LinuxQuestions.org


jetberrocal 11-21-2016 10:44 AM

How to make Apache2 to use nfs mount with symlinks
 
I have a Debian server (version 8) with Apache2 installed from repository.

I need help making Apache use an NFS mount with symlinks.

It is running OK and it has FollowSymLinks enabled. I know because I tested it using a symlink to a local folder that is not on the same path as the Document Root.

I have a Windows Server sharing an NFS folder with read and write access for the root user.

I mount it with this command:

Code:

mount -t nfs -o v3,scontext=unconfined_u:object_r:httpd_sys_content_t:s0 192.168.1.2:/FWData /mnt/nfs/external/htmldata

I tested it and I can read, write, and delete files and folders on the path.

The owner is root:root and the chmod is drxw-rx-rx. I created a folder inside the htmldata path and it has the same privileges (sarg/sarg-reports)

Then I did a symlink at /var/www/html (Document Root) as
Code:

ln -s sarg-reports /mnt/nfs/external/htmldata/sarg/sarg-reports

When I go to the browser to the address http://myserver/sarg-reports I get error 403 Forbidden access.

I need to use NFS because the server does not have enough space to hold all the sarg reports on its local HD.

szboardstretcher 11-21-2016 10:48 AM

If SElinux is enabled on the server, then the directory will have to be updated to utilize the webserver context. Something like:

Code:

chcon -Rv --type=httpd_sys_content_t /mnt/nfs/external

jetberrocal 11-22-2016 02:09 PM

Quote:

Originally Posted by szboardstretcher (Post 5633010)
If SElinux is enabled on the server, then the directory will have to be updated to utilize the webserver context. Something like:

Code:

chcon -Rv --type=httpd_sys_content_t /mnt/nfs/external

I looked up how to check the SElinux status:
http://www.linuxquestions.org/questi...no-gui-620864/

I did:
cat /etc/sysconfig/selinux
cat: /etc/sysconfig/selinux: No such file or directory
And
sestatus
-bash: sestatus: command not found

So I have to say that SElinux is not enabled on my server, so your suggestion does not apply.

szboardstretcher 11-22-2016 02:28 PM

There are about 20 different reasons this could be happening. The fastest way to the answer is to provide as much info as possible. So how about:
  • What does your apache configuration look like near the 'followsymlinks' section that you added?
  • What does the command 'mount' output?
  • What does 'ls -alh /var/www/html' output?
  • What does 'ls -alh /mnt/nfs/external/htmldata/sarg' output?
  • What does 'ls -alh /mnt/nfs/external/htmldata/sarg/sarg-reports' output?
  • What does your apache error and access logs output when requesting the page?

*Please provide the output in CODE blocks in the editor to make it easy to read.

jetberrocal 11-23-2016 10:37 AM

As requested:

apache2.conf relevant section (This comes default with apache2.conf):
Code:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

mount output:
Code:

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=253483,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=408976k,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=23,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,size=204488k,mode=700)
192.168.1.2:/FWData on /mnt/nfs/external/htmldata type nfs (rw,relatime,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.2,mountvers=3,mountport=1048,mountproto=udp,local_lock=none,addr=192.168.1.2)
/dev/sdb on /diskb type ext4 (rw,relatime,data=ordered)

'ls -alh /var/www/html' (Using sarg-reports-test symlink):
Code:

total 60K
drwxr-xr-x 5 root root 4.0K Nov 23 12:15 .
drwxr-xr-x 3 root root 4.0K Aug 12 00:20 ..
-rw-r--r-- 1 root root 5.3K Sep  5 15:30 amss-logo.jpg
-rw-r--r-- 1 root root  11K Aug 12 00:26 apache.html
drwxr-xr-x 2 root root 4.0K Aug 19 20:43 e2gCA
drwxr-xr-x 2 root root 4.0K Oct 25 18:08 files
-rw-r--r-- 1 root root 2.3K Sep  5 15:23 index.html
-rw-r--r-- 1 root root 9.1K Sep  5 15:30 LogoFor_iDrive_Main.png
-rw-r--r-- 1 root root  556 Nov 11 16:11 proxy.pac
lrwxrwxrwx 1 root root  24 Nov 21 14:09 sarg-reports -> /diskb/sarg/sarg-reports
lrwxrwxrwx 1 root root  30 Nov 21 14:11 sarg-reports-squid -> /diskb/sarg/sarg-reports-squid
lrwxrwxrwx 1 root root  41 Nov 23 12:15 sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid
drwxr-xr-x 3 root root 4.0K Nov 21 19:31 usr
lrwxrwxrwx 1 root root    9 Nov 11 16:11 wpad.dat -> proxy.pac

'ls -alh /mnt/nfs/external/htmldata/sarg':
Code:

total 1.0K
drwxr-xr-x 2 root      root      64 Nov 23 11:28 .
drwx------ 2 4294967294 4294967294 64 Nov 23 11:28 ..


'ls -alh /mnt/nfs/external/htmldata/sarg/sarg-reports-squid' (Testing with smaller directory):
Code:

total 18K
drwxr-xr-x 2 root root  64 Nov 23 11:53 .
drwxr-xr-x 2 root root  64 Nov 23 11:49 ..
drwxr-xr-x 2 root root 8.0K Nov 23 11:53 2016Nov17-2016Nov17
drwxr-xr-x 2 root root  64 Nov 23 11:53 images
-rw-r--r-- 1 root root 4.4K Nov 17 14:20 index.html
drwxr-xr-x 2 root root  64 Nov 23 12:12 sum

access.log:
Code:

192.168.1.2 - - [23/Nov/2016:12:30:11 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
192.168.1.2 - - [23/Nov/2016:12:30:11 -0400] "GET /favicon.ico HTTP/1.1" 404 501 "http://e2guardian/sarg-reports-test" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

error.log
Code:

[Wed Nov 23 12:30:11.211336 2016] [core:error] [pid 75916] [client 192.168.1.2:20629] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test

szboardstretcher 11-23-2016 10:44 AM

Maybe I'm missing something, but at first blush, your symlink says "sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid" but you provided the ls -alh output of "/mnt/nfs/external/htmldata/sarg", which is a different directory.

What user does apache run as in Debian?

Also, I would try making a symlink to index.html and seeing if apache was able to pick up a file in the same directory as the symlink.

jetberrocal 11-23-2016 01:32 PM

Quote:

Originally Posted by szboardstretcher (Post 5633870)
Maybe I'm missing something, but at first blush, your symlink says "sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid" but you provided the ls -alh output of "/mnt/nfs/external/htmldata/sarg", which is a different directory.

What user does apache run as in Debian?

Also, I would try making a symlink to index.html and seeing if apache was able to pick up a file in the same directory as the symlink.

Sorry.

I tried a web page on a symlink within the same path (/var/www/html) to a local directory instead of an NFS directory and it worked; that is why I know the FollowSymLinks directive is active.

Apache service user run as?
'ps -aux |grep apache2':
Code:

www-data  73936  0.0  0.5 285192 11576 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  73937  0.0  0.5 285184 11532 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  73938  0.0  0.5 285192 11548 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  73939  0.0  0.5 285192 11552 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  73940  0.0  0.5 285184 11484 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  75735  0.0  0.5 285184 11532 ?        S    08:16  0:00 /usr/sbin/apache2 -k start
www-data  75916  0.0  0.5 285192 11568 ?        S    08:25  0:00 /usr/sbin/apache2 -k start
root      83511  0.0  0.1  12732  2088 pts/0    S+  15:27  0:00 grep apache2
root    101905  0.0  1.3 284736 27780 ?        Ss  Nov18  0:16 /usr/sbin/apache2 -k start

Providing update with fixed symlink:


'ls -alh /mnt/nfs/external/htmldata/sarg':
Code:

total 2.0K
drwxr-xr-x 2 root      root      64 Nov 23 11:49 .
drwx------ 2 4294967294 4294967294 64 Nov 23 11:28 ..
drwxr-xr-x 2 root      root      64 Nov 23 11:30 sarg-reports
drwxr-xr-x 2 root      root      64 Nov 23 11:53 sarg-reports-squid

'ls -alh /var/www/html' (Using sarg-reports-test symlink):
Code:

total 60K
drwxr-xr-x 5 root root 4.0K Nov 23 15:11 .
drwxr-xr-x 3 root root 4.0K Aug 12 00:20 ..
-rw-r--r-- 1 root root 5.3K Sep  5 15:30 amss-logo.jpg
-rw-r--r-- 1 root root  11K Aug 12 00:26 apache.html
drwxr-xr-x 2 root root 4.0K Aug 19 20:43 e2gCA
drwxr-xr-x 2 root root 4.0K Oct 25 18:08 files
-rw-r--r-- 1 root root 2.3K Sep  5 15:23 index.html
-rw-r--r-- 1 root root 9.1K Sep  5 15:30 LogoFor_iDrive_Main.png
-rw-r--r-- 1 root root  556 Nov 11 16:11 proxy.pac
lrwxrwxrwx 1 root root  24 Nov 21 14:09 sarg-reports -> /diskb/sarg/sarg-reports
lrwxrwxrwx 1 root root  30 Nov 21 14:11 sarg-reports-squid -> /diskb/sarg/sarg-reports-squid
lrwxrwxrwx 1 root root  50 Nov 23 15:11 sarg-reports-test -> /mnt/nfs/external/htmldata/sarg/sarg-reports-squid
drwxr-xr-x 3 root root 4.0K Nov 21 19:31 usr
lrwxrwxrwx 1 root root    9 Nov 11 16:11 wpad.dat -> proxy.pac

access.log
Code:

192.168.1.2 - - [23/Nov/2016:15:12:08 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
192.168.1.2 - - [23/Nov/2016:15:12:08 -0400] "GET /favicon.ico HTTP/1.1" 404 501 "http://e2guardian/sarg-reports-test" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

error.log
Code:

[Wed Nov 23 15:12:08.046694 2016] [core:error] [pid 73937] [client 192.168.1.2:22515] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test

szboardstretcher 11-23-2016 01:51 PM

Think I see the issue.

To verify:

what does your /etc/fstab look like?

szboardstretcher 11-23-2016 01:56 PM

I might be leaving soon - so here is my thought.

You have symlinks allowed, and you have a symlink. Fine. That works.

That symlink points to a DIFFERENT directory that is mounted through NFS. And the NFS mount gives that directory its permissions.

Looks like "drwx------ 2 4294967294 4294967294 64 Nov 23" specifically.

Your apache runs as 'www-root' which is a different user and group than '4294967294' and so doesn't have access to that directory.

So - make sure that your /mnt directories allow the www-data user or group and your NFS mount is mounted with the correct permissions to allow www-data user or group. You can also do this by allowing read and execute for 'world/other' for those directories. Files should be chowned similarly.
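
The check described in the post above, as an added example that is not part of the thread: walk every component of the symlink target and report the first one that a given uid and group list cannot pass. The function names are hypothetical, GNU stat is assumed, and only mode bits are evaluated.

```shell
#!/bin/sh
# Added example, not from the thread. Judges access from mode bits only
# (no ACLs, no root override). Requires GNU stat.

# mode_allows MODE OWNER_UID OWNER_GID UID "GID ..." BIT  (BIT: 4=read, 1=search)
# Exactly one permission class applies: owner, else group, else other.
mode_allows() {
    m=$((0$1)); shift_by=0
    if [ "$4" = "$2" ]; then
        shift_by=6
    else
        for g in $5; do
            if [ "$g" = "$3" ]; then shift_by=3; fi
        done
    fi
    [ $(( (m >> shift_by) & $6 )) -ne 0 ]
}

# first_blocked ABS_PATH UID "GID ..."
# Prints the first component the identity cannot pass and returns 1; returns 0
# when every directory is searchable and the final target is readable.
first_blocked() {
    rest=${1#/}; who=$2; grps=$3; cur=""
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        st=$(stat -L -c '%a %u %g %F' -- "$cur") || { echo "$cur (stat failed)"; return 1; }
        set -- $st    # $1=mode $2=owner uid $3=owner gid $4=file type
        if [ "$4" = directory ] && ! mode_allows "$1" "$2" "$3" "$who" "$grps" 1; then
            echo "$cur"; return 1
        fi
        if [ -z "$rest" ] && ! mode_allows "$1" "$2" "$3" "$who" "$grps" 4; then
            echo "$cur"; return 1
        fi
    done
    return 0
}

# Values constructed from the listings in the thread: the export root shows as
# drwx------ 4294967294:4294967294; www-data is uid 33 with groups 33 and 0.
if mode_allows 700 4294967294 4294967294 33 "33 0" 1; then
    echo "www-data can traverse the export root"
else
    echo "www-data cannot traverse the export root"
fi
```

On the web server this would be called as `first_blocked /mnt/nfs/external/htmldata/sarg/sarg-reports-squid 33 "33 0"`; `namei -l` on the same path shows the same chain of owners and modes for checking by eye.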

jetberrocal 11-23-2016 03:39 PM

Quote:

Originally Posted by szboardstretcher (Post 5633952)
Think I see the issue.

To verify:

what does your /etc/fstab look like?

fstab does not have the NFS mount. I have not added it yet; I am waiting for it to work with a manual mount.

jetberrocal 11-23-2016 03:44 PM

Quote:

Originally Posted by szboardstretcher (Post 5633953)
I might be leaving soon - so here is my thought.

You have symlinks allowed, and you have a symlink. Fine. That works.

That symlink points to a DIFFERENT directory that is mounted through NFS. And the NFS mount gives that directory its permissions.

Looks like "drwx------ 2 4294967294 4294967294 64 Nov 23" specifically.

Your apache runs as 'www-root' which is a different user and group than '4294967294' and so doesn't have access to that directory.

So - make sure that your /mnt directories allow the www-data user or group and your NFS mount is mounted with the correct permissions to allow www-data user or group. You can also do this by allowing read and execute for 'world/other' for those directories. Files should be chowned similarly.

The mount point is owned by root and the chmod is already with world rx access, so I don't understand.

The mount is owned by root because the user that has access to the NFS is root.

Maybe I can add the user www-data to the root group but still being in the www-data group. This way the apache service user will have the access by the group.

jetberrocal 11-29-2016 12:30 PM

I made the www-data user belong to the root group.

Tried to access the Web site but still gives me Forbidden error.

error.log
Code:

[Tue Nov 29 14:24:29.808438 2016] [core:error] [pid 74050] [client 192.168.1.2:20748] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test

id www-data:
Code:

uid=33(www-data) gid=33(www-data) groups=33(www-data),0(root)

groups www-data:
Code:

www-data : www-data root

andre@home 11-29-2016 12:49 PM

Look how www-data becomes the owner under webdav that uses Apache's default place /var/www/

http://bernaerts.dyndns.org/linux/75...n-webdav-share

OK, that's only an impression.

Now read how you should do it in principle:

http://askubuntu.com/questions/76750...-for-a-website

szboardstretcher 11-29-2016 12:59 PM

I wanted to replicate this out of the box. So I logged into digital ocean and spun up two Debian 8 instances. One I called NFS-server and the other is APACHE-server. Here is the setup I did:

root@nfs-server:
Code:

apt-get update
apt-get install nfs-kernel-server
echo "/export 123.123.123.123/16(rw)" > /etc/exports
systemctl restart nfs-kernel-server
mkdir /export
echo "A FILE" > /export/somefile

root@apache-server
Code:

apt-get update
apt-get install nfs-client
mount -t nfs 123.123.123.123:/export /mnt
apt-get install apache2 apache2-utils
systemctl start apache2
cd /var/www/html/
ln -s /mnt/somefile this_is_a_symlink

root@tool-box
Code:

curl http://123.123.123.123/this_is_a_symlink
A FILE

So it works out of the box. Not sure what that proved though.

szboardstretcher 11-29-2016 01:17 PM

What I am wondering now is ... try this ...

Code:

cd /var/www/html
ln -s /diskb/sarg/sarg-reports/TEXTFILE asymlink
echo "HELLO" > /diskb/sarg/sarg-reports/TEXTFILE

then try to hit http://yourserver/asymlink

