How to make Apache2 to use nfs mount with symlinks
I have a Debian server (version 8) with Apache2 installed from repository.
I need help making Apache to use an nfs mount and with symlinks Is running OK and it has Followsymlinks enabled. I know because I tested it using a symlink to a local folder not on the same path of the Document Root. I have a Windows Server sharing a NSF folder with read and write access to the root user. I mount it with this command: Code:
mount -t nfs -o v3,scontext=unconfined_u:object_r:httpd_sys_content_t:s0 192.168.1.2:/FWData /mnt/nfs/external/htmldata The owner is root:root and the chmod is drxw-rx-rx. I created a folder inside the htmldata path and it has the same privileges (sarg/sarg-reports) Then I did a symlink at /var/www/html (Document Root) as Code:
ln -s sarg-reports /mnt/nfs/external/htmldata/sarg/sarg-reports I need to use nfs because the server does not have enough space to hold all the sarg reports in its local HD |
If SElinux is enabled on the server, then the directory will have to be updated to utilize the webserver context. Something like:
Code:
chcon -Rv --type=httpd_sys_content_t /mnt/nfs/external |
Quote:
http://www.linuxquestions.org/questi...no-gui-620864/ I did: cat /etc/sysconfig/selinux cat: /etc/sysconfig/selinux: No such file or directory And sestatus -bash: sestatus: command not found So I have to say that SElinux is not enabled in my server, then your suggestion does not apply. |
There are about 20 different reasons this could be happening. The fastest way to the answer is to provide as much info as possible. So how about:
*Please provide the output in CODE blocks in the editor to make it easy to read. |
As requested:
apache2.conf relevant section (This comes default with apache2.conf): Code:
<Directory /var/www/> Code:
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime) Code:
total 60K Code:
total 1.0K 'ls -alh /mnt/nfs/external/htmldata/sarg/sarg-reports-squid' (Testing with smaller directory): Code:
total 18K Code:
192.168.1.2 - - [23/Nov/2016:12:30:11 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" Code:
[Wed Nov 23 12:30:11.211336 2016] [core:error] [pid 75916] [client 192.168.1.2:20629] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test |
Maybe im missing something but at first blush, your symlink says "sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid" but you provided the ls -alh output of "/mnt/nfs/external/htmldata/sarg" which is a different directory.
What user does apache run as in Debian? Also,. I would try making a symlink to index.html and seeing if apache was able to pick up a file in the same directory as the symlink. |
Quote:
I tried a web page on a symlink within the same path (/var/www/html) to a local directory instead of nsf directory and it worked, that is why I know the FollowSymLinks directive is active. Apache service user run as? 'ps -aux |grep apache2': Code:
www-data 73936 0.0 0.5 285192 11576 ? S 07:35 0:00 /usr/sbin/apache2 -k start 'ls -alh /mnt/nfs/external/htmldata/sarg': Code:
total 2.0K Code:
total 60K Code:
192.168.1.2 - - [23/Nov/2016:15:12:08 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" Code:
[Wed Nov 23 15:12:08.046694 2016] [core:error] [pid 73937] [client 192.168.1.2:22515] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test |
Think I see the issue.
To verify: what does your /etc/fstab look like? |
I might be leaving soon - so here is my thought.
You have symlinks allowed, and you have a symlink. Fine. That works. That symlink points to a DIFFERENT directory that is mounted through NFS. And the NFS mount gives that directory its permissions. Looks like "drwx------ 2 4294967294 4294967294 64 Nov 23" specifically. Your apache runs as 'www-root' which is a different user and group than '4294967294' and so doesn't have access to that directory. So - make sure that your /mnt directories allow the www-data user or group and your NFS mount is mounted with the correct permissions to allow www-data user or group. You can also do this by allowing read and execute for 'world/other' for those directories. Files should be chowned similarly. |
Quote:
|
Quote:
The mount is own by root because the user that has access to the nfs is root. Maybe I can add the user www-data to the root group but still being in the www-data group. This way the apache service user will have the access by the group. |
I made the www-data user to belong to the root group.
Tried to access the Web site but still gives me Forbidden error. error.log Code:
[Tue Nov 29 14:24:29.808438 2016] [core:error] [pid 74050] [client 192.168.1.2:20748] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test Code:
uid=33(www-data) gid=33(www-data) groups=33(www-data),0(root) Code:
www-data : www-data root |
Look how www-data becomes the owner under webdav that uses Apache's default place /var/www/
http://bernaerts.dyndns.org/linux/75...n-webdav-share Ok thats only an impression. Now read how you should do it in principle: http://askubuntu.com/questions/76750...-for-a-website |
I wanted to replicate this out of the box. So I logged into digital ocean and spun up two Debian 8 instances. One I called NFS-server and the other is APACHE-server. Here is the setup I did:
root@nfs-server: Code:
apt-get update Code:
apt-get update Code:
curl http://123.123.123.123/this_is_a_symlink |
What I am wondering now is ... try this ...
Code:
cd /var/www/html |
All times are GMT -5. The time now is 01:17 AM. |