I have an PHP-app on an iis installed on a domain-member-server.
The app can be called from the internet (https://myapp.com) and also by 192.168...
When app-user submits a form (https://myapp.com/edit.php) 403 comes up:
You don't have permission to access /edit.php on this server.
Interestingly this error does not come up, when working in LAN on https://192.168...
It also does not come up, when a domain-admin is logged in any domain computer on which the browser calls https://myapp.com
Related
I'm getting a 403 error, a forbidden access error on some pages after I have added AdSense to my website. Error sometimes happens to one page, sometimes to other ones, but it has something to do with the sessions ie. the same pages are/are not working in the same browser session. Everything was working perfectly before adding AdSense.
The server used is LiteSpeed.
Having a very confusing issue with passport and our node/express/react application using a domain name we purchased.
On our ip address for the server, we can access the app fine, the post for the /login works, each user gets their own passport session, and can use the logout post fine.
However when we use Microsoft IIS to reverse proxy to http:localhost:3000/ the website will show using the domain, but when we try to login it takes almost 30 seconds before it succeeds, you will have to refresh the page and the user will have their auth and can visit the site. /logout post acts the exact same way. All of the gets work fine.
This is the cache-related issue you could solve the issue by disabling the cache and kernel cache in iis.
1)Open iis manager, select your site.
2)Double click on the output caching from the middle pane.
3)On the right side under Actions, click on Edit Feature Settings
4)Uncheck Enable Cache and Enable kernel cache
5)Click OK
You could also disable client cache in iis:
Client Cache
I'm using IIS 8 on Windows 2012 server. I have a site set up to serve as an API for HTTPS traffic on a custom port (4443). I have installed a wildcard SSL certificate, which is functioning properly. Our network firewall is routing all public inbound traffic on port 4443 to this server internally, which is then being handled by IIS.
From the server itself, everything works fine. I am not using localhost, and do not have a hosts file entry looping the traffic back internally. Going to https://api.blahblahblah.com:4443 returns what I want.
However, from external to the network, I am getting a 403 Forbidden error. I know the traffic is making it to the server because I get the correct custom "X-Powered-By" response header that I have set on that server.
I have tried setting the permissions on the folder that contains the site files to allow Full Control to "Everyone", but no luck. The site has Anonymous Authentication enabled for the user "IUSR". Directory browsing is disabled.
What's going on? I'm assuming it's a permissions error with the file system, but I figured having the Everyone permission would eliminate that. Also, there is nothing special about the internal traffic (from the server itself) in terms of an authenticated session or anything. It's just a plain request with no bells or whistles.
Please help! Thanks.
=======UPDATE=======
Here is a sample log entry showing the substatus code of 16:
2018-02-08 17:56:58 10.1.10.11 GET /favicon.ico - 4443 - 184.4.143.229 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36 https://api.blahblahblah.com:4443/data/countyList 403 16 2148204809 97
Apparently this is a client certificate trust issue? Upon further testing, I am able to access the site without issue on another device, just not my primary development PC.
I just set the site to Ignore Client Certificates in the SSL Settings, and it is working as expected again.
A 403 error could occur due to multiple reasons. Could you please share the substatus code. You can find it in IIS logs. Default location - C:\inetpub\logs\logfiles\w3svc_websiteID.
Once you have the substatus code, please share it here.
You can also capture FREB logs by following this article - https://learn.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis
Just modify step #10 in this article and don't uncheck anything in your case (leave everything to default). This will clearly tell you what's going on in the IIS pipeline.
If its 403.14, just add a default document in IIS and you should be good to go.
I have viewed numerous StackOverflow, and SerFault, questions which touch on this very problem. However, none of those answers have helped me out. Here's my situation.
I have an ASP.NET MVC 3 website which has an Area configured. That Area has Anon Authentication and Windows Authentication enabled. The site root only has Anon Authorization enabled. There are no web.config changes which control the authorization of the Area - we simply wanted to control security from IIS.
When I navigate to a url in the Area, instead of being prompted with a login prompt, I am shown a 401.0 error page.
HTTP Error 401.0 - Unauthorized You do not have permission to view
this directory or page.
The login prompt did appear before, both on my PC and the test server, but now both websites are no longer displaying the login prompt. I did apply some VS2010 updates to my PC the other day, so I thought that was at fault, but the test server is still the same config - nothing has changed, so I ruled out the updates as being at fault.
I generated an IIS log where most of it wasn't very helpful. The only interesting part was this warning:
-MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName ManagedPipelineHandler Notification 128 HttpStatus 401
HttpReason Unauthorized HttpSubStatus 0 ErrorCode 0
ConfigExceptionInfo
Notification EXECUTE_REQUEST_HANDLER
ErrorCode The operation completed successfully. (0x0)
I've tried Chrome, IE and FireFox and neither of them display the login prompt, so it's not an issue isolated to a specific browser.
I'm really stuck here, any help would be appreciated.
We've just set up a new dedicated server at hostgator, running Windows 2008 Server, IIS7 and ColdFusion 8 ENT.
On browsing the homepage, sometimes the site works, sometimes, part of the site runs and I can see a 403 error in Firebug. At other times, I only get an IIS error page saying:
"403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."
The site is http://www.asia-buy.com. It might run first time, but if you refresh it a few times, you'll probably encounter the problem.
There is a lot of ajax and JSON stuff going on under the hood and I'm wondering if that has any bearing on the problem.
Would appreciate advice from anyone who may have solved a similar issue in the past.
Resolved: Hostgator says this is actually a security setting in IIS to attempt to prevent DDOS attacks on the website. A a developer, I use CTRL-F5 a lot. A normal user would not.
Full error:
HTTP Error 403.502 - Forbidden
The IP address from which you are browsing is not permitted to access the requested Web site because it has made too many requests over short period of time.
Open IIS Manager.
Go to your website.
Go to Features/IP Address and Domain Restrictions/Dynamic IP Restriction Settings
Uncheck the boxes, or change the values, as needed