I'm setting up a virtual host for nagios with Apache 2.4 using mod_proxy_fcgi to forward php requests to php-fpm.
I wonder if it's the ProxyPassMatch that is keeping all of the local resources, including images, js and css, from loading when I go to 200.000.00:22222/nagios/index.php.
All of the resources are interpreted as Content-Type:text/html; charset=iso-8859-1 as shown in the response headers. They show a 403 Forbidden error, and the error log shows AH01630: client denied by server configuration.
/etc/httpd/conf.d/nagio.conf:
Listen 22222
<VirtualHost *:22222>
ServerName {IP}:22222
AddType image/jpeg jpeg jpg jpe
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
DocumentRoot "/usr/local/nagios"
<Directory "/usr/local/nagios/sbin">
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AllowOverride None
Require all granted
</Directory>
<LocationMatch "/nagios/((.*\.php)(/.*)?)$">
ProxyPassMatch "fcgi://localhost:9000/usr/local/nagios/share/$1"
</LocationMatch>
<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
You need a <Directory /usr/local/nagios> section that permits Apache to serve from that directory. Basically, you need one of these for every Alias or DocumentRoot that isn't under an existing one.
Usually you just need "require all granted" or "order deny,allow" (2.2.x and older) in the Directory section -- but check the ones for your existing DocumentRoots.
I need some advice on how to properly set up the vhosts file directives, preferably without changing the apache2.conf contents. This is for apache 2.4.
Currently, I get AH01797: client denied by server configuration probably caused by the Require all denied in the apache2.conf.
apache2.conf:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
Require all denied
</Directory>
vhosts file:
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerName sub.example.com
ServerAlias sub.example.com
<Directory /var/www/sub.example.com>
AllowOverride None
Allow from all
Require all granted
</Directory>
</VirtualHost>
</IfModule>
Thank you!
UPDATE
Adding this to the apache2.conf works, it just doesn't work in vhosts file. Any idea why?
<Directory /var/www/sub.example.com>
AllowOverride None
Allow from all
Require all granted
</Directory>
In 2.4, you shouldn't use Order, Deny, or Allow at all. Purge them and replace with Require.
UPDATE Adding this to the apache2.conf works, it just doesn't work in vhosts file. Any idea why?
Maybe the vhosts file isn't included in your configuration, or mod_ssl is not loaded so the whole thing is commented out? The IfModule doesn't make much sense here.
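An added example, not code from either thread above: a small Python lint for the two problems these answers name, a DocumentRoot/Alias/ScriptAlias target that no <Directory> section with "Require all granted" covers, and sections that mix 2.2 Order/Allow/Deny with 2.4 Require. It is a simplified model (no Include handling, no regex sections, no .htaccess); the function name audit and the sample text are assumptions made here.

```python
import re
import shlex
from pathlib import PurePosixPath
LEGACY = {"order", "allow", "deny", "satisfy"}              # 2.2-style access directives
SERVED = {"documentroot": 0, "alias": 1, "scriptalias": 1}  # index of the filesystem path

def audit(conf):
    """Hypothetical helper: list served paths with no granting <Directory>, and mixed sections."""
    served, done, stack, findings = [], [], [], []
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)\s*(.*?)>$", line)
        if tag and tag.group(1):                  # closing tag ends the innermost section
            if stack:
                done.append(stack.pop())
        elif tag:                                 # opening tag starts a new section
            stack.append({"kind": tag.group(2).lower(), "arg": tag.group(3).strip("\"'"),
                          "names": set(), "granted": False})
        else:
            name, rest = (line.split(None, 1) + [""])[:2]
            name = name.lower()
            args = shlex.split(rest) if name in SERVED else []
            if len(args) > SERVED.get(name, 0):
                served.append(args[SERVED[name]])
            if stack:
                stack[-1]["names"].add(name)
                if name == "require" and rest.lower().split() == ["all", "granted"]:
                    stack[-1]["granted"] = True
    dirs = [PurePosixPath(s["arg"]) for s in done if s["kind"] == "directory" and s["granted"]]
    for path in served:
        p = PurePosixPath(path)
        if not any(d == p or d in p.parents for d in dirs):
            findings.append(("no-grant", path))
    for s in done:
        if "require" in s["names"] and s["names"] & LEGACY:
            findings.append(("mixed-2.2-and-2.4", s["arg"]))
    return findings

# Constructed sample, condensed from the first question's vhost.
SAMPLE = """
<VirtualHost *:22222>
DocumentRoot "/usr/local/nagios"
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Require all granted
</Directory>
</VirtualHost>
"""
print(audit(SAMPLE))
```

A "no-grant" finding means only that no literal <Directory> section in the text grants access; it does not evaluate deeper sections that deny again.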
I'm trying to set up an apache2 server on debian jessie with multiple vhosts. I want each one of them to have a different FastCgiExternalServer. I'm using the php version from php5-fpm package on jessie with default /etc/php5/fpm configuration files.
Basic apache configuration is working fine :
<VirtualHost *:80>
ServerName lalala.org
DocumentRoot "/path/to/app/www"
<Directory "/path/to/app/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
Require all granted
</Directory>
FastCgiExternalServer /path/to/app/www -socket /var/run/php5-fpm.sock
AddHandler php-fcgi .php
Action php-fcgi /path/to/app/www
</VirtualHost>
However, I got 403 errors on .css, .js files. I read this article : http://whocares.de/fastcgiexternalserver-demystified/8/, but even with this configuration :
FastCgiExternalServer /path/to/app/www -socket /var/run/php5-fpm.sock
AddHandler php-fcgi .php
Action php-fcgi /virtualpath
Alias /virtualpath /path/to/app/fcgi-uri
(/path/to/app/fcgi-uri is a symlink to /path/to/app/www)
It doesn't work. It's as if I had a local problem but can't figure out what.
Thanks
EDIT :
I found a solution that makes fastcgi execution work :
<FilesMatch \.php$>
SetHandler "proxy:unix:/path/to/sock/socket.sock|fcgi://localhost"
</FilesMatch>
But I think this is more a workaround than a solution.
I cannot get allow and deny directives to work from an htaccess file within any directory in my web root. I am at a loss as to where I should look to configure this. I have checked the obvious (authz modules are loaded, allow overrides is set to all). Any ideas? Here are my configuration details.
I have an Apache 2.2 server running on RHEL. Within this server I have an IP based VirtualHost that is configured like this, where myipaddr and myserver are the actual IP address and host name respectively:
<VirtualHost myipaddr:80>
ServerName myserver
TransferLog /var/log/httpd/myserver.access
LogFormat loadbalanced
ErrorLog /var/log/httpd/myserver.error
DocumentRoot /var/www/myserver
<Directory /var/www/myserver>
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
I have tried more complex directives but even a simple .htaccess file that should deny everything has no effect.
Order deny,allow
Deny from all
It turns out there was a configuration file in /etc/httpd/conf.d that I did not realize was getting loaded and it was trumping the denies and allows within specific directories.
<Location />
Order allow,deny
Allow from all
<LimitExcept GET POST PUT DELETE>
Deny from all
</LimitExcept>
</Location>
Until recently, an internal Bugzilla install was working fine. Now, all requests to pages inside the http://example.com/bugzilla directory return 403/Forbidden. Pages outside that directory, for instance at http://example.com/test.html or http://example.com/test/index.html work as expected. This is the .htaccess file for the bugzilla directory, which is unchanged from the original:
# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
deny from all
</FilesMatch>
<IfModule mod_expires.c>
<IfModule mod_headers.c>
<IfModule mod_env.c>
<FilesMatch (\.js|\.css)$>
ExpiresActive On
# According to RFC 2616, "1 year in the future" means "never expire".
# We change the name of the file's URL whenever its modification date
# changes, so browsers can cache any individual JS or CSS URL forever.
# However, since all JS and CSS URLs involve a ? in them (for the changing
# name) we have to explicitly set an Expires header or browsers won't
# *ever* cache them.
ExpiresDefault "now plus 1 years"
Header append Cache-Control "public"
</FilesMatch>
# This lets Bugzilla know that we are properly sending Cache-Control
# and Expires headers for CSS and JS files.
SetEnv BZ_CACHE_CONTROL 1
</IfModule>
</IfModule>
</IfModule>
AddHandler cgi-script .cgi .pl
DirectoryIndex index.cgi
This is the .htaccess file for the directory above the bugzilla directory. This is the public_html web root:
DirectoryIndex index.html
This is the Apache configuration file for the site:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/default/public_html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/default/public_html>
DirectoryIndex index.cgi
AllowOverride Limit FileInfo Indexes
AddHandler cgi-script .cgi
Options Indexes FollowSymLinks MultiViews +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
Note that even non-Bugzilla static HTML files in that directory are affected. For instance, I create /bugzilla/test.html in VIM, then I try to access it in the browser and see that it is also returning 403/Forbidden. All files, both in and outside that directory, have the same user ubuntu and the same permissions 644. The bugzilla directory itself has permissions 755, as does its parent public_html.
No 'control panels' such as Plesk are installed on the server, all configuration is done in Apache config files. Why might Apache have decided that I may not be authorized to view the bugzilla directory? This is on a public webserver hosted in Amazon Web Services, on Ubuntu Server 12.04 LTS.
Check the error_log file, it usually has very detailed information about why it returns a 403 Forbidden.
(It looks like a debian server? If you post questions like this, always mention the OS.)
I suspect it to be a rights issue - wrong owner. For debian/ubuntu, the given folder and its files should be owned by user "www-data". For Centos/Redhat I believe it should be "nobody". Check it, change it if necessary.
sudo chown -R www-data:www-data test
NB: If you're unsure about changing rights, make a copy first. Change the owner of the copy, as copying in itself probably changes the owner. Or use rsync to make a copy of the folder, as rsync preserves owner and rights.
On a newly installed Centos 6.3
I imported the config from Ubuntu for a virtualhost. Here is the piece of config
DocumentRoot /otherhome/test.cofares.net
ServerName test.cofares.net
<Directory "/otherhome/test.cofares.net">
allow from all
Options +Indexes
</Directory>
On a request to http://test.cofares.net I get the following error in the error log:
Directory index forbidden by Options directive: /otherhome/test.cofares.net/
The directory index worked for a subdirectory: http://test.cofares.net/test is OK.
Any suggestions what is missing?
The same config works well with Ubuntu Server 12.04.
Try this. And make sure to restart apache after applying:
<Directory "/otherhome/test.cofares.net">
Options +Indexes FollowSymLinks
AllowOverride all
Order Allow,Deny
Allow from All
Satisfy All
</Directory>
And perhaps try this with Satisfy Any instead:
<Directory "/otherhome/test.cofares.net">
Options +Indexes FollowSymLinks
AllowOverride all
Order Allow,Deny
Allow from All
Satisfy Any
</Directory>
EDIT: Those didn’t seem to work? Then try this. Note I am setting up the whole <VirtualHost> directive & removed quotes from the <Directory> directive:
<VirtualHost *:80>
DocumentRoot /otherhome/test.cofares.net
ServerName test.cofares.net
<Directory /otherhome/test.cofares.net>
Options Indexes FollowSymLinks
Allow from All
</Directory>
</VirtualHost>
After digging a little I noticed that there is a global rule (in conf.d/welcome.conf) that prevents indexing the / directory of any virtual server.
By removing it, it is now OK.
Here is the rule that must be changed:
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /error/noindex.html
</LocationMatch>
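An added example, not code from the posts above: both the conf.d <Location /> thread and this welcome.conf thread come down to Apache merging <Location>/<LocationMatch> sections after <Directory> sections and .htaccess files, so a global file gets the last word. This Python sketch models that order for the section kinds seen on this page only (DirectoryMatch and Files are left out); the function names and "conf.d/EXTRA.conf" are assumptions, since that thread does not name the file.

```python
import re

def applies(kind, arg, url, fs_path):
    """True if a section of this kind and argument covers the request."""
    if kind == "locationmatch":
        return re.search(arg, url) is not None
    target = url if kind == "location" else fs_path     # directory/.htaccess use the file path
    return (target.rstrip("/") + "/").startswith(arg.rstrip("/") + "/")

def merge_order(sections, url, fs_path):
    """Applicable sections in Apache's merge order; later entries override earlier ones."""
    def key(item):
        i, (_, kind, arg, _) = item
        if kind in ("directory", "htaccess"):   # shortest path first, .htaccess after <Directory>
            return (0, len(arg.rstrip("/")), kind == "htaccess", i)
        return (1, 0, False, i)                 # Location/LocationMatch come last, in file order
    hits = [it for it in enumerate(sections) if applies(it[1][1], it[1][2], url, fs_path)]
    return [s for _, s in sorted(hits, key=key)]

def last_word(sections, group, url, fs_path):
    """(source, value) of the last merged section that sets `group`, else None."""
    setters = [(src, d[group]) for src, _, _, d in merge_order(sections, url, fs_path)
               if group in d]
    return setters[-1] if setters else None

# Constructed from the two threads; "conf.d/EXTRA.conf" is a placeholder file name.
HTACCESS_CASE = [
    ("conf.d/EXTRA.conf", "location", "/", {"access": "Order allow,deny; Allow from all"}),
    ("vhost", "directory", "/var/www/myserver", {"options": "-Indexes FollowSymLinks"}),
    ("/var/www/myserver/.htaccess", "htaccess", "/var/www/myserver",
     {"access": "Order deny,allow; Deny from all"}),
]
INDEX_CASE = [
    ("conf.d/welcome.conf", "locationmatch", "^/+$", {"options": "-Indexes"}),
    ("vhost", "directory", "/otherhome/test.cofares.net", {"options": "+Indexes"}),
]

if __name__ == "__main__":
    print(last_word(HTACCESS_CASE, "access", "/private/", "/var/www/myserver/private/"))
    print(last_word(INDEX_CASE, "options", "/", "/otherhome/test.cofares.net/"))
    print(last_word(INDEX_CASE, "options", "/test/", "/otherhome/test.cofares.net/test/"))
```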