From owner-freebsd-questions@freebsd.org  Fri Apr  3 03:20:07 2020
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 51A0D271DC8
 for <freebsd-questions@mailman.nyi.freebsd.org>;
 Fri,  3 Apr 2020 03:20:07 +0000 (UTC)
 (envelope-from freebsd@dreamchaser.org)
Received: from nightmare.dreamchaser.org (ns.dreamchaser.org [66.109.141.57])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (Client CN "dreamchaser.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48tlY9015Pz48rx
 for <freebsd-questions@freebsd.org>; Fri,  3 Apr 2020 03:19:56 +0000 (UTC)
 (envelope-from freebsd@dreamchaser.org)
Received: from breakaway.dreamchaser.org (breakaway [192.168.151.122])
 by nightmare.dreamchaser.org (8.15.2/8.15.2) with ESMTP id 0333JiY8075765;
 Thu, 2 Apr 2020 21:19:44 -0600 (MDT)
 (envelope-from freebsd@dreamchaser.org)
Subject: Re: weird 403 (forbidden) website access issue
From: Gary Aitken <freebsd@dreamchaser.org>
To: Mike Clarke <jmc-freebsd2@milibyte.co.uk>, freebsd-questions@freebsd.org
Reply-To: freebsd@dreamchaser.org, freebsd@dreamchaser.org
References: <ba457b4a-3362-d9e0-4b8a-c6204937819d@dreamchaser.org>
 <1f345a1d-f0c8-688c-c3e5-3a6b09ff1fa9@dreamchaser.org>
 <f3a7de61-162a-1196-eae1-16bd22124ebb@dreamchaser.org>
 <1807716.EnoYUHA41c@curlew>
 <2038d71a-e939-bbf3-77ad-d132a77e31e2@dreamchaser.org>
Message-ID: <0a2c4c08-b459-544b-5ad3-cd58da9759e7@dreamchaser.org>
Date: Thu, 2 Apr 2020 21:18:09 -0600
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:68.0) Gecko/20100101
 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <2038d71a-e939-bbf3-77ad-d132a77e31e2@dreamchaser.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2
 (nightmare.dreamchaser.org [192.168.151.101]);
 Thu, 02 Apr 2020 21:19:44 -0600 (MDT)
X-Rspamd-Queue-Id: 48tlY9015Pz48rx
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of freebsd@dreamchaser.org designates
 66.109.141.57 as permitted sender) smtp.mailfrom=freebsd@dreamchaser.org
X-Spamd-Result: default: False [-5.58 / 15.00]; ARC_NA(0.00)[];
 HAS_REPLYTO(0.00)[freebsd@dreamchaser.org];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[];
 TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+mx];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain];
 RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[dreamchaser.org];
 REPLYTO_ADDR_EQ_FROM(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[];
 RCPT_COUNT_TWO(0.00)[2];
 IP_SCORE(-3.28)[ip: (-8.60), ipnet: 66.109.128.0/19(-4.30), asn: 21947(-3.44),
 country: US(-0.05)]; FROM_EQ_ENVFROM(0.00)[];
 R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:21947, ipnet:66.109.128.0/19, country:US];
 MID_RHS_MATCH_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 03:20:07 -0000

On 4/2/20 10:02 AM, Gary Aitken wrote:
> On 4/2/20 2:50 AM, Mike Clarke wrote:
>> On Wednesday, 1 April 2020 06:03:05 BST Gary Aitken wrote:
>>
>>> How likely is it that the small window size (1028) in the 4th pair
>>> (HTTP: GET request) is causing the server to refuse the request? If
>>> so, is this a firefox issue or an underlying tcp issue?
>>
>> It's not just Firefox. I've tried Firefox, Chrome, Midori and
>> Konqueror and get the 403 code with them all from my FreeBSD box but
>> no problem with Firefox, Chrome and Edge on Windows 10.
>>
>> But I think I've found a clue to the cause. I tried Lynx with its
>> default settings and it worked fine but when I changed the user agent
>> header to
>>
>> Mozilla/5.0 (X11; FreeBSD amd64; rv:74.0) Gecko/ 20100101 Firefox/74.0
>> I got a 403 error.
>>
>> Looks like the server is only accepting requests from a restricted
>> range of browser and OS combinations
>>
>> Lynx/2.8.9rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.1.1d-freebsd
>> is accepted but
>> Mozilla/5.0 (X11; FreeBSD amd64; rv:74.0) Gecko/20100101 Firefox/74.0
>> appears to be regarded as 'dangerous'.
> 
> Thank you!
> I will see what the hosting service has to say from there.
> I got similar refusals from some sites such as lowes.com as well.

Apparently the hosting service has some special rule which was
triggering this.  They wouldn't tell me the rule so I don't really
know what it was, unfortunately.  They disabled the rule for this
particular site, but whether that same rule is being applied to
other domains I don't know.  The rule was a ModSecurity #70200 but
that's in the local/private range so it's not a well-known rule.

Gary