[SOLVED] Apache

AlucardZero · 11-19-2009, 04:14 PM

Error:

Code:

Forbidden
 
You don't have permission to access /~support/index.html on this server.
 
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.0.46 (Red Hat) Server at server.example.com Port 80

URL I am trying to hit: http://server.example.com/~support/index.html

This server is behind a restrictive firewall, so even if I gave you the real URL, you couldn't hit it

.

Server:

Code:

# cat /etc/*release
Red Hat Enterprise Linux AS release 3 (Taroon Update 9)
# uname -a
Linux server.example.com 2.4.21-32.0.1.EL #1 Tue May 17 18:01:37 EDT 2005 i686 i686 i386 GNU/Linux
# rpm -qa | grep httpd-2
httpd-2.0.46-77.ent

Permissions are fine:

Code:

# ls -ld / /home /home/support /home/support/public_html /home/support/public_html/index.html
drwxr-xr-x   31 root     root         4096 Nov  1 12:11 /
drwxrwxrwx   88 root     root        12288 Oct 29 18:10 /home
drwxrwxr-x   45 support  ip     20480 Nov 19 10:17 /home/support
drwxrwxr-x   35 support  ip     16384 Nov 19 11:32 /home/support/public_html
-rw-rw-r--    1 support  ip     32166 Jun 21  2005 /home/support/public_html/index.html

httpd is running under user apache. If I "su - apache", I am able to read index.html.

I reinstalled apache after moving /etc/httpd out of the way, and the only change I made to the default httpd.conf was to comment out "UserDir disable" and uncomment "UserDir public_html".

DocumentRoot is /var/www/html.

There are no files named .htaccess anywhere in /var/www/html or /home/support.

Adding apache to the ip group (or support to the apache group) changed nothing.

(Temporarily) chmoding 777 / /home /home/support /home/support/public_html and /home/support/public_html/index.html changed nothing.

http://server.example.com/~alucard/ works fine.

The error logs says:

Code:

[Thu Nov 19 16:09:00 2009] [error] [client 1.1.1.1] (13)Permission denied: access to /~support/index.html denied
[Thu Nov 19 16:09:00 2009] [error] [client 1.1.1.1] File does not exist: /var/www/html/favicon.ico, referer: http://inside-wcds.swg.usma.ibm.com/~support/index.html

I'm at a loss as to why I am still getting Forbidden - any more ideas?

bathory · 11-19-2009, 05:18 PM

Hi,

Since it's a RHEL server could be a SELinux permissions problem.

AlucardZero · 11-19-2009, 06:09 PM

I don't think RHEL3 comes with SELinux.

anomie · 11-19-2009, 06:16 PM

Anything useful in Apache's error log? (If not, try cranking up to LogLevel debug and try the request again to capture more info.)

AlucardZero · 11-19-2009, 06:18 PM

When I turn LogLevel to debug, I get the same error in error_log as above.

anomie · 11-19-2009, 06:22 PM

Oops. I thought I read it carefully, and I still missed that.

Do you have any <Location> directives in place where you're denying access?

Failing that, I think I'd create a new user account and see if his home directory is accessible. If so, perhaps blow away "support" and recreate from scratch. (May not help, but also should not hurt.)

AlucardZero · 11-20-2009, 10:07 AM

No uncommented Location directives. Some Directory directives, but they're the default:

Code:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>


<Directory "/var/www/html">
    Options Indexes FollowSymLinks

    AllowOverride None


    Order allow,deny
    Allow from all
</Directory>

<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

Edit: I didn't see this before:

Code:

# mount | grep home
netapp:/vol/vol0/home on /home type nfs (rw,rsize=8192,wsize=8192,intr,nfsvers=3,bg,addr=1.2.2.2)

Does that matter?

AlucardZero · 11-20-2009, 02:27 PM

The reason was that support's homedir was set to /net/netapp/vol/vol0/home/support, which apache did *not* have access to all the way down the path. I changed the user's homedir to /home/support since it was mounted anyway, and I can hit index.html.