From: Gary Aitken
Reply-To: freebsd@dreamchaser.org
To: Norman Gray
Cc: FreeBSD Mailing List
Subject: Re: weird 403 (forbidden) website access issue
Date: Tue, 31 Mar 2020 17:20:15 -0600
Message-ID: <1f345a1d-f0c8-688c-c3e5-3a6b09ff1fa9@dreamchaser.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
X-BeenThere: freebsd-questions@freebsd.org
List-Id: User questions

On 3/31/20 3:12 PM, Norman Gray wrote:
>
> Gary, greetings.

Thanks for helping, Norman.

> On 31 Mar 2020, at 21:33, Gary Aitken wrote:
>
>> The addr (www.ovandoschool.org) resolves to 69.175.87.226
>>
>> If I type in 69.175.87.226 in the address bar, I get a 403 error
>> with a note 69.175.87.226/cp_errordocument.shtml (port 80). Seems to
>> be accessible fine from windows machines going through the same
>> fbsd 11.3-RELEASE-P6 gateway (not the same system as the one with
>> the browser having the problem).
>>
>> If I manually access from the failing fbsd system, it works:
>>
>> $ telnet 69.175.87.226 80
>> Trying 69.175.87.226...
>> Connected to chi-node42.websitehostserver.net.
>> Escape character is '^]'.
>> GET / HTTP/1.1
>> Host: www.ovandoschool.org
>
> If you type the IP address in to the address bar, then the browser
> will either send that as the 'Host' request header, or won't send the
> header at all. Thus the server, presuming it's set up to serve
> multiple hosts, won't know which website to send back.

Makes sense.
> An alternative route to the same conclusion is that HTTP 1.1 requires
> the 'Host' request header, so if it's missing (or possibly if it's an
> IP address, or if it's not one of the hosts the server has been
> configured to handle), then... error document.
>
> If this works with any browser, then it _might_ be that the browser
> is being clever, doing a reverse lookup of the IP address, and
> sending the result as the 'Host' request header. In that case, a bit
> of tcpdump will clarify.

A reverse DNS lookup shows chi-node42.websitehostserver.net,
so that obviously would be a problem.

> Apologies if this is obvious, but if this isn't the problem, you
> might need to elaborate.

So the actual problem is the errors show up when the website URL is entered:
http://www.ovandoschool.org/
I was using the IP to try to simplify the problem, but obviously that
won't work in this case.

Since the site displays on windows machines when using the proper URL,
but not on the fbsd machine, it feels like something is messed up in my
fbsd environment.
A tcpdump from the gateway for a successful (windows) access shows:

IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [S], seq 983728199, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [S.], seq 4210427857, ack 983728200, win 29200, options [mss 1400,nop,nop,sackOK,nop,wscale 7], length 0
IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [.], ack 1, win 16450, length 0
IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [P.], seq 1:375, ack 1, win 16450, length 374: HTTP: GET / HTTP/1.1
IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [.], ack 375, win 237, length 0
IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [.], seq 1:1401, ack 375, win 237, length 1400: HTTP: HTTP/1.1 200 OK
IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [.], seq 1401:2801, ack 375, win 237, length 1400: HTTP
IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [P.], seq 2801:2850, ack 375, win 237, length 49: HTTP
IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [P.], seq 2850:3109, ack 375, win 237, length 259: HTTP
IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [P.], seq 3109:3114, ack 375, win 237, length 5: HTTP
IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [.], ack 3114, win 16450, length 0
IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [P.], seq 375:814, ack 3114, win 16450, length 439: HTTP: GET /wp-content/themes/twentythirteen/fonts/genericons.css?ver=2.09 HTTP/1.1

On the machine that fails, the tcpdump on the gateway shows:

IP 66.109.141.62.12350 > 69.175.87.226.80: Flags [S], seq 1576349922, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3365825370 ecr 0], length 0
IP 69.175.87.226.80 > 66.109.141.62.12350: Flags [S.], seq 4093820683, ack 1576349923, win 28960, options [mss 1400,sackOK,TS val 2542931075 ecr 3365825370,nop,wscale 7], length 0
IP 66.109.141.62.12350 > 69.175.87.226.80: Flags [.], ack 1, win 1028, options [nop,nop,TS val 3365825433 ecr 2542931075], length 0
IP 66.109.141.62.12350 > 69.175.87.226.80: Flags [P.], seq 1:341, ack 1, win 1028, options [nop,nop,TS val 3365825523 ecr 2542931075], length 340: HTTP: GET / HTTP/1.1
IP 69.175.87.226.80 > 66.109.141.62.12350: Flags [.], ack 341, win 235, options [nop,nop,TS val 2542931231 ecr 3365825523], length 0
IP 69.175.87.226.80 > 66.109.141.62.12350: Flags [P.], seq 1:1048, ack 341, win 235, options [nop,nop,TS val 2542931232 ecr 3365825523], length 1047: HTTP: HTTP/1.1 403 Forbidden
IP 66.109.141.62.12350 > 69.175.87.226.80: Flags [.], ack 1048, win 1028, options [nop,nop,TS val 3365825697 ecr 2542931232], length 0

On the machine actually making the request, a tcpdump shows:

192.168.151.122.24498 > 69.175.87.226.80: Flags [S], cksum 0xf5e2 (incorrect -> 0x059c), seq 3235489561, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 683891704 ecr 0], length 0
192.168.151.122.21254 > 69.175.87.226.80: Flags [S], cksum 0xf5e2 (incorrect -> 0x13bb), seq 2862645472, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4284596312 ecr 0], length 0
69.175.87.226.80 > 192.168.151.122.24498: Flags [S.], cksum 0x8738 (correct), seq 30361359, ack 3235489562, win 28960, options [mss 1400,sackOK,TS val 2544446693 ecr 683891704,nop,wscale 7], length 0
192.168.151.122.24498 > 69.175.87.226.80: Flags [.], cksum 0xf5da (incorrect -> 0x21cf), ack 1, win 1028, options [nop,nop,TS val 683891982 ecr 2544446693], length 0
192.168.151.122.24498 > 69.175.87.226.80: Flags [P.], cksum 0xf748 (incorrect -> 0x172f), seq 1:367, ack 1, win 1028, options [nop,nop,TS val 683891982 ecr 2544446693], length 366: HTTP, length: 366
	GET / HTTP/1.1
	Host: www.ovandoschool.org
	User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:74.0) Gecko/20100101 Firefox/74.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	DNT: 1
	Connection: keep-alive
	Upgrade-Insecure-Requests: 1
	Cache-Control: max-age=0

69.175.87.226.80 > 192.168.151.122.21254: Flags [S.], cksum 0x9745 (correct), seq 1337325334, ack 2862645473, win 28960, options [mss 1400,sackOK,TS val 2544446729 ecr 4284596312,nop,wscale 7], length 0
192.168.151.122.21254 > 69.175.87.226.80: Flags [.], cksum 0xf5da (incorrect -> 0x32b4), ack 1, win 1028, options [nop,nop,TS val 4284596374 ecr 2544446729], length 0
69.175.87.226.80 > 192.168.151.122.24498: Flags [.], cksum 0x2337 (correct), ack 367, win 235, options [nop,nop,TS val 2544446760 ecr 683891982], length 0
69.175.87.226.80 > 192.168.151.122.24498: Flags [P.], cksum 0xcf9c (correct), seq 1:1048, ack 367, win 235, options [nop,nop,TS val 2544446760 ecr 683891982], length 1047: HTTP, length: 1047
	HTTP/1.1 403 Forbidden
	Connection: Keep-Alive
	Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
	Pragma: no-cache
	Content-Type: text/html
	Content-Length: 698
	Date: Tue, 31 Mar 2020 22:47:03 GMT
	Strict-Transport-Security: max-age=63072000; includeSubDomains
	X-Frame-Options: SAMEORIGIN
	X-Content-Type-Options: nosniff

	403 Forbidden
	403
	Forbidden
	Access to this resource on the server is denied!

I'm out of my depth here...
(Aside: What's with the incorrect checksum flags?)

Comparing the gateway dumps, the difference is in the first four lines.
I've interlaced them below, with the lines from the successful request first:

IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [S], seq 983728199, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
IP 66.109.141.62.12350 > 69.175.87.226.80: Flags [S], seq 1576349922, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3365825370 ecr 0], length 0

IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [S.], seq 4210427857, ack 983728200, win 29200, options [mss 1400,nop,nop,sackOK,nop,wscale 7], length 0
IP 69.175.87.226.80 > 66.109.141.62.12350: Flags [S.], seq 4093820683, ack 1576349923, win 28960, options [mss 1400,sackOK,TS val 2542931075 ecr 3365825370,nop,wscale 7], length 0

IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [.], ack 1, win 16450, length 0
IP 66.109.141.62.12350 > 69.175.87.226.80: Flags [.], ack 1, win 1028, options [nop,nop,TS val 3365825433 ecr 2542931075], length 0

IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [P.], seq 1:375, ack 1, win 16450, length 374: HTTP: GET / HTTP/1.1
IP 66.109.141.62.12350 > 69.175.87.226.80: Flags [P.], seq 1:341, ack 1, win 1028, options [nop,nop,TS val 3365825523 ecr 2542931075], length 340: HTTP: GET / HTTP/1.1

IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [.], ack 375, win 237, length 0
IP 69.175.87.226.80 > 66.109.141.62.12350: Flags [.], ack 341, win 235, options [nop,nop,TS val 2542931231 ecr 3365825523], length 0

IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [.], seq 1:1401, ack 375, win 237, length 1400: HTTP: HTTP/1.1 200 OK
IP 69.175.87.226.80 > 66.109.141.62.12350: Flags [P.], seq 1:1048, ack 341, win 235, options [nop,nop,TS val 2542931232 ecr 3365825523], length 1047: HTTP: HTTP/1.1 403 Forbidden

Thoughts?

Thanks,
Gary
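The hand-interlaced comparison in the message above, automated, as an added example that is not part of the thread: the script parses tcpdump's default one-line-per-packet text, groups packets into flows by the client endpoint that sent the SYN, records each client's SYN option fingerprint (window, MSS, wscale, SACK, timestamps) together with the HTTP request line and the server's response status, and lists the fields that differ between the 200 and the 403 flow. The sample input is constructed from the gateway capture quoted in the message, trimmed to the packets that matter; `parse_dump`, `diff_flows` and `Flow` are this example's own names, not tcpdump's.

```python
"""Compare two HTTP connections captured by tcpdump, side by side.

Added example (not code from the mailing-list thread). It automates the
hand-interlacing of the two gateway captures: parse tcpdump's default
one-line-per-packet text, group packets into flows by the client endpoint
that sent the SYN, record the client's SYN option fingerprint and the HTTP
request line / response status, and list the fields that differ.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample, trimmed from the gateway capture quoted in the thread:
# one flow answered 200 OK (Windows client), one answered 403 (FreeBSD client).
SAMPLE_DUMP = """\
IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [S], seq 983728199, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [S.], seq 4210427857, ack 983728200, win 29200, options [mss 1400,nop,nop,sackOK,nop,wscale 7], length 0
IP 66.109.141.60.55271 > 69.175.87.226.80: Flags [P.], seq 1:375, ack 1, win 16450, length 374: HTTP: GET / HTTP/1.1
IP 69.175.87.226.80 > 66.109.141.60.55271: Flags [.], seq 1:1401, ack 375, win 237, length 1400: HTTP: HTTP/1.1 200 OK
IP 66.109.141.62.12350 > 69.175.87.226.80: Flags [S], seq 1576349922, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3365825370 ecr 0], length 0
IP 69.175.87.226.80 > 66.109.141.62.12350: Flags [S.], seq 4093820683, ack 1576349923, win 28960, options [mss 1400,sackOK,TS val 2542931075 ecr 3365825370,nop,wscale 7], length 0
IP 66.109.141.62.12350 > 69.175.87.226.80: Flags [P.], seq 1:341, ack 1, win 1028, options [nop,nop,TS val 3365825523 ecr 2542931075], length 340: HTTP: GET / HTTP/1.1
IP 69.175.87.226.80 > 66.109.141.62.12350: Flags [P.], seq 1:1048, ack 341, win 235, options [nop,nop,TS val 2542931232 ecr 3365825523], length 1047: HTTP: HTTP/1.1 403 Forbidden
"""

# The "IP " tag is optional so the same parser accepts the capture taken on the
# client itself (no tag, extra "cksum ..." field, which simply lands in <rest>).
PACKET_RE = re.compile(
    r"^(?:IP\s+)?(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"Flags\s+\[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)


@dataclass
class Flow:
    """One TCP connection, keyed by the client endpoint that sent the SYN."""
    client: str
    server: str
    syn_window: Optional[int] = None
    syn_options: str = ""
    request_line: Optional[str] = None
    request_len: Optional[int] = None   # bytes of the first request segment
    status: Optional[str] = None        # e.g. "200 OK" or "403 Forbidden"

    @property
    def fingerprint(self) -> dict:
        """Passive TCP fingerprint of the client, taken from its SYN only."""
        mss = re.search(r"mss (\d+)", self.syn_options)
        wscale = re.search(r"wscale (\d+)", self.syn_options)
        return {
            "win": self.syn_window,
            "mss": int(mss.group(1)) if mss else None,
            "wscale": int(wscale.group(1)) if wscale else None,
            "sack": "sackOK" in self.syn_options,
            "timestamps": "TS val" in self.syn_options,
        }


def parse_dump(text: str) -> Dict[str, Flow]:
    """Group tcpdump lines into flows; return them keyed by "client_ip:port"."""
    flows: Dict[str, Flow] = {}
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport = m["src"], m["sport"], m["dst"], m["dport"]
        flags, rest = m["flags"], m["rest"]
        if flags == "S":  # bare SYN: this side is the client and opens the flow
            key = f"{src}:{sport}"
            flow = flows.setdefault(key, Flow(client=key, server=f"{dst}:{dport}"))
            win = re.search(r"win (\d+)", rest)
            opts = re.search(r"options \[([^\]]*)\]", rest)
            flow.syn_window = int(win.group(1)) if win else None
            flow.syn_options = opts.group(1) if opts else ""
            continue
        # Later packets belong to the flow whose client endpoint is the source
        # (request direction) or the destination (response direction).
        from_client = f"{src}:{sport}" in flows
        flow = flows.get(f"{src}:{sport}" if from_client else f"{dst}:{dport}")
        http = re.search(r"HTTP:\s+(.*)$", rest)   # only segments tcpdump decoded
        if flow is None or not http:
            continue
        payload = http.group(1).strip()
        if from_client and flow.request_line is None:
            flow.request_line = payload
            ln = re.search(r"length (\d+)", rest)
            flow.request_len = int(ln.group(1)) if ln else None
        elif not from_client and payload.startswith("HTTP/") and flow.status is None:
            flow.status = payload.split(" ", 1)[1]
    return flows


def diff_flows(a: Flow, b: Flow) -> Dict[str, tuple]:
    """Return every fingerprint/HTTP field on which the two flows differ."""
    fa, fb = a.fingerprint, b.fingerprint
    fa.update(request=a.request_line, request_len=a.request_len, status=a.status)
    fb.update(request=b.request_line, request_len=b.request_len, status=b.status)
    return {k: (fa[k], fb[k]) for k in fa if fa[k] != fb[k]}


if __name__ == "__main__":
    flows = parse_dump(SAMPLE_DUMP)
    ok, bad = flows["66.109.141.60:55271"], flows["66.109.141.62:12350"]
    for label, f in (("200 client", ok), ("403 client", bad)):
        print(f"{label}: {f.client} -> {f.server} {f.fingerprint} {f.request_line!r} -> {f.status}")
    print("differences:", diff_flows(ok, bad))
```

Run against the captured lines, the diff comes out as the window size, window scale, the presence of TCP timestamps, 34 bytes of request headers, and the status code; the request line and `Host` are identical. That narrows the next step to replaying the failing client's request verbatim (for example with `curl -H` for each header it sent) and changing one header at a time, since a hosting provider's front end can key on header content just as easily as on the vhost name. On the checksum aside: "incorrect" TCP checksums that appear only on packets leaving the capturing host, while every incoming packet is "correct", are the usual signature of checksum offloading, where the kernel hands the packet to the NIC before the checksum is filled in and tcpdump sees it at that point; they do not indicate corruption on the wire.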