[SOLVED] Random 403/Forbidden's when using Apache2 Proxy
Posted: Mon Sep 08, 2014 2:36 pmAlright, I am trying to keep the number of Ports that I expose to the internet as small as possible and the links as beautiful as possible on my NAS/Storage/Homeserver.
This means: I want to be able to access both owncloud and subsonic on port 443, and 443 only.
First off, my system:
Within my local subnet all ports are open, thus I can access Subsonic via "hostname:xxxx/subsonic" with no problems whatsoever. Port and subdir as configured in /etc/default/subsonic:
Apache for itself works fine. I have owncloud and a local copy of MiniSub running on it. Only port 443 is accessible from the internet and apart from different browsers having difficulties with the self-signed certificate everything works fine. Well, everything BUT the proxy to subsonic.
The proxy is implemented as mydyndns.com/subsonic as follows: (via seperate subsonicproxy.conf file)
This is what I gathered from some Blog postings concerning this exact use of the proxy module for Subsonic. The <Location > bit is more of a test, assuming it had anything to do with the default settings of Apache.
As I said before, hostname:xxxx/subsonic works fine. But as soon as I try to access hostname/subsonic (in my subnet both http and https are open and both have similar, i.e. failing behaviour) a sh*tload of 403's appears and it usually looks like this:
(Also see the Firefox Web Console if you scroll down..)
or this: (that is like 4-5 'Forbidden' popups one over the other)
The Logs in Subsonic's about page show absolutely no hint of this and in the /var/log/apache2/error.log this line is repeated numerous times for different paths:
I should mention that the MiniSub that I have hosted via Apache connects to mydyndns.com/subsonic and plays the songs with no problems. So the API via that Proxy does seem to work. Also I can get Subsonic to work via mydyndns.com/subsonic for a short while if I clear my Cookies and do a fresh reload. Usually problems start reappearing after 5 minutes or so or excessive browsing in folders with lots of artworks, e.g. my Movies folder.
Any ideas on this? I previously had a second port open to connect to Subsonic directly and that worked fine, but I would greatly prefer this implementation to work.
Cheers!
------------------
EDIT 1
As suggested in ( https://wiki.apache.org/httpd/ClientDen ... figuration ) I tried adding the following:
In subsonic.conf ( /etc/apache2/conf-available ):
.. and in apache2.conf:
And reloading apache with 'service apache2 reload'. But to no avail. The Errors still persist.
Wrong directory maybe?
------------------
EDIT 2
Yesterday I installed an sks keyserver and noticed that I also get 403 when I reload the page too often/quickly.
As it has nothing to do with Subsonic, I assume it is some problem with iptables probably?
I had recently installed fail2ban, but removed it again. Don't know whether I let it purge the config's though.
The rest of the Firewall rules I manage with ufw, which of course does not display any other possible leftovers from fail2ban.
I'll try to dig through the iptables files myself then...
This means: I want to be able to access both owncloud and subsonic on port 443, and 443 only.
First off, my system:
- Code: Select all
Ubuntu 14.04.1 LTS (Server, no GUI)
Apache/2.4.7 (Ubuntu)
Subsonic 5.0.beta1 (build 4048) – 24 May 2014
jetty-6.1.x, java 1.7.0_65, Linux (111.4 MB / 140.0 MB)
Within my local subnet all ports are open, thus I can access Subsonic via "hostname:xxxx/subsonic" with no problems whatsoever. Port and subdir as configured in /etc/default/subsonic:
- Code: Select all
SUBSONIC_ARGS="--max-memory=150 --port=xxxx --context-path=/subsonic"
Apache for itself works fine. I have owncloud and a local copy of MiniSub running on it. Only port 443 is accessible from the internet and apart from different browsers having difficulties with the self-signed certificate everything works fine. Well, everything BUT the proxy to subsonic.
The proxy is implemented as mydyndns.com/subsonic as follows: (via seperate subsonicproxy.conf file)
- Code: Select all
ProxyRequests Off
ProxyPreserveHost Off
SSLProxyEngine on
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location /subsonic >
AllowOverride All
</Location>
ProxyPass /subsonic http://localhost:xxxx/subsonic
ProxyPassReverse /subsonic http://localhost:xxxx/subsonic
This is what I gathered from some Blog postings concerning this exact use of the proxy module for Subsonic. The <Location > bit is more of a test, assuming it had anything to do with the default settings of Apache.
As I said before, hostname:xxxx/subsonic works fine. But as soon as I try to access hostname/subsonic (in my subnet both http and https are open and both have similar, i.e. failing behaviour) a sh*tload of 403's appears and it usually looks like this:
(Also see the Firefox Web Console if you scroll down..)
or this: (that is like 4-5 'Forbidden' popups one over the other)
The Logs in Subsonic's about page show absolutely no hint of this and in the /var/log/apache2/error.log this line is repeated numerous times for different paths:
- Code: Select all
[Mon Sep 08 15:40:01.883817 2014] [evasive20:error] [pid 32472] [client 192.168.0.100:52528] client denied by server configuration: proxy:http://localhost:xxxx/subsonic/dwr/call/plaincall/nowPlayingService.getNowPlayingForCurrentPlayer.dwr, referer: https://fractal/subsonic/playQueue.view?
I should mention that the MiniSub that I have hosted via Apache connects to mydyndns.com/subsonic and plays the songs with no problems. So the API via that Proxy does seem to work. Also I can get Subsonic to work via mydyndns.com/subsonic for a short while if I clear my Cookies and do a fresh reload. Usually problems start reappearing after 5 minutes or so or excessive browsing in folders with lots of artworks, e.g. my Movies folder.
Any ideas on this? I previously had a second port open to connect to Subsonic directly and that worked fine, but I would greatly prefer this implementation to work.
Cheers!
------------------
EDIT 1
As suggested in ( https://wiki.apache.org/httpd/ClientDen ... figuration ) I tried adding the following:
In subsonic.conf ( /etc/apache2/conf-available ):
- Code: Select all
<Location /subsonic >
AllowOverride All
Order allow,deny
Allow from all
</Location>
.. and in apache2.conf:
- Code: Select all
...
<Directory /var/subsonic>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
...
And reloading apache with 'service apache2 reload'. But to no avail. The Errors still persist.
Wrong directory maybe?
------------------
EDIT 2
Yesterday I installed an sks keyserver and noticed that I also get 403 when I reload the page too often/quickly.
As it has nothing to do with Subsonic, I assume it is some problem with iptables probably?
I had recently installed fail2ban, but removed it again. Don't know whether I let it purge the config's though.
The rest of the Firewall rules I manage with ufw, which of course does not display any other possible leftovers from fail2ban.
I'll try to dig through the iptables files myself then...
