How to make Apache2 use an NFS mount with symlinks
I have a Debian server (version 8) with Apache2 installed from repository.
I need help making Apache use an NFS mount with symlinks. It is running OK and it has FollowSymLinks enabled. I know because I tested it using a symlink to a local folder not on the same path as the Document Root. I have a Windows Server sharing an NFS folder with read and write access to the root user. I mount it with this command:
Code:
mount -t nfs -o v3,scontext=unconfined_u:object_r:httpd_sys_content_t:s0 192.168.1.2:/FWData /mnt/nfs/external/htmldata
The owner is root:root and the chmod is drxw-rx-rx. I created a folder inside the htmldata path and it has the same privileges (sarg/sarg-reports). Then I did a symlink at /var/www/html (Document Root) as:
Code:
ln -s sarg-reports /mnt/nfs/external/htmldata/sarg/sarg-reports
I need to use NFS because the server does not have enough space to hold all the sarg reports in its local HD |
If SElinux is enabled on the server, then the directory will have to be updated to utilize the webserver context. Something like:
Code:
chcon -Rv --type=httpd_sys_content_t /mnt/nfs/external |
Quote:
http://www.linuxquestions.org/questi...no-gui-620864/
I did:
cat /etc/sysconfig/selinux
cat: /etc/sysconfig/selinux: No such file or directory
And
sestatus
-bash: sestatus: command not found
So I have to say that SElinux is not enabled in my server, then your suggestion does not apply. |
There are about 20 different reasons this could be happening. The fastest way to the answer is to provide as much info as possible. So how about:
*Please provide the output in CODE blocks in the editor to make it easy to read. |
As requested:
apache2.conf relevant section (This comes default with apache2.conf):
Code:
<Directory /var/www/>
Code:
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
Code:
total 60K
Code:
total 1.0K
'ls -alh /mnt/nfs/external/htmldata/sarg/sarg-reports-squid' (Testing with smaller directory):
Code:
total 18K
Code:
192.168.1.2 - - [23/Nov/2016:12:30:11 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
Code:
[Wed Nov 23 12:30:11.211336 2016] [core:error] [pid 75916] [client 192.168.1.2:20629] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test |
Maybe I'm missing something, but at first blush, your symlink says "sarg-reports-test -> /mnt/nfs/external/sarg/sarg-reports-squid" but you provided the ls -alh output of "/mnt/nfs/external/htmldata/sarg", which is a different directory.
What user does apache run as in Debian? Also, I would try making a symlink to index.html and seeing if apache was able to pick up a file in the same directory as the symlink. |
Quote:
I tried a web page on a symlink within the same path (/var/www/html) to a local directory instead of an NFS directory and it worked; that is why I know the FollowSymLinks directive is active.
Apache service user run as? 'ps -aux |grep apache2':
Code:
www-data 73936 0.0 0.5 285192 11576 ? S 07:35 0:00 /usr/sbin/apache2 -k start
'ls -alh /mnt/nfs/external/htmldata/sarg':
Code:
total 2.0K
Code:
total 60K
Code:
192.168.1.2 - - [23/Nov/2016:15:12:08 -0400] "GET /sarg-reports-test HTTP/1.1" 403 519 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
Code:
[Wed Nov 23 15:12:08.046694 2016] [core:error] [pid 73937] [client 192.168.1.2:22515] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test |
Think I see the issue.
To verify: what does your /etc/fstab look like? |
I might be leaving soon - so here is my thought.
You have symlinks allowed, and you have a symlink. Fine. That works. That symlink points to a DIFFERENT directory that is mounted through NFS. And the NFS mount gives that directory its permissions. Looks like "drwx------ 2 4294967294 4294967294 64 Nov 23" specifically. Your apache runs as 'www-root' which is a different user and group than '4294967294' and so doesn't have access to that directory. So - make sure that your /mnt directories allow the www-data user or group and your NFS mount is mounted with the correct permissions to allow www-data user or group. You can also do this by allowing read and execute for 'world/other' for those directories. Files should be chowned similarly. |
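The check described in the post above (every directory on the way to the link target must be passable for the Apache user), as an added example that is not part of the thread. It assumes GNU `readlink`/`stat` and a web user that is neither owner nor group member of the target; `first_blocked` and its optional prefix argument are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Walks the resolved target of a path
# and reports the first component that a user who is neither owner nor
# group member (assumed here for www-data) cannot pass.
# Assumes GNU coreutils (readlink -e, stat -c), as shipped with Debian.

# first_blocked PATH [PREFIX]
#   PREFIX (optional): directory known to be fine; checks start below it.
#   Prints "component mode=... owner=uid:gid" and returns 1 when blocked,
#   returns 0 when every component is passable, 2 when it cannot resolve.
first_blocked() {
    target=$(readlink -e -- "$1") || { echo "$1: cannot resolve"; return 2; }
    cur=""
    rest=${target#/}
    if [ -n "${2:-}" ]; then
        base=$(readlink -e -- "$2") || return 2
        case $target in
            "$base"/*) cur=$base; rest=${target#"$base"/} ;;
        esac
    fi
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        cur="$cur/$part"
        mode=$(stat -c %a -- "$cur") || return 2
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ -n "$rest" ]; then need=1     # directory on the way: search (x)
        elif [ -d "$cur" ]; then need=5    # final directory: read + search
        else need=4                        # final file: read
        fi
        if [ $(( $other & $need )) -ne "$need" ]; then
            echo "$cur mode=$mode owner=$(stat -c %u:%g -- "$cur")"
            return 1
        fi
    done
    return 0
}

# Usage: sh check.sh /var/www/html/sarg-reports-test
if [ "$#" -gt 0 ]; then first_blocked "$@"; fi
```

Run it as root on the Apache host; the first line it prints is the directory or file whose mode has to change (or whose mount options have to map ownership differently).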
Quote:
The mount is owned by root because the user that has access to the NFS is root. Maybe I can add the user www-data to the root group but still being in the www-data group. This way the apache service user will have the access by the group. |
I made the www-data user belong to the root group.
Tried to access the Web site but it still gives me a Forbidden error.
error.log
Code:
[Tue Nov 29 14:24:29.808438 2016] [core:error] [pid 74050] [client 192.168.1.2:20748] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/sarg-reports-test
Code:
uid=33(www-data) gid=33(www-data) groups=33(www-data),0(root)
Code:
www-data : www-data root |
Look how www-data becomes the owner under webdav that uses Apache's default place /var/www/
http://bernaerts.dyndns.org/linux/75...n-webdav-share
OK, that's only an impression. Now read how you should do it in principle:
http://askubuntu.com/questions/76750...-for-a-website |
I wanted to replicate this out of the box. So I logged into digital ocean and spun up two Debian 8 instances. One I called NFS-server and the other is APACHE-server. Here is the setup I did:
root@nfs-server:
Code:
apt-get update
Code:
apt-get update
Code:
curl http://123.123.123.123/this_is_a_symlink |
What I am wondering now is ... try this ...
Code:
cd /var/www/html |
I have not done your last suggestions. I don't know why the thread changes/additions are not being notified to my email even though I am supposedly registered to the thread and set to receive notifications immediately. As soon as I can do your request I will post back.
By the way I did not install nfs-client itself but nfs-common. |
Quote:
I see a web page with the word HELLO. By the way I executed the command lines with root user |
Ok. So YOUR original symlink is pointing to a directory and not a file.
Code:
LINKS
Looking back at our conversation and your symlinks - are you pointing to a directory on purpose? Do you want to display the directory contents in the browser? Is that what you are trying to do? If so, then look up DirectoryIndex and configure it correctly for your server. If not, then create your symlink to point to a file instead of a directory. |
Right on. Try this configuration (notice the + ), restart apache, then:
Code:
<Directory /var/www/> |
apache2.conf has:
Code:
<Directory /var/www/>
Code:
<Directory /var/www/>
Code:
<Directory /var/www/> |
For starters, add a plus sign + to Indexes, like this
Code:
Options +Indexes FollowSymLinks |
Quote:
Service failed to start.
Code:
root@e2guardian:/etc/apache2# journalctl -xn |
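Apache 2.4 refuses to start when an `Options` line mixes `+`/`-` prefixed keywords with unprefixed ones, as in `Options +Indexes FollowSymLinks` above. An added example (not part of the thread) that flags such lines before a restart; `lint_options` and the sample config are constructed for illustration, and `apache2ctl configtest` remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from the thread. Flags Options lines that Apache 2.4
# rejects at startup: keywords with a +/- prefix mixed with bare keywords.

# lint_options: reads an Apache config on stdin, prints "LINE: directive"
# for every invalid Options line and returns 1 if any was found.
lint_options() {
    awk '
        tolower($1) == "options" {
            signed = 0; bare = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^[+-]/) signed = 1; else bare = 1
            }
            if (signed && bare) {
                sub(/^[ \t]+/, "")          # drop indentation for the report
                printf "%d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample config (not the poster's file).
sample_conf() {
    cat <<'EOF'
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/html/>
    Options +Indexes FollowSymLinks
</Directory>
<Directory /srv/www/>
    Options +Indexes +FollowSymLinks
</Directory>
EOF
}

# Only the mixed line (line 5 of the sample) is reported.
sample_conf | lint_options || true
```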
I added the + sign to the options.
Code:
<Directory /var/www/>
Service started successfully. Tried and got:
You don't have permission to access /sarg-reports-test on this server.
You don't have permission to access /sarg-reports-test/index.html on this server. |