Home page not displaying after successful installation of IBM HTTP server - apache

I have installed IBM HTTP on a Red Hat Linux server. The installation was successful, but I was not able to view the home page. Whenever I tried to view the home page, it always displayed a 'Forbidden' message like 'You don't have permission to access / on this server.' On checking the logs, they showed the following error message:
[Fri May 11 03:18:34.955151 2018] [core:error] [pid 23748:tid 140394669549312] (13)Permission denied: [client 172.16.100.25:56320] AH00035: access to / denied (filesystem path '/root/IHS') because search permissions are missing on a component of the path
Can anybody help me with this?

Don't install to /root since it is normally not readable/executable by non-root users such as the webserver processes that handle requests. Reinstall in e.g. /opt.
Apache-based servers like IHS generally start as root then transition to a lower-privileged user to handle requests -- like "nobody" or "www-data".
Apache requires not just read access to the file being served and execute access to the document root, but read and execute access to EVERY directory between the root of the filesystem and the document root.
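The AH00035 message above names a missing search (execute) permission on a component of the path. As an added example (not part of the original answer), this Python script walks every directory from / down to the server root and reports the ones a given uid cannot traverse. The uid, the temporary tree standing in for /root/IHS and /opt/IHS, and the function names are constructed for illustration; ACLs and SELinux are not evaluated.

```python
import os
import stat
import tempfile

def can_search(st, uid, gids):
    """Classic owner/group/other test for the execute (search) bit on a directory."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def blocked_components(path, uid, gids):
    """Return each directory from / down to `path` that `uid` cannot traverse."""
    blocked, current = [], os.sep
    for part in [""] + [p for p in os.path.abspath(path).split(os.sep) if p]:
        current = os.path.join(current, part)
        st = os.stat(current)            # run as root so every component is visible
        if stat.S_ISDIR(st.st_mode) and not can_search(st, uid, gids):
            blocked.append(current)
    return blocked

def demo():
    """Constructed tree: <tmp>/root (0700) and <tmp>/opt (0755), each holding IHS."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    worker_uid = os.getuid() + 12345     # constructed uid standing in for "nobody"
    result = {}
    for parent, mode in (("root", 0o700), ("opt", 0o755)):
        ihs = os.path.join(base, parent, "IHS")
        os.makedirs(ihs)
        os.chmod(ihs, 0o755)
        os.chmod(os.path.join(base, parent), mode)
        found = blocked_components(ihs, worker_uid, set())
        result[parent] = [p for p in found if p.startswith(base)]
    return base, result

if __name__ == "__main__":
    print(demo()[1])
```

On a real host, call blocked_components with the server root and the uid and group ids of the user the worker processes run as.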


Apache/Docusign - Restrict location by host or ip

I'm trying to restrict a URL called by a Docusign event when a document is completed.
I want to only give access to this URL to the Docusign host or IP, but I'm unable to do so because of my limited skills with Apache.
By following this documentation https://www.docusign.com/trust/security/esignature
I've tried to add these lines in my vhost:
<LocationMatch "^/souscription/api/[^/].*/callback/.*$">
Require host docusign.com docusign.net
</LocationMatch>
But I have this error in the Apache log:
[Wed Jul 29 12:59:09.663648 2020] [authz_host:error] [pid 32671] [client 162.248.186.11:50836] AH01753: access check of 'docusign.com docusign.net' to /souscription/api/1.0/callback/118/completed failed, reason: unable to get the remote host name
What's wrong with my config?
For Apache questions, use superuser.com
When building a listening server for receiving DocuSign webhook messages, filtering by IP is not recommended since it leads to a brittle installation that can fail at exactly the wrong time. Instead:
Use the combination of the Basic Authentication and HMAC features to assure yourself that the message really came from DocuSign.
Or better, use an intermediate PaaS service to queue the notification messages. The additional feature is that you can receive the notification messages from behind your firewall with no changes to the firewall. See the example repo and associated blog posts.
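HMAC verification as recommended in the answer above, as an added example that is not part of the original post or DocuSign's code. It assumes the signature arrives base64-encoded in X-DocuSign-Signature-N headers as HMAC-SHA256 over the raw request body; the key, payload and function names are constructed.

```python
import base64
import hashlib
import hmac

SIG_HEADER_PREFIX = "x-docusign-signature-"   # assumed header family: -1, -2, ...

def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Base64 of HMAC-SHA256 over the exact bytes received, before any parsing."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()

def verify_webhook(headers: dict, raw_body: bytes, secrets: list) -> bool:
    """True when any presented signature matches any configured key."""
    presented = [v.strip() for k, v in headers.items()
                 if k.lower().startswith(SIG_HEADER_PREFIX)]
    matched = False
    for secret in secrets:                     # several keys allow rotation
        expected = compute_signature(secret, raw_body).encode()
        for sig in presented:
            # compare_digest does not reveal where a mismatch occurs via timing
            matched |= hmac.compare_digest(expected, sig.encode())
    return matched

if __name__ == "__main__":
    key = b"constructed-connect-key"           # constructed sample values
    body = b'{"event":"envelope-completed","envelopeId":"constructed-id"}'
    good = {"X-DocuSign-Signature-1": compute_signature(key, body)}
    print(verify_webhook(good, body, [key]))           # genuine delivery
    print(verify_webhook(good, body + b" ", [key]))    # body altered in transit
    print(verify_webhook({}, body, [key]))             # header absent
```

Verify against the bytes exactly as received; re-serialising parsed JSON or XML before hashing changes the digest.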

Pmwiki can not acquire lock file

When I want to edit a page of my PmWiki, I get a screen containing this message:
PmWiki can't process your request
Cannot acquire lockfile
We are sorry for any inconvenience.
More information
Return to http://aim-bigfoot.uzh.ch/~morpho
The message in apache's error_log is
[Tue Aug 13 12:17:51.969802 2019] [php7:warn] [pid 28521] [client xxx.xxx.xxx.xxx:34994] PHP Warning: fopen(wiki.d/.flock): failed to open stream: Permission denied in /server2/home/morpho/public_html/wiki/pmwiki.php on line 579, referer: http://server1.loc.ch/~morpho/
If I delete .flock and try again, the same error is reported.
This happens for all pages in this particular pmwiki.
The permissions for the wiki.d directory
drwxrwxrwx. 2 morpho morpho 4096 Aug 13 12:17 /server2/home/morpho/public_html/pmwiki/wiki.d/
The security context for this directory:
drwxrwxrwx. morpho morpho unconfined_u:object_r:httpd_sys_rw_content_t:s0 /server2/home/morpho/public_html/pmwiki/wiki.d/
If I disable SELinux with sudo setenforce 0, the page can be edited.
I have a second pmwiki system with the same permissions and security contexts, differing only in the user name, where editing is not a problem.
How can I make this pmwiki editable (with enforced SELinux)?
This question is not about the PmWiki engine; it is about PHP write permissions on your server. The problem is that PHP is unable to create files in /wiki.d and probably other directories.
To pinpoint the problem, you can create a simple PHP script like:
<?php
touch( __DIR__ . '/test.file' );
?>
When executed, it should create the file /test.file, but on your server this will not work, and this is the real problem to solve.
I suggest asking your hosting provider's support for help to solve this problem.

MAMP permissions issue on Google Drive File System

I have recently installed Google Drive File System (Google's new Backup and Sync) on my Mac. It runs on /Volumes/GoogleDrive/
Looking to move all my local /dev/ to /Volumes/GoogleDrive/My\ Drive/dev/ to keep everything in sync in the cloud. So far so good.
Apache on MAMP won't recognize /Volumes/GoogleDrive/
[Wed Dec 20 14:22:38 2017] [error] [client ::1] File does not exist: /Volumes/GoogleDrive
So I created a symlink on the local drive hoping this would work. I get a 403 error now (Forbidden).
[Wed Dec 20 14:43:13 2017] [error] [client ::1] Symbolic link not allowed or link target not accessible: /Users/sergiupoenaru/Documents/dev
One more thing I noticed is that the permissions are 700 and I can't change them to anything else. I read somewhere on the web that you can't chmod an NTFS drive.
Any tips on either how to set the proper permissions or a workaround?
Upon upgrading to the latest MAMP, I could use the following PATH successfully:
<Directory "/Volumes/GoogleDrive/My Drive/dev/">

WebGate Configuration Problem

I have an instance of Oracle Access Manager set up on Server A and a copy of WebGate set up on Apache on Server B which should be working but isn't. When I try to access http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.cgi?progid=1 as specified in the directions after everything is set up, I get a web page that says:
No Response from Application Web Server
There was no response from the application web server for the page you requested.
Please notify the site's webmaster and try your request again later.
I get the same error message when accessing other pages which are set up to be protected by WebGate with LocationMatch in Apache's httpd.conf.
Also, I'm not getting any output in webgate/access/oblix/logs/oblog.log even though webgate/access/oblix/conf/oblog_config_wg.xml has the log level set to LOGLEVEL_TRACE.
Does anyone have thoughts on what config files to check that could be causing this problem?
Edit 1: I've found that when I access a page protected by WebGate, the Apache error_log has this:
[Thu Oct 8 09:44:23 2009] [notice] child pid 4970 exit signal Segmentation fault (11)
Edit 2: Also, for some reason, pages which are to be protected by WebGate don't trigger an update to Apache's access_log, even though they do return that error message.
Ah the joy of the webgate install. Here are the usual questions I ask myself:
Does the apache user also own the directory where webgate is installed?
Are you running this on an OS and Apache version verified by Oracle?
Is your httpd.conf correctly set up with the WebGate configs?
Did you put
LD_ASSUME_KERNEL=2.4.19
export LD_ASSUME_KERNEL
in your init.d/httpd file?
Are your clocks in sync between the Access server and the Apache host?
Reinstalling Webgate fixed the problem. Not sure what screwed it up.
I got
[2014-03-27T04:41:51.2101+05:30] [OHS] [NOTIFICATION:16] [OHS-9999] [core.c] [pid: 14931] [tid: 139749613860672] [user: root] [VirtualHost: main] child pid 14952 exit signal Segmentation fault (11)
along with
Directory does not exist for read/write [.../oracle/middleware/Oracle_WT1/log] []
in OHS_HOME/network/log/sqlnet.log
After changing the file permissions of the OHS directory appropriately, this issue got resolved for me.

gss_acquire_cred returning Key table entry not found error

I have been trying to follow the guidelines in this Microsoft article to authenticate against Apache with Kerberos and AD. I have successfully tested the communication between the Apache server and the AD server with kinit. However, when I attempt to access a restricted page on the server with IE, I get an Internal server error and the following appears in the Apache error log.
[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1483): [client 172.31.37.38] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1174): [client 172.31.37.38] Acquiring creds for HTTP/srvnfssol1.dev.local#DEV.LOCAL
[Wed Sep 24 14:18:15 2008] [error] [client 172.31.37.38] gss_acquire_cred() failed: Miscellaneous failure (see text) (Key table entry not found)
I have run a truss on the apache process and confirmed that it is in fact loading up the keytab file ok. I am wondering if there is something wrong with the format of the keytab file...
HTTP/srvnfssol1.dev.local#DEV.LOCAL
I am not sure what I am missing though. Or what other things to check.
Any suggestions?
Thanks
Peter
Ok. Keytabs are supposed to contain the Service principal name, in this case "HTTP/srvnfssol1.dev.local#DEV.LOCAL" and the encryption key. I see where the MS docs say just to echo that to a file, but I don't think that's right.
You'll need to use the ktpass utility to create the keytab. The MS docs are here.
In particular, you'll need to specify KRB5_NT_SRV_HST, and most of the rest of the options can be default.
Sample of it on my machine:
C:\>ktpass /out test.keytab /princ HTTP/srvnfssol1.dev.local#DEV.LOCAL
/ptype KRB5_NT_SRV_HST /pass *
Type the password for HTTP/srvnfssol1.dev.local:
Key created.
Output keytab to test.keytab:
Keytab version: 0x502
keysize 62 HTTP/srvnfssol1.dev.local#DEV.LOCAL
ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x1 (DES-CBC-CRC)
keylength 8 (0xa7f1fb38041c199e)
If the active directory server is the KDC, you'll need to use the /map <name> argument, where <name> is the computer account in active directory representing the server.
Some details on how all this works. When you browse to the website it should respond with a WWW-Authenticate: Negotiate header, and your browser will send a request to the KDC (active directory server) to get a kerberos ticket for the service. The AD server will look up the encryption key for the ticket using the service principal name, and send an encrypted service ticket back to the browser. Once the browser has the service ticket, it'll reissue the HTTP request with an authenticate header containing the ticket. The apache server will look up its key in the keytab, decrypt the ticket, and grant access.
The "key table entry not found" error happens because apache isn't finding itself in the keytab. Can also happen if the name resolution/realms aren't set up right.
You should be able to see all the kerberos requests AP-REQ/AP-REP/TGS-REQ/TGS-REP using wireshark on the client, tcp or udp port 88.
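To check which principals a keytab actually holds (the lookup that fails with "Key table entry not found"), here is an added example, not from the original answer, that parses the MIT keytab layout for format 0x502 and lists principal, key version and encryption type without returning key bytes. The sample keytab, its principal HTTP/web01.example.test@EXAMPLE.TEST and the function names are constructed.

```python
import io
import struct

def _counted(f):
    """Read one length-prefixed (16-bit big-endian) byte string."""
    (n,) = struct.unpack(">H", f.read(2))
    return f.read(n)

def keytab_principals(data):
    """List (principal, kvno, enctype) per entry of an MIT keytab, format 0x502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        f = io.BytesIO(data[pos:pos + size])
        (ncomp,) = struct.unpack(">H", f.read(2))
        realm = _counted(f).decode()
        name = "/".join(_counted(f).decode() for _ in range(ncomp))
        _ntype, _ts, kvno, etype = struct.unpack(">IIBH", f.read(11))
        _counted(f)                        # key bytes are skipped, never returned
        tail = f.read(4)
        if len(tail) == 4:                 # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack(">I", tail)[0] or kvno
        out.append((f"{name}@{realm}", kvno, etype))
        pos += size
    return out

def has_principal(data, spn):
    """True when the keytab holds an entry whose name matches `spn` exactly."""
    return any(name == spn for name, _, _ in keytab_principals(data))

def constructed_keytab():
    """Constructed one-entry keytab: name type 3, kvno 1, enctype 18, all-zero key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    entry = (struct.pack(">H", 2) + cs(b"EXAMPLE.TEST") + cs(b"HTTP")
             + cs(b"web01.example.test") + struct.pack(">IIBH", 3, 0, 1, 18)
             + cs(bytes(32)))
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

if __name__ == "__main__":
    print(keytab_principals(constructed_keytab()))
```

The match is exact, so a keytab created for the short host name or a different realm does not satisfy a request for the fully qualified principal.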