Topic: AllowFrom w/IPv6 occasionally fails AH01797 |
|
Author |
|
newbieBiker
Joined: 04 Aug 2017 Posts: 1 Location: USA, Missoula
|
Posted: Fri 03 Apr '20 22:51 Post subject: AllowFrom w/IPv6 occasionally fails AH01797 |
|
|
Apache/2.4.41
I've been using the Allow from IP to control access to directories for years. Never had a problem with IPv4 and IPv6 was looking to be the same until this week. I've got a new person connecting and her IP changes pretty regularly.
Allow from 2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e
The access_log shows 91 GET entries for this IP today. The error_log has 11 hits "AH01797: client denied by server configuration". So one minute she's getting files and the next she's denied by server config.
Not having a better idea I tried to expand the Allow from
Allow from 2600:6c67:6d7f:dd05::/64
Yeah, that didn't change the behavior. I didn't expect it would. I see the modern thing is to use Require. Maybe that'll help but I don't really have high hopes. What should I be considering?
Do I need to consider the port numbers?
IPs:port denied in error_log:
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:37150
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:28504
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:28504
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:22652
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:36716
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:28746
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:43700
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:56574
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:60000
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:56574
2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:56574 |
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Sat 04 Apr '20 0:14 Post subject: |
|
|
I do not have IPv6 to worry about so I cannot say much about that, but others I'm sure can.
What I can mention is my own experience. I also feel safe in saying those ports have nothing to do with it because those ports are outbound only and Apache picks those and tells the browser what port to expect the response on (simplified explanation).
mod_auth_compat seems to me to be mod_auth_mostly-compat. If you use all old style order/allow/deny/satisfy or all new style throughout your config things go just fine. The minute you start mixing old style here, new style there, you start to see strange results. If you use all new style, no need to load the module.
I know that mod_authz_host has problems with hostnames. I have a few 'Require not host hostname' and I see errors all over my error log about Apache being unable to translate the IP to a hostname. When I look in the access log I can see not only the hostname but it getting the desired denial of access (403).
If you can match an error log entry to the access log entry it may show a 200 for that request and that error itself is false. |
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Sat 04 Apr '20 10:46 Post subject: Re: AllowFrom w/IPv6 occasionally fails AH01797 |
|
|
newbieBiker wrote: | Never had a problem with IPv4 and IPv6 was looking to be the same until this week. I've got a new person connecting and her IP changes pretty regularly.
|
By default, a Windows PC will assign a pseudo-random IPv6 address to a Windows machine. The reason for this is anonymity. With IPv6, each device will have its own world-wide IP address, thus all traffic originating from the address can easily be linked to one machine and often one person. For that reason, the pseudo-random algorithm on IPv6 addresses was created to make sure your machine will have a different IP address to the outside world after each reboot.
What this means from an administration perspective is that after every reboot, the IPv6 address that is presented to the network changes ... which makes things like DNS / FW rules etc. a nightmare to manage in a corporate / enterprise scenario where you really need to be able to have a stable addressing scheme.
Here on Windows Server it is not random, the IPv6 address stays the same. Not sure if it is on Windows 10.
More info on disabling it: https://blackundertone.wordpress.com/2011/08/04/disable-windows-7-ipv6-random-temporary-addresses/ |
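An added example, not code from any poster in this thread: a Python check that strips the port from each AH01797 `[client addr:port]` field and tests the address against the two Allow entries quoted above, separating denials of a listed address from denials of an address the list does not cover. The log lines are constructed in Apache 2.4's default error_log format; timestamps, pids, paths, the second address in the /64 and the 2001:db8:: and 192.0.2.7 clients are made-up sample values.

```python
import ipaddress
import re

# Allow entries from the thread: the single host and the widened /64.
ALLOWED = [ipaddress.ip_network(n) for n in (
    "2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e/128",
    "2600:6c67:6d7f:dd05::/64",
)]

# Constructed error_log lines (Apache 2.4 default format). Only the first
# client address and its ports come from the thread; the rest is sample data.
SAMPLE_LOG = """\
[Fri Apr 03 14:02:11.104233 2020] [authz_core:error] [pid 4312:tid 1180] [client 2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:37150] AH01797: client denied by server configuration: C:/example/htdocs/private/a.jpg
[Fri Apr 03 14:02:40.550120 2020] [authz_core:error] [pid 4312:tid 1184] [client 2600:6c67:6d7f:dd05:f13d:4b21:195b:3d1e:28504] AH01797: client denied by server configuration: C:/example/htdocs/other/b.jpg, referer: https://example.test/gallery
[Fri Apr 03 15:10:02.000871 2020] [authz_core:error] [pid 4312:tid 1190] [client 2600:6c67:6d7f:dd05:9c1a:22ff:fe00:1:51000] AH01797: client denied by server configuration: C:/example/htdocs/private/a.jpg
[Fri Apr 03 15:30:19.730004 2020] [authz_core:error] [pid 4312:tid 1192] [client 2001:db8::25:40222] AH01797: client denied by server configuration: C:/example/htdocs/private/a.jpg
[Fri Apr 03 15:31:00.000000 2020] [authz_core:error] [pid 4312:tid 1192] [client 192.0.2.7:50111] AH01797: client denied by server configuration: C:/example/htdocs/private/a.jpg
"""

CLIENT_RE = re.compile(
    r"\[client (\S+)\] AH01797: client denied by server configuration: "
    r"(.*?)(?:, referer: .*)?$")

def split_client(field):
    """Split the 'addr:port' client field; the port is the last colon group."""
    addr, _, port = field.rpartition(":")
    return ipaddress.ip_address(addr), int(port)

def classify(log_text, allowed=ALLOWED):
    """Map each denied address to its denied paths, grouped by whether
    the address falls inside one of the allowed networks."""
    out = {"listed": {}, "unlisted": {}}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        addr, _port = split_client(m.group(1))
        hit = any(addr.version == n.version and addr in n for n in allowed)
        key = "listed" if hit else "unlisted"
        out[key].setdefault(str(addr), set()).add(m.group(2))
    return out

if __name__ == "__main__":
    for key, hosts in classify(SAMPLE_LOG).items():
        for addr, paths in hosts.items():
            print(key, addr, sorted(paths))
```

A denial recorded for a "listed" address is not explained by the client's address having changed, so the denied path shows which directory's access rules to review; "unlisted" entries are the ones a changed address would produce.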