New apache install: 403 Forbidden error

beebopbogo · 05-24-2009, 11:25 PM

I just installed Fedora Core 9 on my desktop PC i386 a few weeks ago, and just finished installing Apache 2.0.63/PHP onto it. Unfortunately, I keep getting this error:

//Quote//
Forbidden

You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.0.63 (Unix) Server at blah.blah.com Port 8002
//End Quote//

At least the server is up and running so I can see the error message and not some "Address not found" or something...

I compiled from source using these configure commands:
Apache: './configure --enable-so --prefix=/usr/local/apache2'
PHP: './configure --with-apxs2=/usr/local/apache2/bin/apxs --prefix=/usr/local/php5'

I do have an index.html file in my DocumentRoot folder with 777 permissions, and every folder above it is 755 with the owner set as my username (not username "apache", if that makes a difference).

Anyone have some possible solutions to this permissions problem?

Here is an excerpt of the checklist I've been working on:

# Webserver not working
..(See 'Internet Connection' above for more tests)
..Test what level isn't working:
....Is ethernet card working?:
......'ping 192.168.2.2' local
......'ssh esus.cs.montana.edu' global
......'ping www.blah.com' from esus to test access from the outside network. "blah" is my dyndns hop to my global IP address.
....If unknown server:
......'/sbin/ifconfig eth0 192.168.2.2 netmask 255.255.255.0'
......'/sbin/route add default gw 192.168.2.1'
....Is webserver serving?
......'netstat -tapn'
......'telnet 192.168.2.2 8002'
....iptables are in order? Let correct port through.
....port forwarding is set? Let correct port through.
....Is apachectl using the correct version?
......'whereis apache2ctl'
......'whereis apachectl'
......I removed /etc/apache2 and am using /usr/local/apache2
....Make sure you are starting apache correctly
......'ps aux | grep httpd' will show if it's running and who started it
......The 'apache' user should have started it.
......If 'root' user is listed, run '/usr/local/apache2/bin/apachectl stop'
......Then '/etc/init.d/httpd start'
......Now check 'ps aux | grep httpd'

bathory · 05-24-2009, 11:58 PM

Check the apache error_log to see if you find more details about the 403 Error. Make sure also that is not a SELinux problem.

Regards

beebopbogo · 05-25-2009, 12:33 AM

SELinux:
I inserted this in my grub.conf a while ago. It should be booting up without SELinux:

kernel /vmlinuz-2.6.27.21-78.2.41.fc9.i686 ro root=UUID=935355f0-a396-4f86-9225-72a286e299f6 rhgb selinux=0

/usr/bin/getenforce returns "Disabled"

Logs:
'tail /usr/local/apache2/logs/error_log' just returns a bunch of
'(13)Permission denied: access to / denied' lines from the IP I'm at now.

bathory · 05-25-2009, 12:50 AM

Quote:

I do have an index.html file in my DocumentRoot folder with 777 permissions, and every folder above it is 755 with the owner set as my username (not username "apache", if that makes a difference).

Normally this shouldn't be a problem, for web pages, but just to check change the owner to the apache user.
Consider posting httpd.conf to see how you've configured apache.
Also what happens when you access the server like: http://blah.com:8002/index.html

beebopbogo · 05-25-2009, 12:51 AM

Here's my httpd.conf as well:

ServerRoot "/usr/local/apache2"

<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
</IfModule>
</IfModule>

<IfModule !mpm_netware.c>
<IfModule !perchild.c>
</IfModule>
</IfModule>

<IfModule !mpm_netware.c>
PidFile logs/httpd.pid
</IfModule>

Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 15

<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>

<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>

<IfModule perchild.c>
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
</IfModule>

<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild 0
</IfModule>

<IfModule beos.c>
StartThreads 10
MaxClients 50
MaxRequestsPerThread 10000
</IfModule>

<IfModule mpm_netware.c>
ThreadStackSize 65536
StartThreads 250
MinSpareThreads 25
MaxSpareThreads 250
MaxThreads 1000
MaxRequestsPerChild 0
MaxMemFree 100
</IfModule>

<IfModule mpmt_os2.c>
StartServers 2
MinSpareThreads 5
MaxSpareThreads 10
MaxRequestsPerChild 0
</IfModule>

Listen 192.168.2.2:8002

<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>

User nobody
Group #-1
</IfModule>
</IfModule>

ServerAdmin blah@hotmail.com

ServerName www.blah.com:8002

UseCanonicalName Off

DocumentRoot "/home/blah/www/htmldocs"

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

<Directory "/home/blah/www/htmldocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

UserDir public_html

DirectoryIndex index.html index.html.var index.php

AccessFileName .htaccess

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

TypesConfig conf/mime.types

DefaultType text/plain

<IfModule mod_mime_magic.c>
MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off

ErrorLog logs/error_log

LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log common

ServerTokens Full

ServerSignature On

Alias /icons/ "/usr/local/apache2/icons/"

<Directory "/usr/local/apache2/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>

AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|ru))?(/.*)?$ "/usr/local/apache2/manual$1"

<Directory "/usr/local/apache2/manual">
Options Indexes
AllowOverride None
Order allow,deny
Allow from all

<Files *.html>
SetHandler type-map
</Files>

SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|ru)/ prefer-language=$1
RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|ru)){2,}(/.*)?$ /manual/$1$2
</Directory>

ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"

<IfModule mod_cgid.c>
</IfModule>

<Directory "/usr/local/apache2/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

ForceLanguagePriority Prefer Fallback

AddDefaultCharset ISO-8859-1

AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8

AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

AddHandler type-map var

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully

<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>

beebopbogo · 05-25-2009, 12:54 AM

http://www.blah.com:8002/index.html is the same result as
http://www.blah.com:8002

Forbidden

You don't have permission to access /index.html on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.0.63 (Unix) Server at www.blah.com Port 8002

beebopbogo · 05-25-2009, 01:02 AM

[root@localhost conf]# ps aux | grep apache
root 22569 0.0 0.3 4032 1576 ? Ss May17 0:09 /usr/local/apache2/bin/httpd -k start
nobody 22570 0.0 0.3 4032 1636 ? S May17 0:00 /usr/local/apache2/bin/httpd -k start
nobody 22571 0.0 0.3 4032 1636 ? S May17 0:00 /usr/local/apache2/bin/httpd -k start
nobody 22572 0.0 0.3 4032 1636 ? S May17 0:00 /usr/local/apache2/bin/httpd -k start
nobody 22573 0.0 0.3 4032 1636 ? S May17 0:00 /usr/local/apache2/bin/httpd -k start
nobody 22574 0.0 0.3 4032 1632 ? S May17 0:00 /usr/local/apache2/bin/httpd -k start
nobody 22580 0.0 0.3 4032 1628 ? S May17 0:00 /usr/local/apache2/bin/httpd -k start
root 24986 0.0 0.1 4120 692 pts/3 S+ 22:58 0:00 grep apache

It seems the server is being run my the 'nobody' user. However:

[root@localhost conf]# su nobody
This account is currently not available.

I tried 'chown -R nobody:nobody /home/blah/www' but same results.

The 'apache' user does not exist ('cat /etc/passwd | grep apache' comes back blank) but the httpd.conf shows the default as 'nobody' anyway:

<IfModule !mpm_winnt.c>
<IfModule !mpm_netware.c>
User nobody
Group #-1
</IfModule>
</IfModule>

bathory · 05-25-2009, 02:14 AM

Doh, what it's the output of:

Code:

ls -l /home/blah
ls -al /home/blah

beebopbogo · 05-25-2009, 01:31 PM

Here's the line from my httpd.conf:
DocumentRoot "/home/blah/www/htmldocs"

And here's the output:
[blah@localhost ~]$ ls -l /home/blah
total 24
drwxr-xr-x 2 blah blah 4096 2009-04-18 23:13 Desktop
drwxr-xr-x 2 blah blah 4096 2009-05-17 15:54 Download
drwxr-xr-x 5 blah blah 4096 2009-05-24 20:43 roottools
drwxr-xr-x 3 blah blah 4096 2009-04-19 00:02 www

[blah@localhost ~]$ ls -l /home/blah/www/
total 4
drwxrwxrwx 2 blah blah 4096 2009-04-21 00:09 htmldocs
[blah@localhost ~]$ ls -l /home/blah/www/htmldocs/
total 8
-rwxrwxrwx 1 blah blah 37 2009-04-20 20:36 index.html
-rwxrwxrwx 1 blah blah 47 2009-04-19 00:02 test.php

bathory · 05-25-2009, 01:55 PM

What is the output of:

Code:

/usr/local/apache2/bin/apachectl -S

beebopbogo · 05-25-2009, 01:59 PM

[root@localhost bin]# /usr/local/apache2/bin/apachectl -S
VirtualHost configuration:
Syntax OK

beebopbogo · 05-25-2009, 02:06 PM

Also, this displays the test page nicely:
[blah@localhost htmldocs]# w3m file:///home/blah/www/htmldocs/index.html

But this one still gets the 403 error:
[blah@localhost htmldocs]# w3m http://192.168.2.2:8002

beebopbogo · 05-25-2009, 02:47 PM

Hey, here's some good news:

When the server is run by user 'nobody' it causes the 403 forbidden error.

I changed the httpd.conf line
'User nobody'
to
'User blah'
and it works.

The user 'nobody' worked fine on my last install of linux (FC8). Did something change in FC9?
I'd rather not use my personal user name for my server. Any ideas on how to get nobody working? Or add a new user, like 'apache'?

bathory · 05-25-2009, 03:37 PM

It shouldn't be a problem as far as the permissions for the directory above docroot are 755. Maybe /home/blah has 700 permissions, that's why you had to change the User in httpd.conf to your username.

beebopbogo · 05-25-2009, 04:36 PM

Good call! My /home/blah was at 700. I set 'chmod 755 /home/blah' and all is good in the world. Thanks!