This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Forbidden - You don't have permission to access / on this server.

Hi there

 

I am getting the below error when trying to access an external DNS address eg..   www.xxxx.co.uk 

 

The site is running on IIS, and has a host header for the correct URL . I have tried enabling/disabling URL rewrite and pass host headers, and also tried no firewall profile but with no luck. I cant seem to figure out where im going wrong, any ideas?

 

Thanks 

 

 

 

 

 

Virtual server setup:

 

 

 

 

 

 

 

 

 



This thread was automatically locked due to age.
Parents
  • WAF Logs (editted the domain name part)

     

     

    2018:07:02-22:59:07 ids httpd[13391]: [url_hardening:error] [pid 13391:tid 4013390704] [client 172.18.175.138:32796] Hostname in HTTP request (172.18.175.138) does not match the server name (files.xxxx.co.uk)
    2018:07:02-22:59:07 ids httpd: id="0299" srcip="172.18.175.138" localip="172.18.175.138" size="209" user="-" host="172.18.175.138" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="163" url="/" server="files.xxxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WzquO6wSr4oAADRPrvAAAABy"
    2018:07:02-22:59:07 ids httpd: id="0299" srcip="125.236.212.159" localip="172.18.175.138" size="183" user="-" host="125.236.212.159" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="1004" url="/" server="files.xxxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WzquO6wSr4oAADRPru8AAABx"
Reply
  • WAF Logs (editted the domain name part)

     

     

    2018:07:02-22:59:07 ids httpd[13391]: [url_hardening:error] [pid 13391:tid 4013390704] [client 172.18.175.138:32796] Hostname in HTTP request (172.18.175.138) does not match the server name (files.xxxx.co.uk)
    2018:07:02-22:59:07 ids httpd: id="0299" srcip="172.18.175.138" localip="172.18.175.138" size="209" user="-" host="172.18.175.138" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="163" url="/" server="files.xxxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WzquO6wSr4oAADRPrvAAAABy"
    2018:07:02-22:59:07 ids httpd: id="0299" srcip="125.236.212.159" localip="172.18.175.138" size="183" user="-" host="125.236.212.159" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="1004" url="/" server="files.xxxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="WzquO6wSr4oAADRPru8AAABx"
Children
  • zzzp8 said:

     Hostname in HTTP request (172.18.175.138) does not match the server name (files.xxxx.co.uk)

    It appears that in stead of using the registered name, an application is using the IP-address directly which is forbidden (status 403).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks for the reply

     

    I still dont quite get it tho?

     

    In IIS, I have bindings setup to service files.xxxx.co.uk on port 80 , and the setup in the WAF itself on the sophos looks to be ok (i think)

     

    Im simply just browsing from a browser to files.xxxx.co.uk  and I get the Forbidden you dont have permission to access / on this server. 

     

    Any ideas?

  • Sorry to be a noob, does anybody have any other ideas Im struggling abit on this one

  • Under virtual server > interface

    I have always used the interface I would be connecting to from the client. This normally being the one connected to the internet.

    Is internal the correct one?

  • Thanks for the reply.

     

    I'm using it on AWS so it only displays an internal interface. Im not sure the firewall is actually aware of its external interface as AWS does networking abit differently if I understand correctly e.g. software defined 

  • Setting up WAF takes some effort.  It looks like you've just drastically modified the "Basic Protection" Profile instead of starting it in "Monitor" mode and making sure you can connect first.  The log is confusing me because you don't have 'Static URL hardening' selected.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks. 

     

    I have set the Basic profile as follows:

     

     

    And retaken a capture of the logs here:

     

    2018:07:09-01:05:34 ids httpd[416]: [url_hardening:error] [pid 416:tid 4063746928] [client 125.236.212.159:19506] No signature found, URI: http://files.xxxxx.co.uk/
    2018:07:09-01:05:34 ids httpd[416]: [url_hardening:error] [pid 416:tid 4055354224] [client 172.18.175.138:33718] Hostname in HTTP request (172.18.175.138) does not match the server name (files.xxxxx.co.uk)
    2018:07:09-01:05:34 ids httpd: id="0299" srcip="172.18.175.138" localip="172.18.175.138" size="209" user="-" host="172.18.175.138" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="412" url="/" server="files.xxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W0K03qwSr4oAAAGgAeIAAAA7"
    2018:07:09-01:05:34 ids httpd: id="0299" srcip="125.236.212.159" localip="172.18.175.138" size="177" user="-" host="125.236.212.159" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="2850" url="/" server="files.xxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W0K03qwSr4oAAAGgAeEAAAA6"
    2018:07:09-01:05:35 ids httpd[416]: [url_hardening:error] [pid 416:tid 4046961520] [client 125.236.212.159:19510] No signature found, URI: files.xxxxx.co.uk/favicon.ico
    2018:07:09-01:05:35 ids httpd[416]: [url_hardening:error] [pid 416:tid 4038568816] [client 172.18.175.138:33719] Hostname in HTTP request (172.18.175.138) does not match the server name (files.xxxxx.co.uk)
    2018:07:09-01:05:35 ids httpd: id="0299" srcip="172.18.175.138" localip="172.18.175.138" size="220" user="-" host="172.18.175.138" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="419" url="/favicon.ico" server="files.xxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W0K036wSr4oAAAGgAeQAAAA9"
    2018:07:09-01:05:35 ids httpd: id="0299" srcip="125.236.212.159" localip="172.18.175.138" size="185" user="-" host="125.236.212.159" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="2247" url="/favicon.ico" server="files.xxxxx.co.uk" port="80" query="" referer="-" cookie="-" set-cookie="-" uid="W0K036wSr4oAAAGgAeMAAAA8

     

     

     

     

  • This is screen I get when I browse to the URL:

     

  • I suspect that you have no such problem if 'Static URL hardening' is not selected.  If so, then since you've already tried enabling/disabling URL rewrite and pass host headers, this would indicate that your website is returning URLs that contain fixed IPs - can you check that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ok thanks alot for the reply

     

    Any idea how I can check if my web server is returning an IP address?