Apache 403 on root serves test page instead of forbidden page

ekortright · 01-21-2014, 08:54 AM

I am testing blocking certain IP addresses on Apache (2.0 and 2.2).

When the blocked machine accesses anything under the root (e.g., mysite.com/index.html), it gets the forbidden page (either built-in or custom-defined with ErrorDocument) as expected.

However, when getting the root itself (e.g., mysite.com/), Apache serves the built-in test page ("if you can read this page"), instead of the forbidden page.

Requests for both the root and for files under the root get a 403 response and the error log shows "client denied by server configuration". The only difference is that when getting the root the user sees the test page, and when accessing anything under the root he sees the forbidden page.

Here is the entire .htaccess file in the root directory:

Code:

order allow,deny
allow from all
deny from 0.0.0.0

where 0.0.0.0 is replaced by an actual IP address.

In httpd.conf, in the virtual host entry for the site, all I have is:

Code:

<Directory "/var/www/mysite">
      AllowOverride All
</Directory>

I've tried rewriting requests for the root to /index.html, but nothing seems to work.

Could this be a bug in Apache? Or is there something in the configuration that is making it behave this way?

bathory · 01-21-2014, 04:02 PM

Hi and welcome to LQ,

Your configuration look correct, so it should work.
Perhaps you need to clear your browser cache to do your tests.

Regards

ekortright · 01-21-2014, 08:18 PM

Thank you, but I have tested this behavior both with a browser and with curl (there is no question of caching in that case).

bathory · 01-22-2014, 02:45 AM

Quote:

Originally Posted by ekortright

Thank you, but I have tested this behavior both with a browser and with curl (there is no question of caching in that case).

Doh, it should work.
Anyways you can replace your rules with mod_rewrite, like this:

Code:

RewriteEngine On

RewriteCond %{REMOTE_HOST} ^0.0.0.0.0$
RewriteRule .* - [F]

ekortright · 07-15-2014, 10:12 AM

Quote:

Originally Posted by bathory

Doh, it should work.
Anyways you can replace your rules with mod_rewrite, like this:

Code:

RewriteEngine On

RewriteCond %{REMOTE_HOST} ^0.0.0.0.0$
RewriteRule .* - [F]

Sorry for not coming back to this; I've been snowed under with other projects.

Unfortunately, your suggestion is not really an option, as the forbidden IP addresses number in the hundreds. My example was the bare minimum configuration to try to figure out what could possibly be wrong.

I just tried yet another Apache server (v. 2.2.15), where I have some Rails apps in subdirectories under the root. I have the root itself configured like this in the virtual host in the httpd.conf file:

Code:

        <Directory "/opt/webapps">
                Options -MultiViews
                Deny from all
                AllowOverride all
        </Directory>

Going to the root of the site results in a 403 Forbidden response, but the page itself displays the Apache "if you can read this page" document.

As you say, it should work, but it doesn't.

bathory · 07-15-2014, 03:36 PM

Quote:

Going to the root of the site results in a 403 Forbidden response, but the page itself displays the Apache "if you can read this page" document.

I don't get it. Where (what URL) you get the 403 and where you get the index page?

ekortright · 07-15-2014, 07:31 PM

Quote:

Originally Posted by bathory

I don't get it. Where (what URL) you get the 403 and where you get the index page?

In this latest test I get a 403 response when I navigate to the root of the site, for example: http://www.mysite.com/

The server returns an HTML document along with the 403 response, consisting of the Apache test page (the page Apache serves when there is nothing in the root folder).

Originally the folder was empty of any documents (no index.html), and contained only subdirectories. I added a dummy index.html file, but got exactly the same result: navigating to the root of the site (http://www.mysite.com/) returned a 403 response with the Apache test page in the body of the response.

bathory · 07-16-2014, 12:23 AM

Quote:

Originally Posted by ekortright

In this latest test I get a 403 response when I navigate to the root of the site, for example: http://www.mysite.com/

The server returns an HTML document along with the 403 response, consisting of the Apache test page (the page Apache serves when there is nothing in the root folder).

Originally the folder was empty of any documents (no index.html), and contained only subdirectories. I added a dummy index.html file, but got exactly the same result: navigating to the root of the site (http://www.mysite.com/) returned a 403 response with the Apache test page in the body of the response.

Are you sure you don't have a custom 403 error page? I.e something like:

Code:

ErrorDocument 403 /path/to/test-page.html