NSG, random 403 error, URL is forbidden


Joe Primus

Trying to pin down an error that I am seeing.  Randomly and at different times of the day, I'll get a notification from a user or our site monitor that there is a 403 error, URL is forbidden.


I have not been able to pinpoint the actual cause.  I have not noticed any errors or problems.  The site does have two custom links done with rewrites and uses a custom X1 theme which just shows the company logo prelogin.  The Netscaler is running 12.53.22.  While this is a little older code, there were some issues when we did try to upgrade it previously so we stuck at this version for now.  



I too have this issue randomly. /var/log/httperror.log shows this error during the few minutes that the login page is down:


[error] [client ::] client denied by server configuration: /netscaler/ns_gui/vpn/index.html, 


I am using NetScaler Gateway 12.0.57.24. 


Everything else appears to be fine at the time of the issue. 



I also have the same issue!

We use version NS12.1: Build 48.13.nc.


[Fri Mar 01 14:37:59 2019] [error] [client ::] client denied by server configuration: /var/netscaler/logon/LogonPoint/index.html, referer: https://<FQDN>/Citrix/ReceiverWeb/
[Fri Mar 01 14:38:06 2019] [error] [client ::] client denied by server configuration: /netscaler/ns_gui/vpn/index.html
[Fri Mar 01 14:38:17 2019] [error] [client ::] client denied by server configuration: /netscaler/ns_gui/vpn/index.html
[Fri Mar 01 14:38:22 2019] [error] [client ::] client denied by server configuration: /netscaler/ns_gui/vpn/index.html


If the 403 error appears, I can see this log entry in htaccess.log:

:: - - [05/Mar/2019:15:06:47 +0100] "GET /vpn/index.html HTTP/1.1" 403 216 "-"
:: - - [05/Mar/2019:15:06:56 +0100] "GET /vpn/index.html HTTP/1.1" 403 216 "-"

The IP address is missing.

A correct request should look like this:

127.0.0.2 - - [05/Mar/2019:15:06:16 +0100] "GET /vpn/index.html HTTP/1.1" 200 3382 "-" 


In the /etc/httpd.conf file the configuration is correct. It is configured to deny from all and allow from 127.0.0:


<Directory "/netscaler/ns_gui/vpn">
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0
</Directory>

Alias /logon/ "/var/netscaler/logon/"
<Directory "/var/netscaler/logon">
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0
</Directory>

<Directory "/netscaler/ns_gui/vpns">
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0
</Directory>


Actually the error message is correct. The reason is that the IP address is missing in the request.




I'm wondering if the lines in the httpaccess.log, which look like this:


:: - - [10/Jan/2020:08:28:25 +0000] "GET /vpn/index.html HTTP/1.1" 403


...when the problem happens show that the requests are coming from an IPv6 local interface (the '::' in place of 127.0.0.2 suggests it is). If this is so, then would adding an "allow from ::" line (or similar) to the httpd.conf file help?


Failing that, I could disable IPv6 as we're not using it.


On 1/10/2020 at 2:47 AM, Stephen Courtney said:

I'm wondering if the lines in the httpaccess.log, which look like this:


:: - - [10/Jan/2020:08:28:25 +0000] "GET /vpn/index.html HTTP/1.1" 403


...when the problem happens show that the requests are coming from an IPv6 local interface (the '::' in place of 127.0.0.2 suggests it is). If this is so, then would adding an "allow from ::" line (or similar) to the httpd.conf file help?


Failing that, I could disable IPv6 as we're not using it.

Any followup on whether this helped?  I'm also seeing this in our Mission Critical environment.  It's EXTREMELY intermittent.  We have a monitoring account that hits the website every five minutes and out of the last week we've seen this same error once in 2,016 runs (288 5min runs a day).


From my logs: [Mon Feb 03 21:15:01 2020] [error] [client ::] client denied by server configuration: /netscaler/ns_gui/vpn/index.html


Now, the httpaccess logs have rolled off before I could get to them but I'm going to assume it's the same issue of not seeing the IP in the logs.


Our Global default authorization access global setting is set to DENY, but the gateway site is set to ALLOW.  However, that is the session policy and I'm not sure we're even getting to that point.  


Our gateway has authentication enabled and we perform LDAP auth as the primary (only) authentication requirement with SSON to Storefront.


Going to have to open a case with Citrix on this.  I'll try to reply soon.



Did you open a case? As others have pointed out, :: doesn't mean no IP address; it means the local host in IPv6.


I could alter /etc/http.conf to the following, but to make this permanent, I need to copy it to /nsconfig and then remember that I've done so on every upgrade to avoid problems like https://support.citrix.com/article/CTX234948

Allow from 127.0.0 ::




I opened up a support case and this is the solution they gave, which worked for me:


Modify httpd.conf to allow requests from all, instead of the current setting, which allows only from 127.0.0.*

Steps:

1. Copy /etc/httpd.conf in /nsconfig.
2. Modify the httpd.conf in /nsconfig and make the below changes:

From:
<Directory "/netscaler/ns_gui/vpn">
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0
</Directory>

and

<Directory "/netscaler/ns_gui/vpns">
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0
</Directory>

To:

<Directory "/netscaler/ns_gui/vpn">
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from all
</Directory>

and

<Directory "/netscaler/ns_gui/vpns">
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from all
</Directory>

4. Reboot the NetScaler. The changes should be reflected in /etc/httpd.conf


Thanks.

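As an added example (not from the thread, and not Citrix's code), the following Python models the httpd.conf access rule discussed in this thread against httpaccess.log lines: it parses the common-log-format prefix, applies the Apache 2.2 "Order deny,allow / Deny from all / Allow from ..." semantics for the token forms the posters use (127.0.0, ::, all), and reports which 403s the rule accounts for and which client addresses a wider rule would additionally admit. The log lines are constructed, modelled on those quoted above; :: (the IPv6 unspecified address) is handled as a literal address token, as in the "Allow from 127.0.0 ::" suggestion.

```python
import ipaddress
import re

# Constructed sample httpaccess.log lines, modelled on the entries quoted in the thread.
SAMPLE_ACCESS_LOG = """\
127.0.0.2 - - [05/Mar/2019:15:06:16 +0100] "GET /vpn/index.html HTTP/1.1" 200 3382 "-"
:: - - [05/Mar/2019:15:06:47 +0100] "GET /vpn/index.html HTTP/1.1" 403 216 "-"
:: - - [05/Mar/2019:15:06:56 +0100] "GET /vpn/index.html HTTP/1.1" 403 216 "-"
10.20.30.40 - - [05/Mar/2019:15:07:03 +0100] "GET /vpn/index.html HTTP/1.1" 403 216 "-"
"""

# Common Log Format prefix: client ident user [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_access_log(text):
    """One dict per parseable line: client, time, method, path, status."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"client": m.group(1), "time": m.group(2), "method": m.group(3),
                            "path": m.group(4), "status": int(m.group(5))})
    return entries

def allow_token_matches(client, token):
    """Model one 'Allow from' token: all, partial IPv4 prefix (127.0.0), CIDR, or full address."""
    if token.lower() == "all":
        return True
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:      # '-' or a garbled client field never matches an address rule
        return False
    if "/" in token:
        return addr in ipaddress.ip_network(token, strict=False)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}", token):   # partial IPv4 prefix, octet-aligned
        return addr.version == 4 and client.startswith(token + ".")
    return addr == ipaddress.ip_address(token)

def is_allowed(client, allow_tokens):
    """Order deny,allow with Deny from all: the request passes only if an Allow token matches."""
    return any(allow_token_matches(client, t) for t in allow_tokens)

def unexplained_403s(entries, allow_tokens):
    """403s on /vpn/ that the Allow list would NOT have caused; empty means the rule explains them all."""
    return [e for e in entries if e["status"] == 403 and e["path"].startswith("/vpn/")
            and is_allowed(e["client"], allow_tokens)]

def denied_clients(entries, allow_tokens):
    """Distinct client addresses the Allow list rejects; review before widening the rule."""
    return sorted({e["client"] for e in entries if not is_allowed(e["client"], allow_tokens)})
```

Running denied_clients over a week of real httpaccess.log lines with ["127.0.0"] shows whether :: is the only address being rejected, in which case adding that single token is the narrower change compared with "Allow from all".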
