apache + fastcgi + fpm: Why is suexec required?

So I have the following WORKING virtualhost:
<VirtualHost 192.168.128.20:80>
ServerName euclid.domain.tld
#LogLevel debug
ErrorLog /var/www/euclid/logs/error_log
SuexecUserGroup fastcgi www_euclid
FastCgiExternalServer /var/www/euclid/htdocs/cgi-bin -socket /var/run/php-fpm/euclid.sock -user fastcgi -group www_euclid
AddHandler php-fastcgi .php
Action php-fastcgi /cgi-bin
Alias /cgi-bin /var/www/euclid/htdocs/cgi-bin
<Location /cgi-bin>
Order Deny,Allow
Deny from All
# Prevent accessing this path directly
Allow from env=REDIRECT_STATUS
Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
</Location>
DocumentRoot /var/www/euclid/htdocs
<Directory /var/www/euclid/htdocs>
AllowOverride all
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
What I can't seem to figure out is why I need to have either/both SuexecUserGroup fastcgi www_euclid and FastCgiExternalServer with the -user fastcgi -group www_euclid flags. FPM has pooling enabled and each pool is running under its own user/group. This works correctly, no issue. If I remove SuexecUserGroup and/or the -user fastcgi -group www_euclid arguments, I get the following error and I have no idea why. Additionally, what uid and gid are used to access the socket file by fastcgi? It's certainly not fastcgi:www_euclid.
(13)Permission denied: FastCGI: failed to connect to server
"/var/www/euclid/htdocs/cgi-bin": connect() failed FastCGI:
incomplete headers (0 bytes) received from server
"/var/www/euclid/htdocs/cgi-bin"

OK, I believe I have figured out what the problem was. The simple answer is: mod_fastcgi sucks. It's old, unmaintained and poorly documented. Why it keeps coming up when looking up how to run php-fpm is beyond me. Save yourself the headache and just don't use it!
The real solution is rather simple:
<VirtualHost 192.168.128.20:80>
ServerName euclid.domain.tld
#LogLevel debug
ErrorLog /var/www/euclid/logs/error_log
<IfDefine PROXY>
#If you want to use mod_proxy (Probably the best option)
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/var/www/euclid/htdocs/$1
</IfDefine>
<IfDefine FASTCGI_HANDLER>
#If you want to use mod_fastcgi_handler (3rd party)
AddHandler fcgi:/var/run/php-fpm-euclid.sock .php
</IfDefine>
DocumentRoot /var/www/euclid/htdocs
<Directory /var/www/euclid/htdocs>
AllowOverride all
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

Were you by chance using SELinux? I encountered a similar problem that was caused by an SELinux security policy that prevented Apache from connecting to Django's fastcgi socket. Running setenforce Permissive allowed it to work.
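The question asks which uid and gid actually touch the socket. For both FastCgiExternalServer and mod_proxy_fcgi with a unix socket, the process that calls connect() is the Apache worker, which runs as the User/Group from httpd.conf; the pool's own user and the SuexecUserGroup pair do not change that. On Linux, connect() on a unix-domain socket requires write permission on the socket inode (plus search permission on every directory above it), and php-fpm sets the inode's owner, group and mode from the pool's listen.owner, listen.group and listen.mode directives. The following added example (not code from the thread or from php-fpm) models that permission check; the uid/gid numbers and the pool settings in the scenarios are constructed assumptions:

```python
"""Model the permission check Linux applies when the Apache worker
connect()s to php-fpm's unix-domain socket (added example)."""
import os
import socket
import stat
import tempfile


def can_connect(st_mode, st_uid, st_gid, uid, gids):
    """True if a process running as (uid, gids) may connect() to a socket
    inode with the given mode/owner/group: the usual owner/group/other
    write-bit test, with root (uid 0) allowed regardless."""
    if uid == 0:
        return True
    if uid == st_uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


# Constructed ids for the thread's setup (assumed values, not from the page).
FASTCGI_UID = 1001      # pool user "fastcgi"
WWW_EUCLID_GID = 1002   # pool group "www_euclid"
APACHE_UID = 48         # httpd User "apache"
APACHE_GID = 48         # httpd Group "apache"


def scenarios():
    """Four ways of owning /var/run/php-fpm/euclid.sock, each evaluated for
    the Apache worker (uid 48, primary group 48)."""
    worker = (APACHE_UID, {APACHE_GID})
    return {
        # listen.owner=fastcgi listen.group=www_euclid listen.mode=0660:
        # the worker is neither owner nor group member, so connect() fails
        # with EACCES, the "(13)Permission denied" from the question.
        "0660 fastcgi:www_euclid, worker not in group":
            can_connect(0o660, FASTCGI_UID, WWW_EUCLID_GID, *worker),
        # Same socket, but the apache user was added to group www_euclid.
        "0660 fastcgi:www_euclid, worker in group":
            can_connect(0o660, FASTCGI_UID, WWW_EUCLID_GID,
                        APACHE_UID, {APACHE_GID, WWW_EUCLID_GID}),
        # listen.group=apache: keeps mode 0660, no extra group membership.
        "0660 fastcgi:apache":
            can_connect(0o660, FASTCGI_UID, APACHE_GID, *worker),
        # listen.mode=0666: works, but every local user can reach the pool.
        "0666 fastcgi:www_euclid":
            can_connect(0o666, FASTCGI_UID, WWW_EUCLID_GID, *worker),
    }


def check_real_socket(mode=0o660):
    """Create a listening unix socket the way php-fpm does, apply the mode,
    and report whether the current process would be allowed to connect."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "euclid.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)
            os.chmod(path, mode)
            st = os.stat(path)
            return can_connect(st.st_mode, st.st_uid, st.st_gid,
                               os.getuid(), set(os.getgroups()) | {os.getgid()})
        finally:
            srv.close()


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(("connect ok  " if ok else "EACCES      ") + name)
    print("current user on a fresh 0660 socket:", check_real_socket())
```

The first scenario is the failing setup from the question; the -user/-group flags only appeared to fix it because they changed which uid/gid mod_fastcgi used on the Apache side. Preferring listen.group=apache (or adding the httpd user to the pool group) over listen.mode=0666 keeps other local users away from the pool. SELinux, as the comment above notes, is a separate layer: it can deny the connect even when the mode bits allow it.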

Related

Centos You don't have permission

So I'm having difficulties with a web server. When I try to access it, I get the error "You don't have permission to access /index.html on this server."
However, I've given rights to the folders and the files exactly as I've done with a different server that does the same thing. The only way I've found to get rid of the error is with a command:
chcon -R -t httpd_sys_content_t /var/www/html/
However, the solution is not permanent; it seems to go away each time I use a Jenkins build on the server.
<VirtualHost *:80>
Redirect / servername
</VirtualHost>
<VirtualHost _default_:80>
ServerName localhost
<Location "/server-status">
Require all granted
SetHandler server-status
Order Allow,Deny
Allow from ::1
Allow from 127.0.0.1
Allow from 192.168****/23
Allow from 192.168****
</Location>
ErrorLog logs/error.log
SetEnvIf Remote_Addr "::1" dontlog
SetEnvIf User-Agent ".*internal dummy connection.*" dontlog
CustomLog /var/log/httpd/access.log combined env=!dontlog
</VirtualHost>
Problem diverted.
I managed to solve this by editing the /etc/selinux/config file in CentOS 7 and setting SELinux to disabled. Rebooted and the problem went away for good.

Using mono with ssl in apache

I have the following problem:
I want to access a mono application via ssl. I want it to be not accessible without ssl.
I am using apache2.4 and mod-mono-server4.exe 3.0.0.0
At the moment I have a working configuration like this:
<VirtualHost *:80>
DocumentRoot /srv/www/htdocs/my-mono-app
#SSLEngine on
#SSLCertificateFile /path/to/key.pem
#SSLCertificateKeyFile /path/to/key.pem
MonoAutoApplication disabled
MonoServerPath my-mono-app "/usr/bin/mod-mono-server4"
MonoApplications my-mono-app "/my-mono-app:/srv/www/htdocs/my-mono-app"
<Directory /srv/www/htdocs/my-mono-app>
Require all granted
MonoSetServerAlias my-mono-app
SetHandler mono
</Directory>
</VirtualHost>
But as soon as I turn the SSLEngine on and change the port to 443 it does not work anymore. It just says "Object not found!" if I navigate to the address.
It does not record any errors in the logs.
Can you help me with this please?
PS: Here is the complete not working configuration:
<VirtualHost *:443>
DocumentRoot /srv/www/htdocs/my-mono-app
SSLEngine on
SSLCertificateFile /path/to/key.pem
SSLCertificateKeyFile /path/to/key.pem
MonoAutoApplication disabled
MonoServerPath my-mono-app "/usr/bin/mod-mono-server4"
MonoApplications my-mono-app "/my-mono-app:/srv/www/htdocs/my-mono-app"
<Directory /srv/www/htdocs/my-mono-app>
Require all granted
MonoSetServerAlias my-mono-app
SetHandler mono
</Directory>
</VirtualHost>
I used mono 5.x once. From what I can recall of that experience, mod_mono.conf needed modification for the directory path. I reached that solution from the Apache access and error logs. I tried many ways before that, searching the whole earth: symlinking, purging the installation and building from source, etc. You may try my way, keeping a backup of mod_mono.conf.
<IfModule !mono_module>
LoadModule mono_module "libexec/apache2/mod_mono.so"
</IfModule>
<IfModule mono_module>
AddType application/x-asp-net .config .cs .csproj .dll .resources .resx .sln .vb .vbproj
AddType application/x-asp-net .asax .ascx .ashx .asmx .aspx .axd .browser .licx .master .rem .sitemap .skin .soap .webinfo
MonoAutoApplication enabled
MonoDebug true
MonoServerPath "/usr/bin/mod-mono-server4"
MonoSetEnv LANG=fr_FR.UTF-8
MonoUnixSocket "/tmp/.mod_mono"
<IfModule dir_module>
DirectoryIndex Default.aspx
</IfModule>
<DirectoryMatch "/(bin|App_Code|App_Data|App_GlobalResources|App_LocalResources)/">
Order deny,allow
Deny from all
</DirectoryMatch>
<Location "/my-mono-app">
Order deny,allow
Deny from all
Allow from 127.0.0.1 ::1
SetHandler mono-ctrl
</Location>
</IfModule>
It was too big to write as a comment; it is possibly not a 100% warranted answer, depending on your try. That thing in your config is correct:
Require all granted
MonoSetServerAlias my-mono-app
SetHandler mono
Without that stanza odd errors appear.

What could cause deny,allow directive to be ignored in .htaccess?

I cannot get allow and deny directives to work from an .htaccess file within any directory in my web root. I am at a loss as to where I should look to configure this. I have checked the obvious (authz modules are loaded, AllowOverride is set to All). Any ideas? Here are my configuration details.
I have an Apache 2.2 server running on RHEL. Within this server I have an IP-based VirtualHost that is configured like this, where myipaddr and myserver are the actual IP address and host name respectively:
<VirtualHost myipaddr:80>
ServerName myserver
TransferLog /var/log/httpd/myserver.access
LogFormat loadbalanced
ErrorLog /var/log/httpd/myserver.error
DocumentRoot /var/www/myserver
<Directory /var/www/myserver>
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
I have tried more complex directives but even a simple .htaccess file that should deny everything has no effect.
Order deny,allow
Deny from all
It turns out there was a configuration file in /etc/httpd/conf.d that I did not realize was getting loaded, and it was trumping the denies and allows within specific directories.
<Location />
Order allow,deny
Allow from all
<LimitExcept GET POST PUT DELETE>
Deny from all
</LimitExcept>
</Location>

Apache 2.4.6 on Ubuntu Server: Client denied by server configuration (PHP FPM) [While loading PHP file]

Today I updated Ubuntu Server 13.04 (Raring Ringtail) → 13.10 (Saucy Salamander).
And my Apache 2 installation is broken.
Here is my configuration:
File error.log
[Fri Oct 18 10:48:07.237170 2013] [:notice] [pid 8292:tid 139804677900160] FastCGI: process manager initialized (pid 8292)
[Fri Oct 18 10:48:07.241185 2013] [mpm_event:notice] [pid 8289:tid 139804677900160] AH00489: Apache/2.4.6 (Ubuntu) mod_fastcgi/mod_fastcgi-SNAP-0910052141 configured -- resuming normal operations
[Fri Oct 18 10:48:07.241652 2013] [core:notice] [pid 8289:tid 139804677900160] AH00094: Command line: '/usr/sbin/apache2'
[Fri Oct 18 10:48:28.313923 2013] [authz_core:error] [pid 8294:tid 139804573181696] [client 81.219.59.75:3536] AH01630: client denied by server configuration: /usr/lib/cgi-bin/php5-fcgi
File default.conf
#EU
<VirtualHost *:80>
#ServerName
DocumentRoot /var/www/dev_stable
DirectoryIndex index.php index.html index.htm
<Directory /var/www/dev_stable>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Require all granted
</Directory>
</VirtualHost>
File mods-enabled/fastcgi.conf
#<IfModule mod_fastcgi.c>
# AddHandler fastcgi-script .fcgi
# FastCgiWrapper /usr/lib/apache2/suexec
# FastCgiIpcDir /var/lib/apache2/fastcgi
#</IfModule>
<IfModule mod_fastcgi.c>
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
</IfModule>
When I try to load the file via the browser I get:
site_name/TEST/
Forbidden
You don't have permission to access /php5-fcgi/TEST/index.php on this server.
What should I do to fix it?
I have exactly the same issue. I run a couple of virtual hosts on my local machine for development.
First, I changed /etc/apache2/conf-available/php5-fpm.conf. I replaced every
Order Deny,Allow
Deny from all
to
Require all granted
The configuration has to be enabled by a2enconf php5-fpm. I did the same with my virtual hosts configurations and made the replacements.
I think this is not advised for security reasons, but as long as I use my server for local purposes only I can live with it.
I ran into this exact issue upon a new install of Apache 2.4. After a few hours of googling and testing I finally found out that I also had to allow access to the directory that contains the (non-existent) target of the Alias directive. That is, this worked for me:
# File: /etc/apache2/conf-available/php5-fpm.conf
<IfModule mod_fastcgi.c>
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
# NOTE: using '/usr/lib/cgi-bin/php5-cgi' here does not work,
# it doesn't exist in the filesystem!
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
</IfModule>
I ran into a similar problem today (but with mod_wsgi). It might be an Apache 2.2-to-2.4 problem. A comprehensive list of changes can be found here.
For me, it helped to add an additional <Directory>-entry for every path the error-log was complaining about and filling the section with Require all granted.
So in your case you could try
<Directory /usr/lib/cgi-bin/php5-fcgi>
Require all granted
Options FollowSymLinks
</Directory>
and I had to move my configuration file from folder conf.d to folder sites-enabled.
All in all, that did the trick for me, but I don't guarantee it works in your case as well.
I recently ran into the same problem. I had to change my virtual hosts from:
<VirtualHost *:80>
ServerName local.example.com
DocumentRoot /home/example/public
<Directory />
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
To:
<VirtualHost *:80>
ServerName local.example.com
DocumentRoot /home/example/public
<Directory />
Options All
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
In apache2.conf, replace or delete "<Directory /> AllowOverride None Require all denied </Directory>", as suggested by Jan Czarny.
For example:
<Directory />
Options FollowSymLinks
AllowOverride None
#Require all denied
Require all granted
</Directory>
This worked in Ubuntu 14.04 (Trusty Tahr).
Your virtualhost filename should be mysite.com.conf and should contain this info:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName mysite.com
ServerAlias www.mysite.com
ServerAdmin info#mysite.com
DocumentRoot /var/www/mysite
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory "/var/www/mysite">
Options All
AllowOverride All
Require all granted
</Directory>
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I don't think that replacing "Require all denied" with "Require all granted" in this directive:
<Directory />
Options FollowSymLinks
AllowOverride None
#Require all denied
Require all granted
</Directory>
as suggested by Jan Czarny and seconded by user3801675 is the most secure way of solving this problem.
According to the Apache configuration files, that line denies access to the entirety of your server's filesystem. Replacing it might indeed allow access to your virtual host folders but at the price of allowing access to your entire computer as well!
Gev Balyan's approach seems to be the most secure approach here. It was the answer to the "access denied problems" plaguing me after setting up my new Apache server this morning.
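The disagreement in this thread is really about scope: granting access on the Alias target's directory (/usr/lib/cgi-bin) fixes the AH01630 error, while granting it on <Directory /> fixes it by exposing the whole filesystem. A second recurring mistake is leaving 2.2 Order/Allow/Deny lines next to 2.4 Require lines, which only work at all with mod_access_compat loaded and merge confusingly. The following added example (not from the thread or from Apache) is a small audit script that parses a config fragment and flags both problems; the two sample configurations are constructed from the directives quoted in this thread, and the finding names are my own:

```python
"""Flag 2.2 -> 2.4 access-control mistakes in Apache config text (added example)."""
import re

SECTION_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
SECTION_CLOSE = re.compile(r"^</\w+>$")
LEGACY = {"order", "allow", "deny", "satisfy"}  # mod_access_compat directives


def parse(text):
    """Yield (section_path, directive, args) for every directive. section_path
    is a tuple of (kind, argument) pairs for the enclosing <...> containers,
    lower-cased; comments and blank lines are skipped."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip().strip('"')))
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        parts = line.split(None, 1)
        yield tuple(stack), parts[0].lower(), (parts[1].lower() if len(parts) > 1 else "")


def audit(text):
    """Return (kind, section_label, message) findings:
    legacy-authz  Order/Allow/Deny/Satisfy present (rewrite as Require)
    mixed-authz   2.2 and 2.4 syntax in the same section
    root-granted  'Require all granted' inside <Directory />"""
    sections = {}  # repeated blocks with the same path are merged, as Apache merges them
    for path, name, args in parse(text):
        sec = sections.setdefault(path, {"legacy": set(), "require": []})
        if name in LEGACY:
            sec["legacy"].add(name)
        elif name == "require":
            sec["require"].append(args)
    findings = []
    for path, sec in sections.items():
        label = " > ".join(f"<{kind} {arg}>" for kind, arg in path) or "(global)"
        if sec["legacy"]:
            findings.append(("legacy-authz", label,
                             "uses " + ", ".join(sorted(sec["legacy"])) + "; needs mod_access_compat"))
        if sec["legacy"] and sec["require"]:
            findings.append(("mixed-authz", label, "mixes Order/Allow/Deny with Require"))
        if ("directory", "/") in path and "all granted" in sec["require"]:
            findings.append(("root-granted", label,
                             "opens the whole filesystem; grant the Alias target directory instead"))
    return findings


# Constructed sample: the over-broad fix plus leftover 2.2 syntax.
BROAD_FIX = """
<Directory />
    AllowOverride None
    Require all granted
</Directory>
<VirtualHost *:80>
    DocumentRoot /var/www/dev_stable
    <Directory /var/www/dev_stable>
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>
"""

# Constructed sample: root stays denied, only the Alias target is granted.
NARROW_FIX = """
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<IfModule mod_fastcgi.c>
    Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
    FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock
    <Directory /usr/lib/cgi-bin>
        Require all granted
    </Directory>
</IfModule>
<VirtualHost *:80>
    <Directory /var/www/dev_stable>
        Require all granted
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, cfg in (("broad", BROAD_FIX), ("narrow", NARROW_FIX)):
        print(name, "->", audit(cfg) or "no findings")
```

Run it over the output of "apachectl -S" style reviews or simply over the files in conf-enabled/ and sites-enabled/; anything reported as root-granted should be moved down to the specific Alias or DocumentRoot directory, which is what the "Gev Balyan" style fix in this thread does.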
And I simply got this error because I used a totally different DocumentRoot directory.
My main DocumentRoot was the default /var/www/html
and on the VirtualHost I used /sites/example.com
I have created a link on /var/www/html/example.com (to /sites/example.com).
DocumentRoot was set to /var/www/html/example.com
It worked like a charm.
I had the same issue after upgrading my system.
In my case, the problem was caused by the order of loading configuration files.
In /etc/httpd/httpd.conf, initially it was defined as follows:
IncludeOptional conf.d/*.conf
IncludeOptional sites-enabled/*.conf
After some hours of attempts, I tried the following order:
IncludeOptional sites-enabled/*.conf
IncludeOptional conf.d/*.conf
And it works fine now.
I had the following configuration in my httpd.conf that denied executing the wp-admin/setup-config.php file from WordPress. Removing the |-config part solved the problem.
I think this httpd.conf is from Plesk, but it could be some default suggested config from WordPress, I don't know. Anyway, I could safely add it back after the setup finished.
<LocationMatch "(?i:(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html)))">
Require all denied
</LocationMatch>
For those of you on AWS (Amazon Web Services), remember to add a rule for your SSL port (in my case 443) to your security groups. I was getting this error because I forgot to open the port.
3 hours of tearing my hair out later...

How to block URL pattern using Apache with mod_wsgi

I have a web2py application run under Apache via mod_wsgi. How do I restrict access to the admin page (www.myapp.com/admin) based on source IP?
Ideally, I do it directly within Apache for two reasons: 1) I assume that Apache has more effective access to the source IP [citation needed] and 2) I don't feel like modifying the stock admin page in web2py to block specific IPs.
My (abridged) configuration looks something like this:
<VirtualHost *:80>
WSGIDaemonProcess web2py user=myapp group=myapp
WSGIProcessGroup web2py
WSGIScriptAlias / /home/myapp/myapp/wsgihandler.py
TimeOut 45
ServerName myapp.com
ServerAlias www.myapp.com
<Directory /home/myapp/myapp>
AllowOverride None
Order Allow,Deny
Deny from all
<Files wsgihandler.py>
Allow from all
</Files>
</Directory>
#======================================
# THIS IS WHAT I TRIED THAT DIDN'T WORK
<Directory /home/myapp/myapp/admin>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Directory>
#======================================
AliasMatch ^/static/(.*) \
/home/myapp/myapp/applications/myapp/static/$1
<Directory /home/myapp/myapp/applications/myapp/static/>
Options -Indexes
Order Allow,Deny
Allow from all
</Directory>
# HTTPS enforcement
# Out of convenience, forward /a* to https, covers /admin /appadmin and /a (front facing admin)
RedirectMatch ^/a(.*) https://myapp.com/a$1
RedirectMatch ^/c/(.*) https://myapp.com/c/$1
RedirectMatch ^/w/user/login(?:/(.*)|$) https://myapp.com/w/user/login/$1
RedirectMatch ^/w/user/register(?:/(.*)|$) https://myapp.com/w/user/register/$1
CustomLog /var/log/apache2/access.log common
ErrorLog /var/log/apache2/error.log
</VirtualHost>
Note that I have a similar VirtualHost for port 443. I just didn't include it for the sake of redundancy.
Normally, it is my understanding that I could use something like the directory notation to deny access to certain directories. However, the above didn't work and I wonder if it has to do with the WSGIScriptAlias directive.
Use:
<Location /admin>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>
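The <Location> block works where <Directory> did not because <Directory> matches filesystem paths, and with WSGIScriptAlias / every URL is served by the single file wsgihandler.py, so /admin never corresponds to a directory on disk; <Location> matches the URL space instead. If you also want the restriction enforced inside the process (defence in depth, for instance in case the vhost is edited later), the following added example (not web2py's or mod_wsgi's code) wraps the WSGI application object in an allow-list middleware. It trusts only REMOTE_ADDR, which Apache fills from the TCP connection; X-Forwarded-For is client-controlled unless a trusted proxy in front of Apache overwrites it. The names RestrictPrefix, demo_app and status_for and the network list are assumptions for the example:

```python
"""IP allow-list for a URL prefix as WSGI middleware (added example)."""
import ipaddress


class RestrictPrefix:
    """Return 403 for requests under `prefix` unless REMOTE_ADDR is inside
    one of `allowed_networks`; everything else passes through untouched."""

    def __init__(self, app, prefix, allowed_networks):
        self.app = app
        self.prefix = "/" + prefix.strip("/")
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]

    def _is_protected(self, path):
        # Match /admin and /admin/..., but not /administrator.
        return path == self.prefix or path.startswith(self.prefix + "/")

    def _is_allowed(self, environ):
        try:
            addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False  # missing or malformed address: fail closed
        return any(addr in net for net in self.allowed)

    def __call__(self, environ, start_response):
        # With WSGIScriptAlias / the whole request path arrives in PATH_INFO.
        if self._is_protected(environ.get("PATH_INFO", "")) and not self._is_allowed(environ):
            body = b"Forbidden\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application object (constructed for this example)."""
    body = b"hello from " + environ.get("PATH_INFO", "/").encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


# In wsgihandler.py this would wrap the real application object instead.
application = RestrictPrefix(demo_app, "/admin",
                             ["127.0.0.1/32", "::1/128", "10.0.0.0/8"])


def status_for(app, path, remote_addr):
    """Drive a WSGI app with a minimal environ and return the status line."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    list(app(environ, start_response))  # consume the body iterable
    return captured["status"]


if __name__ == "__main__":
    for path, addr in (("/admin", "203.0.113.5"), ("/admin", "127.0.0.1"),
                       ("/admin/default/site", "10.0.0.7"), ("/administrator", "203.0.113.5")):
        print(path, addr, "->", status_for(application, path, addr))
```

Keep the Apache <Location> rule as the primary control: it rejects the request before mod_wsgi hands it to the daemon process, and it covers static files and any other handler on the same prefix, which the middleware cannot see.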