Forum Index >  glFusion >  glFusion Support New Topic Post Reply
 403 error when trying to login via http://
   |  Printable Version
By: aa6qn (offline)  Dec 09 2008 23:21 pm (Read 1396 times)  
aa6qn

I have seemed to have created myself another problem where as when someone tries to login using http://[website]/users.php they get this message:
-----------
Error 403
We're sorry, but we could not fulfill your request for /users.php on this server.
You do not have permission to access this server. Data may not be posted from offsite forms
<more lines....>
-------
logging into the site using https://[website] works just fine.

Removed the .htaccess and still same thing. users.php Permissions are 644 and non-root.non-root

Just upgraded to 1.1.1 from 1.1.0 no change.

Thank you in advance

Forum Junior
Junior

Group Comfort
Level:
: 0

Registered: 06/24/08
Posts: 27

Profile Email Website  
  Quote
By: Mark (offline)  Dec 09 2008 23:36 pm  
Mark

It is the Bad Behavior plugin. What is happening is they are probably using http://yoursitehere.com/users.php, but the $_CONF['site_url'] is www.yoursitehere.com, to the URL in the header doesn't match what is in the form.

What I've done is setup a redirect in Apache so anything to glfusion.org redirects to www.glfusion.org.

Thanks!
Mark

Forum Admin
Admin

Group Comfort
Level:
: +111

Registered: 10/21/05
Posts: 6348
Location: The Great State of
Texas

Profile      
  Quote
By: aa6qn (offline)  Dec 10 2008 06:17 am  
aa6qn

Once again, thank you

Testing by disabling Bad-behavior things did work.

I have multiple differnet domains pointed to the same site which are quite different than my apache site name that is set in the gl_conf_values (site_url and site_admin_url). Guess I had better learn about doing redirects in apache.

On another note: I had in the past dropped the site_url and site_admin_url too:
site_url = s:0:""
site_admin_url = s:6:"/admin"

to enable access to the site, which sits in a outside DMZ, from internal trusted network. This kinda works as several admin functions do not work.

Not sure what the interaction would be with Bad_behavior as well.

JohnF

Forum Junior
Junior

Group Comfort
Level:
: 0

Registered: 06/24/08
Posts: 27

Profile Email Website  
  Quote
By: aa6qn (offline)  Dec 11 2008 07:14 am  
aa6qn

Looking at mod_alias and mod_rewrite for Redirect it seems that mod_alias is the simpler: "redirect permanent / http://www.[sitename.org]"

I can see in the apache 2.2 doc's docs of redirect changing things like resources but not URL's i.e. "redirect permanent /file-resource-1 http://www.[sitename.org]/file-resource-2"
I did not see anything that redirects [sitename.org] to www.[sitename.org] unless that is the first above redirect permanent statement?

Looking at mod_rewrite I did find a nice rule to change incoming http sessions to https which direct users into an SSL environment. (thank you CA-Cert.org for those server.crt's)

# Basic rewrite rule for http to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

I did not find rule yet to fulfill the [sitename.org] to www.[sitename.org] redirect. I would also want something to do [www.vhost1-sitename.org] to www.[sitename.org] and [www.vhost2-sitename.org] to www.[sitename.org]...

This is all new to me. Currently that only way I can get things to work is to disable Bad-behavior (which I did not want to do). I don't think this was an issue back in 1.0.2 or ealier (I could be wrong).

Still plugging away....
JohnF

Forum Junior
Junior

Group Comfort
Level:
: 0

Registered: 06/24/08
Posts: 27

Profile Email Website  
  Quote
By: aa6qn (offline)  Dec 11 2008 10:18 am  
aa6qn

Well the Rewrite rule does force the https session. It breaks the login (form flow?). To bad as I really like working in a secure connection.

I recreated the server.crt to match the site fully qualified url and now everything matches. I enabled Bad-behavior plugin and its all seems to work.

I keep digging a new hole. as originally I could start an X session on the servers console and login to the site (which resides on the box's localhost) using http://localhost or http://127.0.0.1 to connect. Now it tries to go out to the web looking for www.[sitename].org which means most likely its a /etc/hosts resolution fix on the local machine

I would really like to see/learn the proper method to redirect a series of different incoming url's to a single local url.

www.[sitename1.org] to http://www.[local-sitename].org
[sitename1.org] to http://www.[local-sitename].org
www.[sitename2.org] to http://www.[local-sitename].org
[sitename2.com] to http://www.[local-sitename].org
...

or how about redirection to a SSL connection?

www.[sitename1.org] to https://www.[local-sitename].org
[sitename1.org] to https://www.[local-sitename].org

www[sitename2.com] to https://www.[local-sitename].org
[sitename2.org] to https://www.[local-sitename].org

Forum Junior
Junior

Group Comfort
Level:
: 0

Registered: 06/24/08
Posts: 27

Profile Email Website  
  Quote
New Topic Post Reply


 All times are CST. The time is now 08:36 pm.
Normal Topic Normal Topic
Locked Topic Locked Topic
Sticky Topic Sticky Topic
New Post New Post
Sticky Topic w/ New Post Sticky Topic w/ New Post
Locked Topic w/ New Post Locked Topic w/ New Post
View Anonymous Posts 
Able to Post 
HTML Allowed 
Censored Content