Forbidden from internet but not internal

Get Forbidden any time I try to access from public IPs

"Forbidden
You don’t have permission to access this resource.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

Nextcloud version (eg, 29.0.5): 29.0.7
Operating system and version (eg, Ubuntu 24.04): Ubuntu 22.04
Apache or nginx version (eg, Apache 2.4.25): Not sure
PHP version (eg, 8.3): 8.1.2

Is this the first time you’ve seen this error? Y just noticed today

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'passwordsalt' => 'XXXXXXXXXXXXXX',
  'secret' => 'XXXXXXXXXXXXXXXXXXXXXXX',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'LocalIP',
    2 => 'PublicURL',
    3 => '*.domain.com',
  ),
  'datadirectory' => '/mnt/ncdata',
  'dbtype' => 'pgsql',
  'version' => '29.0.7.1',
  'overwrite.cli.url' => 'https://PublicURL/',
  'dbname' => 'nextcloud_db',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud_db_user',
  'dbpassword' => 'XXXXXXXXXXXXXXXXXXXXX',
  'installed' => true,
  'instanceid' => 'oc88bbv2avvq',
  'upgrade.disable-web' => true,
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'log.condition' =>
  array (
    'apps' =>
    array (
      0 => 'admin_audit',
    ),
  ),
  'mail_smtpmode' => 'smtp',
  'remember_login_cookie_lifetime' => '7200',
  'mail_smtpmode' => 'smtp',
  'remember_login_cookie_lifetime' => '7200',
  'log_rotate_size' => '10485760',
  'trashbin_retention_obligation' => 'auto, 60',
  'versions_retention_obligation' => 'auto, 180',
  'activity_expire_days' => '120',
  'simpleSignUpLink.shown' => false,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'filelocking.enabled' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 0.5,
    'dbindex' => 0,
    'password' => 'XXXXXXXXXXXXXXXXXXXXX',
  ),
  'default_phone_region' => 'us',
  'logtimezone' => 'Etc/UTC',
  'htaccess.RewriteBase' => '/',
  'session_lifetime' => '7200',
  'session_keepalive' => 'false',
  'maintenance' => false,
  'app_install_overwrite' =>
  array (
    0 => 'impersonate',
    1 => 'ransomware_detection',
    2 => 'nextbackup',
  ),
  'mail_from_address' => 'noreply',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'EMAIL domain',
  'mail_smtphost' => 'SMTPIP',
  'mail_smtpport' => '25',
);

The output of your Apache/nginx/system log in /var/log/____:

[Wed Sep 18 00:00:03.446132 2024] [:error] [pid 1280:tid 133972941277056] [mod_geoip]: Error while opening data file /usr/share/GeoIP/GeoIPv4.dat
[Wed Sep 18 00:00:03.453001 2024] [mpm_event:notice] [pid 1280:tid 133972941277056] AH00489: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- res>
[Wed Sep 18 00:00:03.453027 2024] [core:notice] [pid 1280:tid 133972941277056] AH00094: Command line: '/usr/sbin/apache2'
[Wed Sep 18 00:00:03.456882 2024] [:error] [pid 2950:tid 133972941277056] [mod_geoip]: Error while opening data file /usr/share/GeoIP/GeoIPv4.dat
[Wed Sep 18 00:00:03.457031 2024] [:error] [pid 2950:tid 133972941277056] [mod_geoip]: Error while opening data file /usr/share/GeoIP/GeoIPv4.dat
[Wed Sep 18 00:00:03.457099 2024] [:error] [pid 2950:tid 133972941277056] [mod_geoip]: Error while opening data file /usr/share/GeoIP/GeoIPv4.dat
[Wed Sep 18 00:00:03.458891 2024] [:error] [pid 2951:tid 133972941277056] [mod_geoip]: Error while opening data file /usr/share/GeoIP/GeoIPv4.dat
[Wed Sep 18 00:00:03.459144 2024] [:error] [pid 2951:tid 133972941277056] [mod_geoip]: Error while opening data file /usr/share/GeoIP/GeoIPv4.dat
[Wed Sep 18 00:00:03.459225 2024] [:error] [pid 2951:tid 133972941277056] [mod_geoip]: Error while opening data file /usr/share/GeoIP/GeoIPv4.dat
[Wed Sep 18 00:12:21.811061 2024] [access_compat:error] [pid 2951:tid 133972749190720] [remote 104.145.207.161:62681] AH01797: client denied by server configuration: /var/www/nextcloud/
[Wed Sep 18 00:12:21.811316 2024] [access_compat:error] [pid 2951:tid 133972749190720] [remote 104.145.207.161:62681] AH01797: client denied by server configuration: /var/www/nextcloud/index.php
[Wed Sep 18 00:12:49.780833 2024] [access_compat:error] [pid 2951:tid 133972916962880] [remote 104.145.207.161:62681] AH01797: client denied by server configuration: /var/www/nextcloud/favicon.ico
[Wed Sep 18 00:12:49.781203 2024] [access_compat:error] [pid 2951:tid 133972916962880] [remote 104.145.207.161:62681] AH01797: client denied by server configuration: /var/www/nextcloud/index.php

Sounds like you tried to set up some kind of geo-blocking, but your server has no access to the IP database…

So I disabled GeoBlocking and that error is no longer showing up in Access.log but still getting
AH01797: client denied by server configuration by server configuration: /var/www/nextcloud/favicon.ico
AH01797: client denied by server configuration by server configuration: /var/www/nextcloud/index.php

This is very frustrating as these are the only errors I can find and I'm not sure how to correct them. I don’t want to rebuild the server as I have connections from a few different locations.

Please use search - there are a few topics regarding this and different Apache config hints…

So I have searched, trying to find anything, but I have not found anything that points to the issue. It acts like the geoblocker is still affecting it, as I can access the site from the internal network, just not external.
I see some about looking at the .conf file in the Apache2 folder.
Here is what I have seen but it looks to be correct.

<Directory /var/www/nextcloud>
  Options Indexes FollowSymLinks
  AllowOverride All
  ### include all .htaccess
  Include /var/www/nextcloud/.htaccess
  Include /var/www/nextcloud/config/.htaccess
  Include /mnt/ncdata/.htaccess
  ###
  Require all granted
  Satisfy Any
</Directory>

Site had been working without issue until Friday or Monday.
Thanks


Fixed it
Had to go to /etc/apache2/apache2.conf
At the end of the config are the Geoblocking settings, and I # out all the settings.

#<IfModule mod_geoip.c>
#  GeoIPEnable Off
#  GeoIPDBFile /usr/share/GeoIP/GeoIPv4.dat
#  GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat
#</IfModule>
#<Location />
#  SetEnvIf GEOIP_CONTINENT_CODE    NA AllowCountryOrContinent
#  SetEnvIf GEOIP_CONTINENT_CODE_V6 NA AllowCountryOrContinent
#  SetEnvIf GEOIP_COUNTRY_CODE    US AllowCountryOrContinent
#  SetEnvIf GEOIP_COUNTRY_CODE_V6 US AllowCountryOrContinent
#  Allow from env=AllowCountryOrContinent
#  Allow from 127.0.0.1/8
#  Allow from 192.168.0.0/16
#  Allow from 172.16.0.0/12
#  Allow from 10.0.0.0/8
#  Allow from scan.nextcloud.com
#   Allow scans from observatory.mozilla.org:
#  Allow from 63.245.208.0/24
#  Allow from Any
#  Order Deny,Allow
#  Deny from all
#</Location>
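
The `[access_compat:error]` tag on the AH01797 lines means the denial comes from legacy `Order`/`Allow`/`Deny` directives, which can sit in any file Apache loads and not only in the site's `<Directory>` block. An added example (not from the thread; the function names, log line and config tree are constructed) that reads the error code from the log and lists the active directives of the matching module with file and line number:

```sh
# Added example, not from the thread. The log line and config tree are constructed.
# AH01797 is logged by mod_access_compat (Order/Allow/Deny/Satisfy); the same
# denial from mod_authz_core (Require) is logged as AH01630.
LEGACY='^[[:space:]]*(Order|Satisfy|(Allow|Deny)[[:space:]]+from|GeoIP[A-Za-z]+|SetEnvIf[[:space:]]+GEOIP_[A-Za-z0-9_]+)[[:space:]]'
AUTHZ='^[[:space:]]*(<Require(Any|All|None)>|Require[[:space:]])'

# denial_module LOG -> access_compat | authz_core | none
denial_module() {
  if grep -q 'AH01797' "$1"; then echo access_compat
  elif grep -q 'AH01630' "$1"; then echo authz_core
  else echo none
  fi
}

# find_acl LOG CONFDIR -> "file:line:text" for each active (uncommented)
# directive of the module that produced the denials in LOG
find_acl() {
  case "$(denial_module "$1")" in
    access_compat) pat=$LEGACY ;;
    authz_core)    pat=$AUTHZ ;;
    *)             return 0 ;;
  esac
  grep -rnEi "$pat" "$2" 2>/dev/null | sort
}

# make_sample -> builds a constructed log + config tree, prints its path
make_sample() {
  d=$(mktemp -d) && mkdir -p "$d/conf/sites-available"
  cat > "$d/error.log" <<'EOF'
[Wed Sep 18 00:12:21 2024] [access_compat:error] [pid 1:tid 1] [remote 203.0.113.7:62681] AH01797: client denied by server configuration: /var/www/nextcloud/
EOF
  cat > "$d/conf/apache2.conf" <<'EOF'
<Location />
  SetEnvIf GEOIP_COUNTRY_CODE US AllowCountryOrContinent
  Allow from env=AllowCountryOrContinent
  Allow from 192.168.0.0/16
  Order Deny,Allow
  Deny from all
</Location>
EOF
  cat > "$d/conf/sites-available/nextcloud.conf" <<'EOF'
<Directory /var/www/nextcloud>
  Require all granted
  #  Deny from all
</Directory>
EOF
  echo "$d"
}
```

On a Debian/Ubuntu host the equivalent call would be `find_acl /var/log/apache2/error.log /etc/apache2`, assuming the default log and config locations.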
