This is what I'm seeing in the error logs:
[Thu Mar 19 13:22:34.274686 2015] [authz_core:error] [pid 56979:tid
140005409228544] [client 216.178.108.232:63636] AH01630: client denied by
server configuration: /opt/apache2/htdocs/hcphp.nbc.com/server-status
But that error seems to be referencing another VHOST:
#Mod_status config
ExtendedStatus on
<Location /server-status>
    SetHandler server-status
    Require ip 10.10.10.5
    #Require all granted
</Location>
<VirtualHost *>
    ServerAdmin [email protected]
    DocumentRoot /opt/apache2/htdocs/hcphp.nbc.com
    ServerName hcphp.nbc.com
    ServerAlias phphc.nbc.com 10.10.10.5 uszwsls00015la.dmz.tfayd.com
    <Directory /*>
        AddHandler cgi-script .cgi
        Options -Indexes +FollowSymLinks +ExecCGI +Includes
        AllowOverride All
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    ExpiresActive On
    ExpiresDefault "access plus 30 minutes"
</VirtualHost>
I'm still not sure why this is happening. Any help/clues would be
appreciated!
Tim
On Thu, Mar 19, 2015 at 3:42 PM, Daniel <[email protected]> wrote:
>>
>> On 3/19/2015 1:24 PM, Daniel wrote:
>>
>>
>>
>> 2015-03-19 18:06 GMT+01:00 Robert Webb <[email protected]>:
>>
>>> I don't agree with your analysis.
>>>
>>> <ul><li><a href="healthcheck.php"> healthcheck.php</a></li> is an href
>>> inside an html page that does nothing until clicked on by the client.
>>>
>>> This is all assuming that the access denied he is getting is from
>>> http://$(hostname -i)/server-status and "server-status" is the html
>>> page of the code he posted. Not when clicking on the healthcheck.php href
>>> link.
>>>
>>>
>>> Robert
>>>
>>>
>>> On Thu, 19 Mar 2015 17:57:09 +0100
>>> Daniel <[email protected]> wrote:
>>>
>>>> 2015-03-19 17:41 GMT+01:00 Tim Dunphy <[email protected]>:
>>>>
>>>> Hey all,
>>>>>
>>>>> I'm attempting to setup the server-status module and limit access to
>>>>> it
>>>>> by IP.
>>>>>
>>>>> So I have this block in my apache configuration file:
>>>>>
>>>>> #Mod_status config
>>>>> ExtendedStatus on
>>>>> <Location /server-status>
>>>>> SetHandler server-status
>>>>> Require ip 10.10.10.5 127.0.0.1
>>>>> </Location>
>>>>>
>>>>> And if I do a GET by IP, I'm getting permission denied
>>>>>
>>>>> [root@uszwslp00031la apache2]# GET http://$(hostname -i)/server-status
>>>>> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
>>>>> <html>
>>>>> <head>
>>>>> <title>Index of /</title>
>>>>> </head>
>>>>> <body>
>>>>> <h1>Index of /</h1>
>>>>> <ul><li><a href="healthcheck.php"> healthcheck.php</a></li>
>>>>> </ul>
>>>>> </body></html>
>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>> <html><head>
>>>>> <title>403 Forbidden</title>
>>>>> </head><body>
>>>>> <h1>Forbidden</h1>
>>>>> *<p>You don't have permission to access /server-status*
>>>>> on this server.<br />
>>>>> </p>
>>>>> </body></html>
>>>>>
>>>>> Can someone please let me know where I'm going wrong?
>>>>>
>>>>> Thanks
>>>>> Tim
>>>>>
>>>>> --
>>>>> GPG me!!
>>>>>
>>>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>>>>>
>>>>>
>>>> Hello,
>>>>
>>>> This should give you a tip:
>>>> <h1>Index of /</h1>
>>>> <ul><li><a href="healthcheck.php"> healthcheck.php</a></li>
>>>> <-------------
>>>> which has nothing to do with server-status
>>>>
>>>> make sure you are accessing the correct virtualhost
>>>>
>>>> --
>>>> *Daniel Ferradal*
>>>> IT Specialist
>>>>
>>>> email [email protected]
>>>> linkedin es.linkedin.com/in/danielferradal
>>>>
>>>
>>>
>>>
>> Should that be the case he still needs to check the error.log
>>
>>
>> --
>> *Daniel Ferradal*
>> IT Specialist
>>
>> email [email protected]
>> linkedin es.linkedin.com/in/danielferradal
>>
>> 2015-03-19 20:33 GMT+01:00 Larry Irwin <[email protected]>:
>>
>>> How about using this within a Directory entry:
>>> Order deny,allow
>>> Deny from all
>>> # Private IP ranges
>>> Allow from 127.0.0.1/32
>>> Allow from 10.0.0.5/32
>>> And then add the server status area under that Directory...
>>> Wouldn't that do it?
>>>
>> --
>> Larry Irwin
>> V.P. Development
>> CCA Medical
>> Ph: 864-233-2700 ext 225
>> Fax: 864-271-1755
>> Cell: 864-525-1322
>> Email: [email protected]
>>
>>
> He is using Require, so 2.4.x. Using deprecated directives in 2.4 is not
> recommended.
>
> The server-status uri will be a virtual path when you define the handler
> for it, not a real directory, so the logical way is calling it Location.
>
> Also if you need to define ranges in 2.4 (not sure about 2.2 now) I don't
> think you need to use CIDR notation, even less if you use /32 hostmask
> which is the same as the IP alone. In 2.4 with Require you can even just
> specify part of the ip to define ranges: aka "Require ip 10" to allow
> 10.0.0.0/8.
>
> He needs to check source ip and error.log to know why he is being denied
> access.
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email [email protected]
> linkedin es.linkedin.com/in/danielferradal
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
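
Added example, not part of the original thread: a small Python check that follows the advice above to compare the source IP in error.log with the Require ip list. It parses the AH01630 line quoted in the thread and evaluates the client address against IPv4 "Require ip" arguments, including the partial-address form ("Require ip 10") mentioned in the replies. The function names are hypothetical and IPv6 is not handled.

```python
import ipaddress
import re

# Error-log line from the thread, rejoined onto one line.
LOG_LINE = ("[Thu Mar 19 13:22:34.274686 2015] [authz_core:error] "
            "[pid 56979:tid 140005409228544] [client 216.178.108.232:63636] "
            "AH01630: client denied by server configuration: "
            "/opt/apache2/htdocs/hcphp.nbc.com/server-status")

AH01630 = re.compile(r"\[client (?P<ip>[0-9.]+):\d+\] AH01630: client denied by "
                     r"server configuration: (?P<path>\S+)")

def parse_denial(line):
    """Return (client_ip, path) for an AH01630 denial, or None."""
    m = AH01630.search(line)
    return (m.group("ip"), m.group("path")) if m else None

def require_ip_to_network(spec):
    """Turn one IPv4 'Require ip' argument into a network.

    Accepts a full address, a partial address ('10', '10.10') or
    address/mask notation ('10.0.0.5/32', '10.1.0.0/255.255.0.0').
    """
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

def client_allowed(client_ip, require_args):
    """True if client_ip falls inside any of the Require ip arguments."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in require_ip_to_network(a) for a in require_args)

def explain(line, require_args):
    """One-line summary of why a logged request was or was not authorized."""
    parsed = parse_denial(line)
    if parsed is None:
        return "not an AH01630 denial"
    ip, path = parsed
    verdict = "matches" if client_allowed(ip, require_args) else "does not match"
    return f"{ip} {verdict} Require ip {' '.join(require_args)} (path {path})"

if __name__ == "__main__":
    # Require ip argument taken from the <Location /server-status> block above.
    print(explain(LOG_LINE, ["10.10.10.5"]))
```
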