|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
httpd -t -D DUMP_MODULES or with PHP using
apache_get_modules().
[ More Info ]
/etc/httpd/conf/httpd.conf
on an Apache web server, when I tried accessing the site I saw the message
below:
Forbidden
You don't have permission to access / on this server.
I'd encountered the problem in the past when there was a problem with
permissions on the user's home directory. I didn't see any log files for the
site in the directory under the user account, either, where the
ErrorLog and CustomLog directives in the
VirtualHost section for the website should have placed them. I checked the
access for the user's home directory and found that the only access to that
directory was read, write, and execute access for the user's account.
# ls -ld /home/jim drwx------ 5 jim jim 4096 Jan 22 21:44 /home/jim
When I added "search" access for the group and all users to the user's home directory from the root account, I was able to access the website from a browser.
# chmod ga+x /home/joe
I.e., the cause of the problem had been the same as the last time I encountered the error message.
grep resuming
/var/log/httpd/error_log.# grep resuming /var/log/httpd/error_log
[Sun Nov 09 03:29:02.631763 2014] [mpm_prefork:notice] [pid 20663] AH00163: Apac
he/2.4.6 (CentOS) configured -- resuming normal operationshttpd.conf file on a Linux system, I restarted Apache and tried
viewing the website with a browser. Instead of seeing the home page for the
site, I saw:
Forbidden
You don't have permission to access / on this server.
When I looked in the error log for the site, I saw the following:
Checking the public_html directory and the directories
beneath it, I saw that owner, group, and world all had "execute" access,
i.e., the capability to search through the directories.
$ ls -ld public_html drwxrwxr-x. 14 jdoe jdoe 4096 Nov 5 21:04 public_html
But, checking the user's home directory I found there was no access to it except for the owner. When I changed that access to grant search access to other accounts in the same group and all accounts, then the website became visible.
$ chmod ga+x /home/jdoe $ ls -ld /home/jdoe drwx--x--x. 13 jdoe jdoe 4096 Nov 5 21:17 /home/jdoe
You can check the permissions on a directory and the directories
above it up to the root directory with just one command using
the namei -m command in the form namei -m
/path_to_directory/dirname. E.g.:
$ namei -m /home/jdoe/public_html f: /home/jdoe/public_html drwxr-xr-x / drwxr-xr-x home drwx--x--x jdoe drwxrwxr-x public_html
500 Internal Server Error
with the message "The server encountered an internal error or
misconfiguration and was unable to complete your request." whenever I tried
to access a file in a password-protected subdirectory beneath the one
in which I had created the .htaccess file to have the Apache server
redirect visitors accessing an old .html file that I had replaced with a
.php one.
Redirect 301 /dir1/dir2/example.html /dir1/dir2/example.php
In the Apache error log for the website, I saw the following:
[Wed Mar 19 21:05:17 2014] [alert] [client 192.168.0.10] /home/jdoe/public_html/dir1/dir2/dir3/.htaccess: AuthUserFile not allowed here, referer: http://support.moonpoint.com/dir1/dir2/example.php
That error log entry was created when I clicked on a link I had in example.php to access a file in the directory dir3, which was below the one in which example.php was located.
To allow the redirect to work, I had inserted the following code in
the VirtualHost section for the website within Apache's
/etc/httpd/conf/httpd.conf file.
<Directory /home/jdoe/public_html/dir1/dir2>
AllowOverride FileInfo
</Directory>
The .htaccess file for controlling access to the subdirectory
dir1/dir2/dir3 had worked fine until I created another
.htaccess file above it in dir2 for the redirect. The one for controlling access
to dir3 with a username and password was similar to the following:
AuthUserFile /home/jdoe/public_html/.htpasswd-test
AuthGroupFile /dev/null
AuthName Testing
AuthType Basic
Require user test1
Because it contained AuthUserFile and
AuthGroupFile, but I didn't specify AuthConfig
within the <Directory> section for the virtual host
in the httpd.conf file, but only FileInfo
for AllowOverride, the authorization control no longer
worked. When I changed the AllowOverride line to that
shown below and restarted Apache with apachectl restart
then both the redirect for the file in dir2 and the HTTP
basic access
authentication method for files in the subdirectory dir3
beneath dir2 both worked.
<Directory /home/jdoe/public_html/dir1/dir2>
AllowOverride AuthConfig FileInfo
</Directory>
I had forgotten that by limiting AllowOverride to just
FileInfo for dir2, I was effectively nullifying any other
type of overrides in any subdirectores beneath it.
References:
[ More Info ]
httpd.conf, which can usually be found at
/etc/httpd/conf/httpd.conf on
a Linux system. To determine if it is loaded, look for a line similar to the
following in the configuration file:
LoadModule authz_host_module modules/mod_authz_host.so
You can restrict access to a website that is set up as a virtual host by
including information on what IP addresses should have access to documents
on the website in a directory section Directory as shown below.
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin webmaster@example.com
DocumentRoot /home/www/example
ErrorLog /home/www/example/logs/error.log
CustomLog /home/www/example/logs/transfer.log common
<Directory /home/www/example>
Order Deny,Allow
Deny from all
Allow from 192.168 127.0.0.1
</Directory>
</VirtualHost>In the case above, access to the document root of the website, i.e., all documents on the website, is restricted to allow access only from IP addresses beginning with 192.168 and 127.0.0.1, which is the "localhost" address, meaning the address of the server itself. Anyone trying to access example.com from any other IP address would see the default webpage for the server, if any, not the example.com website.
References:
[ More Info ]
[ More Info ]
httpd.conf
file will be used as the default for any domain that doesn't have
its own virtualhost section in the configuration file, if you
use *:80 in the virtualhost section. E.g., suppose
the very first virtualhost listed in httpd.conf
is dummy-host.example.com as shown below.
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /www/docs/dummy-host.example.com
ServerName dummy-host.example.com
ErrorLog logs/dummy-host.example.com-error_log
CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>
If the IP address for another.example.com, points to
the same webserver, but there is no virtualhost section for
another.example.com, then anyone who uses
http://another.example.com will see whatever homepage was set up
for dummy-host.example.com.
References:
