How to make Apache2 to use nfs mount with symlinks

jetberrocal · 11-21-2016, 10:44 AM

I have a Debian server (version 8) with Apache2 installed from repository.

I need help making Apache to use an nfs mount and with symlinks

Is running OK and it has Followsymlinks enabled. I know because I tested it using a symlink to a local folder not on the same path of the Document Root.

I have a Windows Server sharing a NSF folder with read and write access to the root user.

I mount it with this command:

Code:

mount -t nfs -o v3,scontext=unconfined_u:object_r:httpd_sys_content_t:s0 192.168.1.2:/FWData /mnt/nfs/external/htmldata

I test it and I can read,write,delete files and folders on the path.

The owner is root:root and the chmod is drxw-rx-rx. I created a folder inside the htmldata path and it has the same privileges (sarg/sarg-reports)

Then I did a symlink at /var/www/html (Document Root) as

Code:

ln -s sarg-reports /mnt/nfs/external/htmldata/sarg/sarg-reports

When I go to the browser to the address http://myserver/sarg-reports I get error 403 Forbidden access.

I need to use nfs because the server does not have enough space to hold all the sarg reports in its local HD

szboardstretcher · 11-21-2016, 10:48 AM

If SElinux is enabled on the server, then the directory will have to be updated to utilize the webserver context. Something like:

Code:

chcon -Rv --type=httpd_sys_content_t /mnt/nfs/external

jetberrocal · 11-22-2016, 02:09 PM

Quote:

Originally Posted by szboardstretcher

If SElinux is enabled on the server, then the directory will have to be updated to utilize the webserver context. Something like:

Code:

chcon -Rv --type=httpd_sys_content_t /mnt/nfs/external

I looked how do I know SElinux status:
http://www.linuxquestions.org/questi...no-gui-620864/

I did:
cat /etc/sysconfig/selinux
cat: /etc/sysconfig/selinux: No such file or directory
And
sestatus
-bash: sestatus: command not found

So I have to say that SElinux is not enabled in my server, then your suggestion does not apply.

szboardstretcher · 11-22-2016, 02:28 PM

There are about 20 different reasons this could be happening. The fastest way to the answer is to provide as much info as possible. So how about:

What does your apache configuration look like near the 'followsymlinks' section that you added?
What does the command 'mount' output?
What does 'ls -alh /var/www/html' output?
What does 'ls -alh /mnt/nfs/external/htmldata/sarg' output?
What does 'ls -alh /mnt/nfs/external/htmldata/sarg/sarg-reports' output?
What does your apache error and access logs output when requesting the page?

*Please provide the output in CODE blocks in the editor to make it easy to read.

jetberrocal · 11-23-2016, 10:37 AM

As requested:

apache2.conf relevant section (This comes default with apache2.conf):

Code:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

mount output:

Code:

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=253483,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=408976k,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=23,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,size=204488k,mode=700)
192.168.1.2:/FWData on /mnt/nfs/external/htmldata type nfs (rw,relatime,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.2,mountvers=3,mountport=1048,mountproto=udp,local_lock=none,addr=192.168.1.2)
/dev/sdb on /diskb type ext4 (rw,relatime,data=ordered)

'ls -alh /var/www/html' (Using sarg-reports-test symlink):

Code:

total 60K
drwxr-xr-x 5 root root 4.0K Nov 23 12:15 .
drwxr-xr-x 3 root root 4.0K Aug 12 00:20 ..
-rw-r--r-- 1 root root 5.3K Sep  5 15:30 amss-logo.jpg
-rw-r--r-- 1 root root  11K Aug 12 00:26 apache.html
drwxr-xr-x 2 root root 4.0K Aug 19 20:43 e2gCA
drwxr-xr-x 2 root root 4.0K Oct 25 18:08 files
-rw-r--r-- 1 root root 2.3K Sep  5 15:23 index.html
-rw-r--r-- 1 root root 9.1K Sep  5 15:30 LogoFor_iDrive_Main.png
-rw-r--r-- 1 root root  556 Nov 11 16:11 proxy.pac
lrwxrwxrwx 1 root root   24 Nov 21 14:09 sarg-reports -> /diskb/sarg/sarg-reports
lrwxrwxrwx 1 root root   30 Nov 21 14:11 sarg-reports-squid -> /diskb/sarg/sarg-reports-squid
lrwxrwxrwx 1 root root   41 Nov 23 12:15 sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid
drwxr-xr-x 3 root root 4.0K Nov 21 19:31 usr
lrwxrwxrwx 1 root root    9 Nov 11 16:11 wpad.dat -> proxy.pac

'ls -alh /mnt/nfs/external/htmldata/sarg':

Code:

total 1.0K
drwxr-xr-x 2 root       root       64 Nov 23 11:28 .
drwx------ 2 4294967294 4294967294 64 Nov 23 11:28 ..

'ls -alh /mnt/nfs/external/htmldata/sarg/sarg-reports-squid' (Testing with smaller directory):

Code:

total 18K
drwxr-xr-x 2 root root   64 Nov 23 11:53 .
drwxr-xr-x 2 root root   64 Nov 23 11:49 ..
drwxr-xr-x 2 root root 8.0K Nov 23 11:53 2016Nov17-2016Nov17
drwxr-xr-x 2 root root   64 Nov 23 11:53 images
-rw-r--r-- 1 root root 4.4K Nov 17 14:20 index.html
drwxr-xr-x 2 root root   64 Nov 23 12:12 sum

access.log:

Code:

192.168.1.2 - - [23/Nov/2016:12:30:11 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
192.168.1.2 - - [23/Nov/2016:12:30:11 -0400] "GET /favicon.ico HTTP/1.1" 404 501 "http://e2guardian/sarg-reports-test" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

error.log

Code:

[Wed Nov 23 12:30:11.211336 2016] [core:error] [pid 75916] [client 192.168.1.2:20629] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test

szboardstretcher · 11-23-2016, 10:44 AM

Maybe im missing something but at first blush, your symlink says "sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid" but you provided the ls -alh output of "/mnt/nfs/external/htmldata/sarg" which is a different directory.

What user does apache run as in Debian?

Also,. I would try making a symlink to index.html and seeing if apache was able to pick up a file in the same directory as the symlink.

jetberrocal · 11-23-2016, 01:32 PM

Quote:

Originally Posted by szboardstretcher

Maybe im missing something but at first blush, your symlink says "sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid" but you provided the ls -alh output of "/mnt/nfs/external/htmldata/sarg" which is a different directory.

What user does apache run as in Debian?

Also,. I would try making a symlink to index.html and seeing if apache was able to pick up a file in the same directory as the symlink.

Sorry.

I tried a web page on a symlink within the same path (/var/www/html) to a local directory instead of nsf directory and it worked, that is why I know the FollowSymLinks directive is active.

Apache service user run as?
'ps -aux |grep apache2':

Code:

www-data  73936  0.0  0.5 285192 11576 ?        S    07:35   0:00 /usr/sbin/apache2 -k start
www-data  73937  0.0  0.5 285184 11532 ?        S    07:35   0:00 /usr/sbin/apache2 -k start
www-data  73938  0.0  0.5 285192 11548 ?        S    07:35   0:00 /usr/sbin/apache2 -k start
www-data  73939  0.0  0.5 285192 11552 ?        S    07:35   0:00 /usr/sbin/apache2 -k start
www-data  73940  0.0  0.5 285184 11484 ?        S    07:35   0:00 /usr/sbin/apache2 -k start
www-data  75735  0.0  0.5 285184 11532 ?        S    08:16   0:00 /usr/sbin/apache2 -k start
www-data  75916  0.0  0.5 285192 11568 ?        S    08:25   0:00 /usr/sbin/apache2 -k start
root      83511  0.0  0.1  12732  2088 pts/0    S+   15:27   0:00 grep apache2
root     101905  0.0  1.3 284736 27780 ?        Ss   Nov18   0:16 /usr/sbin/apache2 -k start

Providing update with fixed symlink:

'ls -alh /mnt/nfs/external/htmldata/sarg':

Code:

total 2.0K
drwxr-xr-x 2 root       root       64 Nov 23 11:49 .
drwx------ 2 4294967294 4294967294 64 Nov 23 11:28 ..
drwxr-xr-x 2 root       root       64 Nov 23 11:30 sarg-reports
drwxr-xr-x 2 root       root       64 Nov 23 11:53 sarg-reports-squid

'ls -alh /var/www/html' (Using sarg-reports-test symlink):

Code:

total 60K
drwxr-xr-x 5 root root 4.0K Nov 23 15:11 .
drwxr-xr-x 3 root root 4.0K Aug 12 00:20 ..
-rw-r--r-- 1 root root 5.3K Sep  5 15:30 amss-logo.jpg
-rw-r--r-- 1 root root  11K Aug 12 00:26 apache.html
drwxr-xr-x 2 root root 4.0K Aug 19 20:43 e2gCA
drwxr-xr-x 2 root root 4.0K Oct 25 18:08 files
-rw-r--r-- 1 root root 2.3K Sep  5 15:23 index.html
-rw-r--r-- 1 root root 9.1K Sep  5 15:30 LogoFor_iDrive_Main.png
-rw-r--r-- 1 root root  556 Nov 11 16:11 proxy.pac
lrwxrwxrwx 1 root root   24 Nov 21 14:09 sarg-reports -> /diskb/sarg/sarg-reports
lrwxrwxrwx 1 root root   30 Nov 21 14:11 sarg-reports-squid -> /diskb/sarg/sarg-reports-squid
lrwxrwxrwx 1 root root   50 Nov 23 15:11 sarg-reports-test -> /mnt/nfs/external/htmldata/sarg/sarg-reports-squid
drwxr-xr-x 3 root root 4.0K Nov 21 19:31 usr
lrwxrwxrwx 1 root root    9 Nov 11 16:11 wpad.dat -> proxy.pac

access.log

Code:

192.168.1.2 - - [23/Nov/2016:15:12:08 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
192.168.1.2 - - [23/Nov/2016:15:12:08 -0400] "GET /favicon.ico HTTP/1.1" 404 501 "http://e2guardian/sarg-reports-test" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

error.log

Code:

[Wed Nov 23 15:12:08.046694 2016] [core:error] [pid 73937] [client 192.168.1.2:22515] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test

szboardstretcher · 11-23-2016, 01:51 PM

Think I see the issue.

To verify:

what does your /etc/fstab look like?

szboardstretcher · 11-23-2016, 01:56 PM

I might be leaving soon - so here is my thought.

You have symlinks allowed, and you have a symlink. Fine. That works.

That symlink points to a DIFFERENT directory that is mounted through NFS. And the NFS mount gives that directory its permissions.

Looks like "drwx------ 2 4294967294 4294967294 64 Nov 23" specifically.

Your apache runs as 'www-root' which is a different user and group than '4294967294' and so doesn't have access to that directory.

So - make sure that your /mnt directories allow the www-data user or group and your NFS mount is mounted with the correct permissions to allow www-data user or group. You can also do this by allowing read and execute for 'world/other' for those directories. Files should be chowned similarly.

jetberrocal · 11-23-2016, 03:39 PM

Quote:

Originally Posted by szboardstretcher

Think I see the issue.

To verify:

what does your /etc/fstab look like?

fstab does not have the nfs mount. I have not add it yet waiting for it to work with manual mount.

jetberrocal · 11-23-2016, 03:44 PM

Quote:

Originally Posted by szboardstretcher

I might be leaving soon - so here is my thought.

You have symlinks allowed, and you have a symlink. Fine. That works.

That symlink points to a DIFFERENT directory that is mounted through NFS. And the NFS mount gives that directory its permissions.

Looks like "drwx------ 2 4294967294 4294967294 64 Nov 23" specifically.

Your apache runs as 'www-root' which is a different user and group than '4294967294' and so doesn't have access to that directory.

So - make sure that your /mnt directories allow the www-data user or group and your NFS mount is mounted with the correct permissions to allow www-data user or group. You can also do this by allowing read and execute for 'world/other' for those directories. Files should be chowned similarly.

The mount point is own by root and the chmod is already with world rx access, so I dont understant .

The mount is own by root because the user that has access to the nfs is root.

Maybe I can add the user www-data to the root group but still being in the www-data group. This way the apache service user will have the access by the group.

jetberrocal · 11-29-2016, 12:30 PM

I made the www-data user to belong to the root group.

Tried to access the Web site but still gives me Forbidden error.

error.log

Code:

[Tue Nov 29 14:24:29.808438 2016] [core:error] [pid 74050] [client 192.168.1.2:20748] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test

id www-data:

Code:

uid=33(www-data) gid=33(www-data) groups=33(www-data),0(root)

groups www-data:

Code:

www-data : www-data root

andre@home · 11-29-2016, 12:49 PM

Look how www-data becomes the owner under webdav that uses Apache's default place /var/www/

http://bernaerts.dyndns.org/linux/75...n-webdav-share

Ok thats only an impression.

Now read how you should do it in principle:

http://askubuntu.com/questions/76750...-for-a-website

szboardstretcher · 11-29-2016, 12:59 PM

I wanted to replicate this out of the box. So I logged into digital ocean and spun up two Debian 8 instances. One I called NFS-server and the other is APACHE-server. Here is the setup I did:

root@nfs-server:

Code:

apt-get update
apt-get install nfs-kernel-server
echo "/export 123.123.123.123/16(rw)" > /etc/exports
systemctl restart nfs-kernel-server
mkdir /export
echo "A FILE" > /export/somefile

root@apache-server

Code:

apt-get update
apt-get install nfs-client
mount -t nfs 123.123.123.123:/export /mnt
apt-get install apache2 apache2-utils
systemctl start apache2
cd /var/www/html/
ln -s /mnt/somefile this_is_a_symlink

root@tool-box

Code:

curl http://123.123.123.123/this_is_a_symlink
A FILE

So it works out of the box. Not sure what that proved though.

szboardstretcher · 11-29-2016, 01:17 PM

What I am wondering now is ... try this ...

Code:

cd /var/www/html
ln -s /diskb/sarg/sarg-reports/TEXTFILE asymlink
echo "HELLO" > /diskb/sarg/sarg-reports/TEXTFILE

then try to hit http://yourserver/asymlink