Until recently, an internal Bugzilla install was working fine. Now, all requests to pages inside the http://example.com/bugzilla directory return 403/Forbidden. Pages outside that directory, for instance at http://example.com/test.html or http://example.com/test/index.html work as expected. This is the .htaccess file for the bugzilla directory, which is unchanged from the original:
# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
deny from all
</FilesMatch>
<IfModule mod_expires.c>
<IfModule mod_headers.c>
<IfModule mod_env.c>
<FilesMatch (\.js|\.css)$>
ExpiresActive On
# According to RFC 2616, "1 year in the future" means "never expire".
# We change the name of the file's URL whenever its modification date
# changes, so browsers can cache any individual JS or CSS URL forever.
# However, since all JS and CSS URLs involve a ? in them (for the changing
# name) we have to explicitly set an Expires header or browsers won't
# *ever* cache them.
ExpiresDefault "now plus 1 years"
Header append Cache-Control "public"
</FilesMatch>
# This lets Bugzilla know that we are properly sending Cache-Control
# and Expires headers for CSS and JS files.
SetEnv BZ_CACHE_CONTROL 1
</IfModule>
</IfModule>
</IfModule>
AddHandler cgi-script .cgi .pl
DirectoryIndex index.cgi
This is the .htaccess file for the directory above the bugzilla directory. This is the public_html web root:
DirectoryIndex index.html
This is the Apache configuration file for the site:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/default/public_html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/default/public_html>
DirectoryIndex index.cgi
AllowOverride Limit FileInfo Indexes
AddHandler cgi-script .cgi
Options Indexes FollowSymLinks MultiViews +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
Note that even non-Bugzilla static HTML files in that directory are affected. For instance, I create /bugzilla/test.html in VIM, then I try to access it in the browser and see that it is also returning 403/Forbidden. All files, both in and outside that directory, have the same user ubuntu and the same permissions 644. The bugzilla directory itself has permissions 755, as does its parent public_html.
No 'control panels' such as Plesk are installed on the server, all configuration is done in Apache config files. Why might Apache have decided that I may not be authorized to view the bugzilla directory? This is on a public webserver hosted in Amazon Web Services, on Ubuntu Server 12.04 LTS.
Check the error_log file, it usually has very detailed information about why it returns a 403 Forbidden.
(It looks like a debian server? If you post questions like this, always mention the OS.)
I suspect it to be a rights issue - wrong owner. For Debian/Ubuntu, the given folder and its files should be owned by user "www-data". For CentOS/Red Hat I believe it should be "nobody". Check it, change it if necessary.
sudo chown -R www-data:www-data test
NB: If you're unsure about changing rights, make a copy first. Change the owner of the copy, as copying in itself probably changes the owner. Or use rsync to make a copy of the folder, as rsync preserves owner and rights.
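As an added illustration of the "check the error_log" advice (not code from any poster here), the small parser below reads Apache 2.2- and 2.4-style error-log lines, recognises the messages Apache writes for a 403 (including the AH01630 "client denied by server configuration" one mentioned further down this page), and pairs each with the fix the answers on this page point at. The log lines are constructed samples; the cause-to-fix mapping is my own summary.

```python
import re
from typing import Dict, List

# Common prefix of Apache 2.2 ("[date] [level] [client IP]") and
# 2.4 ("[date] [module:level] [pid N] [client IP:PORT]") error-log lines.
_LINE = re.compile(
    r"^\[[^\]]+\] \[[^\]]+\](?: \[pid [^\]]+\])? \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
# Messages Apache logs for a 403, each paired with the fix it points at
# (the pairing is my own summary of the answers on this page).
_CAUSES = [
    (re.compile(r"client denied by server configuration: (?P<path>\S+)"),
     "no <Directory> section grants access: add Require all granted / Allow from all"),
    (re.compile(r"Options ExecCGI is off in this directory: (?P<path>\S+)"),
     "script directory lacks Options +ExecCGI"),
    (re.compile(r"\(13\)Permission denied:.*?access to (?P<path>\S+) denied"),
     "filesystem ownership/permissions: check chown (e.g. www-data) and chmod"),
    (re.compile(r"Directory index forbidden by Options directive: (?P<path>\S+)"),
     "no DirectoryIndex file present and Options Indexes is off"),
]

def explain_403(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per recognised 403 line: client, path and the likely fix."""
    findings = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # startup notices etc. carry no [client] field
        client = m.group("client")
        if client.count(":") == 1:  # IPv4 with a 2.4-style port suffix
            client = client.split(":")[0]
        for pattern, hint in _CAUSES:
            c = pattern.search(m.group("msg"))
            if c:
                findings.append({"client": client, "path": c.group("path"), "hint": hint})
                break
    return findings

# Constructed sample: one 2.4-style line, then 2.2-style lines (Ubuntu 12.04 ships 2.2).
SAMPLE_LOG = """\
[Tue Mar 10 12:00:00.123456 2015] [authz_core:error] [pid 1234] [client 10.0.0.5:51234] AH01630: client denied by server configuration: /usr/local/nagios/share/images/logo.png
[Tue Mar 10 12:00:01 2015] [error] [client 10.0.0.5] Options ExecCGI is off in this directory: /var/www/default/public_html/bugzilla/index.cgi
[Tue Mar 10 12:00:02 2015] [error] [client 10.0.0.5] (13)Permission denied: access to /bugzilla/test.html denied
[Tue Mar 10 12:00:03 2015] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations
"""

if __name__ == "__main__":
    for f in explain_403(SAMPLE_LOG):
        print(f"{f['client']} -> {f['path']}: {f['hint']}")
```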
I'm setting up a virtual host for Nagios with Apache 2.4 using mod_proxy_fcgi to forward PHP requests to php-fpm.
I wonder if it's the ProxyPassMatch that is stopping all of the local resources (images, js, css) from loading when I go to 200.000.00:22222/nagios/index.php.
All of the resources are interpreted as Content-Type:text/html; charset=iso-8859-1 as shown in the response headers. They show a 403 Forbidden error, and in the error log it shows AH01630: client denied by server configuration.
/etc/httpd/conf.d/nagio.conf:
Listen 22222
<VirtualHost *:22222>
ServerName {IP}:22222
AddType image/jpeg jpeg jpg jpe
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
DocumentRoot "/usr/local/nagios"
<Directory "/usr/local/nagios/sbin">
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AllowOverride None
Require all granted
</Directory>
<LocationMatch "/nagios/((.*\.php)(/.*)?)$">
ProxyPassMatch "fcgi://localhost:9000/usr/local/nagios/share/$1"
</LocationMatch>
<Directory "/usr/local/nagios/share">
Options None
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
You need a <Directory /usr/local/nagios> section that permits Apache to serve from that directory. Basically, you need one of these for every Alias or DocumentRoot that isn't under an existing one.
Usually you just need "Require all granted" or "Order deny,allow" (2.2.x and older) in the Directory section -- but check the ones for your existing DocumentRoots.
I am trying to setup a site with mod_autoindex and FancyIndexing that places my custom header above the directory listing. The problem that I am running into is that my system is acting as though my HEADER.html doesn't exist regardless of whether I tell it to use the one in the current directory or one in a fixed location like /repos/HEADER.html.
The config file autoindex.conf has
ReadmeName README.html
HeaderName HEADER.html
in it, and I also tried adding these lines to the /repo directory section of my vhost, but nothing changed. This setup is on CentOS 6.6 using Apache 2.4.6 and PHP 5.4.16 from CentOS's scl repo. Below is a copy of my vhost config for reference. Any help or suggestions would be greatly appreciated.
<VirtualHost 10.0.2.15:8080>
ServerName reflector.localdomain
## Vhost docroot
DocumentRoot "/opt/rh/httpd24/root/var/www/html"
## Alias declarations for resources outside the DocumentRoot
Alias /icons "/opt/rh/httpd24/root/usr/share/httpd/icons"
## Directories, there should at least be a declaration for /opt/rh/httpd24/root/var/www/html
<Directory "/opt/rh/httpd24/root/var/www/html">
Options FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
<Directory "/opt/rh/httpd24/root/var/www/html/repos">
Options Indexes FollowSymLinks MultiViews
IndexOptions FancyIndexing FoldersFirst IgnoreCase SuppressDescription VersionSort XHTML
AllowOverride None
Require all granted
DirectoryIndex disabled
</Directory>
## Logging
ErrorLog "/var/log/httpd24/MainSite_error.log"
ServerSignature Off
CustomLog "/var/log/httpd24/MainSite_access.log" combined
## Custom fragment
ProxyPassMatch "^/(.*\.php(/.*)?)$" "fcgi://127.0.0.1:9000/opt/rh/httpd24/root/var/www/html/$1"
</VirtualHost>
It turns out that mod_mime is needed for this. All I had to do was add include ::apache::mod::mime to my Puppet manifest and voilà, it worked. I have verified this on the original setup of CentOS 6 + scl and on CentOS 7.
I work with WAMP Server for my job. Today I modified httpd.conf to point directly to the directory. Since I removed this block, WAMP Server doesn't go online; after I changed it back to the previous state and restarted WAMP, it's still offline. I use Windows 7 and Apache version 2.4.7.
<Directory C:\wamp\www\Zend\workspaces\test\public>
DirectoryIndex index.php
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Could you try this?
DocumentRoot "C:/wamp/www/Zend/workspaces"
ServerName local-portail.com
DirectoryIndex index.php
#AllowOverride All
#Allow from all
#Require all granted
or this
DocumentRoot "C:/wamp/www/Zend/workspaces"
ServerName local-portail.com
DirectoryIndex index.php
#AllowOverride All
#Allow from all
#Require all granted
<IfModule dir_module>
DirectoryIndex index.php
</IfModule>
Is this the section of httpd.conf that you changed?
<Directory "c:/wamp/www">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride All
#
# Controls who can get stuff from this server.
#
# onlineoffline tag - don't remove
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
Allow from localhost
</Directory>
If you want to make another directory the document root, then a better way is to create a Virtual Host, or many virtual hosts, one for each project.
See this post for how to do that. Ignore the title; it is a post that describes how to set up Virtual Hosts: Project Links do not work on Wamp Server
I have a directory where users can upload files.
To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.
Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().
What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:
SetHandler default-handler
However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?
Apache configuration
The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I didn't change anything in the apache2 configuration, apart from running sudo apt-get install php5 and creating the file /etc/apache2/sites-enabled/mysite.com with the following contents:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName mysite.com
ServerAlias www.mysite.com
DocumentRoot /home/me/www/mysite.com/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/me/www/mysite.com/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Put this in your .htaccess:
<Files *>
# @mivk mentioned in the comments that this may break
# directory indexes generated by Options +Indexes.
SetHandler default-handler
</Files>
But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!
If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com
<Directory /home/me/www/upload/>
# Important for security, prevents someone from
# uploading a malicious .htaccess
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
<Files *>
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
</Directory>
If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:
/home/me/www/
|- myuploadscript.php
|- protected/
   |- .htaccess
   |- upload/
      |- Uploaded files go here
That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.
AFAICT, you should be pretty safe with that.
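As an added check for the layout above (my own code, not from the answer's author), the script below walks an upload directory and reports the two things the answer warns about: a .htaccess that uploaders could have planted or replaced inside the upload tree, and files whose extensions match the RemoveHandler list, which the SetHandler rule is supposed to neutralise. It also confirms that an ancestor .htaccess carrying "SetHandler default-handler" covers the directory. The demo tree it builds is constructed; paths and file names are assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions Apache would hand to a script handler; the list is the one from
# the RemoveHandler line in the answer above.
SCRIPT_EXTS = {".cgi", ".php", ".php3", ".php4", ".php5", ".phtml", ".pl", ".py", ".pyc", ".pyo"}

def audit_upload_tree(upload_dir: str) -> Dict[str, List[str]]:
    """Report what could defeat the SetHandler protection under an upload directory,
    plus the ancestor .htaccess that provides that protection (if any)."""
    root = Path(upload_dir).resolve()
    report: Dict[str, List[str]] = {"htaccess": [], "scripts": [], "protected_by": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == ".htaccess":
                # Anything inside the upload tree is writable by uploaders
                report["htaccess"].append(str(p))
            # mod_mime looks at every extension, so "x.php.jpg" still matches .php
            elif any(s.lower() in SCRIPT_EXTS for s in p.suffixes):
                report["scripts"].append(str(p))
    # The safe layout keeps the protecting .htaccess one level above the upload dir
    for parent in root.parents:
        ht = parent / ".htaccess"
        if ht.is_file() and "SetHandler default-handler" in ht.read_text():
            report["protected_by"].append(str(ht))
            break
    return report

def build_demo_tree(base: str) -> str:
    """Construct the answer's layout with two planted problems; returns the upload dir."""
    protected = Path(base) / "protected"
    upload = protected / "upload"
    (upload / "sub").mkdir(parents=True)
    (protected / ".htaccess").write_text("<Files *>\nSetHandler default-handler\n</Files>\n")
    (upload / "report.pdf").write_text("harmless content")
    (upload / "sub" / ".htaccess").write_text("# constructed: an uploaded override file\n")
    (upload / "image.php.jpg").write_text("# constructed: double-extension upload\n")
    return str(upload)

def run_demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_upload_tree(build_demo_tree(tmp))

if __name__ == "__main__":
    print(run_demo())
```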
My GoDaddy setup won't allow me to edit the httpd.conf files, and the php_flag command doesn't work due to how they've implemented PHP for me.
I was able to use this in my .htaccess file:
SetHandler default-handler
AddType text/plain php
I put this in the directory above where my FTP user is allowed to access, which forces all PHP files in that directory, as well as all sub-directories to show php as plain text.
This will work for other file types as well. All you need to do is add another line with whatever extension of file you want to be forced to display in plain text. AddType text/plain cgi for example
I have enabled alias_module and cgi_module in my apache 2.2 installation. I have added a section:
<IfModule alias_module>
ScriptAlias /digin-cgi/ "/opt/openbdjam/webroot1/push20/digin-cgi/"
</IfModule>
My scripts have the 'x' executable permission and live in the file system directory /opt/openbdjam/webroot1/push20/digin-cgi. However, when I go to my webserver (something like the address below) in a browser I just get a 404 not found:
http://myserver.com/digin-cgi/test.cgi
In case it matters - my server root is set to:
DocumentRoot "/opt/openbdjam/webroot1"
No amount of restarting helps!
Any ideas?
I believe you'll need a directory declaration in there also. Since the cgi-bin is outside your document root, it isn't covered by the 'default'.
<Directory "/opt/openbdjam/webroot1/push20/digin-cgi/">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Alter your Options and AllowOverride settings as you see fit, but I imagine you'll want ExecCGI as a minimum.
More info here: http://httpd.apache.org/docs/current/mod/core.html#directory