This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Forbidden

Hi All,

i'm trying to publish my internal file sharing web server trough the web server protection, but it always redirect me on a page 403 Forbidden and the below is the error message displayed in the web page.

Forbidden

You don't have permission to access / on this server.

Regards,



This thread was automatically locked due to age.
  • Please show a representative line from the Web Filtering log file.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear BAlfson,

    there is nothing in the web filtering log file, no request appeared in that lines,

    i will inform you how i create the settings and please inform if something missing

    i've my internal site with configured to use Private ip, i configure sophos utm Web Protection as the below:

    1- Create new virtual servers with HTTPS and Local Cert without Firewall Profile.
    2- Create new Real Web Server, with HTTPS and the HOST IP Address.
    3- edit the site path by entering the path of the internal website ( i Try also to remove it and keep it as is blank after config but nothing happened).

    any advise?
  • Hi,

    the web filter log is for web filtering.
    Here, we're talking about the Webserver Protection feature and the log is called reverseproxy.log.

    If you change the site path route '/' to anything but not '/', you cannot access '/'.
    I think you're trying to rewrite the path from '/' to '/yourpath' but that does not work.

    Sabine
  • i left it as is and nothing change still i'm getting the same error

    Forbiden
  • I edited your original post from "web protection" to "web server protection."

    In WebAdmin, check the Web Application Firewall log and show us a representative line from there when you get the Forbidden screen in the client.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 2016:02:05-10:04:16 lebutm-1 reverseproxy: [Fri Feb 05 10:04:16.629081 2016] [core:warn] [pid 6123:tid 4148180672] AH00111: Config variable ${URLHardening_HTTP_Hostname} is not defined
    2016:02:05-10:04:17 lebutm-1 reverseproxy: [Fri Feb 05 10:04:17.000474 2016] [mpm_worker:notice] [pid 6123:tid 4148180672] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.1k configured -- resuming normal operations
    2016:02:05-10:04:17 lebutm-1 reverseproxy: [Fri Feb 05 10:04:17.000509 2016] [core:notice] [pid 6123:tid 4148180672] AH00094: Command line: '/usr/apache/bin/httpd'
    2016:02:05-10:04:17 lebutm-1 reverseproxy: [Fri Feb 05 10:04:17.000554 2016] [mpm_worker:warn] [pid 6123:tid 4148180672] AH00291: long lost child came home! (pid 17320)
    2016:02:05-10:04:17 lebutm-1 reverseproxy: [Fri Feb 05 10:04:17.000592 2016] [mpm_worker:warn] [pid 6123:tid 4148180672] AH00291: long lost child came home! (pid 17325)
    2016:02:05-10:04:17 lebutm-1 reverseproxy: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="56" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1301" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
    2016:02:05-10:04:35 lebutm-1 reverseproxy: [Fri Feb 05 10:04:35.751537 2016] [url_hardening:error] [pid 22336:tid 4047461232] [client 10.160.2.101:62045] Hostname in HTTP request (194.126.141.186) does not match the server name (utm)
    2016:02:05-10:04:35 lebutm-1 reverseproxy: id="0299" srcip="10.160.2.101" localip="194.126.141.186" size="209" user="-" host="10.160.2.101" method="GET" statuscode="403" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="11101" url="/" server="utm" referer="-" cookie="-" set-cookie="lbsfbnrudskric_cookie=;Max-Age=0;path=/;httponly;secure"
    2016:02:05-10:04:35 lebutm-1 reverseproxy: [Fri Feb 05 10:04:35.806090 2016] [url_hardening:error] [pid 22336:tid 4047461232] [client 10.160.2.101:62045] Hostname in HTTP request (194.126.141.186) does not match the server name (utm), referer: https://194.126.141.186/
    2016:02:05-10:04:35 lebutm-1 reverseproxy: id="0299" srcip="10.160.2.101" localip="194.126.141.186" size="220" user="-" host="10.160.2.101" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="3725" url="/favicon.ico" server="utm" referer="https://194.126.141.186/" cookie="-" set-cookie="lbsfbnrudskric_cookie=;Max-Age=0;path=/;httponly;secure"
    2016:02:05-10:05:04 lebutm-1 reverseproxy: [Fri Feb 05 10:05:04.947398 2016] [url_hardening:error] [pid 22336:tid 4072639344] [client 10.160.2.101:62062] Hostname in HTTP request (194.126.141.186) does not match the server name (utm)
    2016:02:05-10:05:04 lebutm-1 reverseproxy: id="0299" srcip="10.160.2.101" localip="194.126.141.186" size="209" user="-" host="10.160.2.101" method="GET" statuscode="403" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken" time="1862" url="/" server="utm" referer="-" cookie="-" set-cookie="lbsfbnrudskric_cookie=;Max-Age=0;path=/;httponly;secure"
    2016:02:05-10:05:04 lebutm-1 reverseproxy: [Fri Feb 05 10:05:04.969642 2016] [url_hardening:error] [pid 22336:tid 4072639344] [client 10.160.2.101:62062] Hostname in HTTP request (194.126.141.186) does not match the server name (utm), referer: https://194.126.141.186/
    2016:02:05-10:05:04 lebutm-1 reverseproxy: id="0299" srcip="10.160.2.101" localip="194.126.141.186" size="220" user="-" host="10.160.2.101" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="905" url="/favicon.ico" server="utm" referer="https://194.126.141.186/" cookie="-" set-cookie="lbsfbnrudskric_cookie=;Max-Age=0;path=/;httponly;secure"
  • "Hostname in HTTP request (194.126.141.186) does not match the server name (utm)"

    The certificate used in the Virtual Server determines the FQDN that must be used in the HTTPS request. If that doesn't help, please Use rich formatting and insert a picture of the edit of your Virtual Server wit 'Advanced' open.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry for sort of hijacking this thread.

    What exactly is the IP listed between the brackets? I'm having HTTP DDoS attacks that fill the reverseproxy log at a very fast rate, but the IP listed not in our public range?

  • Harro, (194.126.141.186) above would appear to be the public IP that his Virtual Server uses.  I wanted to see if he had either 'Rewrite HTML' or 'Pass host header' selected.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Thanks, I thought so.

    My issue is that in the reverseproxy.log lines I have an unknown IP. Not only not a virtual server, not even an IP in one of our ranges. So this must be a fake/constructed HTTP header, since the "Host" header contains a different IP from the virtual server that is being connected to.

    Is there a way to have the firewall or the WAF drop all these url_hardening errors? Now I have to add host entries for each of the abusers source IP's so I can block them in my blackhole route. And since they are a different set every day (we get attached on a daily basis), thats a lot of manual work...