host_module (shared) Do you also have the corresponding LoadModule directives in your config file? (shared modules need it to be effectively loaded). - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B Do not define VirtualHost * define it like VirtualHost *:80 Change Directory /* to point to your exact documentrootpath and then set AllowOverride none. Also use apachectl -S to check and make sure your virtualhosts are defined correctly. And now the most important thing, the log: [Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid 140005409228544] [client216.178.108.232:63636] AH01630: client denied by server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status Here it says you are reaching your server with IP 216.178.108.232, and you have Require ip 10.10.10.5. It will never let you in, even if you land in the correct context. -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal
Re: [users@httpd] apache 2.4 allow by IP
Hello Kees, Thanks for that suggestion. Not sure if I understood you correctly, but this is what I tried: #Mod_status config ExtendedStatus on VirtualHost * ServerAdmin webmas...@nbcuni.com DocumentRoot/opt/apache2/htdocs/hcphp.nbc.com ServerName hcphp.nbc.com ServerAlias phphc.nbc.com 10.10.10.5 uszwsls00015la.dmz.tfayd.com Directory /* AddHandler cgi-script .cgi Options -Indexes +FollowSymLinks +ExecCGI +Includes AllowOverride All Require all granted /Directory RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] ExpiresActive On ExpiresDefault access plus 30 minutes Location /server-status SetHandler server-status Require ip 10.10.10.5 #Require all granted /Location /VirtualHost But that didn't change my result: [root@uszwsls00015la apache2]# GET http://$(hostname -i)/server-status !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2 Final//EN html head titleIndex of //title /head body h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li /ul /body/html !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title403 Forbidden/title /headbody h1Forbidden/h1 pYou don't have permission to access /server-status on this server.br / /p /body/html And the same entry was added to the error log as before: [Thu Mar 19 16:19:41.577437 2015] [authz_core:error] [pid 57932:tid 140005330646784] [client 10.10.10.5:30780] AH01630: client denied by server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status Does anyeone have any other ideas? Would showing more of the config be helpful? Thanks Tim On Thu, Mar 19, 2015 at 6:59 PM, Kees Nuyt k.n...@zonnet.nl wrote: On Thu, 19 Mar 2015 16:26:28 -0400, you wrote: This is what I'm seeing in the error logs: [Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid 140005409228544] [client 216.178.108.232:63636] AH01630: client denied by server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status But that error seems to be referencing another VHOST: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 #Require all granted /Location VirtualHost * ServerAdmin webmas...@somewhere.com DocumentRoot/opt/apache2/htdocs/hcphp.nbc.com ServerName hcphp.nbc.com ServerAlias phphc.nbc.com 10.10.10.5 uszwsls00015la.dmz.tfayd.com Directory /* AddHandler cgi-script .cgi Options -Indexes +FollowSymLinks +ExecCGI +Includes AllowOverride All Require all granted /Directory RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] ExpiresActive On ExpiresDefault access plus 30 minutes /VirtualHost I'm still not sure why this is happening. Any help/clues would be appreciated! Tim The first virtual host is the default servername. You could try to move the Location ... ... server-status ... /Location block into that VirtualHost ... /VirtualHost block. -- Regards, Cordialement, Groet, Kees Nuyt - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Re: [users@httpd] apache 2.4 allow by IP
On Thu, 19 Mar 2015 16:26:28 -0400, you wrote: This is what I'm seeing in the error logs: [Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid 140005409228544] [client 216.178.108.232:63636] AH01630: client denied by server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status But that error seems to be referencing another VHOST: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 #Require all granted /Location VirtualHost * ServerAdmin webmas...@somewhere.com DocumentRoot/opt/apache2/htdocs/hcphp.nbc.com ServerName hcphp.nbc.com ServerAlias phphc.nbc.com 10.10.10.5 uszwsls00015la.dmz.tfayd.com Directory /* AddHandler cgi-script .cgi Options -Indexes +FollowSymLinks +ExecCGI +Includes AllowOverride All Require all granted /Directory RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] ExpiresActive On ExpiresDefault access plus 30 minutes /VirtualHost I'm still not sure why this is happening. Any help/clues would be appreciated! Tim The first virtual host is the default servername. You could try to move the Location ... ... server-status ... /Location block into that VirtualHost ... /VirtualHost block. -- Regards, Cordialement, Groet, Kees Nuyt - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] apache 2.4 allow by IP
Do you also have the corresponding LoadModule directives in your config file? (shared modules need it to be effectively loaded). Affirmative: [root@uszwsls00015la apache2]# egrep status_module|authz_host conf/httpd.conf LoadModule authz_host_module modules/mod_authz_host.so LoadModule status_module modules/mod_status.so Thanks, Tim On Thu, Mar 19, 2015 at 7:57 PM, Yann Ylavic ylavic@gmail.com wrote: On Thu, Mar 19, 2015 at 9:51 PM, Tim Dunphy bluethu...@gmail.com wrote: mod_status loaded? Yep! [root@uszwsls00015la apache2]# apachectl -M | grep status status_module (shared) And so are mod_authz_host: [root@uszwsls00015la apache2]# apachectl -M | grep authz_host authz_host_module (shared) Do you also have the corresponding LoadModule directives in your config file? (shared modules need it to be effectively loaded). - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Re: [users@httpd] apache 2.4 allow by IP
On Thu, Mar 19, 2015 at 9:51 PM, Tim Dunphy bluethu...@gmail.com wrote: mod_status loaded? Yep! [root@uszwsls00015la apache2]# apachectl -M | grep status status_module (shared) And so are mod_authz_host: [root@uszwsls00015la apache2]# apachectl -M | grep authz_host authz_host_module (shared) Do you also have the corresponding LoadModule directives in your config file? (shared modules need it to be effectively loaded). - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] apache 2.4 allow by IP
2015-03-19 18:06 GMT+01:00 Robert Webb rw...@ropeguru.com: I don't agree with your analysis. ullia href=healthcheck.php healthcheck.php/a/li is an href inside an html page that does nothing until clicked on by the client. This is all assuming that the access denied he is getting is from http:// $(hostname-i)/server-status and server-status is the html page of the code he posted. Not when clicking on the healthcheck.php href link. Robert On Thu, 19 Mar 2015 17:57:09 +0100 Daniel dferra...@gmail.com wrote: 2015-03-19 17:41 GMT+01:00 Tim Dunphy bluethu...@gmail.com: Hey all, I'm attempting to setup the server-status module and limit access to it by IP. So I have this block in my apache configuration file: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 127.0.0.1 /Location And if I do a GET by IP, I'm getting permission denied [root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2 Final//EN html head titleIndex of //title /head body h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li /ul /body/html !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title403 Forbidden/title /headbody h1Forbidden/h1 *pYou don't have permission to access /server-status* on this server.br / /p /body/html Can someone please let me know where I'm going wrong? Thanks Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B Hello, This shoud give you a tip: h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li - which has nothing to do with server-status make sure you are accessing the correct virtualhost -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal Should that be the case he still needs to check the error.log -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal
Re: [users@httpd] apache 2.4 allow by IP
On 3/19/2015 1:24 PM, Daniel wrote: 2015-03-19 18:06 GMT+01:00 Robert Webb rw...@ropeguru.com: I don't agree with your analysis. ullia href=healthcheck.php healthcheck.php/a/li is an href inside an html page that does nothing until clicked on by the client. This is all assuming that the access denied he is getting is from http://$(hostname-i)/server-status and server-status is the html page of the code he posted. Not when clicking on the healthcheck.php href link. Robert On Thu, 19 Mar 2015 17:57:09 +0100 Daniel dferra...@gmail.com wrote: 2015-03-19 17:41 GMT+01:00 Tim Dunphy bluethu...@gmail.com: Hey all, I'm attempting to setup the server-status module and limit access to it by IP. So I have this block in my apache configuration file: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 127.0.0.1 /Location And if I do a GET by IP, I'm getting permission denied [root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2 Final//EN html head titleIndex of //title /head body h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li /ul /body/html !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title403 Forbidden/title /headbody h1Forbidden/h1 *pYou don't have permission to access /server-status* on this server.br / /p /body/html Can someone please let me know where I'm going wrong? Thanks Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B Hello, This shoud give you a tip: h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li - which has nothing to do with server-status make sure you are accessing the correct virtualhost -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal Should that be the case he still needs to check the error.log -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal 2015-03-19 20:33 GMT+01:00 Larry Irwin larry.ir...@ccamedical.com: How about using this within a Directory entry: Order deny,allow Deny from all # Private IP ranges Allow from 127.0.0.1/32 Allow from 10.0.0.5/32 And then add the server status are under that Directory... Wouldn't that do it? -- Larry Irwin V.P. Development CCA Medical Ph: 864-233-2700 ext 225 Fax: 864-271-1755 Cell: 864-525-1322 Email: larry.ir...@ccamedical.com He is using Require, so 2.4.x. Using deprecated directives in 2.4 is not recommended. The server-status uri will be a virtual path when you define the handler for it, not a real directory, so the logical way is calling it Location. Also if you need to define ranges in 2.4 (not sure about 2.2 know) I don't think you need to use CIDR notation, even less if you use /32 hostmask which is the same as the IP alone. In 2.4 with Require you can even just specify part of the ip to define ranges: aka Require ip 10 to allow 10.0.0.0/8. He needs to check source ip and error.log to know why he is being denied access. -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal
Re: [users@httpd] apache 2.4 allow by IP
How about using this within a Directory entry: Order deny,allow Deny from all # Private IP ranges Allow from 127.0.0.1/32 Allow from 10.0.0.5/32 And then add the server status are under that Directory... Wouldn't that do it? On 3/19/2015 1:24 PM, Daniel wrote: 2015-03-19 18:06 GMT+01:00 Robert Webb rw...@ropeguru.com mailto:rw...@ropeguru.com: I don't agree with your analysis. ullia href=healthcheck.php healthcheck.php/a/li is an href inside an html page that does nothing until clicked on by the client. This is all assuming that the access denied he is getting is from http://$(hostname-i)/server-status and server-status is the html page of the code he posted. Not when clicking on the healthcheck.php href link. Robert On Thu, 19 Mar 2015 17:57:09 +0100 Daniel dferra...@gmail.com mailto:dferra...@gmail.com wrote: 2015-03-19 17:41 GMT+01:00 Tim Dunphy bluethu...@gmail.com mailto:bluethu...@gmail.com: Hey all, I'm attempting to setup the server-status module and limit access to it by IP. So I have this block in my apache configuration file: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 127.0.0.1 /Location And if I do a GET by IP, I'm getting permission denied [root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2 Final//EN html head titleIndex of //title /head body h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li /ul /body/html !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title403 Forbidden/title /headbody h1Forbidden/h1 *pYou don't have permission to access /server-status* on this server.br / /p /body/html Can someone please let me know where I'm going wrong? Thanks Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net http://pool.sks-keyservers.net --recv-keys F186197B Hello, This shoud give you a tip: h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li - which has nothing to do with server-status make sure you are accessing the correct virtualhost -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com mailto:dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal http://es.linkedin.com/in/danielferradal Should that be the case he still needs to check the error.log -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com mailto:dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal http://es.linkedin.com/in/danielferradal -- Larry Irwin V.P. Development CCA Medical Ph: 864-233-2700 ext 225 Fax: 864-271-1755 Cell: 864-525-1322 Email: larry.ir...@ccamedical.com
Re: [users@httpd] apache 2.4 allow by IP
How about using this within a Directory entry: Order deny,allow Deny from all # Private IP ranges Allow from 127.0.0.1/32 Allow from 10.0.0.5/32 And then add the server status are under that Directory... Wouldn't that do it? I believe that's the old pre-2.4 syntax. It's not recommended for the latest version of apache from what I understand. On Thu, Mar 19, 2015 at 3:33 PM, Larry Irwin larry.ir...@ccamedical.com wrote: How about using this within a Directory entry: Order deny,allow Deny from all # Private IP ranges Allow from 127.0.0.1/32 Allow from 10.0.0.5/32 And then add the server status are under that Directory... Wouldn't that do it? On 3/19/2015 1:24 PM, Daniel wrote: 2015-03-19 18:06 GMT+01:00 Robert Webb rw...@ropeguru.com: I don't agree with your analysis. ullia href=healthcheck.php healthcheck.php/a/li is an href inside an html page that does nothing until clicked on by the client. This is all assuming that the access denied he is getting is from http://$(hostname-i)/server-status and server-status is the html page of the code he posted. Not when clicking on the healthcheck.php href link. Robert On Thu, 19 Mar 2015 17:57:09 +0100 Daniel dferra...@gmail.com wrote: 2015-03-19 17:41 GMT+01:00 Tim Dunphy bluethu...@gmail.com: Hey all, I'm attempting to setup the server-status module and limit access to it by IP. So I have this block in my apache configuration file: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 127.0.0.1 /Location And if I do a GET by IP, I'm getting permission denied [root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2 Final//EN html head titleIndex of //title /head body h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li /ul /body/html !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title403 Forbidden/title /headbody h1Forbidden/h1 *pYou don't have permission to access /server-status* on this server.br / /p /body/html Can someone please let me know where I'm going wrong? Thanks Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B Hello, This shoud give you a tip: h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li - which has nothing to do with server-status make sure you are accessing the correct virtualhost -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal Should that be the case he still needs to check the error.log -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal -- Larry Irwin V.P. Development CCA Medical Ph: 864-233-2700 ext 225 Fax: 864-271-1755 Cell: 864-525-1322 Email: larry.ir...@ccamedical.com -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Re: [users@httpd] apache 2.4 allow by IP
I don't agree with your analysis. ullia href=healthcheck.php healthcheck.php/a/li is an href inside an html page that does nothing until clicked on by the client. This is all assuming that the access denied he is getting is from http://$(hostname-i)/server-status and server-status is the html page of the code he posted. Not when clicking on the healthcheck.php href link. Robert On Thu, 19 Mar 2015 17:57:09 +0100 Daniel dferra...@gmail.com wrote: 2015-03-19 17:41 GMT+01:00 Tim Dunphy bluethu...@gmail.com: Hey all, I'm attempting to setup the server-status module and limit access to it by IP. So I have this block in my apache configuration file: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 127.0.0.1 /Location And if I do a GET by IP, I'm getting permission denied [root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2 Final//EN html head titleIndex of //title /head body h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li /ul /body/html !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title403 Forbidden/title /headbody h1Forbidden/h1 *pYou don't have permission to access /server-status* on this server.br / /p /body/html Can someone please let me know where I'm going wrong? Thanks Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B Hello, This shoud give you a tip: h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li - which has nothing to do with server-status make sure you are accessing the correct virtualhost -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] apache 2.4 allow by IP
2015-03-19 17:41 GMT+01:00 Tim Dunphy bluethu...@gmail.com: Hey all, I'm attempting to setup the server-status module and limit access to it by IP. So I have this block in my apache configuration file: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 127.0.0.1 /Location And if I do a GET by IP, I'm getting permission denied [root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2 Final//EN html head titleIndex of //title /head body h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li /ul /body/html !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title403 Forbidden/title /headbody h1Forbidden/h1 *pYou don't have permission to access /server-status* on this server.br / /p /body/html Can someone please let me know where I'm going wrong? Thanks Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B Hello, This shoud give you a tip: h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li - which has nothing to do with server-status make sure you are accessing the correct virtualhost -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal
Re: [users@httpd] apache 2.4 allow by IP
This is what I'm seeing in the error logs: [Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid 140005409228544] [client 216.178.108.232:63636] AH01630: client denied by server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status But that error seems to be referencing another VHOST: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 #Require all granted /Location VirtualHost * ServerAdmin webmas...@somewhere.com DocumentRoot/opt/apache2/htdocs/hcphp.nbc.com ServerName hcphp.nbc.com ServerAlias phphc.nbc.com 10.10.10.5 uszwsls00015la.dmz.tfayd.com Directory /* AddHandler cgi-script .cgi Options -Indexes +FollowSymLinks +ExecCGI +Includes AllowOverride All Require all granted /Directory RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] ExpiresActive On ExpiresDefault access plus 30 minutes /VirtualHost I'm still not sure why this is happening. Any help/clues would be appreciated! Tim On Thu, Mar 19, 2015 at 3:42 PM, Daniel dferra...@gmail.com wrote: On 3/19/2015 1:24 PM, Daniel wrote: 2015-03-19 18:06 GMT+01:00 Robert Webb rw...@ropeguru.com: I don't agree with your analysis. ullia href=healthcheck.php healthcheck.php/a/li is an href inside an html page that does nothing until clicked on by the client. This is all assuming that the access denied he is getting is from http://$(hostname-i)/server-status and server-status is the html page of the code he posted. Not when clicking on the healthcheck.php href link. Robert On Thu, 19 Mar 2015 17:57:09 +0100 Daniel dferra...@gmail.com wrote: 2015-03-19 17:41 GMT+01:00 Tim Dunphy bluethu...@gmail.com: Hey all, I'm attempting to setup the server-status module and limit access to it by IP. So I have this block in my apache configuration file: #Mod_status config ExtendedStatus on Location /server-status SetHandler server-status Require ip 10.10.10.5 127.0.0.1 /Location And if I do a GET by IP, I'm getting permission denied [root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 3.2 Final//EN html head titleIndex of //title /head body h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li /ul /body/html !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title403 Forbidden/title /headbody h1Forbidden/h1 *pYou don't have permission to access /server-status* on this server.br / /p /body/html Can someone please let me know where I'm going wrong? Thanks Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B Hello, This shoud give you a tip: h1Index of //h1 ullia href=healthcheck.php healthcheck.php/a/li - which has nothing to do with server-status make sure you are accessing the correct virtualhost -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal Should that be the case he still needs to check the error.log -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal 2015-03-19 20:33 GMT+01:00 Larry Irwin larry.ir...@ccamedical.com: How about using this within a Directory entry: Order deny,allow Deny from all # Private IP ranges Allow from 127.0.0.1/32 Allow from 10.0.0.5/32 And then add the server status are under that Directory... Wouldn't that do it? -- Larry Irwin V.P. Development CCA Medical Ph: 864-233-2700 ext 225 Fax: 864-271-1755 Cell: 864-525-1322 Email: larry.ir...@ccamedical.com He is using Require, so 2.4.x. Using deprecated directives in 2.4 is not recommended. The server-status uri will be a virtual path when you define the handler for it, not a real directory, so the logical way is calling it Location. Also if you need to define ranges in 2.4 (not sure about 2.2 know) I don't think you need to use CIDR notation, even less if you use /32 hostmask which is the same as the IP alone. In 2.4 with Require you can even just specify part of the ip to define ranges: aka Require ip 10 to allow 10.0.0.0/8. He needs to check source ip and error.log to know why he is being denied access. -- *Daniel Ferradal* IT Specialist email dferra...@gmail.com linkedin es.linkedin.com/in/danielferradal -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Re: [users@httpd] apache 2.4 allow by IP
On Thu, Mar 19, 2015 at 4:26 PM, Tim Dunphy bluethu...@gmail.com wrote: I'm still not sure why this is happening. Any help/clues would be appreciated! mod_status loaded? -- Eric Covener cove...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] apache 2.4 allow by IP
mod_status loaded? Yep! [root@uszwsls00015la apache2]# apachectl -M | grep status status_module (shared) And so are mod_authz_host: [root@uszwsls00015la apache2]# apachectl -M | grep authz_host authz_host_module (shared) So it's a litle puzzling.. On Thu, Mar 19, 2015 at 4:39 PM, Eric Covener cove...@gmail.com wrote: On Thu, Mar 19, 2015 at 4:26 PM, Tim Dunphy bluethu...@gmail.com wrote: I'm still not sure why this is happening. Any help/clues would be appreciated! mod_status loaded? -- Eric Covener cove...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B