I am working with Apache .conf files on Fedora 30.
In /etc/httpd/conf/httpd.conf, there is:
<Directory />
AllowOverride none
Require all denied
</Directory>
There is also:
DocumentRoot "/var/www/html"
That means that "localhost" starts from this "/var/www/html" directory.
Question 1: What is the use of "Require all denied" for Directory "/" when DocumentRoot is at a lower level (so the server will not serve any files in higher-level directories)?
At the end of httpd.conf, there is:
IncludeOptional conf.d/*.conf
So I create a personal.conf in "/etc/httpd/conf.d"; inside I set:
<Directory "/var/www">
AllowOverride None
Require all denied
</Directory>
I restart Apache (systemctl restart httpd.service) but localhost/index.html (i.e. "DocumentRoot"/index.html, or "/var/www/html"/index.html) is still available.
It acts as if this directive in httpd.conf took priority:
<Directory "/var/www/html">
Require all granted
</Directory>
Question 2: So what is the use of "Require all denied" on a higher-level directory?
Thank you for your help :)
Question 1: What is the use of "Require all denied" for Directory "/" when DocumentRoot is at a lower level (so the server will not serve any files in higher-level directories)?
Question 2: So what is the use of "Require all denied" on a higher-level directory?
The server could easily serve files below the document root if the Require all denied wasn't there; you only need a small misconfiguration in your server. Imagine for example an Alias like
Alias /etc /etc
which would allow you to read the password file from http://localhost/etc/passwd or other sensitive stuff. With the default configuration you would need an explicit override like
<Directory /etc>
Require all granted
</Directory>
to do this.
The directive
<Directory />
AllowOverride none
Require all denied
</Directory>
is used to prevent any access below your /var/www/html directory as a security mechanism ("be as restrictive as possible").
Thank you for your answer.
Now for question 2; let's imagine a house: outdoors [door 1] hall [door 2] corridor [door 3] living room.
In /etc/httpd/conf/httpd.conf, I close the front door [door 1] of the house
<Directory />
AllowOverride none
Require all denied
</Directory>
I open the door between the hall and the corridor [door 2]
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
I open the door between the corridor and the living-room [door 3]
<Directory "/var/www/html">
AllowOverride None
Require all granted
</Directory>
Then in a personal.conf file in "/etc/httpd/conf.d" I close the door between the hall and the corridor [door 2]:
<Directory "/var/www">
AllowOverride None
Require all denied
</Directory>
Why is the living room still accessible (localhost/index.html, i.e. /var/www/html/index.html, is accessible) when [door 2] is closed?
I need to be explicit:
<Directory "/var/www/html">
AllowOverride None
Require all denied
</Directory>
in personal.conf
To get the "Forbidden You don't have permission to access this resource." message...
Thanks again.
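The behaviour described in this thread follows from the order in which httpd merges <Directory> sections, and the following model, added here as an illustration (it is not httpd's own code and not code from any of the posts), reproduces it for the configuration quoted above. It covers both question 1 (a stray Alias mapping a URL outside DocumentRoot, which only "Require all denied" on / stops) and question 2 (a <Directory "/var/www"> in personal.conf cannot override the more specific <Directory "/var/www/html"> from httpd.conf, while a <Directory "/var/www/html"> in personal.conf ties on path length and wins by being read later). The file name override.conf and the sample URLs are assumptions made for the example; only non-regex <Directory> sections, Alias/DocumentRoot mapping and "Require all granted|denied" are modelled.

```python
"""Model of how httpd 2.4 resolves a request against <Directory> sections.

Added illustration written for this page; it is not httpd's own code.
Scope: non-regex <Directory> sections, Alias and DocumentRoot mapping, and
"Require all granted|denied" only. .htaccess, <Location>, <Files> and
other Require providers are not modelled.

Two httpd rules are reproduced:
  1. Alias mappings are tried before DocumentRoot, so a stray
     "Alias /etc /etc" reaches /etc/passwd unless a <Directory> denies it.
  2. Applicable <Directory> sections are merged from the shortest path
     (fewest components) to the longest; sections of equal length are
     merged in the order they were read (httpd.conf first, then the
     IncludeOptional'd conf.d/*.conf files). With the default
     AuthMerging Off, the Require of the last-merged section replaces
     all earlier ones, so the most specific section wins regardless of
     which file it lives in.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class DirectorySection:
    path: str       # filesystem directory the section applies to
    require: str    # "granted" or "denied" (Require all ...)
    source: str     # file the section was read from, for the explanation


def _parts(path):
    return PurePosixPath(path).parts   # "/" -> ("/",), "/var/www" -> ("/", "var", "www")


def map_url(url_path, document_root, aliases=()):
    """Map a URL path to a filesystem path: longest matching Alias first, else DocumentRoot."""
    for url_prefix, fs_prefix in sorted(aliases, key=lambda a: -len(a[0])):
        prefix = url_prefix.rstrip("/")
        if url_path == prefix or url_path.startswith(prefix + "/"):
            return fs_prefix.rstrip("/") + url_path[len(prefix):]
    return document_root.rstrip("/") + url_path


def merge_order(fs_path, sections):
    """Sections covering fs_path, in the order httpd merges them (the last one wins)."""
    target = _parts(fs_path)
    applicable = [s for s in sections if target[:len(_parts(s.path))] == _parts(s.path)]
    return sorted(applicable, key=lambda s: len(_parts(s.path)))  # stable: config order on ties


def decide(fs_path, sections):
    """Return (verdict, winning_section); verdict is "granted" or "denied"."""
    order = merge_order(fs_path, sections)
    if not order:
        # authz_core grants when no Require directive applies at all; this
        # branch is unreachable once <Directory /> exists, as in the stock httpd.conf.
        return "granted", None
    return order[-1].require, order[-1]


def explain(url_path, document_root, sections, aliases=()):
    fs_path = map_url(url_path, document_root, aliases)
    verdict, _ = decide(fs_path, sections)
    steps = ", ".join(f"{s.path} ({s.require}, {s.source})"
                      for s in merge_order(fs_path, sections))
    return f"{url_path} -> {fs_path}: merge order [{steps}] => {verdict}"


# Sections as in the stock Fedora httpd.conf quoted in the question.
HTTPD_CONF = [
    DirectorySection("/", "denied", "httpd.conf"),
    DirectorySection("/var/www", "granted", "httpd.conf"),
    DirectorySection("/var/www/html", "granted", "httpd.conf"),
]

if __name__ == "__main__":
    root = "/var/www/html"
    etc_alias = [("/etc", "/etc")]
    # Question 1: with "Require all denied" on / a stray Alias is still blocked ...
    print(explain("/etc/passwd", root, HTTPD_CONF, aliases=etc_alias))
    # ... without that section nothing applies and the file is served ...
    print(explain("/etc/passwd", root, HTTPD_CONF[1:], aliases=etc_alias))
    # ... and an explicit <Directory /etc> (override.conf is a hypothetical file) reopens it.
    print(explain("/etc/passwd", root,
                  HTTPD_CONF + [DirectorySection("/etc", "granted", "override.conf")],
                  aliases=etc_alias))
    # Question 2: personal.conf denying /var/www merges before the longer
    # /var/www/html section from httpd.conf, so index.html stays reachable ...
    print(explain("/index.html", root,
                  HTTPD_CONF + [DirectorySection("/var/www", "denied", "personal.conf")]))
    # ... whereas denying /var/www/html itself ties on length and wins by being read later.
    print(explain("/index.html", root,
                  HTTPD_CONF + [DirectorySection("/var/www/html", "denied", "personal.conf")]))
```

The practical check on a real server is `httpd -t -D DUMP_INCLUDES` to confirm which files are read and in what order, then a request with curl; the model only predicts what that request will return.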
Related
I'm running httpd on fedora server 35 and want to use it to serve files on my local network. It works fine for files stored under the /var/www/html directory directly (e.g. /var/www/html/videos/video.mp4 can be accessed with http://IP/videos/video.mp4 on any local device).
I want to serve files stored in other locations in the file system. My plan was to create symbolic links to those locations. When I do that, I run into forbidden errors when trying to access the files (e.g. a video file /files/videos/video.mp4 linked with a symlink /var/www/html/videos-link -> /files/videos/ so that I would (theoretically) access it with http://IP/videos-link/video.mp4).
I can navigate to http://IP/videos-link fine (an Index of DIRECTORY page, but no files are listed), but trying to access the file (http://IP/videos-link/video.mp4) gives me 403 forbidden.
My config (/etc/httpd/conf/httpd.conf) looks like this (it's a bit messy since I've been trying to fix this myself):
<Directory />
Options FollowSymLinks Indexes
AllowOverride All
Require all granted
</Directory>
...
<Directory "/var/www">
Options +FollowSymLinks +Indexes
AllowOverride All
Require all granted
</Directory>
...
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
...
<Directory "/files/videos">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
In attempts to make it work I've made sure the symlink and all the directories have the same owner and that they're all 777, so ownership/read perms shouldn't be an issue. Would greatly appreciate some help, thanks.
My issue was with SELinux. To get it working immediately I was able to set SELinux to permissive mode with
# setenforce 0
That resets on boot and is probably insecure, so the permanent fix (to just let httpd through) would be:
# semanage permissive -a httpd_t
More details on SELinux in Fedora can be found here: https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/
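The 403 in this thread comes from the symlink target living outside /var/www and therefore carrying an SELinux type (typically default_t) that the httpd_t domain is not allowed to read; mode 777 does not change that, and with FollowSymLinks it is the target's label, not the link's, that matters. The following script is an added example, not the poster's code: it parses plain `ls -Z` output (context, then name), flags entries whose type is outside a conservative set of httpd-readable types, and builds the semanage/restorecon commands that would relabel the target tree persistently, which is the narrower alternative to making the httpd_t domain permissive. The `ls -Z` sample lines are constructed for the example, and the set of readable types is an assumption limited to the httpd_sys_* types; other types may be readable depending on policy and booleans.

```python
"""Flag files under a web tree whose SELinux type httpd cannot read.

Added example for this page, not code from the original post. Parses
`ls -Z` output, reports entries outside a conservative set of types the
targeted policy lets httpd_t read, and emits the relabel commands.
"""
import re

# Conservative subset (assumption) of types httpd_t can read in the targeted
# policy. Types not listed here (e.g. public_content_t, or home-directory
# types gated by booleans) may also be readable; treat them as "check it".
HTTPD_READABLE_TYPES = {
    "httpd_sys_content_t",      # ordinary read-only web content
    "httpd_sys_rw_content_t",   # content the web app may also write
    "httpd_sys_ra_content_t",   # content the web app may append to
}

# user:role:type:level followed by the file name, as printed by `ls -Z`.
_LS_Z_LINE = re.compile(
    r"^(?P<user>\w+):(?P<role>\w+):(?P<type>\w+):(?P<level>\S+)\s+(?P<name>.+?)\s*$"
)

# Constructed sample: the link under DocumentRoot is labelled fine, the
# target tree it points to is not.
SAMPLE_LS_Z = """\
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/videos/video.mp4
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/videos-link
unconfined_u:object_r:default_t:s0 /files/videos
unconfined_u:object_r:default_t:s0 /files/videos/video.mp4
"""


def parse_ls_z(output):
    """Yield (path, selinux_type) for each parseable `ls -Z` line."""
    for line in output.splitlines():
        m = _LS_Z_LINE.match(line.strip())
        if m:
            yield m.group("name"), m.group("type")


def unreadable_by_httpd(output):
    """Return [(path, type)] for entries httpd_t is not known to be able to read."""
    return [(path, typ) for path, typ in parse_ls_z(output)
            if typ not in HTTPD_READABLE_TYPES]


def relabel_commands(directory, selinux_type="httpd_sys_content_t"):
    """Commands that relabel a tree persistently (a chcon alone is undone by the next relabel)."""
    d = directory.rstrip("/")
    return [
        f'semanage fcontext -a -t {selinux_type} "{d}(/.*)?"',
        f"restorecon -Rv {d}",
    ]


if __name__ == "__main__":
    for path, typ in unreadable_by_httpd(SAMPLE_LS_Z):
        print(f"{path}: type {typ} is not httpd-readable")
    print("\n".join(relabel_commands("/files/videos")))
```

On a real host, feed it `ls -Z /files/videos /files/videos/*` and confirm the result with `ausearch -m AVC -ts recent` before and after relabelling; if the denial persists with correct labels, the remaining cause is usually a boolean such as httpd_enable_homedirs rather than the file type.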
I was trying to install Roundcube on my apache2 / ISPConfig 3 server on my LAN, using:
https://www.howtoforge.com/using-roundcube-webmail-with-ispconfig-3-on-debian-wheezy-apache2
with the following changes:
remoteuser roundcube
pass password809098
and
https://www.rosehosting.com/blog/how-to-install-roundcube-webmail-on-ubuntu-20-04/
with these changes:
GRANT ALL PRIVILEGES ON roundcube.* TO roundcubeuser@localhost IDENTIFIED BY 'password';
nano /etc/apache2/sites-available/roundcube.jungsf.tv.conf
a2ensite roundcube.jungsf.tv
<VirtualHost *:80>
ServerName roundcube.jungsf.tv
DocumentRoot /var/www/roundcube/
ErrorLog ${APACHE_LOG_DIR}/roundcube.jungsf.tv_error.log
CustomLog ${APACHE_LOG_DIR}/roundcube.jungsf.tv_access.log combined
Options FollowSymLinks
<Directory "/var/www/roundcube/">
AllowOverride All
</Directory>
Options FollowSymLinks MultiViews
<Directory "/var/www/roundcube/">
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
I managed in the end to get the Roundcube web interface through http://jungsf.tv/webmail
but it still doesn't log in; I don't know what the username/password should be.
I tried all combinations: roundcube/roundcubeuser/email .... password, PASSWORD, password809098.
How can I find the user/pass, or how can I delete everything to reinstall it?
I saw this plugin to set the password, but how can I use it?
https://github.com/saas-dev/roundcube-forgot_password
I managed to get it working by creating a mailbox in ISPConfig 3; there I entered the email and password, which are used to log in to Roundcube.
I have Apache 2.4 installed using Homebrew on my Mac. The following does not work, it allows access to the entire filesystem:
<Directory />
AllowOverride None
Require all denied
</Directory>
If I enable access_compat_module then change the above block to the block below, it works as expected. I didn't make any other changes to httpd.conf.
<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>
I thought these were equivalent but clearly something is not working. I have authz_core_module enabled in both cases. Any ideas what I am doing wrong? Thanks.
If you only want to share '/path/to/share',
then you need not touch
<Directory />
but instead update the
<Directory "/Library/WebServer/Documents">
to let it be:
<Directory "/Library/WebServer/Documents">
Options FollowSymLinks Indexes
MultiviewsMatch Any
AllowOverride None
Require all granted
</Directory>
then you can create a soft link under the
/Library/WebServer/Documents
to let it point to
/path/to/share
and give the
/path
/path/to
/path/to/share
enough permission to make it possible to access from
http://<your domain name>/
This is the system-level way to share a particular directory.
There are also other ways to share a particular directory on your server,
e.g. Alias, or the user level:
http://<your domain name>/~<username>
reference documents
I am trying to get OpenDLP to work on my system. For those not familiar with it, just think of it as a Perl website.
I mostly prepared everything, except that the UI gives errors.
After some digging and debugging, I found out that my Perl scripts are running under directory '/'! And when pages try to read '../etc/db_admin' they won't find it and throw error.
My vhost config for this ui:
<VirtualHost opendlp.local:443>
ServerAdmin vahid.fazl2000@engineer.com
DocumentRoot "/home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin"
ServerName opendlp.local:443
ErrorLog "/var/log/httpd/opendlp-error_log"
CustomLog "/var/log/httpd/opendlp-access_log" common
Include conf/extra/httpd-opendlp.conf
<Directory "/home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin">
AddHandler perl-script .pl .html
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
PerlOptions +ParseHeaders
AllowOverride All
Options All
Require method GET POST OPTIONS
</Directory>
</VirtualHost>
and here is httpd-opendlp.conf
Alias /OpenDLP/images/ /home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin/images
<Directory "/home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin/images/">
Options FollowSymLinks
AllowOverride None
order allow,deny
allow from all
#AuthType Basic
#AuthName "OpenDLP"
#AuthUserFile /etc/apache2/.htpasswd.dlp.user
#Require user dlpuser
</Directory>
ScriptAlias /OpenDLP/ "/home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin/"
ScriptAlias /cgi-bin/ "/home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin/"
<Directory "/home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin/results/">
Options FollowSymLinks
AllowOverride None
order allow,deny
allow from all
#AuthType Basic
#AuthName "OpenDLP"
#AuthUserFile /etc/apache2/.htpasswd.dlp.agent
#Require user ddt
</Directory>
<Directory "/home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin/">
Options FollowSymLinks
AllowOverride None
order allow,deny
allow from all
#AuthType Basic
#AuthName "OpenDLP"
#AuthUserFile /etc/apache2/.htpasswd.dlp.user
#Require user dlpuser
</Directory>
#Also add this stuff to the Apache config file:
# taken from http://hausheer.osola.com/docs/9
SSLEngine on
#SSLVerifyClient require
SSLCertificateFile /home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/server.crt
SSLCertificateKeyFile /home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/server.key
SSLCACertificateFile /home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/server.crt
I haven't tried Perl for web before, and I am not familiar with mod_perl and its options. I have googled for this, but it seems that I don't know where to look (except here, of course :-) )
BTW, I'm on Arch Linux x64 if it matters.
Thanks in advance
EDIT: Here is some more info on errors.
This is the error I get when I visit https://opendlp.local/profiles-manage.html
No such file or directory at /home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin/profiles-manage.html line 29.
And here is line 29 (and around it) of file:
use CGI qw/:standard/;
use DBI;
use Cwd qw();
my $version = get_version();
my $db_admin_file = "../etc/db_admin";
my( $db_username, $db_password ) = "";
open( DB, $db_admin_file ) or die $!; # LINE 29
my $db_line = <DB>;
close( DB );
chomp $db_line;
($db_username, $db_password) = split( ":", $db_line );
header();
print "<heading>Manage existing scan profiles</heading><normal><br><br>\n";
I have added use Cwd myself (googled, actually) and checked the working directory, which is /.
Change DocumentRoot to
/home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web
instead of
/home/vahid/Downloads/OpenDLP-0.5.1/OpenDLP/web/bin
Then in your script:
my $db_admin_file = "etc/db_admin";
You get the "cannot find file" error because your code runs on a virtual host where the directory you set as DocumentRoot is regarded as the root directory (/). You cannot "go behind" a root directory.
I have a directory structure like the following for a website on Ubuntu 14.04, running apache 2.4.7:
/websites/mywebsite/index.htm
/websites/mywebsite/private.htm
/websites/mywebsite/folder/privatefile.ext
/websites/mywebsite/folder/subfolder/publicfile.ext
In the Apache config for the site, I have
<Directory /websites/mywebsite/>
AllowOverride Limit
Require all granted
</Directory>
I want to use .htaccess files in the site folder such that the private.htm and privatefile.ext files are Require all denied but everything else is granted.
I tried the following two .htaccess files:
/websites/mywebsite/.htaccess:
<FilesMatch "^private.*\.htm$">
Require all denied
</FilesMatch>
/websites/mywebsite/folder/.htaccess:
Require all denied
/websites/mywebsite/folder/subfolder/.htaccess:
Require all granted
However, apache gives a 500 - "Require not allowed here" for /websites/mywebsite/.htaccess
How can I make what I want happen with apache 2.4-compatible configuration (ie I do not want to load mod_access_compat and use the old style config)?
In the Apache config for the site, you have to extend the AllowOverride properties. Add FileInfo and AuthConfig, or set "AllowOverride All".
I had the same problem, fixed with this config:
<Directory /websites/mywebsite/>
Options +FollowSymLinks +SymLinksIfOwnerMatch
AllowOverride FileInfo AuthConfig
</Directory>