Apache giving 403 forbidden errors - html

Ok, so i've previously set up two virtual hosts and they are working cool. they both house simple web projects and work fine with http://project1 and http://project2 in the browser.
Anyway, I've come to add another vhost. I edited the /etc/hosts file with 127.0.0.1 project3 and also updated the httpd-vhosts.conf file by copy and pasting the previous entries for project2 and editing the file path.
I've checked all the file and folder permissions (in fact I copied and pasted from project2) and simply put a "hello world" message in the index.php file.
I get a 403 forbidden permission denied message when accessing http://project3
Why is this, I just can figure out what step I've missed as everything seems to be set up correct.

Check that :
Apache can physically access the file (the user that run apache, probably www-data or apache, can access the file in the filesystem)
Apache can list the content of the folder (read permission)
Apache has a "Allow" directive for that folder. There should be one for /var/www/, you can check default vhost for example.
Additionally, you can look at the error.log file (usually located at /var/log/apache2/error.log) which will describe why you get the 403 error exactly.
Finally, you may want to restart apache, just to be sure all that configuration is applied.
This can be generally done with /etc/init.d/apache2 restart. On some system, the script will be called httpd. Just figure out.

I just fixed this issue after struggling for a few days. Here's what worked for me:
First, check your Apache error_log file and look at the most recent error message.
If it says something like:
access to /mySite denied (filesystem path
'/Users/myusername/Sites/mySite') because search permissions
are missing on a component of the path
then there is a problem with your file permissions. You can fix them by running these commands from the terminal:
$ cd /Users/myusername/Sites/mySite
$ find . -type f -exec chmod 644 {} \;
$ find . -type d -exec chmod 755 {} \;
Then, refresh the URL where your website should be (such as http://localhost/mySite).
If you're still getting a 403 error, and if your Apache error_log still says the same thing, then progressively move up your directory tree, adjusting the directory permissions as you go. You can do this from the terminal by:
$ cd ..
$ chmod 755 mySite
If necessary, continue with:
$ cd ..
$ chmod Sites
and, if necessary,
$ cd ..
$ chmod myusername
DO NOT go up farther than that. You could royally mess up your system.
If you still get the error that says search permissions are missing on a component of the path, I don't know what you should do. However, I encountered a different error (the one below) which I fixed as follows:
If your error_log says something like:
client denied by server configuration:
/Users/myusername/Sites/mySite
then your problem is not with your file permissions, but instead with your Apache configuration.
Notice that in your httpd.conf file, you will see a default configuration like this (Apache 2.4+):
<Directory />
AllowOverride none
Require all denied
</Directory>
or like this (Apache 2.2):
<Directory />
Order deny,allow
Deny from all
</Directory>
DO NOT change this! We will not override these permissions globally, but instead in your httpd-vhosts.conf file.
First, however, make sure that your vhost Include line in httpd.conf is uncommented. It should look like this. (Your exact path may be different.)
# Virtual hosts
Include etc/extra/httpd-vhosts.conf
Now, open the httpd-vhosts.conf file that you just Included. Add an entry for your webpage if you don't already have one. It should look something like this. The DocumentRoot and Directory paths should be identical, and should point to wherever your index.html or index.php file is located. For me, that's within the public subdirectory.
For Apache 2.2:
<VirtualHost *:80>
# ServerAdmin webmaster#dummy-host2.example.com
DocumentRoot "/Users/myusername/Sites/mySite/public"
ServerName mysite
# ErrorLog "logs/dummy-host2.example.com-error_log"
# CustomLog "logs/dummy-host2.example.com-access_log" common
<Directory "/Users/myusername/Sites/mySite/public">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
The lines saying
AllowOverride All
Require all granted
are critical for Apache 2.4+. Without these, you will not be overriding the default Apache settings specified in httpd.conf. Note that if you are using Apache 2.2, these lines should instead say
Order allow,deny
Allow from all
This change has been a major source of confusion for googlers of this problem, such as I, because copy-pasting these Apache 2.2 lines will not work in Apache 2.4+, and the Apache 2.2 lines are still commonly found on older help threads.
Once you have saved your changes, restart Apache. The command for this will depend on your OS and installation, so google that separately if you need help with it.
I hope this helps someone else!
PS: If you are having trouble finding these .conf files, try running the find command, such as:
$ find / -name httpd.conf

restorecon command works as below :
restorecon -v -R /var/www/html/

Notice that another issue that might be causing this is that, the "FollowSymLinks" option of a parent directory might have been mistakenly overwritten by the options of your project's directory. This was the case for me and made me pull my hair until I found out the cause!
Here's an example of such a mistake:
<Directory />
Options FollowSymLinks
AllowOverride all
Require all denied
</Directory>
<Directory /var/www/>
Options Indexes # <--- NOT OK! It's overwriting the above option of the "/" directory.
AllowOverride all
Require all granted
</Directory>
So now if you check the Apache's log message(tail -n 50 -f /var/www/html/{the_error_log_file_of_your_site}) you'll see such an error:
Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive
is also forbidden due to its similar ability to circumvent directory restrictions
That's because Indexes in the above rules for /var/www directory is overwriting the FolowSymLinks of the / directory. So now that you know the cause, in order to fix it, you can do many things depending on your need. For instance:
<Directory />
Options FollowSymLinks
AllowOverride all
Require all denied
</Directory>
<Directory /var/www/>
Options FollowSymLinks Indexes # <--- OK.
AllowOverride all
Require all granted
</Directory>
Or even this:
<Directory />
Options FollowSymLinks
AllowOverride all
Require all denied
</Directory>
<Directory /var/www/>
Options -Indexes # <--- OK as well! It will NOT cause an overwrite.
AllowOverride all
Require all granted
</Directory>
The example above will not cause the overwrite issue, because in Apache, if an option is "+" it will overwrite the "+"s only, and if it's a "-", it will overwrite the "-"s... (Don't ask me for a reference on that though, it's just my interpretation of an Apache's error message(checked through journalctl -xe) which says: Either all Options must start with + or -, or no Option may. when an option has a sign, but another one doesn't(E.g., FollowSymLinks -Indexes). So it's my personal conclusion -thus should be taken with a grain of salt- that if I've used -Indexes as the option, that will be considered as a whole distinct set of options by the Apache from the other option in the "/" which doesn't have any signs on it, and so no annoying rewrites will occur in the end, which I could successfully confirm by the above rules in a project directory of my own).
Hope that this will help you pull much less of your hair! :)

it doesn't, however, solve the problem, because on e.g. open SUSE Tumbleweed, custom source build is triggering the same 401 error on default web page, which is configured accordingly with Indexes and
Require all granted

The server may need read permission for your home directory and .htaccess therein

You can try disabling selinux and try once again using the following command
setenforce 0

In my case it was failing as the IP of my source server was not whitelisted in the target server.
For e.g. I was trying to access https://prodcat.ref.test.co.uk from application running on my source server.
On source server find IP by ifconfig
This IP should be whitelisted in the target Server's apache config file. If its not then get it whitelist.
Steps to add a IP for whitelisting (if you control the target server as well)
ssh to the apache server
sudo su -
cd /usr/local/apache/conf/extra (actual directories can be different based on your config)
Find the config file for the target application for e.g. prodcat-443.conf
RewriteCond %{REMOTE_ADDR} <YOUR Server's IP>
for e.g.
RewriteCond %{REMOTE_ADDR} !^192\.68\.2\.98
Hope this helps someone

Add
<Directory "/path/to/webroot">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow, deny
Allow from all
Require all granted
</Directory>
What this does is tell Apache2 to override any previous configs, and allow (200) from all before denying. (403) It also requires all requests to be granted. This code will have to go in every vhost file, but it does work. I have been using this for over a year.
to your config file (e.g. /etc/apache2/sites-enabled/000-default.conf)
Tested LAMP stack Debian 11

Related

Can not access to Server at Port 8080(Forbidden) Centos 6.5 Apache 2.2.15

I have a Lab server and made 27 accounts for students at /home/info02/
"info02" is a group name and info9042 is an account in example.
I'm info9042 and i wrote a simple html document in "/home/info02/info9042/public_html/index.html" but when i type URL in chrome(Window 10), I get message below.
enter image description here
Here is my "/etc/httpd/conf/httpd.conf" file.
What should i change code in conf file?
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"
#DocumentRoot "/home/nlp"
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
## Options FileInfo AuthConfig Limit
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#UserDir disabled root
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
UserDir public_html
</IfModule>
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory /home/*/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
OK, I see several issues here that could be causing your issue(s), moreso than just the httpd config file. So basically your index.html file is a web page (I'm assuming you want to give students access to or someone else). One of the possible problems with what you are doing is, you have the html file (website) located in a folder you made in the /home/ directory. When you created websites, particularly in Apache, they should go under the "/var/www/" directory, because Apache by default sets up security and server settings to use that directory as like a web server directory. So a start to solve your issue would be to move your files/folders under the /var/www folder (or the /var/www/html folder). This can be customized/configured accordingly.
Another problem you have is that, you have two directory initiatives in your httpd file (you should just have one I believe), and your document root is pointing to /var/www/html. A third problem that could be causing a conflict; typically apache/virtual host is configured to load web pages on port 80, which are you trying to access on port 8080 (localhost). You may nave never specified it to load on localhost, and you may not have the ports open either. Your httpd file (I haven't worked with centos two much) doesn't seem to have the Virtual Host surrounding tags I am familair with, but typically you create a virtual host container that specifies a port to load those web pages over.
I don't know, I hope that points you in the right direction. I would definitely start by putting those files into the /var/www/html folder if you intend on using this as a webserver/webpage, it's not good practice (not safe) to use the home folder for such applications. Change the config file to point to that directory. If you need to give students access to modify/execute files, you will need to assign their usergroup permissions to work with the files in the /var/ww/html folder.

XAMPP: Accessing html pages in subdirectories of root

This is most likely a beginner's issue, but I can't seem to find the fix anywhere, and the few posts I found dealing with it are unanswered (e.g. xampp in window 7 cannot access files in subfolder inside C:/xampp/htdocs).
So far I have a working localhost using XAMPP (had to change the port to 8080), located in a custom document root. I can load the index.html, but when I click on a link towards a subdirectoy:
<li></li>
I get the following error:
Service unavailable!
The server is temporarily unable to service your request due to
maintenance downtime or capacity problems. Please try again later.
If you think this is a server error, please contact the webmaster.
Error 503
localhost Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
Even if I type in the address (http://localhost:8080/examples/test.html) directly in the browser, it also doesn't work.
Could someone please indicate if this should be working? Or if I should specify something in the apache config file?
I could also note that when simply viewing the html files in my browser (outside of the localhost), the pages work fine and load regardless of their position in the directories. Thanks for any help!
Edit:
Here is my modified conf file DocumentRoot section:
#DocumentRoot "F:/Apps/xampp/htdocs"
DocumentRoot "F:/me/GitWorkDir/myproject_io"
<Directory "F:/me/GitWorkDir/myproject_io">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks Includes ExecCGI
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
It turns out the issue was due to an unlucky coincidence preventing a subdirectory to be called, precisely, "examples"...
See this page which discusses the issue and proposes a fix.
In short, you can:
Either go to the file C:\xampp\apache\conf\extra\httpd-ajp.conf
and add a "#" to comment out the conflicting line:
ProxyPass /examples ajp://127.0.0.1:8009/examples smax=0 ttl=60 retry=5
Or simply rename the "examples" directory differently (e.g. examples2)
Mostly if you install XAMPP on windows it runs without any problem. Only thing which give issue on windows is permission. which you could resolve by right click on htdocs folder and go to security tab and give all rights to everyone.

Reading magento 1.9x htaccess file

I've downloaded and installed Magento 1.9.x together with sample data on my Mac.
I've added an entry to my hosts file as follows:
127.0.0.1 local.magento.test
And in httpd-vhosts.conf I have the path to the web root set:
DocumentRoot "/Library/WebServer/Documents/vhosts/magento.test/httpdocs"
ServerName local.magento.test
I'm getting a 403 saying
Server unable to read htaccess file, denying access to be safe
If I look in the apache error log it seems that it is trying to read the .htaccess file from the magento.test directory, not httpdocs
Permission denied: ... /Library/WebServer/Documents/vhosts/magento.test/.htaccess
Any ideas or suggestions much appreciated
OK, problem solved. I needed to add the following to my virtual hosts entry:
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>

Editing httpd.conf (openshift.conf) to create an apache Alias

Is there a way to make a simple edit to (httpd.conf) with OpenShift and have it persist across restarts?
`${HOME}php/configuration/etc/conf.d/openshift.conf`
Here is what I would like to do:
I just need to make an apache directory alias (NOT a DNS alias) and define a directory with some permissions.
Here is what I've tried:
I manually edited the file on rhc and restarted the app from my local command prompt. This overwrote my edited file with the default cartridge file when the restart was complete.
$ rhc app restart
Added some herdoc statements to my deploy script, commited the change, and pushed to rhc (I didn't think this would work but tried it just in case.)
#.openshift/action_hooks/deploy
cat << EOF >> ${HOME}php/configuration/etc/conf.d/openshift.conf
all of my edits ...
EOF
Is there a smarter way to do this or must I build my own cartridge to make a simple edit to httpd.conf?
Thanks for your help is much appreciated!
Jay
Found the answer to my own question:
After looking through the documentation for creating a cartridge the answer was staring me in the face (section under first steps talks about creating a symlink to the modules directory.)
What I really wanted to do with the alias was to point to files outside of the ApacheDocument root. FollowSymLinks is enabled in the cartridge, so all I had to do was create a symlink and it did exactly what I was trying to accomplish with the Alias (not sure why I didn't see that sooner).
So instead of this in the apache conf file...
Alias /publicly-visible-alias "/some/path/outside/of/document/root"
<Directory "/some/path/outside/of/document/root">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
I used this in the .openshift/action_hooks/deploy
ln -s /some/path/outside/of/document/root ${OPENSHIFT_REPO_DIR}/sub-directory/publicly-visible-alias
The .htaccess file inside of /publicly-visible-alias directory took care of all the other details (mod_rewrites, document index, etc... etc...)
Hope this helps someone else.
Jay

Apache hangs with Django Application and Matplotlib

Very stuck here and I don't have a whole lot to go on. I had a django application up and running and I started playing around with graphing using NetworkX and Matplotlib to visualize some of the data for a poster. I then tried to use the site again and got the error:
'/var/www' is not a writable dir; you must set /var/www/.matplotlib to be a writable dir. You can also set environment variable MPLCONFIGDIR to any writable directory where you want matplotlib data stored
Which I resolved by chmod'ding the directory. The site's homepage then loads fine but when I try to load any other page that django renders apache just hangs. I set the log level to debug and tail'ed it but it's not showing any new requests or errors or anything, it just sorta hangs until the browser gives up. I then thought it must just be an error with something that I just did so I reverted back to a working version in my repo and am having the same problem. Django's test server is still running the site fine which is leading me to believe that it's a problem with apache (of the whole thing apache is the part I have the least experience with).
my httpd.conf looks like:
ServerName >> my server <<
TraceEnable off
AcceptFilter http none
AcceptFilter https none
EnableMMAP off
EnableSendfile off
<VirtualHost *:80>
ServerAdmin >> my email <<
ServerName >> my server <<
DocumentRoot /Web/public/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
WSGIScriptAlias / /home/$USER/$APP/$APP/wsgi.py
<Directory /Web/public/static>
Options -Indexes
</Directory>
Alias /static /Web/public/static
Alias /media /Web/public/media
ErrorLog /var/log/apache2/error.log
LogLevel debug
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
Please let me know if you have any thoughts, or need any more info.
Thanks!
I had the same problem; Apache/Django would not work but manage.py runserver would work fine. I tried making the default directory readable, and I tried changing MPLCONFIGDIR with export MPLCONFIGDIR=/stuff/, but the only thing that worked was placing
import os
os.environ[ 'MPLCONFIGDIR' ] = '/tmp/'
BEFORE importing matplotlib. Only one page uses MPL in my case, so placing this 'everywhere' was acceptable to me.
Taken from original solution by steko.