Apache 2.4.6 on Ubuntu Server: Client denied by server configuration (PHP FPM) [While loading PHP file] - apache

Today I was updated Ubuntu server 13.04 (Raring Ringtail) → 13.10 (Saucy Salamander).
And my Apache 2 installation is broken.
Here my configuration:
File error.log
[Fri Oct 18 10:48:07.237170 2013] [:notice] [pid 8292:tid 139804677900160] FastCGI: process manager initialized (pid 8292)
[Fri Oct 18 10:48:07.241185 2013] [mpm_event:notice] [pid 8289:tid 139804677900160] AH00489: Apache/2.4.6 (Ubuntu) mod_fastcgi/mod_fastcgi-SNAP-0910052141 configured -- resuming normal operations
[Fri Oct 18 10:48:07.241652 2013] [core:notice] [pid 8289:tid 139804677900160] AH00094: Command line: '/usr/sbin/apache2'
[Fri Oct 18 10:48:28.313923 2013] [authz_core:error] [pid 8294:tid 139804573181696] [client 81.219.59.75:3536] AH01630: client denied by server configuration: /usr/lib/cgi-bin/php5-fcgi
File default.conf
#EU
<VirtualHost *:80>
#ServerName
DocumentRoot /var/www/dev_stable
DirectoryIndex index.php index.html index.htm
<Directory /var/www/dev_stable>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Require all granted
</Directory>
</VirtualHost>
File mods-enabled/fastcgi.conf
#<IfModule mod_fastcgi.c>
# AddHandler fastcgi-script .fcgi
# FastCgiWrapper /usr/lib/apache2/suexec
# FastCgiIpcDir /var/lib/apache2/fastcgi
#</IfModule>
<IfModule mod_fastcgi.c>
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
</Ifmodule>
When I trying to load the file via the browser I got:
site_name/TEST/
Forbidden
You don't have permission to access /php5-fcgi/TEST/index.php on this server.
What should I to fix it?

I have exactly the same issue. I ran a couple of virtual hosts on my local machine for developing.
First, I changed /etc/apache2/conf-available/php5-fpm.conf. I replaced every
Order Deny,Allow
Deny from all
to
Require all granted
The configuration has to be enabled by a2enconf php5-fpm. I did the same with my virtual hosts configurations and made the replacements.
I think this is not advised for security reasons, but as long as I use my server for local purposes only I can live with it.

I ran into this exact issue upon a new install of Apache 2.4. After a few hours of googling and testing I finally found out that I also had to allow access to the directory that contains the (non-existent) target of the Alias directive. That is, this worked for me:
# File: /etc/apache2/conf-available/php5-fpm.conf
<IfModule mod_fastcgi.c>
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
# NOTE: using '/usr/lib/cgi-bin/php5-cgi' here does not work,
# it doesn't exist in the filesystem!
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
</Ifmodule>

I ran into a similar problem today (but with mod_wsgi). It might be an Apache 2.2-to-2.4 problem. A comprehensive list of changes can be found here.
For me, it helped to add an additional <Directory>-entry for every path the error-log was complaining about and filling the section with Require all granted.
So in your case you could try
<Directory /usr/lib/cgi-bin/php5-fcgi>
Require all granted
Options FollowSymLinks
</Directory>
and I had to move my configuration file from folder conf.d to folder sites-enabled.
All in all, that did the trick for me, but I don't guarantee it works in your case as well.

I recently ran into the same problem. I had to change my virtual hosts from:
<VirtualHost *:80>
ServerName local.example.com
DocumentRoot /home/example/public
<Directory />
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
To:
<VirtualHost *:80>
ServerName local.example.com
DocumentRoot /home/example/public
<Directory />
Options All
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

In apache2.conf, replace or delete <Directory /> AllowOverride None Require all denied </Directory>, like suggested Jan Czarny.
For example:
<Directory />
Options FollowSymLinks
AllowOverride None
#Require all denied
Require all granted
</Directory>
This worked in Ubuntu 14.04 (Trusty Tahr).

Your virtualhost filename should be mysite.com.conf and should contain this info
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName mysite.com
ServerAlias www.mysite.com
ServerAdmin info#mysite.com
DocumentRoot /var/www/mysite
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory "/var/www/mysite">
Options All
AllowOverride All
Require all granted
</Directory>
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I don't think that replacing "Require all denied" with "Require all granted" in this directive:
<Directory>
Options FollowSymLinks
AllowOverride None
#Require all denied
Require all granted
</Directory>
as suggested by Jan Czarny and seonded by user3801675 is the most secure way of solving this problem.
According to the Apache configuration files, that line denies access to the entirety of your server's filesystem. Replacing it might indeed allow access to your virtual host folders but at the price of allowing access to your entire computer as well!
Gev Balyan's approach seems to be the most secure approach here. It was the answer to the "access denied problems" plaguing me after setting up my new Apache server this morning.

And I simply got this error because I used a totally different DocumentRoot directory.
My main DocumentRoot was the default /var/www/html
and on the VirtualHost I used /sites/example.com
I have created a link on /var/www/html/example.com (to /sites/example.com).
DocumentRoot was set to /var/www/html/example.com
It worked like a charm.

I had the same issue after upgrading my system.
In my case, the problem was caused by the order of loading configuration files.
In the /etc/httpd/httpd.confinitally it was defined as follows:
IncludeOptional conf.d/*.conf
IncludeOptional sites-enabled/*.conf
After some hours of attempts, I tried the following order:
IncludeOptional sites-enabled/*.conf
IncludeOptional conf.d/*.conf
And it works fine now.

I had the following configuration in my httpd.conf that denied executing the wpadmin/setup-config.php file from wordpress. Removing the |-config part solved the problem.
I think this httpd.conf is from plesk but it could be some default suggested config from wordpress, i don't know. Anyway, I could safely add it back after the setup finished.
<LocationMatch "(?i:(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html)))">
Require all denied
</LocationMatch>

For those of you on AWS (Amazon Web Services), remember to add a rule for your SSL port (in my case 443) to your security groups. I was getting this error because I forgot to open the port.
3 hours of tearing my hair out later...

Related

Apache 2 Forbidden 403 Error despite "Require all granted"

I am getting the apparently infamous apache 2 forbidden error #403, and I tried following the guides on the subject, but none seem to be working.
I am using Ubuntu Server and Apache 2.4.41
My website structure looks like /var/www/html/index.html
My apache2.conf [/etc/apache2/apache2.conf]:
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/html>
Order allow,deny
Allow from all
Require all granted
</Directory>
My vhosts.conf [/etc/apache2/sites-available/000-default.conf]:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
Require all granted
</Directory>
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
From an Apache standpoint, your configuration seems ok.
Please verify the permissions on your /var/www/html directory. The user that runs Apache should have at least read and traversal (x) permission.
I gave the user running Apache2 permissions to the /var/www/html folder, and was then able to access the website.
Here is a URL with several permissions, I don't know specifically which one was responsible, but I believe it was sudo chmod g+w /var/www/html
https://askubuntu.com/questions/767504/permissions-problems-with-var-www-html-and-my-own-home-directory-for-a-website

apache + symlinks = 403

So I've been reading up a lot on the subject but can't figure out what I'm doing wrong, I also tried a couple solutions found here but still...
I have multilple vhosts set up with Apache, everything working fine serving different files from both /home/usr1/html and /home/usr2/html.
Now I symlinked /home/usr1/html/thisfolder to /home/usr2/html/thatfolder, double checked the FollowSymlinks option is enabled both in apache2.conf and in vhost.conf, but I'm getting a 403 Error.
Why should this be about permits? I mean, www-data can read without any problem from both folders, how is it that when symlinked it just doesn't?
Thanks
EDIT:
Error returned by Apache: (notice the missing script filename, only extension is provided)
[Wed Apr 20 12:13:11.297208 2016] [authz_core:error] [pid 19883] [client 192.168.0.1:12345] AH01630: client denied by server configuration: /home/usr2/html/thatfolder/.php
Virtual Host conf file:
<VirtualHost *:80>
ServerName server.domain.lan
ServerAdmin adm#lan
DocumentRoot /home/usr2/html
<Directory /home/usr2/html>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Directory /home/usr1/html/thisfolder> // original folder
Require all granted
</Directory>
</VirtualHost>

Local resources (images/js/css) not showing in Virtual Host

I'm setting up a virtual host for nagios with Apache 2.4 using mod_proxy_fcgi to forawrd php requests to php-fpm.
I wonder if it's the ProxyPassMatch that is making all of the local resources including images,js,css won't load when I go to 200.000.00:22222/nagios/index.php.
All of the resources are interpreted as Content-Type:text/html; charset=iso-8859-1 as shown in the response headers. They show 403 Forbidden error and in the error log it shows AH01630: client denied by server configuration.
/etc/httpd/conf.d/nagio.conf:
Listen 22222
<VirtualHost *:22222>
ServerName {IP}:22222
AddType image/jpeg jpeg jpg jpe
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
DocumentRoot "/usr/local/nagios"
<Directory "/usr/local/nagios/sbin">
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AllowOverride None
Require all granted
</Directory>
<LocationMatch "/nagios/((.*\.php)(/.*)?)$">
ProxyPassMatch "fcgi://localhost:9000/usr/local/nagios/share/$1"
</LocationMatch>
<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
You need a <Directory /usr/local/nagios> section that permits Apache to serve from that directory. Basically, you need one of these for every Alias or DocumentRoot that isn't under an existing one.
Usually you just need "require all granted" or "order deny,allow (2.2.x and older) in the Directory section -- but check the ones for your existing DocumentRoot's

Apache in Debian Jessie - still get message You don't have permission to access / on this server

The same virtual config i apache wheezy works right.
For example:
ServerName lgbs
ServerAlias www.lgbs
DocumentRoot /home/vdomain/app/web
SetEnv APPLICATION_ENV "development"
<Directory /home/vdomain/app/web>
# enable the .htaccess rewrites
AllowOverride All
Order allow,deny
Allow from All
</Directory>
But on Debian testing 'Jessie' i still get message:
Forbidden You don't have permission to access / on this server.
Apache/2.4.9 (Debian) Server at test Port 80
Of course a check file permision and i set rwx for evryones and owner and group is www-data.
Thanks for help
This drove me crazy for a couple of hours. Apparently in 2.4.9 ( I upgraded from 2.2.2 ) there is a "Require all granted" that you need to add to each directory.
In my http.conf:
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
So basically what I had to do was:
<Directory "/Users/johndoe/Sites">
Require all granted
</Directory>

apache + fastcgi + fpm Why is suexec required?

So I have the following WORKING virtualhost:
<VirtualHost 192.168.128.20:80>
ServerName euclid.domain.tld
#LogLevel debug
ErrorLog /var/www/euclid/logs/error_log
SuexecUserGroup fastcgi www_euclid
FastCgiExternalServer /var/www/euclid/htdocs/cgi-bin -socket /var/run/php-fpm/euclid.sock -user fastcgi -group www_euclid
AddHandler php-fastcgi .php
Action php-fastcgi /cgi-bin
Alias /cgi-bin /var/www/euclid/htdocs/cgi-bin
<Location /cgi-bin>
Order Deny,Allow
Deny from All
# Prevent accessing this path directly
Allow from env=REDIRECT_STATUS
Options +ExecCGI +FollowSymLInks +SymLinksIfOwnerMatch
</Location>
DocumentRoot /var/www/euclid/htdocs
<Directory /var/www/euclid/htdocs>
AllowOverride all
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
What I cant seem to figure out is why I need to have either/both SuexecUserGroup fastcgi www_euclid and FastCgiExternalServer with the -user fastcgi -group www_euclid flags. FPM has pooling enabled and each pool is running under its own user/group. This works correctly, no issue. If i remove SuexecUserGroup and/or the -user fastcgi -group www_euclid arguments, I get the following error and I have no idea why. Additionally what uid and gid is used to access the socket file by fastcgi? Its certainly not fastcgi:ww_euclid.
(13)Permission denied: FastCGI: failed to connect to server
"/var/www/euclid/htdocs/cgi-bin": connect() failed FastCGI:
incomplete headers (0 bytes) received from server
"/var/www/euclid/htdocs/cgi-bin"
Ok I believe I have figured out what the problem was. The simple answer is; mod_fastcgi sucks. Its old, unmaintained and poorly documented. Why it keeps coming up when looking up how to run php-fpm is beyond me. Save your self the headache and just don't use it!
The real solution is rather simple:
<VirtualHost 192.168.128.20:80>
ServerName euclid.domain.tld
#LogLevel debug
ErrorLog /var/www/euclid/logs/error_log
<IfDefine PROXY>
#If you want to use mod_proxy (Probably the best option)
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/var/www/euclid/htdocs/$1
</IfDefine>
<IfDefine FASTCGI_HANDLER>
#If you want to use mod_fastcgi_handler (3rd party)
AddHandler fcgi:/var/run/php-fpm-euclid.sock .php
</IfDefine>
DocumentRoot /var/www/euclid/htdocs
<Directory /var/www/euclid/htdocs>
AllowOverride all
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Were you by chance using SELinux? I encountered a similar problem that was caused by an SELinux security policy that prevented Apache from connecting to Django's fastcgi socket. Running setenforce Permissive allowed it to work.