connection "forbidden" on localhost after wireless connected

Bug #631064 reported by Gerben
This bug affects 1 person
Affects: apache2 (Ubuntu)
Status: Expired
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: apache2

1) Ubuntu lucid (32 bit??)
2) 2.2.14-5ubuntu8
3) expected a valid response, not the "forbidden" page
4) got presented the "forbidden" page

Details:
I've restricted a location to be accessed from only the localhost (e.g. 'apache status').

After booting my laptop, this site is available through "http://localhost/server-status" and the page as generated by this module is presented.
After my laptop connects to my wireless network, communication through "http://localhost/server-status" is blocked, with apache2 serving the page "Forbidden.. You don't have permission to access /server-status on this server."
Replacing localhost with the ip number "127.0.0.1" allows correct and normal access.

I've also had this problem without being in the neighborhood of my wireless network.

After re-starting apache2 all access is as expected, using "localhost" to the restricted site is possible again.
To me it looks like (but I'm not internally known to apache) the localhost interface got re-initiated, generating a new "authorisation" key while apache2 only holds an old key for the localhost before it got re-instantiated.

This bug might be related to https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/37054
but I got lost in that.

This is reproducible by re-starting the laptop.
This problem might not be that urgent because server machines only have wired and fixed ethernet cards that are already connected at boot time.

<IfModule mod_status.c>
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Uncomment and change the ".example.com" to allow
# access from other hosts.
#
ExtendedStatus On
SeeRequestTail On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
# Allow from hp8220
    Allow from localhost ip6-localhost
# Allow from .example.com
</Location>

</IfModule>

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: apache2.2-bin 2.2.14-5ubuntu8
ProcVersionSignature: Ubuntu 2.6.32-24.42-generic 2.6.32.15+drm33.5
Uname: Linux 2.6.32-24-generic i686
Architecture: i386
Date: Sun Sep 5 20:53:58 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: apache2

Mathias Gug (mathiaz) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Could you provide apache2 access and error log files (found in /var/log/apache2) when the error occurs?

Changed in apache2 (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Gerben (gerbgeus) wrote :

Hi,
Here are the parts for error.log and access.log

Used wget to avoid Firefox's 'offline browsing'
To be seen:
one time successful using wget (before wireless network configured)
one time unsuccessful using wget (after '')
one time unsuccessful using firefox (after '')

access.log:
localhost - - [08/Sep/2010:05:00:49 +0200] "GET /server-info HTTP/1.0" 200 75989 "-" "Wget/1.12 (linux-gnu)"
localhost - - [08/Sep/2010:05:00:57 +0200] "GET /server-info HTTP/1.0" 403 529 "-" "Wget/1.12 (linux-gnu)"
localhost - - [08/Sep/2010:05:01:17 +0200] "GET /server-info HTTP/1.1" 403 500 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
localhost - - [08/Sep/2010:05:01:20 +0200] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"

error.log:
[Wed Sep 08 05:00:57 2010] [error] [client ::1] client denied by server configuration: /var/www/server-info
[Wed Sep 08 05:01:17 2010] [error] [client ::1] client denied by server configuration: /var/www/server-info
[Wed Sep 08 05:01:20 2010] [error] [client ::1] File does not exist: /var/www/favicon.ico

Stefan Fritsch (sf-sfritsch) wrote :

Gerben, can you please also provide the output of the four commands

getent hosts ::1
getent hosts 127.0.0.1
getent hosts localhost
getent hosts ip6-localhost

both before and after wireless network is configured? Thanks.

Gerben (gerbgeus) wrote :

Hi,

In both situations the same list is produced:
BEFORE:
getent hosts ::1
::1 localhost ip6-localhost ip6-loopback
getent hosts 127.0.0.1
127.0.0.1 localhost
getent hosts localhost
::1 localhost ip6-localhost ip6-loopback
getent hosts ip6-localhost
::1 localhost ip6-localhost ip6-loopback

AFTER:
getent hosts ::1
::1 localhost ip6-localhost ip6-loopback
getent hosts 127.0.0.1
127.0.0.1 localhost
getent hosts localhost
::1 localhost ip6-localhost ip6-loopback
getent hosts ip6-localhost
::1 localhost ip6-localhost ip6-loopback

I've also altered on the hostnames used in the URL, and localhost ip6-localhost ip6-loopback all act the same as in pages fetches before wireless network got configured and access denied after.

I've tried a /etc/init.d/apache restart, and this still fails for ip6-localhost ip6-loopback, both translate only into ::1 which is not connected anymore (connection refused), whereas it would at least provide a '403 forbidden' right after the wireless network got configured.

localhost succeeds, but has an extra translation first into ::1 and then 127.0.0.1
See selections for wget for localhost and ip6-localhost, (before wireless configured, after wireless configured, after apache restart):

BEFORE
wget http://localhost/server-info
--2010-09-09 07:43:24-- http://localhost/server-info
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK

wget http://ip6-localhost/server-info
--2010-09-09 07:43:24-- http://ip6-localhost/server-info
Resolving ip6-localhost... ::1
Connecting to ip6-localhost|::1|:80... connected.
HTTP request sent, awaiting response... 200 OK

AFTER (wireless configured)
wget http://localhost/server-info
--2010-09-09 07:44:14-- http://localhost/server-info
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2010-09-09 07:44:14 ERROR 403: Forbidden.

wget http://ip6-localhost/server-info
--2010-09-09 07:44:14-- http://ip6-localhost/server-info
Resolving ip6-localhost... ::1
Connecting to ip6-localhost|::1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2010-09-09 07:44:14 ERROR 403: Forbidden.

APACHE RESTART
wget http://localhost/server-info
--2010-09-09 07:52:22-- http://localhost/server-info
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:80... failed: Connection refused.
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

wget http://ip6-localhost/server-info
--2010-09-09 07:54:56-- http://ip6-localhost/server-info
Resolving ip6-localhost... ::1
Connecting to ip6-localhost|::1|:80... failed: Connection refused.
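
Added example, not part of the bug report and not Apache's own code: a simplified Python model of the double-reverse lookup that Apache applies to hostname-based rules such as the `Allow from localhost ip6-localhost` in the report, next to an address-literal rule. The resolver tables are constructed, and `V4_ONLY` is a hypothetical resolver state that shows the failure mode; it is not a diagnosis of this bug.

```python
import ipaddress
import socket

def name_matches(name, allowed):
    """Whole-component suffix match, as for 'Allow from <hostname>'."""
    name, allowed = name.lower().rstrip("."), allowed.lower().lstrip(".")
    return name == allowed or name.endswith("." + allowed)

def host_rule_allows(client_ip, allowed_names, reverse, forward):
    """Simplified model of a hostname 'Allow from': double-reverse lookup.

    reverse(ip) -> name or None; forward(name) -> list of address strings.
    The client passes only if its reverse name matches an allowed name AND
    the forward lookup of that name returns the client's address.
    """
    name = reverse(client_ip)
    if name is None:
        return False
    client = ipaddress.ip_address(client_ip)
    confirmed = any(ipaddress.ip_address(a) == client for a in forward(name))
    return confirmed and any(name_matches(name, a) for a in allowed_names)

def ip_rule_allows(client_ip, allowed_nets):
    """Model of an address-literal rule ('Allow from 127.0.0.1 ::1'): no resolver."""
    client = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return any(client.version == n.version and client in n for n in nets)

def live_reverse(ip):
    """Reverse lookup through the system resolver (same sources as getent)."""
    try:
        return socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)[0]
    except socket.gaierror:
        return None

def live_forward(name):
    """Forward lookup through the system resolver; scope ids are stripped."""
    try:
        return sorted({ai[4][0].split("%")[0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

# Constructed resolver tables (not taken from the reporter's machine).
REVERSE = {"::1": "localhost", "127.0.0.1": "localhost"}
CONSISTENT = {"localhost": ["::1", "127.0.0.1"]}
V4_ONLY = {"localhost": ["127.0.0.1"]}  # hypothetical: forward lookup omits ::1

if __name__ == "__main__":  # run against this machine's resolver
    for ip in ("::1", "127.0.0.1"):
        print(ip, host_rule_allows(ip, ["localhost", "ip6-localhost"], live_reverse, live_forward))
```

Running the script directly evaluates both loopback addresses against the local resolver, which can be repeated before and after a network change.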

Stefan Fritsch (sf-sfritsch) wrote :

Thanks for checking, Gerben.

Maybe this is related to bug #633981: Can you please check in the output of

ip a

before and after wireless is connected. Are there any inet6 addresses besides the loop-back entry "inet6 ::1/128 scope host"?
Do you use network manager for connecting to the wireless? Maybe some versions of network manager delete an existing IPv6 address when it creates the wireless connection.

Gerben (gerbgeus) wrote :

Hi,

This is a default Ubuntu desktop installation, and I've registered my network via the connections icon ->
  "Connect to Hidden Wireless Network..." Every time the system starts it now gets auto-connected showing an animated circular icon with two dots going round.

netstat -na shows the following differences for LISTEN port 80:
BEFORE
tcp6 0 0 :::80 :::* LISTEN

AFTER
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN

ip -a shows only a difference for the configured network interface (3:):
BEFORE
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:14:c2:e2:8a:36 brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state DORMANT qlen 1000
    link/ether 00:15:00:4a:49:ff brd ff:ff:ff:ff:ff:ff
    inet6 fe80::215:ff:fe4a:49ff/64 scope link
       valid_lft forever preferred_lft forever
4: pan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 1e:9c:97:7c:cd:17 brd ff:ff:ff:ff:ff:ff

AFTER
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:14:c2:e2:8a:36 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:15:00:4a:49:ff brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.168/24 brd 10.0.0.255 scope global eth1
    inet6 fe80::215:ff:fe4a:49ff/64 scope link
       valid_lft forever preferred_lft forever
4: pan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 1e:9c:97:7c:cd:17 brd ff:ff:ff:ff:ff:ff

Launchpad Janitor (janitor) wrote :

[Expired for apache2 (Ubuntu) because there has been no activity for 60 days.]

Changed in apache2 (Ubuntu):
status: Incomplete → Expired