LinuxQuestions.org


jetberrocal 11-21-2016 10:44 AM

How to make Apache2 to use nfs mount with symlinks
 
I have a Debian server (version 8) with Apache2 installed from repository.

I need help making Apache use an NFS mount with symlinks.

It is running OK and it has FollowSymLinks enabled. I know because I tested it using a symlink to a local folder not on the same path as the Document Root.

I have a Windows Server sharing an NFS folder with read and write access to the root user.

I mount it with this command:

Code:

mount -t nfs -o v3,scontext=unconfined_u:object_r:httpd_sys_content_t:s0 192.168.1.2:/FWData /mnt/nfs/external/htmldata

I test it and I can read, write, delete files and folders on the path.

The owner is root:root and the chmod is drxw-rx-rx. I created a folder inside the htmldata path and it has the same privileges (sarg/sarg-reports)

Then I did a symlink at /var/www/html (Document Root) as
Code:

ln -s sarg-reports /mnt/nfs/external/htmldata/sarg/sarg-reports

When I go to the browser to the address http://myserver/sarg-reports I get error 403 Forbidden access.

I need to use nfs because the server does not have enough space to hold all the sarg reports in its local HD

szboardstretcher 11-21-2016 10:48 AM

If SElinux is enabled on the server, then the directory will have to be updated to utilize the webserver context. Something like:

Code:

chcon -Rv --type=httpd_sys_content_t /mnt/nfs/external

jetberrocal 11-22-2016 02:09 PM

Quote:

Originally Posted by szboardstretcher (Post 5633010)
If SElinux is enabled on the server, then the directory will have to be updated to utilize the webserver context. Something like:

Code:

chcon -Rv --type=httpd_sys_content_t /mnt/nfs/external

I looked how do I know SElinux status:
http://www.linuxquestions.org/questi...no-gui-620864/

I did:
cat /etc/sysconfig/selinux
cat: /etc/sysconfig/selinux: No such file or directory
And
sestatus
-bash: sestatus: command not found

So I have to say that SElinux is not enabled in my server, then your suggestion does not apply.

szboardstretcher 11-22-2016 02:28 PM

There are about 20 different reasons this could be happening. The fastest way to the answer is to provide as much info as possible. So how about:
  • What does your apache configuration look like near the 'followsymlinks' section that you added?
  • What does the command 'mount' output?
  • What does 'ls -alh /var/www/html' output?
  • What does 'ls -alh /mnt/nfs/external/htmldata/sarg' output?
  • What does 'ls -alh /mnt/nfs/external/htmldata/sarg/sarg-reports' output?
  • What does your apache error and access logs output when requesting the page?

*Please provide the output in CODE blocks in the editor to make it easy to read.

jetberrocal 11-23-2016 10:37 AM

As requested:

apache2.conf relevant section (This comes default with apache2.conf):
Code:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

mount output:
Code:

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=253483,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,relatime,size=408976k,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=23,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,size=204488k,mode=700)
192.168.1.2:/FWData on /mnt/nfs/external/htmldata type nfs (rw,relatime,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.1.2,mountvers=3,mountport=1048,mountproto=udp,local_lock=none,addr=192.168.1.2)
/dev/sdb on /diskb type ext4 (rw,relatime,data=ordered)

'ls -alh /var/www/html' (Using sarg-reports-test symlink):
Code:

total 60K
drwxr-xr-x 5 root root 4.0K Nov 23 12:15 .
drwxr-xr-x 3 root root 4.0K Aug 12 00:20 ..
-rw-r--r-- 1 root root 5.3K Sep  5 15:30 amss-logo.jpg
-rw-r--r-- 1 root root  11K Aug 12 00:26 apache.html
drwxr-xr-x 2 root root 4.0K Aug 19 20:43 e2gCA
drwxr-xr-x 2 root root 4.0K Oct 25 18:08 files
-rw-r--r-- 1 root root 2.3K Sep  5 15:23 index.html
-rw-r--r-- 1 root root 9.1K Sep  5 15:30 LogoFor_iDrive_Main.png
-rw-r--r-- 1 root root  556 Nov 11 16:11 proxy.pac
lrwxrwxrwx 1 root root  24 Nov 21 14:09 sarg-reports -> /diskb/sarg/sarg-reports
lrwxrwxrwx 1 root root  30 Nov 21 14:11 sarg-reports-squid -> /diskb/sarg/sarg-reports-squid
lrwxrwxrwx 1 root root  41 Nov 23 12:15 sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid
drwxr-xr-x 3 root root 4.0K Nov 21 19:31 usr
lrwxrwxrwx 1 root root    9 Nov 11 16:11 wpad.dat -> proxy.pac

'ls -alh /mnt/nfs/external/htmldata/sarg':
Code:

total 1.0K
drwxr-xr-x 2 root      root      64 Nov 23 11:28 .
drwx------ 2 4294967294 4294967294 64 Nov 23 11:28 ..


'ls -alh /mnt/nfs/external/htmldata/sarg/sarg-reports-squid' (Testing with smaller directory):
Code:

total 18K
drwxr-xr-x 2 root root  64 Nov 23 11:53 .
drwxr-xr-x 2 root root  64 Nov 23 11:49 ..
drwxr-xr-x 2 root root 8.0K Nov 23 11:53 2016Nov17-2016Nov17
drwxr-xr-x 2 root root  64 Nov 23 11:53 images
-rw-r--r-- 1 root root 4.4K Nov 17 14:20 index.html
drwxr-xr-x 2 root root  64 Nov 23 12:12 sum

access.log:
Code:

192.168.1.2 - - [23/Nov/2016:12:30:11 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
192.168.1.2 - - [23/Nov/2016:12:30:11 -0400] "GET /favicon.ico HTTP/1.1" 404 501 "http://e2guardian/sarg-reports-test" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

error.log
Code:

[Wed Nov 23 12:30:11.211336 2016] [core:error] [pid 75916] [client 192.168.1.2:20629] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test

szboardstretcher 11-23-2016 10:44 AM

Maybe I'm missing something but at first blush, your symlink says "sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid" but you provided the ls -alh output of "/mnt/nfs/external/htmldata/sarg" which is a different directory.

What user does apache run as in Debian?

Also, I would try making a symlink to index.html and seeing if apache was able to pick up a file in the same directory as the symlink.

jetberrocal 11-23-2016 01:32 PM

Quote:

Originally Posted by szboardstretcher (Post 5633870)
Maybe I'm missing something but at first blush, your symlink says "sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid" but you provided the ls -alh output of "/mnt/nfs/external/htmldata/sarg" which is a different directory.

What user does apache run as in Debian?

Also, I would try making a symlink to index.html and seeing if apache was able to pick up a file in the same directory as the symlink.

Sorry.

I tried a web page on a symlink within the same path (/var/www/html) to a local directory instead of an NFS directory and it worked; that is why I know the FollowSymLinks directive is active.

Apache service user run as?
'ps -aux |grep apache2':
Code:

www-data  73936  0.0  0.5 285192 11576 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  73937  0.0  0.5 285184 11532 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  73938  0.0  0.5 285192 11548 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  73939  0.0  0.5 285192 11552 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  73940  0.0  0.5 285184 11484 ?        S    07:35  0:00 /usr/sbin/apache2 -k start
www-data  75735  0.0  0.5 285184 11532 ?        S    08:16  0:00 /usr/sbin/apache2 -k start
www-data  75916  0.0  0.5 285192 11568 ?        S    08:25  0:00 /usr/sbin/apache2 -k start
root      83511  0.0  0.1  12732  2088 pts/0    S+  15:27  0:00 grep apache2
root    101905  0.0  1.3 284736 27780 ?        Ss  Nov18  0:16 /usr/sbin/apache2 -k start

Providing update with fixed symlink:


'ls -alh /mnt/nfs/external/htmldata/sarg':
Code:

total 2.0K
drwxr-xr-x 2 root      root      64 Nov 23 11:49 .
drwx------ 2 4294967294 4294967294 64 Nov 23 11:28 ..
drwxr-xr-x 2 root      root      64 Nov 23 11:30 sarg-reports
drwxr-xr-x 2 root      root      64 Nov 23 11:53 sarg-reports-squid

'ls -alh /var/www/html' (Using sarg-reports-test symlink):
Code:

total 60K
drwxr-xr-x 5 root root 4.0K Nov 23 15:11 .
drwxr-xr-x 3 root root 4.0K Aug 12 00:20 ..
-rw-r--r-- 1 root root 5.3K Sep  5 15:30 amss-logo.jpg
-rw-r--r-- 1 root root  11K Aug 12 00:26 apache.html
drwxr-xr-x 2 root root 4.0K Aug 19 20:43 e2gCA
drwxr-xr-x 2 root root 4.0K Oct 25 18:08 files
-rw-r--r-- 1 root root 2.3K Sep  5 15:23 index.html
-rw-r--r-- 1 root root 9.1K Sep  5 15:30 LogoFor_iDrive_Main.png
-rw-r--r-- 1 root root  556 Nov 11 16:11 proxy.pac
lrwxrwxrwx 1 root root  24 Nov 21 14:09 sarg-reports -> /diskb/sarg/sarg-reports
lrwxrwxrwx 1 root root  30 Nov 21 14:11 sarg-reports-squid -> /diskb/sarg/sarg-reports-squid
lrwxrwxrwx 1 root root  50 Nov 23 15:11 sarg-reports-test -> /mnt/nfs/external/htmldata/sarg/sarg-reports-squid
drwxr-xr-x 3 root root 4.0K Nov 21 19:31 usr
lrwxrwxrwx 1 root root    9 Nov 11 16:11 wpad.dat -> proxy.pac

access.log
Code:

192.168.1.2 - - [23/Nov/2016:15:12:08 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
192.168.1.2 - - [23/Nov/2016:15:12:08 -0400] "GET /favicon.ico HTTP/1.1" 404 501 "http://e2guardian/sarg-reports-test" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"

error.log
Code:

[Wed Nov 23 15:12:08.046694 2016] [core:error] [pid 73937] [client 192.168.1.2:22515] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test

szboardstretcher 11-23-2016 01:51 PM

Think I see the issue.

To verify:

what does your /etc/fstab look like?

szboardstretcher 11-23-2016 01:56 PM

I might be leaving soon - so here is my thought.

You have symlinks allowed, and you have a symlink. Fine. That works.

That symlink points to a DIFFERENT directory that is mounted through NFS. And the NFS mount gives that directory its permissions.

Looks like "drwx------ 2 4294967294 4294967294 64 Nov 23" specifically.

Your apache runs as 'www-root' which is a different user and group than '4294967294' and so doesn't have access to that directory.

So - make sure that your /mnt directories allow the www-data user or group and your NFS mount is mounted with the correct permissions to allow www-data user or group. You can also do this by allowing read and execute for 'world/other' for those directories. Files should be chowned similarly.
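
A way to locate the blocking directory that the post above points at, as an added example that is not part of the thread: it resolves the symlink and checks each path component's mode bits against a given UID and group list. It assumes GNU `stat` and `readlink`; the function names and the script name `walkperm.sh` are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and readlink (Debian).

# has_bits MODE OWNER GROUP UID "GIDS" BITS   (BITS: 4=read, 1=search/execute)
# True if the owner/group/other mode bits grant all of BITS to UID/GIDS.
has_bits() {
    hb_mode=$((0$1)); hb_shift=0
    # root is not limited by mode bits locally (an NFS server may still squash it)
    if [ "$4" -eq 0 ]; then return 0; fi
    if [ "$4" -eq "$2" ]; then
        hb_shift=6                      # owner class
    else
        for hb_g in $5; do
            if [ "$hb_g" -eq "$3" ]; then hb_shift=3; fi   # group class
        done
    fi
    [ $(( (hb_mode >> hb_shift) & $6 )) -eq "$6" ]
}

# first_blocked PATH UID "GIDS" [START]
# Resolves symlinks in PATH, then walks from START (default /) to the target.
# Each directory on the way needs x; a final directory needs r+x (listing),
# a final file needs r. Prints the first component that fails and returns 1.
# Returns 0 if nothing blocks, 2 if the path cannot be resolved or stat'ed.
first_blocked() {
    fb_target=$(readlink -f -- "$1") || return 2
    fb_uid=$2; fb_gids=$3
    fb_cur=$(readlink -f -- "${4:-/}") || return 2
    case $fb_target in
        "$fb_cur"|"${fb_cur%/}"/*) ;;
        *) return 2 ;;                  # target is not below START
    esac
    fb_rest=${fb_target#"$fb_cur"}; fb_rest=${fb_rest#/}
    while :; do
        fb_st=$(stat -c '%a %u %g' -- "$fb_cur") || return 2
        set -- $fb_st
        if [ ! -d "$fb_cur" ]; then fb_need=4
        elif [ -z "$fb_rest" ]; then fb_need=5
        else fb_need=1
        fi
        if ! has_bits "$1" "$2" "$3" "$fb_uid" "$fb_gids" "$fb_need"; then
            printf '%s\n' "$fb_cur"
            return 1
        fi
        if [ -z "$fb_rest" ]; then return 0; fi
        fb_next=${fb_rest%%/*}
        case $fb_rest in
            */*) fb_rest=${fb_rest#*/} ;;
            *)   fb_rest= ;;
        esac
        fb_cur=${fb_cur%/}/$fb_next
    done
}

# Usage with the values shown in the thread (uid=33, gid=33 for www-data):
#   sh walkperm.sh /var/www/html/sarg-reports-test 33 "33"
if [ "$#" -ge 2 ]; then
    first_blocked "$@"
fi
```

Mode bits are only the client's view; with `sec=sys` the NFS server makes the final access decision from the UID the client sends.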

jetberrocal 11-23-2016 03:39 PM

Quote:

Originally Posted by szboardstretcher (Post 5633952)
Think I see the issue.

To verify:

what does your /etc/fstab look like?

fstab does not have the nfs mount. I have not added it yet, waiting for it to work with manual mount.

jetberrocal 11-23-2016 03:44 PM

Quote:

Originally Posted by szboardstretcher (Post 5633953)
I might be leaving soon - so here is my thought.

You have symlinks allowed, and you have a symlink. Fine. That works.

That symlink points to a DIFFERENT directory that is mounted through NFS. And the NFS mount gives that directory its permissions.

Looks like "drwx------ 2 4294967294 4294967294 64 Nov 23" specifically.

Your apache runs as 'www-root' which is a different user and group than '4294967294' and so doesn't have access to that directory.

So - make sure that your /mnt directories allow the www-data user or group and your NFS mount is mounted with the correct permissions to allow www-data user or group. You can also do this by allowing read and execute for 'world/other' for those directories. Files should be chowned similarly.

The mount point is owned by root and the chmod is already with world rx access, so I don't understand.

The mount is owned by root because the user that has access to the nfs is root.

Maybe I can add the user www-data to the root group but still being in the www-data group. This way the apache service user will have the access by the group.

jetberrocal 11-29-2016 12:30 PM

I made the www-data user to belong to the root group.

Tried to access the Web site but still gives me Forbidden error.

error.log
Code:

[Tue Nov 29 14:24:29.808438 2016] [core:error] [pid 74050] [client 192.168.1.2:20748] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test

id www-data:
Code:

uid=33(www-data) gid=33(www-data) groups=33(www-data),0(root)

groups www-data:
Code:

www-data : www-data root

andre@home 11-29-2016 12:49 PM

Look how www-data becomes the owner under webdav that uses Apache's default place /var/www/

http://bernaerts.dyndns.org/linux/75...n-webdav-share

OK, that's only an impression.

Now read how you should do it in principle:

http://askubuntu.com/questions/76750...-for-a-website

szboardstretcher 11-29-2016 12:59 PM

I wanted to replicate this out of the box. So I logged into digital ocean and spun up two Debian 8 instances. One I called NFS-server and the other is APACHE-server. Here is the setup I did:

root@nfs-server:
Code:

apt-get update
apt-get install nfs-kernel-server
echo "/export 123.123.123.123/16(rw)" > /etc/exports
systemctl restart nfs-kernel-server
mkdir /export
echo "A FILE" > /export/somefile

root@apache-server
Code:

apt-get update
apt-get install nfs-client
mount -t nfs 123.123.123.123:/export /mnt
apt-get install apache2 apache2-utils
systemctl start apache2
cd /var/www/html/
ln -s /mnt/somefile this_is_a_symlink

root@tool-box
Code:

curl http://123.123.123.123/this_is_a_symlink
A FILE

So it works out of the box. Not sure what that proved though.

szboardstretcher 11-29-2016 01:17 PM

What I am wondering now is ... try this ...

Code:

cd /var/www/html
ln -s /diskb/sarg/sarg-reports/TEXTFILE asymlink
echo "HELLO" > /diskb/sarg/sarg-reports/TEXTFILE

then try to hit http://yourserver/asymlink

jetberrocal 12-01-2016 07:08 PM

I have not done your last suggestions. I don't know why the thread changes/additions are not being notified to my email even that I am supposedly registered to the thread and set to receive notifications immediately. As soon as I can do your request I will post back.

By the way I did not install nfs-client itself but nfs-common.

jetberrocal 12-02-2016 02:29 PM

Quote:

Originally Posted by szboardstretcher (Post 5635893)
What I am wondering now is ... try this ...

Code:

cd /var/www/html
ln -s /diskb/sarg/sarg-reports/TEXTFILE asymlink
echo "HELLO" > /diskb/sarg/sarg-reports/TEXTFILE

then try to hit http://yourserver/asymlink

I did that and it worked.

I see a web page with the word HELLO.

By the way I executed the command lines with root user

szboardstretcher 12-02-2016 02:42 PM

Ok. So YOUR original symlink is pointing to a directory and not a file.

Code:

LINKS
lrwxrwxrwx 1 root root  24 Nov 21 14:09 sarg-reports -> /diskb/sarg/sarg-reports
lrwxrwxrwx 1 root root  30 Nov 21 14:11 sarg-reports-squid -> /diskb/sarg/sarg-reports-squid

DIRECTORIES
drwxr-xr-x 2 root      root      64 Nov 23 11:30 sarg-reports
drwxr-xr-x 2 root      root      64 Nov 23 11:53 sarg-reports-squid

My TEST symlink points to a FILE and proves that NFS is working, permissions are correct, and symlinks are allowed.

Looking back at our conversation and your symlinks - are you pointing to a directory on purpose? Do you want to display the directory contents in the browser? is that what you are trying to do?

If so, then look up DirectoryIndex and configure it correctly for your server.

If not, then create your symlink to point to a file instead of a directory.

jetberrocal 12-02-2016 02:59 PM

Quote:

Originally Posted by szboardstretcher (Post 5637194)
Ok. So YOUR original symlink is pointing to a directory and not a file.

Code:

LINKS
lrwxrwxrwx 1 root root  24 Nov 21 14:09 sarg-reports -> /diskb/sarg/sarg-reports
lrwxrwxrwx 1 root root  30 Nov 21 14:11 sarg-reports-squid -> /diskb/sarg/sarg-reports-squid

DIRECTORIES
drwxr-xr-x 2 root      root      64 Nov 23 11:30 sarg-reports
drwxr-xr-x 2 root      root      64 Nov 23 11:53 sarg-reports-squid

My TEST symlink points to a FILE and proves that NFS is working, permissions are correct, and symlinks are allowed.

Looking back at our conversation and your symlinks - are you pointing to a directory on purpose? Do you want to display the directory contents in the browser? is that what you are trying to do?

If so, then look up DirectoryIndex and configure it correctly for your server.

If not, then create your symlink to point to a file instead of a directory.

Yes, I am pointing it to a Directory on purpose. I want to display all web pages and subdirectories web pages inside the Directory.

szboardstretcher 12-02-2016 03:14 PM

Right on. Try this configuration (notice the + ), restart apache, then:

Code:

<Directory /var/www/>
        Options +Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>


jetberrocal 12-02-2016 03:17 PM

apache2.conf has:

Code:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

I should change to?:

Code:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        DirectoryIndex index.html
        AllowOverride None
        Require all granted
</Directory>

Or to?

Code:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        DirectoryIndex disable
        AllowOverride None
        Require all granted
</Directory>

I want apache to make its own index file if it does not find any index file.

szboardstretcher 12-02-2016 03:24 PM

For starters, add a plus sign + to Indexes, like this

Code:

Options +Indexes FollowSymLinks

And see if that gets us a directory listing.

jetberrocal 12-02-2016 03:40 PM

Quote:

Originally Posted by szboardstretcher (Post 5637206)
For starters, add a plus sign + to Indexes, like this

Code:

Options +Indexes FollowSymLinks

And see if that gets us a directory listing.


Service failed to start.

Code:

root@e2guardian:/etc/apache2# journalctl -xn
-- Logs begin at Thu 2016-10-27 11:45:12 AST, end at Fri 2016-12-02 17:36:51 AST. --
Dec 02 17:35:13 e2guardian apache2[21043]: AH00526: Syntax error on line 165 of /etc/apache2/apache2.conf:
Dec 02 17:35:13 e2guardian apache2[21043]: Either all Options must start with + or -, or no Option may.
Dec 02 17:35:13 e2guardian apache2[21043]: Action 'configtest' failed.
Dec 02 17:35:13 e2guardian apache2[21043]: The Apache error log may have more information.
Dec 02 17:35:13 e2guardian systemd[1]: apache2.service: control process exited, code=exited status=1
Dec 02 17:35:13 e2guardian systemd[1]: Failed to start LSB: Apache2 web server.
-- Subject: Unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit apache2.service has failed.
--
-- The result is failed.
Dec 02 17:35:13 e2guardian systemd[1]: Unit apache2.service entered failed state.

I will add the + sign to Followsymlinks to verify

jetberrocal 12-02-2016 03:46 PM

I added the + sign to the options.

Code:

<Directory /var/www/>
        Options +Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>


Service started successfully.

Tried and got:

You don't have permission to access /sarg-reports-test on this server.
You don't have permission to access /sarg-reports-test/index.html on this server.


All times are GMT -5.