We Keep Coding

Apache multiple sites, one works, other doesn't

I've tried everything on similar questions but no luck.
I'm getting "You don't have permission to access X on this server." on all requests.
I have two sites on the same IP, the apache config files are identical, the file permissions are identical, however, one works and the other doesn't.
The config file:
<VirtualHost x.x.xxx.xx:80>
ServerName site2.example.com
ServerAlias site2.example.com
Redirect / https://site2.example.com/
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
</VirtualHost>
<VirtualHost x.x.xxx.xx:443>
Protocols h2 http/1.1
ServerName site2.example.com
ServerAlias site2.example.com
ServerAdmin it#example.com
SetEnv ENVIRONMENT production
DocumentRoot /data/www/site2.example.com
<Directory /data/www/site2.example.com>
Options -Indexes +FollowSymLinks
AllowOverride All
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
Require all granted
</Directory>
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
ErrorLog /var/log/apache2/site2_error.log
LogLevel warn
KeepAlive On
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/site2.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site2.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
Header add Strict-Transport-Security "max-age=15768000"
# Add File Caching
<filesMatch ".(js|css|png|jpeg|jpg|gif|ico|pdf)$">
Header set Cache-Control "max-age=31536000, public"
</filesMatch>
# Disable slower encryption on older versions of IE
SetEnvIf User-Agent ".*MSIE [1-5].*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SetEnvIf User-Agent ".*MSIE [6-9].*" \
ssl-unclean-shutdown
</VirtualHost>
What could I be missing?
The permission commands used:
sudo chown -R www-data:www-data /data/www/site2.example.com
sudo find /data/www/site2.example.com -type f -exec chmod 644 {} \;
sudo find /data/www/site2.example.com -type d -exec chmod 775 {} \;
I've already restarted apache.

So the problem was that for SSL the config file above wasn't being used. I've found the problem by listing the sites enabled sudo apache2ctl -S which returned:
port 443 namevhost site2.example.com (/etc/apache2/sites-enabled/site2-le-ssl.conf:2)
Which is a file created when setting up letsencrypt. I fixed the issue by disabling the config file, sudo a2dissite site2-le-ssl.conf.

Maybe the problem is not the config. Many other modifiers (including .htaccess) impact the server response.
To isolate the problem, use the failing website config file but use the working website directory path and see if it works.

Apache 2.4 compression not working when using alias and reverse proxy

Problem:
I have an alias directory for a url sub path that pulls static data. I can get this to gzip compress just fine. However, when I add proxy to other paths and add an exception for my static data, compression stops.
Environment
Windows x64
Apache 2.4
Key Configuration in httpd.conf
<Directory "${SRVROOT}/static">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# I have used FilterProvider as well an know this just does javascript at the moment
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
SetOutputFilter DEFLATE
<IfModule alias_module>
Alias "/static" "${SRVROOT}/static"
ScriptAlias /cgi-bin/ "${SRVROOT}/cgi-bin/"
</IfModule>
With this configuration and a "static" folder under SRVROOT, I place a file bundle.js (3M of data). Polling this file at http://localhost/static/bundle.js gives me 600K of download with gzip compression. ALL GOOD
Now for the change. The default path of the app needs to reverse proxy to another application and apache is just serving up static content.
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
extra/proxy-html.conf file content
#default proxy stuff above...
ProxyRequests off
ProxyPass / http://localhost:5000/
#ProxyPass /static/ /
ProxyHTMLURLMap http://localhost:5000/ /
<Location />
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap / /
RequestHeader unset Accept-Encoding
</Location>
<Location /static/ >
ProxyPass !
</Location>
This still allows me to hit my static data, only now the gzip compression is not happening. I do not know if this is a bug in apache or if there is a better way to configure this.
Here are my requirements:
I cannot change the pathing of the url (static is where it is, and root url content gets reverse proxied
I need compression
Deployment is to a root folder that honestly is not named static, so the fact that I route (in this example) static to {some directory}/static it is really http://localhost/static/* to a dist folder in all actuality.

It appears that RequestHeader unset Accept-Encoding is bleeding over into the other Location definition. This seems like it should not be expected behavior. There appears to be two solutions to the problem.
Remove the ProxyHTMLURLMap and RequestHeader unset Accept-Encoding as this needs to uncompress the content
to do the url rewriting.
Inflate and Deflate the content. I have yet to determine of this will inflate and deflate the static content on the server. The only reason I mention this is because the usetting of the Accept-Encoding seemed to bleed over into the static section. -- Not sure how to test this yet.
Example of removing ProxyURLMap
ProxyRequests off
ProxyPass / http://localhost:5000/
ProxyPassReverse / http://localhost:5000/
<Location /static/ >
ProxyPass !
</Location>
#Do not use this anymore
#<Location />
# ProxyPassReverse /
# ProxyHTMLEnable On
# ProxyHTMLURLMap / /
# RequestHeader unset Accept-Encoding
#</Location>
Example of using the INFLATE;DEFLATE
ProxyRequests off
ProxyPass / http://localhost:5000/
ProxyPassReverse / http://localhost:5000/
<Location />
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap / /
SetOutputFilter INFLATE;DEFLATE
</Location>
<Location /static/ >
ProxyPass !
</Location>

angular 2 html video non english subtitles served by apache2

I have angular 2 app with latest angular-cli. App has html video player and is able to play videos with english subtitles (vtt). Video and subtitle files are served with apache2 and so is angular bundle from dist/. English subtitles are working fine but non english simply not appear in the video.
The key difference is when I access non-en sub. with chrome a get the encoding right (expected chars.). But when accessed (loaded by track tag) encoding is wrong (some messy chars.).
I only noticed difference in req header: accept, but I doubt that's the cause.
direct access with chrome:
loaded by track:
I'm including my apache configs (last lines are just tries with encoding, long time no see apache...).
apache2.conf:
...
<IfModule mod_mime.c>
AddType application/x-javascript .js
AddType text/css .css
AddType text/plain .webapp
AddType text/xml .xml
AddType application/xml .xml
AddType application/javascript .js
AddType application/javascript .json
</IfModule>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
<IfModule mod_setenvif.c>
SetEnvIfNoCase Request_URI \.(?:rar|zip)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:gif|jpg|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:avi|mov|mp4)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>
AddDefaultCharset utf-8
<FilesMatch \.vtt$>
ForceType text/vtt;charset=utf-8
</FilesMatch>
AddType text/vtt .vtt
AddCharset UTF-8 .vtt
apache2 conf sites-enabled/000-default.conf:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
<Directory />
Options -Indexes FollowSymLinks
AllowOverride None
Header set Access-Control-Allow-Origin "*"
</Directory>
<Directory /var/www/>
Header set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Directory /var/www/hvp/>
Header set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect permanent / https://myserver/
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/myserver/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myserver/privkey.pem
<Directory /var/www/hvp/>
Header set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/https_error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/https_access.log combined
</VirtualHost>
What could cause this behaviour? thx.

I managed to solve it.
First, when a file has a .vtt suffix chrome interprets it and finds right encoding. So comparing these two was pointless. Now when subs are working and I look in network tab I see messy chars anyway, but in player it's working.
Second, replacing commas with dots in time definition helped alongside with editing in webstorm and checking result in vlc.
So the real problem were the subtitle file's encoding and/or commas instead of dots in time def.

403 errors for images only on newly added ServerAlias

I have had two webservers running on the same machine with addresses like the following:
internal.myservername.com
and
test.myservername.com
The test site is (on some pages) pulling images from the internal site, and works flawlessly. Now that we are out of testing, I wanted to add/change the test domain to be the main site, so I added the apache server alias of myservername.com to the test site, but although all pages work, any images from internal will not show up on that address, resulting in a 403 error:
[access_compat:error] AH01797: client denied by server configuration
I have also tried setting up myservername.com as its own domain, and also tried making it the primary name on the test site (with test being an alias). In all cases, test.myservername.com continues to work fine and display images correctly, whereas myservername.com will not (resulting in all the 403 errors for these embedded images).
I have checked all configs and find nothing amiss. And there is nothing in my .htaccess files or conf files that is specific to "test". I am stumped.
I should probably also mention that I am running on a Mac OS Sierra server. (Server version: Apache/2.4.23 (Unix))
UPDATE WITH REQUESTED DETAIL:
img tags: there is nothing special in the image tags, they are called using the full url, ie
<img src="http://internal.myservername.com/images/imagename.jpg" />
I should also add that if I take the exact src url and paste it alone into a browser, the image WILL load. It is only embedded in the page that it will refuse to load. (and only on the main domain, test works fine embedded in img tag)
And the setup of test/main conf is:
<VirtualHost 127.0.0.1:34580>
ServerName http://test.myservername.com:80
ServerAdmin admin#example.com
DocumentRoot "/Library/Server/Web/Data/Sites/myservername.com/plugins/mywebsite"
DirectoryIndex index.php home.php index.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
<IfModule mod_ssl.c>
SSLEngine Off
SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLProxyEngine Off
SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
</IfModule>
<IfModule mod_secure_transport.c>
MSTEngine Off
MSTCipherSuite HIGH, MEDIUM
MSTProtocolRange TLSv1.2 TLSv1.2
MSTProxyEngine On
MSTProxyProtocolRange TLSv1.2 TLSv1.2
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/myservername.com/plugins/mywebsite">
Options All -Indexes +ExecCGI +Includes +MultiViews
AllowOverride All
<IfModule mod_dav.c>
DAV Off
</IfModule>
<IfDefine !WEBSERVICE_ON>
Require all denied
ErrorDocument 403 /customerror/websitesoff403.html
</IfDefine>
</Directory>
ServerAlias myservername.com
And the conf for internal:
<VirtualHost 127.0.0.1:34580>
ServerName http://internal.myservername.com:80
ServerAdmin admin#example.com
DocumentRoot "/Library/Server/Web/Data/Sites/myservername.com"
DirectoryIndex index.php
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
<IfModule mod_ssl.c>
SSLEngine Off
SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLProxyEngine Off
SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
</IfModule>
<IfModule mod_secure_transport.c>
MSTEngine Off
MSTCipherSuite HIGH, MEDIUM
MSTProtocolRange TLSv1.2 TLSv1.2
MSTProxyEngine On
MSTProxyProtocolRange TLSv1.2 TLSv1.2
</IfModule>
<IfModule mod_headers.c>
<filesmatch "^.*www.*\.jpg$">
Header set Cache-Control "max-age=2678400, public"
</filesmatch>
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/myservername.com">
Options All -Indexes +ExecCGI +Includes +MultiViews
AllowOverride All
Require all granted
<IfModule mod_dav.c>
DAV Off
</IfModule>
<IfDefine !WEBSERVICE_ON>
Require all denied
ErrorDocument 403 /customerror/websitesoff403.html
</IfDefine>
</Directory>
</VirtualHost>

UGH, I just figured out what was causing this, and here are the steps I took to figure it out:
Because my error was happening in mod_access_compat, I turned off that module to see if anything changed
This resulted in a much more clear error_log message that pointed to a problem with an .htaccess file inside my images folder on the internal site (that was setup by someone else and that I had no idea existed until the error showed it to me)
That .htaccess file contained directives that allowed my test site to pull images, but not the new domain, so once I added it to the file, all was fixed.
For those that want to know what the directives there were:
SetEnvIfNoCase Referer "^http://test.myservername.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://test.myservername.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://internal.myservername.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://internal.myservername.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>
And by adding the following two lines, it now works:
SetEnvIfNoCase Referer "^http://myservername.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://myservername.com$" locally_linked=1

Strange CSS/Apache problem

I have been trying to install ReviewBoard and all looks like it has gone well, in as much as I can access the site and functionality
However, I have strangeness where no style sheet appears to be applied for some reason.
I suspect it may be a permissions issue on a folder that it can't access or some Apache setup error I have made.
Is there any Apache configuration that could have caused this?
Has anyone experienced any similar problems not just for ReviewBoard?
Further info: It looks like Apache is receiving the request for the Stylesheets
[20/May/2009:10:00:35 +0100] "GET /reviewboard/media/rb/css/common.css?1242747706 HTTP/1.1" 404 2512
[20/May/2009:10:00:35 +0100] "GET /reviewboard/media/rb/css/ie_hacks.css?1242747706 HTTP/1.1" 404 2514
[20/May/2009:10:00:36 +0100] "GET /reviewboard/media/rb/js/csshover2.htc?1242747706 HTTP/1.1" 404 2514
[20/May/2009:10:00:36 +0100] "GET /reviewboard/media/rb/js/pngfix.htc?1242747706 HTTP/1.1" 404 2511
EDIT: Looking at the access logs the GET for the CSS is actually 404-ing as the path should be reviewboard/htdocs/media/rb/css/* (although there is an alias in the HTTP.conf that I assumed dealt with this.
EDIT: The .htaccess file contains
<IfModule mod_expires.c>
<FilesMatch "\.(jpg|gif|png|css|js|htc)">
ExpiresActive on
ExpiresDefault "access plus 1 year"
</FilesMatch>
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>
EDIT:
The httpd.conf sections looks like this
<VirtualHost *:8080>
ServerName FASKALLYRB
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/reviewboard/htdocs"
# Error handlers
ErrorDocument 500 /errordocs/500.html
ErrorDocument 404 /errordocs/500.html
# Serve django pages
<Location "/">
PythonPath "['C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/reviewboard/conf'] + sys.path"
SetEnv DJANGO_SETTINGS_MODULE reviewboard.settings
SetEnv PYTHON_EGG_CACHE "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/reviewboard/tmp/egg_cache"
SetHandler mod_python
PythonHandler django.core.handlers.modpython
PythonAutoReload Off
PythonDebug Off
# Used to run multiple mod_python sites in the same apache
PythonInterpreter reviewboard_reviewboard
</Location>
# Serve static media without running it through mod_python
# (overrides the above)
<Location "reviewboard/media">
SetHandler None
</Location>
<Location "reviewboard/errordocs">
SetHandler None
</Location>
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/reviewboard/htdocs">
AllowOverride All
</Directory>
# Alias static media requests to filesystem
Alias reviewboard/media "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/reviewboard/htdocs/media"
Alias reviewboard/errordocs "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/reviewboard/htdocs/errordocs"
</VirtualHost>

The URL for Location and Alias directives can't be relative and needs a leading slash. Thus you should be using '/reviewboard/.......'.
FWIW, the PythonInterpreter directive isn't used for what your comment against it seems to indicate you think it does.
# Used to run multiple mod_python sites in the same apache
PythonInterpreter reviewboard_reviewboard
The application is always run within same Apache instance. What PythonInterpreter does is allow you control which Python sub interpreter within each Apache server child process it runs. It is actually redundant in your case, as the same sub interpreter is by default used for all mod_python hosted applications under the same VirtualHost. Note that there will still be multiple instances of the application, on in each of the Apache server child processes.

You could make a symlink in reviewboard called 'media' that points at htdocs/media perhaps.
Alternatively:
move htdocs/media to ..
or go into the reviewboard code and tweak the url generating code
or if you have mod_rewrite installed you could redirect requests to the right place