Apache won't follow symlinks (403 Forbidden) - apache

I'm having some trouble setting up Apache on Ubuntu. I've been following this guide.
# /usr/sbin/apache2 -v
Server version: Apache/2.2.17 (Ubuntu)
Server built: Feb 22 2011 18:33:02
My public directory, /var/www, can successfully serve up and execute PHP pages that are placed in it. However, I want to create a symlink in /var/www that points to a directory in my home folder and serve pages there.
[root /var/www]# ll
total 36
drwxr-xr-x 3 root root 4096 2011-09-11 14:22 .
drwxr-xr-x 14 root root 4096 2011-06-04 22:49 ..
lrwxrwxrwx 1 root root 16 2011-09-11 13:21 about -> /root/site/about
When I try to access /about on browser, I get
Forbidden
You don't have permission to access /about on this server.
As far as I know, I gave sufficient privileges to the files I want to serve:
[root ~/site/about]# ll
total 24
drwxr-xr-x 5 root root 4096 2011-09-11 13:20 .
drwxr--r-- 3 root root 4096 2011-09-11 13:19 ..
drwxr-xr-x 2 root root 4096 2011-09-11 13:21 contact
-rwxr-xr-x 1 root root 1090 2011-09-11 13:19 index.php
drwxr-xr-x 2 root root 4096 2011-09-11 13:20 me
drwxr-xr-x 2 root root 4096 2011-09-11 13:21 resume
I'm aware of the FollowSymLinks option, and I believe it's set in my /etc/apache2/sites-enabled/000-default file:
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options FollowSymLinks Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Any idea what I could be missing?

Check that Apache has execute rights for /root, /root/site and /root/site/about.
Run:
chmod o+x /root /root/site /root/site/about
You can find a more secure way in Elijah's answer.

The 403 error may also be caused by an encrypted file system, e.g. a symlink to an encrypted home folder.
If your symlink points into the encrypted folder, the apache user (e.g. www-data) cannot access the contents, even if apache and file/folder permissions are set correctly. Access of the www-data user can be tested with such a call:
sudo -u www-data ls -l /var/www/html/<your symlink>/
There are workarounds/solutions to this, e.g. adding the www-data user to your private group (exposes the encrypted data to the web user) or by setting up an unencrypted rsynced folder (probably rather secure). I for myself will probably go for an rsync solution during development.
https://askubuntu.com/questions/633625/public-folder-in-an-encrypted-home-directory
A convenient tool for my purposes is lsyncd. This allows me to work directly in my encrypted home folder and being able to see changes almost instantly in the apache web page. The synchronization is triggered by changes in the file system, calling an rsync. As I'm only working on rather small web pages and scripts, the syncing is very fast. I decided to use a short delay of 1 second before the rsync is started, even though it is possible to set a delay of 0 seconds.
Installing lsyncd (in Ubuntu):
sudo apt-get install lsyncd
Starting the background service:
lsyncd -delay 1 -rsync /home/<me>/<work folder>/ /var/www/html/<web folder>/

I was having a similar problem that I could not resolve for a long time on my new server. In addition to palacsint's answer, a good question to ask is: are you using Apache 2.4? In Apache 2.4 there is a different mechanism for setting the permissions that do not work when done using the above configuration, so I used the solution explained in this blog post.
Basically, what I needed to do was convert my config file from:
Alias /demo /usr/demo/html
<Directory "/usr/demo/html">
Options FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
</Directory>
to:
Alias /demo /usr/demo/html
<Directory "/usr/demo/html">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Note how the Order and allow lines have been replaced by Require all granted

Related to this question, I just figured out why my vhost was giving me that 403.
I had tested ALL possibilities on this question and others without luck. It almost drives me mad.
I am setting up a server with releases deployment similar to Capistrano way through symlinks and when I tried to access the DocRoot folder (which is now a symlink to current release folder) it gave me the 403.
My vhost is:
DocumentRoot /var/www/site.com/html
<Directory /var/www/site.com/html>
AllowOverride All
Options +FollowSymLinks
Require all granted
</Directory>
and my main httpd.conf file was (default Apache 2.4 install):
DocumentRoot "/var/www"
<Directory "/var/www">
Options -Indexes -FollowSymLinks -Includes
(...)
It turns out that the main Options definition was taking precedence over my vhosts fiel (for me that is counter intuitive). So I've changed it to:
DocumentRoot "/var/www"
<Directory "/var/www">
Options -Indexes +FollowSymLinks -Includes
(...)
and Eureka! (note the plus sign before FollowSymLinks in MAIN httpd.conf file.
Hope this help some other lost soul.

As recommended on this discussion on the Arch wiki, the default approach of setting the whole path for the other group using:
chmod o+x /root /root/site /root/site/about
is not the most secure way, since any user with access to the server will be able to access and execute files on the path exposed.
Preferably, you should set permissions to a particular user using ACL permissions.
In the case of the Apache HTTP server, that user would be "http", and permissions could be set by doing (in arch, you will need the acl package installed):
setfacl -m "u:http:--x" /path/to/directory"
You will have to set this recursively (first to /path, then /path/to, etc).
Compared to the most voted solution, only a particular user will be able to access this directory, so security is increased.
Bonus tip: if the path is mounted on a zfs pool, you will need to add the option acltype in your zpool configuration. This can be done with:
zfs set acltype=posixacl your_zpool
Then, by restarting the machine, the volume will be mounted again with the correct configuration, and the code above will work.

In addition to changing the permissions as the other answers have indicated, I had to restart apache for it to take effect:
sudo service apache2 restart

There is another way that symbolic links may fail you, as I discovered in my situation. If you have an SELinux system as the server and the symbolic links point to an NFS-mounted folder (other file systems may yield similar symptoms), httpd may see the wrong contexts and refuse to serve the contents of the target folders.
In my case the SELinux context of /var/www/html (which you can obtain with ls -Z) is unconfined_u:object_r:httpd_sys_content_t:s0. The symbolic links in /var/www/html will have the same context, but their target's context, being an NFS-mounted folder, are system_u:object_r:nfs_t:s0.
The solution is to add fscontext=unconfined_u:object_r:httpd_sys_content_t:s0 to the mount options (e.g. # mount -t nfs -o v3,fscontext=unconfined_u:object_r:httpd_sys_content_t:s0 <IP address>:/<server path> /<mount point>). rootcontext is irrelevant and defcontext is rejected by NFS. I did not try context by itself.

First disable selinux (vim /etc/selinux/config)
vim /etc/httpd/conf/httpd.conf edit following lines for symlinks and directory indexing:
documentroot /var/www/html
<directory /var/www/html>
Options Indexes FollowSymLinks
AllowOverride None
</directory>
If .htaccess file then AllowOverride all

For anyone having trouble after upgrading to 14.04
https://askubuntu.com/questions/452042/why-is-my-apache-not-working-after-upgrading-to-ubuntu-14-04
as
root changed
before upgrade = /var/www
after upgrade = /var/www/html

With the option FollowSymLinks enabled:
$ rg "FollowSymLinks" /etc/httpd/
/etc/httpd/conf/httpd.conf
269: Options Indexes FollowSymLinks
you need all the directories in symlink to be executable by the user httpd is using.
so for this general use case:
cd /path/to/your/web
sudo ln -s $PWD /srv/http/
You can check owner an permissions with namei:
$ namei -m /srv/http/web
f: /srv/http/web
drwxr-xr-x /
drwxr-xr-x srv
drwxr-xr-x http
lrwxrwxrwx web -> /path/to/your/web
drwxr-xr-x /
drwxr-xr-x path
drwx------ to
drwxr-xr-x your
drwxr-xr-x web
In my case to directory was only executable for my user:
Enable execution by others solve it:
chmod o+x /path/to
See the non executable directory could be different, or you need to affect groups instead others, that depends on your case.

Yet another subtle pitfall, in case you need AllowOverride All:
Somewhere deep in the fs tree, an old .htaccess having
Options Indexes
instead of
Options +Indexes
was all it took to nonchalantly disable the FollowSymLinks set in the server config, and cause a mysterious 403 here.

In my case, all of the above function, except that SElinux was blocking all symlink request. Additionally to httpd.conf, grp and file permissions, and lsyncd, I also set SELinux to permissive and it works!

In my case I was having symlinks in my /Sites folder which suddenly stopped working and resulting in a 403.
If you're on a Mac, check the Security & Privacy screen and see if http has access to your folder.
The checkbox under Files and Folders for httpd was somehow unchecked. (Perhaps due to an update, since it seems I have 2 httpd's).
Enabling the checkbox fixed the issue.

a little bit late but to give general permission for all other users is not a good idea
better to add the apache user, in my case "www-data" to the group ofthe user whose files you want to access:
usermod -a -G group_of_target_user www-data

Related

Is it possible to change Apache web root directory on Ubuntu except home directory?

Can't change Apache web root directory on Ubuntu.
file exists in sites-enabled folder
I changed /etc/apache2/sites-enabled/mynewsite.conf file document root
<Directory /media/saptarshi/BAAA7114AA70CDFF/webdev>
Options Indexes FollowSymLinks
Allow from all
AllowOverride None
Require all granted
</Directory>
and, also I changed /etc/apache2/apache2.conf file document root
<Directory /media/saptarshi/BAAA7114AA70CDFF/webdev>
Options Indexes FollowSymLinks
AllowOverride None
Allow from all
Require all granted
</Directory>
After changing those I restart the apache then it not worked. Shows
403 error. Forbidden
You don't have permission to access this resource. Apache/2.4.41 (Ubuntu) Server at localhost Port 80
But magically when I change the path within the home directory(/home/saptarshi/test) then it work. So , Is it possible to change apache root directory outside the home folder in ubuntu?
Two things I would like to mention. Firstly, because of something isn't working, don't write the same configurations into multiple apache config files. It will create more problems rather than solving one. Secondly, you should always edit the respective site config file in the /etc/apache2/sites-available/ directory rather than editing the file in the /etc/apache2/sites-enabled/ directory. It's a symlink, so, it's always better to edit the main file and reload the config.
Now your problem might or might not be related to directory path only. It might be a user permission related problem as well. Could you please attach the entire apache2.conf file and the mynewsite.conf file? Also, what's the host you're trying to access it with?

Forbidden You don't have permission to access on this server. Centos 6 / Laravel 4

i got a problem after i finish to set up LAMP and installed my laravel 4 application. Everything seem went well, when i go on my ip address url, it show me the first page of my application correctly, but all the rest of the page throw me an 404 error The requested URL was not found on this server.
So I added to my httpd.conf (under the virtual host of my project) -
AllowOverride All
Order allow,deny
<VirtualHost *:80>
ServerName VPS-IP-ADDRESS
DocumentRoot /var/www/html/nextmatch/public_html/public/
<Directory /var/www/html/nextmatch/public_html/public/>
AllowOverride all
Order allow,deny
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
</Directory>
</VirtualHost>
And now when i try to navigate instead the 404 error i got Forbidden
You don't have permission to access this server.
I set up with chmod 775 -R path/laravel/ and the folder storage with 777 but still i got the same error any suggest please? I cannot figure out to this problem i'm getting crazy! Thank you for any help.
The webserver starts as a daemon (service) under a particular user. That user is defined in httpd.conf. By default that user will be apache. Don't confuse the apache user with the httpd process. The latter is a webserver daemon and the former is the user under which it is going to run. If the folder you created belongs to root or a user other than the one defined in httpd.conf then apache won't be able to access it. The way to identify this problem is to go to the folder and do ls -l. If the user define in httpd.conf is apache then in order for it to access the folder, you should see:
drwxr-xr-x. 2 apache apache 4096 Jan 8 2013 public_folder
Note, it says 'apache apache', meaning it belongs to the apache user and group. If you created it via root then you will probably see:
drwxr-xr-x. 2 root root 4096 Jan 8 2013 public_folder
The apache user cannot access the folder defined by root. To solve this problem run the command:
chown -R apache:apache myfolder
The -R option is recursive, so it will update ownership for ALL folders and files within that folder to the apache user.
If your ownership if fine, then trying 'temporarily' turning off selinux. On centos you do:
setenforce 0
Which will turn off selinux till the next restart. Ideally, you will want to leave selinux on for additional security and set a valid context for your apache files and folders.
If turning off selinux does work, then you probably have the wrong security context for your files and folders. run the following command to restore your security contexts:
restorecon -R -v /var/www/
If you're using CentOS it could be an issue with selinux. Check to see if selinux is enabled with 'sestatus'. If it is enabled, you can check to see if that is the issue (temporarily) using 'sudo setenforce 0'. If apache can serve the site, then you just need to change the context of the files recursively using 'sudo chcon -R -t httpd_sys_content_t' (you can check the existing context using 'ls -Z'.
Selinux may not be the issue, but it's worth checking on.
try this inside the folder:
chcon -R -t httpd_sys_content_t *
chcon -R -t httpd_sys_content_t *
did the trick for me.
from php5.conf in /etc/apache2/mods-available
# Running PHP scripts in user directories is disabled by default
#
# To re-enable PHP in user directories comment the following lines
# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
# prevents .htaccess files from disabling it.
#<IfModule mod_userdir.c>
# <Directory /home/*/public_html>
# php_admin_value engine Off
# </Directory>
#</IfModule>

Apache Permission denied for /srv/www: unable to check .htaccess file but not for /var/www

I've hit a problem on Centos 6.5:
[Mon Dec 28 12:10:52 2012] [a] [client 127.0.0.1] (13) Permission denied: /srv/www/website/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
Basically, I was building a brand new server and trying to migrate all of my websites over into /srv/www folder instead of /var/www as it appears to be the future standard (there is a whole discussion about it so just google).
What I did:
1) added a new group (groupadd developers)
2) added users a (gid 501), root, apache, nobody to the above group
(usermod -G develoeprs a && usermod -G develoeprs apache && usermod -G develoeprs root && usermod -G develoeprs nobody)
3) copied all folders & files into /srv/www
4) changed ownership of entire /srv/www to apache:developers (chown -R apache:developers /srv/www)
5) changed mode so /srv/www is group readable/writable/searchable (chmod -R 2775 /srv/www)
6) added 'umask 002' to the end of /etc/sysconfig/httpd so it runs in group writable mode
7) added virtual host(s) and to /etc/httpd/conf.d/vhosts.conf (service httpd configtest throws OK)
NameVirtualHost *:80
NameVirtualHost *:443
SSLStrictSNIVHostCheck off
<VirtualHost *:443>
ServerAdmin webmaster#domain.ext
DocumentRoot /srv/www/test
ServerName test.domain.com
ServerAlias test.domain
SSLEngine on
SSLCertificateFile /etc/httpd/certs/domain.com/server.crt
SSLCertificateKeyFile /etc/httpd/certs/domain.com/server.key
<Directory /srv/www/test>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
8) restarted the server
9) started httpd manually because it asks for SSL certificate password otherwise autostart fails (need to look into how to start it automatically after rebooting)
I am still getting the same above error message.
Then, I tried changing the home folder in /etc/passwd for apache user to /srv/www (server restart) but still no joy i.e. Permission denied. I even renamed the old /var/www folder and created a symlink in /var/www to /srv/www. Another attempt was to chown back to root:root, apache:apache and :developers group for both.
/srv/www/ [NOT WORKING]
drwxr-xr-x. 2 root root (cgi-bin, error, html,icons)
drwxrwsr-x. 5 apache developers (all other website folders)
-rwxrwsr-x. 1 apache developers (all files)
/srv/
drwxrwsr-x. 4 apache developers www
/var/www [WORKING]
drwxr-xr-x. 2 root root (cgi-bin, error, html,icons)
drwxrwxr-x. 3 apache developers (all other website folders)
-rwxrwxr-x. 1 apache developers (all website files)
Then, as soon as I copy my one of my website's folder into /var/www and point paths in /etc/httpd/conf.d/vhosts.conf it starts to work fine!
DOES ANYONE KNOW WHY IT'S NOT WORKING IN /SRV/WWW folder??
I finally got to the bottom of the problem. It's caused by SELinux policies overriding basic traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) normally used to control the file access of users!
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
$ setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
$ setenforce Permissive
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
More info on SELinux at Centos. As soon as I switched to Permissive mode my /srv/ started working.
If you know what and why you are doing this then you can permanently disable SELinux in /etc/selinux/config by changing the following line:
SELINUX=enforcing
to
SELINUX=disabled
Restart your server and you should have it disabled permanently.
Note: When switching from Disabled to either Permissive or Enforcing
mode, it is highly recommended that the system be rebooted and the
filesystem relabeled.
Are you sure that the user "apache" can cross the folder "/src" ?
What's the owner and the permission of the folder "/src" ?

Virtual host showing apache test page and everything else in doc root is forbidden

I am using a new CentOS 6.3 minimal install with fresh httpd installed
When I go to my virtual host it is showing me the apache test page, and then if I go to mydomain.co.uk/index.html (That I have just set up to test with) it says forbidden. All the usual answers to this don't seem to be working and I have honestly looked through tons of forums and other people questions/answers and nothing seems to be working for me.
I have created a group called 'www' that I have added the user 'apache' to.. This is my root directory in httpd.conf file, I have left it pretty open just for testing:
<Directory />
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from All
</Directory>
This is my vhosts file:
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /var/www/html/
</VirtualHost>
<VirtualHost *:80>
ServerName domain.co.uk
ServerAlias www.domain.co.uk
DocumentRoot /home/domain/public_html
<Directory "/home/domain/public_html">
Options Indexes FollowSymLinks ExecCGI
AllowOverride AuthConfig FileInfo
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
From /home/ onwards I have set the group to www
When ls -lA on home folder I get
drwxrwsr-x. 5 root www 4096 Feb 5 20:57 home
The error I am getting in my logs file is a permission one:
[Wed Feb 06 10:24:42 2013] [error] [client 62.254.7.226] (13)Permission denied: access to /index.html denied (filesystem path '/home/domain/public_html/index.html') because search permissions are missing on a component of the path
As is everything else in that folder. I really don't know what to try next. I have come to the point of needing to ask for my specific setup as following other tutorials or answers has not worked for me. Any help is greatly appreciated!
Error 13 means that the user/group specified in your apache configuration (httpd.conf) didn't have permission to access the files. The files, and all the directories above them, need to have permission that allow for that user and group.
One of the trickier bits can be extended permissions. If you are running selinux, the server user could be denied because of the extended permissions on the file. To check for this, run (from the command line):
setenforce 0
If the problem goes away (i.e. the page is visible) then your extended permissions are blocking access.
See http://wiki.apache.org/httpd/13PermissionDenied for details.
Selinux is not expecting the http server to access files under /home/domain since it is not a standard path.
You can change it with following command:
chcon -R --type=httpd_sys_rw_content_t /home/domain/public_html/

Fixing 403 Forbidden on alias directory with Apache

I am trying to setup an alias to point to some directory on my filesystem not in DocumentRoot. Now I get a 403 Forbidden response. These are the steps taken:
1. edit http.conf, adding:
Alias /example "/Users/user/Documents/example"
then...
<Directory "/Users/user/Documents/example">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all</Directory>
2. setting permissions with chmod in terminal:
chmod 755 /Users/user/Documents/example
Now it should work? instead I get the access forbidden. This is the output from error_log:
[Sun Jul 24 06:57:57 2011] [error] [client xx.xx.xx.xx] (13)Permission denied: access to /example denied
I was having this issue on OS X too. It turned out gliptak was right, but I've some more detail to add.
We're both attempting to configure a virtual directory for a folder under a user's home folder; I think this is why we're having the problem. In my case, I had the following setup:
Home folder is /Users/calrion.
Virtual directory folder is /Users/calrion/Path/to/www.
There's a symlink /Users/calrion/Path pointing to /Volumes/Other/Users/calrion/Path.
The problem was the user and group _www (which Apache runs as on OS X) lacked execute access to /Users/calrion and /Volumes/Other/Users/calrion.
Running chmod o+x /Users/calrion and chmod o+x /Volumes/Other/Users/calrion resolved the issue (on OS X 10.7.4).
The rule here is that Apache requires execute access to all folders in the path in order to serve files. Without this, you'll get a HTTP 403 (forbidden).
The last straw ;) Required local in the Directory Entry...
like
<Directory "/Users/user/Documents/example">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
Order allow,deny
Allow from all
</Directory>
if everything else doesn't work (correct Alias, Directory Entry in httpd.conf and correct mod/usr/grp).
keep in mind: if you put your site in user-space the apache user (running httpd) needs access to your home!
Check permission on /Users/user/Documents/, /Users/user/ (higher level permissions are enforced first ...)
/bin/su into the user running Apache (like www, www-data) and cat a file in the /Users/user/Documents/example directory. That might point you to permission problems with your setup.
These are all very good answers.
None of them worked for me.
I have an alias specified in OSX server pointing to a user directory. I spent a long while chmodding and messing with _www user, adding executable permissions recursively, uninstalling macports and all sorts of stuff trying to get this to work. I tried 777. Nope. No idea why it wasn't working.
Eventually, I just checked the "shared folder" checkbox in the Finder for that folder, and it worked, on the specified domain, with php active, the way I wanted it to. :/ ...so that was easy.
I was just having this exact same issue. What I found was SE_Linux was enabled, and the security context of the files in my Aliased directory was incorrect, missing httpd_sys_content_t.
You can view the security context with ls -Z. If your files/folders don't have httpd_sys_content_t then apache won't server them up! You can add the proper context with something like chcon -R --type=httpd_sys_content_t /new_html_directory. This will change the context of the files currently in the directory, but not any files that are added afterwards (for that you'll need to work with semanage). Your other option is to just leave the files under /var/www.
Here's what fixed it for me:
in /etc/apache2/httpd.conf
<Directory />
Options FollowSymLinks
AllowOverride None
# REMOVE THESE LINES
#Order deny,allow
#Deny from all
# ADD THIS LINE
Require all denied
</Directory>
This change implements changes made in the apache update from 2.2 to 2.4. The OSX Yosemite update brought the apache update with it (PSA: if you're planning on upgrading to Yosemite, budget yourself a week to fix everything it breaks).
The weird thing is that I already got apache 2.4 working, and suddenly it breaks again....
PSA: if you're planning on upgrading to Yosemite, budget yourself a week to fix everything it breaks
After lots of time waste i fixed the issue and i wanted to share to save your time.
All the gentelmen above and on other posts has some correct parts in their answers but below is the sum
In your "/etc/apache2/httpd.conf" file:
1- change your document root
Original: DocumentRoot "/Library/WebServer/Documents"
Change to: DocumentRoot "/Users/yourname/www"
2- change
Original:
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
Change to:
<Directory /Users/yourname/www>
Options FollowSymLinks Includes ExecCGI
AllowOverride None
Order deny,allow
Deny from all
</Directory>
3- Change:
Original:
<Directory "/Library/WebServer/Documents">
Change to:
<Directory "/Users/yourname/www">
4- Finally, you might not need this step if you are the supper user, this is to set the right permition on your new root folder
chmod 755 /Users/yourname/www
Hope this will help
It certainly does look right, do a sanity check.
you restarted apache
check group and user ownership
I think the quotes can be removed
there is something in /Users/user/Documents/example ?
try 777
-sean
SELinux was the culprit for me. If you're having this issue on a linux box and your alias and file permissions are correct than try doing a "setenforce 0" to put SELinux into permissive mode. That did the trick for me.
I had to revert my apache config file and then set up the server again. found this useful:
https://apple.stackexchange.com/questions/41143/how-to-revert-default-mac-apache-install-to-original
Quick Solution:
Use these commands as root on Linux:
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;