Accessing vhost from host only works with port forwarding #4

Closed
NReilingh opened this issue May 4, 2016 · 2 comments
@NReilingh
Contributor

I've been testing different networking configurations for vagrant so that I can access the guest server from a browser on the host machine. So far, the only thing I've gotten to work is if I use `config.vm.network :forwarded_port, guest: 80, host: 4321`, and then access `http://localhost:4321` in a browser.

If I try to access 127.0.0.1:4321 in a browser, I get a 403 forbidden error. If I use a private_network setup with a hostname instead of forwarded_port, I get the same 403 error when accessing by IP, but accessing by the set hostname gets me Apache's default host (files in /usr/local/apache2/htdocs).

Ideally I would like to use a local hostname like dreambox.dev so that the project I'm working on can pretend that it has a hostname, but I haven't been able to figure out how to change apache's vhost configuration so that the /home/user DocumentRoot is served in all instances. I think that would be best because we can't guess at which networking configuration people will try to use.

@goodguyry goodguyry added the bug label May 12, 2016
@goodguyry
Owner

> If I try to access 127.0.0.1:4321 in a browser, I get a 403 forbidden error. If I use a private_network setup with a hostname instead of forwarded_port, I get the same 403 error when accessing by IP

I'm seeing this, too. I believe it's some misconfiguration with Apache. I'll look into it.

> accessing by the set hostname gets me Apache's default host (files in /usr/local/apache2/htdocs).

This sounds like the user_setup script either isn't configured correctly or is erroring out somewhere. Apache should be serving files from /home/user/domain.

> I haven't been able to figure out how to change apache's vhost configuration so that the /home/user DocumentRoot is served in all instances. I think that would be best because we can't guess at which networking configuration people will try to use.

Again, user_setup should be taking care of this. I'm going to add some sample Vagrantfiles once I get a few other things out of the way, which should help make user_setup more clear and easier to use.


As a side note, you don't have to choose between :forwarded_port and :private_network; I use both and everything works as expected.

```ruby
# Forward guest port 80 to the host and also attach a host-only network
config.vm.network :forwarded_port, guest: 80, host: 8080, auto_correct: true
config.vm.network :private_network, ip: "192.168.5.22"
```

I'll start troubleshooting what may be going on here, but showing me the Vagrantfile config for each scenario would help a lot, just so I know for sure I'm getting the same results you are. Thanks!

@NReilingh
Contributor Author

I did a little digging on the 403 error and found the following error message to be pretty descriptive:

[Wed May 11 05:35:14 2016] [error] [client 192.168.12.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache2/modsecurity-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.12.34"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.12.34"] [uri "/"] [unique_id "VzLEkn8AAQEAAAX0D5AAAAAE"]

So evidently there's a rule in place somewhere that kills requests that identify the host by IP.
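
Added example, not part of the issue thread or the project's code: a small Python parser for the ModSecurity denial entry quoted above, which then evaluates the logged rule pattern against the Host values mentioned in this thread to show why `localhost:4321` is served while `127.0.0.1:4321` returns 403. The function names `parse_modsec_denial` and `host_header_blocked` are hypothetical, and the sample line is a shortened copy of the quoted entry.

```python
import re

# Shortened copy of the error-log entry quoted in the comment above.
SAMPLE_LINE = (
    r'[Wed May 11 05:35:14 2016] [error] [client 192.168.12.1] ModSecurity: '
    r'Access denied with code 403 (phase 2). Pattern match "^[\d.:]+$" at '
    r'REQUEST_HEADERS:Host. [line "98"] [id "960017"] [rev "2"] '
    r'[msg "Host header is a numeric IP address"] [data "192.168.12.34"] '
    r'[severity "WARNING"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] '
    r'[tag "WASCTC/WASC-21"] [hostname "192.168.12.34"] [uri "/"]'
)

# Leading sentence: status code, phase, the operator's regex, the inspected variable.
HEAD_RE = re.compile(
    r'ModSecurity: Access denied with code (\d+) \(phase (\d)\)\. '
    r'Pattern match "(.*?)" at ([A-Z_]+(?::[\w-]+)?)\.'
)
# Trailing metadata: [key "value"] pairs; "tag" may repeat.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_denial(line):
    """Return the rule details from one denial entry, or None if it is not one."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)
    first = lambda key: fields.get(key, [None])[0]
    return {
        "status": int(head[1]), "phase": int(head[2]),
        "pattern": head[3], "target": head[4],
        "id": first("id"), "msg": first("msg"), "data": first("data"),
        "tags": fields.get("tag", []),
    }


def host_header_blocked(host, pattern):
    """True if the Host value matches the rule's regex (digits, dots, colons only)."""
    return re.search(pattern, host) is not None


if __name__ == "__main__":
    rule = parse_modsec_denial(SAMPLE_LINE)
    print(rule["id"], rule["msg"], "->", rule["target"])
    for host in ("localhost:4321", "127.0.0.1:4321", "192.168.12.34", "dreambox.dev"):
        print(f"{host:16} blocked={host_header_blocked(host, rule['pattern'])}")
```

Any Host value that contains a letter, such as `localhost:4321` or `dreambox.dev`, falls outside the pattern, so rule 960017 only fires on requests addressed by bare IP.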
