Why this 403?

winslow · 08-09-2004, 06:13 PM

Hi all,

sorry for bothering you, but i'm next to jumping out of my 6th floor window.

---
i got the following problem
---
----------------------------------------------------------------------------------
by the browser request
wow.test.now and test
===> Forbidden
You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.0.40 Server at wow.test.now(test) Port 80
----------------------------------------------------------------------------------
by the browser request
nbnbg252 and 192.168.1.252
===> the main ServerRoot index.html is ok
----------------------------------------------------------------------------------
---
After my last changes to establish name based vhost my conf looks like that
---
----------------------------------------------------------------------------------
/etc/httpd/conf/httpd.conf

NameVirtualHost 192.168.1.252
<VirtualHost 192.168.1.252>
DocumentRoot /var/www/html
Servername nbnbg252.localhost
ServerAlias nbnbg252
</VirtualHost>
<VirtualHost 192.168.1.252>
DocumentRoot /home/myhome/www
ServerName wow.test.now
ServerAlias test
ScriptAlias /cgi-bin/ "/home/myhome/www/cgi-bin/"
</VirtualHost>
----------------------------------------------------------------------------------
drwxrwxrwx 11 apache apache 4096 9. Aug 23:19 www
and below the
-rwxrwxrwx 1 apache apache 76 9. Aug 23:19 index.html
-----------------------------------------------------------------------------------
drwxr-xr-x 4 apache apache 4096 9. Aug 23:31 html
and below the
-rwxr-xr-x 1 apache apache 4105 6. Aug 00:04 index.html
----------------------------------------------------------------------------------
/etc/hosts at the server

127.0.0.1 nbnbg252.localhost wow.test.now nbnbg252
(there was a "test" alias, but i think there is no need to it)
----------------------------------------------------------------------------------
---
additional (don't know if that does matter?)
---
----------------------------------------------------------------------------------
/etc/hosts and C:\\WINNT\system32\drivers\etc\hosts at the clients

192.168.1.252 wow.test.now nbnbg252 test
----------------------------------------------------------------------------------
drwx------ 32 myuser myuser 4096 9. Aug 23:54 myhome

myuser were switched out of an old_myuser
myhome is the copied content of old_myhome
----------------------------------------------------------------------------------

ANY suggestion?
thanks ahead
winslow

wijnands · 08-10-2004, 02:14 AM

Does it work on the server itself? Keeping a tail on your access_log and error_log might provide clues.

winslow · 08-10-2004, 05:48 AM

access_log contains
192.168.1.32 - - [10/Aug/2004:12:26:35 +0200] "GET / HTTP/1.1" 403 392 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312"
192.168.1.32 - - [10/Aug/2004:12:26:59 +0200] "GET / HTTP/1.1" 403 392 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312"
nbnbg32 - - [10/Aug/2004:12:27:14 +0200] "GET / HTTP/1.1" 200 4105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312"
nbnbg32 - - [10/Aug/2004:12:27:30 +0200] "GET / HTTP/1.1" 200 4105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312"
after =>
1. request to test
2. request to wow.test.now
3. request nbnbg252
4. request 192.168.1.252

error_log contains
[Tue Aug 10 12:26:59 2004] [error] [client 192.168.1.32] (13)no permission: access to / denied
[Tue Aug 10 12:31:42 2004] [error] [client 192.168.1.32] (13)no permission: access to / denied
after =>
1. and 2. request

after booting the following is in the error_log
[Tue Aug 10 11:37:48 2004] [info] Init: Initializing OpenSSL library
[Tue Aug 10 11:37:49 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 10 11:37:49 2004] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 10 11:37:49 2004] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 10 11:37:49 2004] [debug] /usr/src/build/288112-i386/BUILD/httpd-2.0.40/modules/ssl/ssl_scache_dbm.c(416): Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[Tue Aug 10 11:37:49 2004] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 10 11:37:49 2004] [info] Server: Apache/2.0.40, Interface: mod_ssl/2.0.40, Library: OpenSSL/0.9.7a
[Tue Aug 10 11:37:49 2004] [info] mod_unique_id: using ip addr 127.0.0.1
PHP Warning: Function registration failed - duplicate name - imap_open in Unknown on line 0
......................lots more of these php stuff that i don't need--------------------
PHP Warning: ldap: Unable to register functions, unable to load in Unknown on line 0
[Tue Aug 10 11:37:53 2004] [info] Init: Initializing OpenSSL library
[Tue Aug 10 11:37:53 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 10 11:37:53 2004] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 10 11:37:53 2004] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 10 11:37:53 2004] [debug] /usr/src/build/288112-i386/BUILD/httpd-2.0.40/modules/ssl/ssl_scache_dbm.c(416): Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[Tue Aug 10 11:37:53 2004] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 10 11:37:53 2004] [info] Server: Apache/2.0.40, Interface: mod_ssl/2.0.40, Library: OpenSSL/0.9.7a
[Tue Aug 10 11:37:53 2004] [notice] Digest: generating secret for digest authentication ...
[Tue Aug 10 11:37:53 2004] [notice] Digest: done
[Tue Aug 10 11:37:53 2004] [info] mod_unique_id: using ip addr 127.0.0.1
[Tue Aug 10 11:37:54 2004] [notice] Apache/2.0.40 (Red Hat Linux) mod_perl/1.99_07-dev Perl/v5.8.0 PHP/4.2.2 mod_python/3.0.1 Python/2.2.2 mod_ssl/2.0.40 OpenSSL/0.9.7a DAV/2 configured -- resuming normal operations
[Tue Aug 10 11:37:54 2004] [info] Server built: Jul 31 2003 11:36:14
[Tue Aug 10 11:37:54 2004] [debug] /usr/src/build/288112-i386/BUILD/httpd-2.0.40/server/mpm/prefork/prefork.c(1037): AcceptMutex: sysvsem (default: sysvsem)

i can't see a case which disturbs permissions

wijnands · 08-10-2004, 07:15 AM

No but it does seem to be a permission problem. Out of my skill level though, sorry.

stickman · 08-10-2004, 07:30 AM

Can you get to /index.html or any other index page? If yes, look for these terms in your httpd.conf: Options Indexes.

winslow · 08-10-2004, 08:07 AM

tp wijnands: what did you exactly mean with:
Does it work on the server itself?

the deamon is up, i checked via ssh the logs error/access and the respond

to stickman
"Can you get to /index.html or any other index page?"
I get my main index page
DocumentRoot /var/www/html
"If yes, look for these terms in your httpd.conf: Options Indexes"
I read in the apache.org tutorial something about its more save not to use
Options Indexes!?
So i deleted these entries.

I tried it with Options Indexes in the "/" , but there was no difference.
i can allways see the nbnbg/192.168.1.252
but never the test/wow.test.now

here is my actuall setting on Directories
# important to security
<Directory "/">
Options FollowSymlinks
AllowOverride None
</Directory>

# DocRoot Directives
<Directory "/var/www/html">
Options IncludesNoexec FollowSymLinks
AllowOverride None
Allow from from all
Order allow,deny
</Directory>
<Directory "/var/www/icons">
Options MultiViews
AllowOverride None
Allow from from all
Order allow,deny
</Directory>
<Directory "/var/www/cgi-bin">
Options ExecCGI
AllowOverride None
Allow from from all
Order allow,deny
</Directory>

# VHost Directives
<Directory "/home/myhome/www">
Options IncludesNoexec FollowSymLinks Multiviews
AllowOverride None
Allow from from all
Order allow,deny
</Directory>
<Directory "/home/myhome/www/cgi-bin">
Options ExecCGI
AllowOverride None
Allow from from all
Order allow,deny
</Directory>

winslow · 08-10-2004, 09:55 AM

i opened mozilla via ssh and tried to reach my sites (Preferences - proxy - direct connection)

"192.168.1.252" - was the main DocumentRoot => ok

"test" was redirected to www.test.com, which i didn't wanted to go, the alias seems not to be ok, could be because of the missing /etc/hosts entry?

wow.test.now, "The connection was refused when attempting to connect to wow.test.now", the vhost is not ok
nbnbg252, the same as with wow.test.now, the alias to my main address is not ok, i could only reac id via IP

access_log noticed the ip of the server
error_log gives me new [Tue Aug 10 15:03:08 2004] [error] [client 192.168.1.32] (13)no permission: access to / denied

What do you think?

stickman · 08-10-2004, 02:09 PM

Quote:

Originally posted by winslow
to stickman
"Can you get to /index.html or any other index page?"
I get my main index page
DocumentRoot /var/www/html
"If yes, look for these terms in your httpd.conf: Options Indexes"
I read in the apache.org tutorial something about its more save not to use
Options Indexes!?
So i deleted these entries.

What do you have specified for the DirectoryIndex in your httpd.conf? Does it match the index page that you expect to use? If you don't have a matching index page in that directory and you are not using "Options Indexes", then your server is exhibiting the correct behavior.

Also are the permission on /home/myhome set to 700 or some other setting that restricts access to other?

winslow · 08-10-2004, 04:49 PM

Quote:

What do you have specified for the DirectoryIndex in your httpd.conf? Does it match the index page that you expect to use? If you don't have a matching index page in that directory and you are not using "Options Indexes", then your server is exhibiting the correct behavior.

Also are the permission on /home/myhome set to 700 or some other setting that restricts access to other?

htpd.conf:
DirectoryIndex index.html index.htm index.xml

i have in all DocumentRoot directories an index.html with at least 755
in the case of the vhost DocumentRoot (while testing) i have 777
to the directorie and the index.html

Quote:

"and you are not using "Options Indexes", then your server is exhibiting the correct behavio"

please could you go in more detail, i don't understand that point
where have this "Options Indexes" to be,
<Directory "/">
or
<Directory "/var/www/html">
or
<Directory "/home/myhome/www">
or not at all in a <Directory "/foo/bar">

thx

stickman · 08-11-2004, 07:48 AM

Quote:

Originally posted by winslow
i have in all DocumentRoot directories an index.html with at least 755
in the case of the vhost DocumentRoot (while testing) i have 777
to the directorie and the index.html

Ok, so you have /home/myhome/www set to 777, but what are the permissions on /home/myhome? You need to make sure that whatever user your Apache runs as can read the directory tree to your DocumentRoot (ie /home, /home/myhome, and /home/myhome/www). Redhat usually creates user directories with default perms of 700 which means apache or www can't read the contents of them.

The "Options Indexes" is a feature that when their is no matching index present and the directory is requested, it will present a file list as the index page. This is a security concern if you do not want the contents of that particular directortory presented.

winslow · 08-11-2004, 05:35 PM

Originally posted by stickman

Quote:

Ok, so you have /home/myhome/www set to 777, but what are the permissions on /home/myhome? You need to make sure that whatever user your Apache runs as can read the directory tree to your DocumentRoot (ie /home, /home/myhome, and /home/myhome/www). Redhat usually creates user directories with default perms of 700 which means apache or www can't read the contents of them.

/home was allready setted to 755
/home/myhome was setted to 700 is now 755
/home/myhome/www was setted to 777 is now 755

and it was a small step to mankind but a big to myself,
the clients(not the server) get access to the vhost,
thanks a lot to stickman

there are some minor problems left

I get results only when my browser preferences are setted to
Proxy - Direct connection
Any ideas what to tell the squid proxy to ignore these intranet requests???