Koozali.org: home of the SME Server

Forbidden You don't have permission to access /server-manag

Michel-Andre

Forbidden You don't have permission to access /server-manag
« on: April 04, 2002, 12:32:44 AM »
https://my_name_for_my_sme_server.dyndns.org/server-manager

I would like to connect through the internet from outside.
I can connect from my local lan with no problem.

I looked through the forum, the manual etc...

Thank you for your time...

michelandre@videotron.ca

Dan Brown

Re: Forbidden You don't have permission to access /server-m
« Reply #1 on: April 04, 2002, 01:05:42 AM »

Jon Blakely

Re: Forbidden You don't have permission to access /server-m
« Reply #2 on: April 04, 2002, 01:20:37 AM »
Once you have taken Dan's advice and RTFM again, read this

http://www.e-smith.org/docs/howto/remote-mgr-access-howto.html

and it will explain how to allow remote access via SSL to the server manager.

Jon

Michel-André

Re: Forbidden You don't have permission to access /server-m
« Reply #3 on: April 04, 2002, 01:35:51 AM »
Thank you for your deep knowledge but at the same time you should RTF? (replace manual with question)
As I wrote, I can access locally through the LAN but I am receiving the "Forbidden..." answer if I access through the internet.

Michel-Andre

Re: Forbidden You don't have permission to access /server-m
« Reply #4 on: April 04, 2002, 01:51:11 AM »
Re: no access via SSH or server-manager
  Author: trevorb (trevorbatley_AT_optushome.com.au)
  Date:   03-25-02 17:34

  I don't think this answers your question, but it may give you something else to look at.

  You can only use the server-manager pages from within your local network (there are ways around this with ssh tunnels etc., but let's not digress). Have you set up
  your sme server as part of your local network?

************************
...there are ways around this ...
************************

The question comes from this answer on the forum.
When I went through the search I found that.
So I thought someone knows a way to encapsulate the GUI into a tunnel.
That is why I posted the question.

Dan Brown

Re: Forbidden You don't have permission to access /server-m
« Reply #5 on: April 04, 2002, 01:56:43 AM »
The manual section I posted tells you that you aren't supposed to be able to connect from outside--that is, what you're posting isn't a "problem" in the sense of SME behaving like it isn't supposed to.  The link Jon posted explains how to change that fact.

David Hardy

Re: Forbidden You don't have permission to access /server-m
« Reply #6 on: April 04, 2002, 03:23:22 AM »
If you really want to connect to the /server-manager from the internet add the ip range 0.0.0.0 / 0.0.0.0 to the local networks section.

But I don't recommend it 'cos when you can connect like that, so can everyone else!

Or add the IP of the remote end if it's a fixed IP. 123.123.123.123 / 255.255.255.240 etc. (I guess, I haven't tried this myself, though I have tried, briefly, the 0.0.0.0 / 0.0.0.0 setting).
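
An added example (not part of the post above or of the SME Server tooling) that shows how many source addresses each address / netmask pair mentioned in this thread would admit. It assumes the second value is an ordinary contiguous IPv4 netmask; the function names are hypothetical.

```sh
# Added example, not from the thread: what does an "address / netmask" entry admit?
# Assumes the second value is an ordinary contiguous IPv4 netmask.
ip_to_int() (   # dotted quad -> 32-bit integer; fails on malformed input
    case "$1" in *[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    n=0
    for o in "$@"; do
        [ "${#o}" -le 3 ] || exit 1
        o=${o#0}; o=${o#0}; o=${o:-0}   # strip leading zeros so "08" is not read as octal
        [ "$o" -le 255 ] || exit 1
        n=$(( (n << 8) | o ))
    done
    echo "$n"
)
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print "first last count". A valid mask is ones then zeros, so inv+1 is a power of two.
admitted_range() (
    addr=$(ip_to_int "$1") || exit 1
    mask=$(ip_to_int "$2") || exit 1
    inv=$(( ~mask & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ] || exit 1
    net=$(( addr & mask )); last=$(( net | inv ))
    echo "$(int_to_ip "$net") $(int_to_ip "$last") $(( inv + 1 ))"
)

# Classify an entry by how much of the address space it lets in.
audit_entry() (
    out=$(admitted_range "$1" "$2") || { echo "invalid"; exit 0; }
    set -- $out
    case "$3" in
        4294967296) echo "open-to-everyone" ;;
        1)          echo "single-host $1" ;;
        *)          echo "range $1-$2 ($3 addresses)" ;;
    esac
)

# The two pairs quoted in the thread, plus a constructed single-host mask for comparison.
while read -r addr mask; do
    printf '%-16s %-16s -> %s\n' "$addr" "$mask" "$(audit_entry "$addr" "$mask")"
done <<'EOF'
0.0.0.0 0.0.0.0
123.123.123.123 255.255.255.240
123.123.123.123 255.255.255.255
EOF
```

Under that assumption, the 255.255.255.240 mask admits a block of 16 addresses around the remote end rather than that one host.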

trevorb

Re: Forbidden You don't have permission to access /server-m
« Reply #7 on: April 04, 2002, 06:09:51 AM »
I was talking about using an SSH tunnel to run the server-manager pages on a PC that is not part of your network.

Look at the end of Darrell May's Howto on using MindTerm. You can use any SSH client that supports tunnels. It works for 5.1.2 (and later versions of MindTerm).

http://myezserver.com/downloads/mitel/howto/mindterm-howto.html

Trevor B

Michel-Andre wrote:
>
>  Re: no access via SSH or server-manager
>   Author: trevorb (trevorbatley_AT_optushome.com.au)
>   Date:   03-25-02 17:34
>
>   I don't think this answers your question, but it may give
> you something else to look at.
>
>   You can only use the server-manager pages from within your
> local network (there are ways around this with ssh tunnels
> etc., but let's not digress). Have you set up
>   your sme server as part of your local network?
>
> ************************
> ...there are ways around this ...
> ************************
>
> The question comes from this answer on the forum.
> When I went through the search I found that.
> So I thought someone knows a way to encapsulate the GUI into
> a tunnel.
> That is why I posted the question.

trevorb


Michel-André

Re: Forbidden You don't have permission to access /server-m
« Reply #9 on: April 04, 2002, 03:37:14 PM »
Thank you "trevorb". This is a real professional answer.

As for "Dan Brown", your RTFM doesn't answer everything.
So next time if you have nothing better to write then just shut up.

Michel-André

Dan Brown

Re: Forbidden You don't have permission to access /server-m
« Reply #10 on: April 04, 2002, 05:35:09 PM »
Michel-Andre, both of your messages on this thread gave the impression that you thought this behavior wasn't how SME was supposed to act.  This is incorrect; it's _exactly_ how it's supposed to work.  For security reasons, it doesn't allow access to the server manager from outside of your LAN.  

The link Jon posted (http://www.e-smith.org/docs/howto/remote-mgr-access-howto.html in case you've forgotten) explains how to allow access from anywhere you want.  Trevor's solution may also work; there's often more than one way to accomplish what you're trying to do.  Either one, however, makes your system a bit less secure.

Now, if you want to open up your server, that's certainly your option.  But flaming someone who's trying to explain that your system's working exactly as designed just might not be the brightest response.

Michael Smith

Re: Forbidden You don't have permission to access /server-m
« Reply #11 on: April 04, 2002, 07:00:21 PM »
Gotta speak up on the side of Mr. Brown, who has contributed MUCHLY to the e-smith community and whose howtos and contribs have directly benefited so many of us.

Michel-Andre, what exactly have YOU done for us, except insulted someone who's greatly respected around here?

Rob Wellesley

Re: Forbidden You don't have permission to access /server-m
« Reply #12 on: April 05, 2002, 04:32:11 AM »
Try this..

Remote Access of the Server-Manager - if you are using a dialup to access then you will need to use ValidFrom all; if you are accessing from a static IP then use ValidFrom

To allow access from any machine anywhere via SSL

Login as root and type the following. CHECK SPELLING AND SPACES before you press enter

    /sbin/e-smith/db configuration setprop httpd-admin ValidFrom all

Expand the change into the httpd.conf file

    /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf

Gracefully restart Apache

    /etc/e-smith/events/actions/restart-httpd-graceful

Access the Server Manager from a remote system with https not http


To disable SSL access to the server manager, follow the steps outlined below.

Delete the ValidFrom property for httpd-admin from the configuration database:

    /sbin/e-smith/db configuration delprop httpd-admin ValidFrom

Expand the httpd.conf template:

    /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf

Gracefully restart apache:

    /etc/e-smith/events/actions/restart-httpd-graceful

Michel-Andre

Re: Forbidden You don't have permission to access /server-m
« Reply #13 on: April 05, 2002, 06:49:20 AM »
Some of the comments are getting out of proportion here.
I'll wait a few days and see what else will come up.

Arby Edi

Re: Forbidden You don't have permission to access /server-m
« Reply #14 on: April 05, 2002, 07:50:58 AM »
Michel-Andre:  

I don't think you'll see any more activity here beyond this.  The last messages give exactly what you're looking for.  If you have a static IP at "home" and want to access your SME server-manager from there then login through telnet or whatever securely, then issue the commands in the previous messages starting with:

    /sbin/e-smith/db configuration setprop httpd-admin ValidFrom all

but replace the "all" with your IP address.   This will allow your IP address only to come on in (or anyone who wants to spoof your address) to https://xxx.xxx.com/server-manager.

I had the same issue when I started and it was thanks to everyone here to help me out....and RTFM is pretty funny and shouldn't offend anyone...especially when it makes sense (as I didn't read it either at the time).