Apache 2.4 mod_geoip DENY? - apache

This is my httpd.conf, as I followed step by step the readme file.
<IfModule geoip_module>
GeoIPEnable On
GeoIPEnableUTF8 On
GeoIPOutput Env
GeoIPScanProxyHeaders On
GeoIPDBFile GeoIP.dat
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
Deny from env=BlockCountry
</IfModule>
I get this when I start apache2.4
AH00526: Syntax error on line 560 of httpd.conf: deny not allowed here (Deny from env=BlockCountry)
What now? How do I deny access to the WHOLE server (not by vhosts/htaccess please)? Would be great if someday someone could write a proper readme/install procedure...
cheers.

The Deny directive is only valid in directory and htaccess context. It's not valid in server context.
Putting it into directory context is easy, though:
<Directory />
Deny from env=BlockCountry
</Directory>

Related

apache v2.4 remove old v2.2 'Deny from env=BlockCountry' directive

I protect my HTTP(s) vhosts with geoIP
<Directory /srv/www/vhosts>
MaxMindDBEnable On
MaxMindDBFile DB /usr/local/share/maxminddb/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code
SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN) BlockCountry
Deny from env=BlockCountry
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
1.) Am I correct that I mix v2.2 Deny from env=BlockCountry and v2.4 Require all granted directives here?
If yes, I searched the web to replace the Deny from env=BlockCountry with an Apache 2.4 alternative but cannot find one. How can I get rid of the old Deny directive?
2.) Am I correct that my GeoIP code in my apache2.conf works with these version-inconsistent directives just by some "luck", because I never set the order in which the rules (Require or Deny) come first, like I would do in v2.2 Apache with Order allow,deny?
3.) Require env BlockCountry works, but then all the blocked countries have access and all the others do not (I always test with VPN).
So I tried Require not env BlockCountry, but this leads to an error when I restart the Apache web server.
You could negate your rule.
Instead of
SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN) BlockCountry
Deny from env=BlockCountry
set:
SetEnvIf MM_COUNTRY_CODE ^(?!RU|CN|HK|IN) AllowCountry
Require env AllowCountry
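Added example (not part of the original question or answer): the blocklist from the question written with Apache 2.4 authorization directives only. A negated Require can veto a request but cannot grant one, which is why a bare Require not env BlockCountry is rejected at startup; it has to sit inside <RequireAll> next to a positive Require. Assumptions: mod_maxminddb, mod_setenvif and mod_authz_core are loaded, and the /srv/www/vhosts/admin directory and the 192.0.2.10 address are made up for illustration.

```apache
# Added example, not from the original post. Assumes mod_maxminddb,
# mod_setenvif and mod_authz_core are loaded. Paths and country codes are
# the ones from the question; /srv/www/vhosts/admin and 192.0.2.10 are
# made-up values for illustration.
<Directory /srv/www/vhosts>
    MaxMindDBEnable On
    MaxMindDBFile DB /usr/local/share/maxminddb/GeoLite2-Country.mmdb
    MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code

    # Anchored at both ends so only these exact ISO codes set the flag.
    SetEnvIf MM_COUNTRY_CODE ^(RU|CN|HK|IN)$ BlockCountry

    Options FollowSymLinks
    AllowOverride None

    # 2.2 form of the same policy (served by mod_access_compat on 2.4):
    #   Order allow,deny
    #   Allow from all
    #   Deny from env=BlockCountry
    # 2.4 form: "Require not" can veto but never grant, so it is paired
    # with a positive Require inside <RequireAll>.
    <RequireAll>
        Require all granted
        Require not env BlockCountry
    </RequireAll>
</Directory>

# A deeper section with its own Require replaces the parent's rules by
# default (AuthMerging Off), which would drop the country veto here.
# AuthMerging And keeps the parent's <RequireAll> and adds this rule.
<Directory /srv/www/vhosts/admin>
    AuthMerging And
    Require ip 192.0.2.10
</Directory>
```

Run apachectl configtest after the change, then test from both a blocked and an allowed location.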

Apache configuration - Point to a directory in Ubuntu 14.04

I have an Ubuntu 14.04 server with LAMP stack already installed.
I have a directory /home/alex/checkhtml which included some testing php and html.
What I want is when I access http://localhost/checkhtml , the content of /home/alex/checkhtml will be shown (actually /home/alex/checkhtml/index.html).
Here is what I did:
Go to: /etc/apache2/conf-available and create apache-php.conf file
Add these lines to apache-php.conf:
Alias ^/php "/home/alex/php"
<Directory /home/alex/php>
Order allow,deny
Require all granted
</Directory>
Go to /home/alex/checkhtml and create .htaccess and add these lines:
<FilesMatch ".">
Allow from all
</FilesMatch>
Enable apache-php.conf and restart apache
However, when I tried http://localhost/checkhtml , this error appears:
The requested URL /checkhtml was not found on this server.
Does anyone know what I did wrong here ?
Thank you and best regards.
Alex
You should use the Alias directive for exact URL matching. If you want to use regex matching then use the AliasMatch directive:
AliasMatch "^/checkhtml" "/home/alex/checkhtml"
<Directory /home/alex/checkhtml>
Require all granted
</Directory>

httpd-xampp.conf: How to allow access to an external IP besides localhost?

I haven't found the right answer that works for me in other questions.
This is how the httpd-xampp.conf looks like originally:
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
What should I do if I want to add another IP address besides the Require local?
For example, below Require local I have tried the following:
allow from xxx.xxx.xxx.xx
That is to say:
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
allow from xxx.xxx.xxx.xx
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
But it still blocks the access to that external IP.
How do I fix this?
How can I add more IP addresses to allow them access?
I am using XAMPP 5.6.3 under a Windows environment.
allow from all will not work along with Require local. Instead, try Require ip xxx.xxx.xxx.xx
For Example:
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
Require local
Require ip 10.0.0.1
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
I tried this and it works. Be careful though. This means that anyone in your LAN can access it. Deepak Naik's answer is safer.
#
# New XAMPP security concept
#
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
# Require local
Require all granted
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
<Directory "C:/xampp/">
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
Require all granted
</Directory>
This is what I added at the end of the file \xampp\apache\conf\extra\httpd-xampp.conf, before tag
Add below code in to file d:\xampp\apache\conf\extra\httpd-xampp.conf:
<IfModule alias_module>
...
Alias / "d:/xampp/my/folder/"
<Directory "d:/xampp/my/folder">
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
Require all granted
</Directory>
Above config can access from http://127.0.0.1/
Note: someone suggested replacing Require local with Require all granted, but it did not work for me
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
# Require local
Require all granted
ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch>
For Ubuntu xampp,
Go to /opt/lampp/etc/extra/
and open httpd-xampp.conf file and add below lines to get remote access,
Order allow,deny
Require all granted
Allow from all
in /opt/lampp/phpmyadmin section.
And restart lampp using, /opt/lampp/lampp restart
<LocationMatch "^/(?i:(?:xampp|licenses|phpmyadmin|webalizer|server-status|server-info))">
Order deny,allow
Deny from all
Allow from all
Allow from ::1 127.0.0.0/8
ErrorDocument 403 /error/HTTP_XAMPP_FORBIDDEN.html.var
</LocationMatch>
add to txt file > httpd-xampp.conf
<Directory "E:/xampp/phpMyAdmin/">
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
Require all granted
</Directory>
In Windows, all you have to do is go to Windows search and open Allow an app through Windows Firewall. Click on Allow another app, select Apache and mark both public and private. Open cmd by pressing Windows button+R and writing cmd, then in cmd write ipconfig to find out your IP. Then open up your browser and write down your IP, http://172.16..x, and you will be on the XAMPP startup page. If you want to access your local site, simply put / in front of your IP, e.g. http://192.168.1.x/yousite. Now you are able to access your website from computers on the private network.
I hope this will resolve your problem.
Open for new app "HTTPD" (Apache server) in your Firewall
Take a look at this: https://www.youtube.com/watch?v=eqgUGF3NnuM

You don't have permission to access / on this server

I have CentOS 6.1 server and I installed apache 2.2.15 on it.
Now when I try to access it from another PC (Windows 7) from IE (http:/// (=centos ip)) I get the "You don't have permission to access / on this server." error. I even created a phpinfo.php file with content of "" on "var/www/html" and when I try to access it by using "http://*/phpinfo.php" in IE, I get a not found error. What should I do?
My httpd.conf for the directory is like this:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Edit httpd.conf file, which is in /etc/httpd/conf/httpd.conf. Add the below code.
<Directory "/">
#Options FollowSymLinks
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride None
Allow from all
</Directory>
<Directory "/home/">
#Options FollowSymLinks
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride None
Allow from all
</Directory>
After line no. 555 (in my case). Check the file permissions and restart the server.
service httpd restart
Now it will work. If you are still facing the same problem, disable SELinux: in /etc/selinux/config change to SELINUX=disabled, restart the server as mentioned above and try it.
Hope this helps
Set SELinux in Permissive Mode using the command below:
setenforce 0;
Check file permissions of the /var/www/html and the ALLOW directive in your apache conf
Make sure all files are readable by the webserver and the allow directive is like
<Directory "/var/www/html">
Order allow,deny
Allow from all
</Directory>
If you can see files then consider sorting the directive to be more restrictive.
First check that Apache is running. Use service httpd restart for restarting.
CentOS 6 comes with SELinux activated, so either change the policy or disable it by editing /etc/sysconfig/selinux and setting SELINUX=disabled. Then restart.
Then check locally (from centos) if apache is working.
Try to use the following:
chmod +rx /home/*
If you set SELinux in permissive mode (command setenforce 0) and it works (worked for me), then you can run restorecon (sudo restorecon -Rv /var/www/html/), which sets the correct context on the files in the Apache directory permanently, because setenforce is temporary. The context for Apache is httpd_sys_content_t and you can verify it by running the command ls -Z /var/www/html/, which outputs something like:
-rwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 index.html
In case the file does not have the right context, something like this appears:
drwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 tests
Hope it can help you.
PS: excuse my English
Create index.html or index.php file in root directory (in your case - /var/www/html, as #jabaldonedo mentioned)
Right click your www folder and click on properties. Navigate to permissions and change all to read and write, then click on "Apply permission to enclosed files" and you are done!!
Maybe its too late but this will definitely help some other person
Check the apache User and Group setting in the httpd.conf. It should default to apache on AMI/RedHat or www-data on Debian.
grep '^Group\|^User' /etc/httpd/conf/httpd.conf
Then add the apache user to the group setting of your site's root directory.
sudo usermod -a -G <your-site-root-dir-group> apache
try to edit httpd.conf
<Directory "/usr/local/www/apache24/cgi-bin">
Options Indexes FollowSymLinks Includes ExecCGI
Require all granted
</Directory>
For CentOS 8 your /etc/httpd/conf.d/awstats.conf file needs to look like this, and you need to stick in your IP address and restart your httpd service unless you want the whole world to have access to it!
#
# Directives to add to your Apache conf file to allow use of AWStats as a CGI.
# Note that path "/usr/share/awstats/" must reflect your AWStats install path.
#
Alias /awstatsclasses "/usr/share/awstats/wwwroot/classes/"
Alias /awstatscss "/usr/share/awstats/wwwroot/css/"
Alias /awstatsicons "/usr/share/awstats/wwwroot/icon/"
ScriptAlias /awstats/ "/usr/share/awstats/wwwroot/cgi-bin/"
#
# This is to permit URL access to scripts/files in AWStats directory.
#
<Directory "/usr/share/awstats/wwwroot">
Options None
AllowOverride None
<IfModule mod_authz_core.c>
# Apache 2.4
<RequireAny>
Require ip <Your IP Address here>
</RequireAny>
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Allow from <Your IP address here>
Allow from ::1
</IfModule>
</Directory>
# Additional Perl modules
<IfModule mod_env.c>
SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
</IfModule>
Remember that if your IP address changes you need to update the file and restart the httpd server. BTW you can see your IP address as it looks from the outside by simply googling "my ip"
Set Require all granted in /etc/httpd/conf/httpd.conf

Apache: client denied by server configuration

I am getting
[Tue Apr 24 12:12:55 2012] [error] [client 127.0.0.1] client denied by server configuration: /labs/Projects/Nebula/bin/
My directory structure looks like (I am using Symfony 2, should be similar structure for other web frameworks)
I have vhosts setup like:
<VirtualHost nebula:80>
DocumentRoot "/labs/Projects/Nebula/web/"
ServerName nebula
ErrorLog "/var/log/httpd/nebula-errors.log"
</VirtualHost>
<Directory "/labs/Projects/Nebula/">
Options All
AllowOverride All
Order allow,deny
Allow from 127.0.0 192.168.1 ::1 localhost
</Directory>
I wonder what's the problem and how do I fix it?
Apache 2.4.3 (or maybe slightly earlier) added a new security feature that often results in this error. You would also see a log message of the form "client denied by server configuration". The feature is requiring an authorized user identity to access a directory. It is turned on by DEFAULT in the httpd.conf that ships with Apache. You can see the enabling of the feature with the directive
Require all denied
This basically says to deny access to all users. To fix this problem, either remove the denied directive (or much better) add the following directive to the directories you want to grant access to:
Require all granted
as in
<Directory "your directory here">
Order allow,deny
Allow from all
# New directive needed in Apache 2.4.3:
Require all granted
</Directory>
OK I am using the wrong syntax, I should be using
Allow from 127.0.0.1
Allow from ::1
...
In Apache 2.4 the old access authorisation syntax has been deprecated and replaced by a new system using Require.
What you want then is something like the following:
<Directory "/labs/Projects/Nebula/">
Options All
AllowOverride All
<RequireAny>
Require local
Require ip 192.168.1
</RequireAny>
</Directory>
This will allow connections that originate either from the local host or from ip addresses that start with "192.168.1".
There is also a new module available that makes Apache 2.4 recognise the old syntax if you don't want to update your configuration right away:
sudo a2enmod access_compat
I had this issue using Vesta CP and for me, the trick was to remove .htaccess and try to access any file again.
That resulted in regeneration of the .htaccess file and then I was able to access my files.
Can you try changing "Allow from 127.0.0 192.168.1 ::1 localhost" to "Allow from all".
If that fixes your problem, you need to be less restrictive about where content can be requested from
Here's my symfony 1.4 virtual host file on debian, which works fine.
<Directory /var/www/sf_project/web/>
Options All Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
If you want to restrict access to a specific IP range, e.g. localhost, use this:
Allow from 127.0.0.0/8
The mod_authz_host is responsible for filtering ip ranges. You can look up detailed things in there.
But maybe the problem could be related to some kind of misconfiguration in your "apache2.conf".
On what OS is the apache running?
If you are having the
Allow from All
in httpd.conf then make sure you have
index.php
like in the below line in httpd.conf
DirectoryIndex index.html index.php
In my case the key was:
AllowOverride All
in vhost definition.
I hope it helps someone.
This code worked for me..
<Location />
Allow from all
Order Deny,Allow
</Location>
Hope this helps others