LinuxQuestions.org
Old 12-19-2011, 04:41 PM   #1
Silver565
Member
 
Registered: Jul 2007
Distribution: Ubuntu, Windows, Freenas
Posts: 96

Rep: Reputation: 15
Apache2 403 Error Document


I have a problem where people can't view the 403 error document (that is also denied access to). Yet people on my allow list CAN view it when navigating to the root directory (which I want blocked).

So 172.25.0.150 >> http://172.25.0.165/website = success
So 172.25.0.150 >> http://172.25.0.165/ = 403 document page (success)
So 172.25.1.15 >> http://172.25.0.165/website = Denied, but no 403 page
So 172.25.1.15 >> http://172.25.0.165/ = Denied, but no 403 error page (my one)

Any help would be appreciated

<VirtualHost *:80>

    ServerAdmin blahblah@blah.net
    ServerName 172.25.0.165
    DocumentRoot /var/www/
    ServerSignature Off
    HostNameLookups Off
    ErrorLog /var/www/logs/error.log
    <Directory />
        Options None
        AllowOverride None
        Deny from All
    </Directory>
    <Directory /var/www/website>
        Options Indexes FollowSymLinks MultiViews IncludesNoExec
        Order deny,allow
        Deny from all
        Allow from 172.25.0.219
        Allow from 172.25.0.218
        Allow from 172.25.0.157
        Allow from 172.25.0.150
        Allow from 172.25.0.130
        Allow from 172.25.0.165
    </Directory>
    <Directory /var/www/error/>
        Allow from all
    </Directory>
    #Set Directory Index
    <IfModule dir_module>
        DirectoryIndex index.html index.php index.php4 index.cgi index.pl
    </IfModule>
    #Error documents here
    ErrorDocument 403 /error/403.html
</VirtualHost>
 
Old 12-19-2011, 06:51 PM   #2
novice06
Member
 
Registered: Mar 2006
Location: Singapore
Distribution: RHEL, CentOS
Posts: 132

Rep: Reputation: 23
"Allow from" is the answer.
You can add another line:
Allow from 172.25.1.x
Replace x with your client IP. You can even allow a whole network range.
 
Old 12-20-2011, 12:14 PM   #3
Silver565
Ah I was hoping that wasn't the case :s
So my deny from "everything else" has blocked access to the 403 error document that I've created?

I guess I'd have to append another module to say that:

"If incoming address is not on allow list, show 403 error document (403.html)" ?


Thanks for the input
 
Old 12-20-2011, 12:18 PM   #4
Silver565
Ok: Update.

The computer that I'm testing from (has an IP address not on the allow list) can view the 403 error document when I type in the direct path:

172.25.0.165/error/403.html

But it cannot view the 403 error document if I navigate to the root directory (which is blocked), or any other blocked directory for that matter.
If a client on the allow list navigates to the root directory, it gets the correct error page :s
 
Old 12-20-2011, 03:59 PM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,174
Blog Entries: 1

Rep: Reputation: 2040
Hi

Your configuration is correct, so it should work. Take a look at error_log to see if you find anything.
In the meantime you can use:
Code:
ErrorDocument 403 http://172.25.0.165/error/403.html
Regards
 
Old 12-21-2011, 12:25 PM   #6
Silver565
[Thu Dec 22 07:24:03 2011] [error] [client 172.25.1.1] client denied by server configuration: /var/www/
[Thu Dec 22 07:24:08 2011] [error] [client 172.25.1.1] client denied by server configuration: /var/www/website
[Thu Dec 22 07:25:02 2011] [error] [client 172.25.1.1] Directory index forbidden by Options directive: /var/www/error/
[Thu Dec 22 07:25:14 2011] [error] [client 172.25.1.1] client denied by server configuration: /var/www/website/wp-admin

It seems to be denied by the configuration file. However I'm still not seeing why. My error document is allowed, so it should be re-directed :s

I'll give the http direct link method a go and see how that works
 
Old 12-21-2011, 12:28 PM   #7
Silver565
Ok, the direct HTTP method works. However it's only an interim solution as I don't really want the link to be displayed like that.

I shouldn't have to use .htaccess files surely? Having only two directories should mean the main config file should be sufficient?
 
Old 12-21-2011, 01:23 PM   #8
bathory
Quote:
[Thu Dec 22 07:24:03 2011] [error] [client 172.25.1.1] client denied by server configuration: /var/www/
[Thu Dec 22 07:24:08 2011] [error] [client 172.25.1.1] client denied by server configuration: /var/www/website
[Thu Dec 22 07:25:02 2011] [error] [client 172.25.1.1] Directory index forbidden by Options directive: /var/www/error/
[Thu Dec 22 07:25:14 2011] [error] [client 172.25.1.1] client denied by server configuration: /var/www/website/wp-admin

It seems to be denied by the configuration file. However I'm still not seeing why. My error document is allowed, so it should be re-directed :s
Huh. Between the first 2 logs (access to forbidden pages) and the 3rd (access to /error, meaning apache tried to give the 403 error document), there is a 1 min. gap. How come?
Are you by any chance using mod_rewrite or something? As I see you're using wordpress, that comes with some mod_rewrite rules, so it's worth looking into them if you're not using your own.
Regarding the "Directory index forbidden by Options directive: /var/www/error/", add an index.html so apache stops complaining


Quote:
Ok, the direct HTTP method works. However it's only an interim solution as I don't really want the link to be displayed like that.
As I told you, you can use it while trying to solve your problem. And since it works as expected, it makes me think that it is mod_rewrite that is responsible for this behavior.
 
Old 12-21-2011, 02:03 PM   #9
Silver565
Quote:
Originally Posted by bathory View Post
Huh. Between the first 2 logs (access to forbidden pages) and the 3rd (access to /error, meaning apache tried to give the 403 error document), there is a 1 min. gap. How come?
Are you by any chance using mod_rewrite or something? As I see you're using wordpress, that comes with some mod_rewrite rules, so it's worth looking into them if you're not using your own.
Regarding the "Directory index forbidden by Options directive: /var/www/error/", add an index.html so apache stops complaining
Ah, I was busy between two RDP sessions, so I had a minute between retry attempts on the test VM.

Add an index? So I would add the ifmodule for the <Directory /var/www/error> group?

As for wordpress, I'm not adding any .htaccess files or other virtualhosts for it. It worked fine with the default Apache2 config file too, however I made this one so I could restrict access to other directories.

Quote:
Originally Posted by bathory View Post
As I told you you can use it while trying to solve your problem. And since it works as expected, it makes me think that it is mod_rewrite that is responsible for this behavior
The mod_rewrite does make sense... any idea where I should be looking to find it?
 
Old 12-21-2011, 02:18 PM   #10
bathory
Quote:
Ah, I was busy between two RDP sessions, so I had a minute between retry attempts on the test VM.
No, what I'm trying to tell you is that you should get a 403 error 2 times at the same moment: one for the /website and the other for the /error/403.html (the latter shouldn't happen and it's the problem you're facing, if I understand your 1st post well). You don't get the 2nd error, so it looks like apache works as expected and gives you the 403 error page!!!
I've tried to do the same setup here (using different docroot), so you should get the following if there was a problem with /error:
Quote:
[Wed Dec 21 22:12:50 2011] [error] [client 127.0.0.1] client denied by server configuration: /opt/apache/htdocs/website
[Wed Dec 21 22:12:50 2011] [error] [client 127.0.0.1] client denied by server configuration: /opt/apache/htdocs/error/403.html
Quote:
Add an index? So I would add the ifmodule for the <Directory /var/www/error> group?
No, add an index.html page in /error (even blank)


Quote:
The mod_rewrite does make sense... any idea where I should be looking to find it?
It should be in a .htaccess in the root directory of wordpress. I guess this is the /website in your case

Regards
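
The log check described in post #10, as an added example that is not part of the thread: group "client denied" entries by timestamp and client, and flag the case where the ErrorDocument file itself was denied in the same second as the original request. The function name `classify_denials` and the filesystem paths given for the error document (docroot plus `/error/403.html`) are assumptions; the log lines are the ones quoted in posts #6 and #10.

```python
import re
from collections import defaultdict

# Apache 2.2-style access-denial line, in the format quoted in the thread.
DENIED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"client denied by server configuration: (?P<path>\S+)$"
)

def classify_denials(log_lines, error_doc_file):
    """Group denials by (timestamp, client) and flag groups where the
    ErrorDocument file was denied in the same second as the request."""
    groups = defaultdict(list)
    for line in log_lines:
        m = DENIED_RE.match(line.strip())
        if m:  # other messages (e.g. "Directory index forbidden") are skipped
            groups[(m["ts"], m["client"])].append(m["path"])
    report = []
    for (ts, client), paths in groups.items():
        report.append({
            "time": ts,
            "client": client,
            "requested": [p for p in paths if p != error_doc_file],
            "error_doc_denied": error_doc_file in paths,
        })
    return report

# Log lines as quoted in post #6; error document path assumed from DocumentRoot.
POSTER_DOC = "/var/www/error/403.html"
POSTER_LOG = [
    "[Thu Dec 22 07:24:03 2011] [error] [client 172.25.1.1] client denied by server configuration: /var/www/",
    "[Thu Dec 22 07:24:08 2011] [error] [client 172.25.1.1] client denied by server configuration: /var/www/website",
    "[Thu Dec 22 07:25:02 2011] [error] [client 172.25.1.1] Directory index forbidden by Options directive: /var/www/error/",
    "[Thu Dec 22 07:25:14 2011] [error] [client 172.25.1.1] client denied by server configuration: /var/www/website/wp-admin",
]
# Log lines as quoted in post #10 (the failure pattern bathory describes).
BATHORY_DOC = "/opt/apache/htdocs/error/403.html"
BATHORY_LOG = [
    "[Wed Dec 21 22:12:50 2011] [error] [client 127.0.0.1] client denied by server configuration: /opt/apache/htdocs/website",
    "[Wed Dec 21 22:12:50 2011] [error] [client 127.0.0.1] client denied by server configuration: /opt/apache/htdocs/error/403.html",
]

if __name__ == "__main__":
    for log, doc in ((POSTER_LOG, POSTER_DOC), (BATHORY_LOG, BATHORY_DOC)):
        for entry in classify_denials(log, doc):
            print(entry)
```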
 
Old 12-22-2011, 12:41 PM   #11
Silver565
Quote:
Originally Posted by bathory View Post
No, what I'm trying to tell you is that you should get a 403 error 2 times at the same moment: one for the /website and the other for the /error/403.html (the latter shouldn't happen and it's the problem you're facing, if I understand your 1st post well). You don't get the 2nd error, so it looks like apache works as expected and gives you the 403 error page!!!
I've tried to do the same setup here (using different docroot), so you should get the following if there was a problem with /error:



No, add an index.html page in /error (even blank)


It should be in a .htaccess in the root directory of wordpress. I guess this is the /website in your case

Regards
Thank you for that

I haven't found an htaccess file in the root directory of wordpress, I've searched and even used "ls" in case it was hidden in the GUI search.

I've uploaded 3 pictures. One is from ".150" which is allowed to access the wordpress directory (chrome images), the other two are from my test VM which isn't on the allow list (therefore denied). Both computers can get to the error document when typing the direct path, however when I change the path to "/error/403.html" in the virtual host file, only the computer on the allow list will be given the error document when navigating to http://172.25.0.165 (which is blocked as per the config file in post #1).

The permission error shouldn't happen for the error/403.html file as I allowed "all" to that directory (/var/www/error). Which is correct, as giving the 403 error document a path of "http://172.25.0.165/error/403.html" works. However giving /error/403.html as the path for the "error document" doesn't work for addresses not listed as allowed in the virtual host file.

I know it has to be a permission problem, I'm just struggling to find out where that issue is.
Attached Thumbnails: yes.JPG, No.JPG, yes(15).png
 
Old 12-22-2011, 01:30 PM   #12
bathory
Hi,

Quote:
I haven't found an htaccess file in the root directory of wordpress, I've searched and even used "ls" in case it was hidden in the GUI search.
Mind that it's .htaccess (with a dot in the beginning), meaning the file is hidden from ls. Try "ls -la", because AFAIK wordpress uses .htaccess to rewrite URLs.


Quote:
The permission error shouldn't happen for the error/403.html file as I allowed "all" to that directory (/var/www/error). Which is correct, as giving the 403 error document a path of "http://172.25.0.165/error/403.html" works. However giving /error/403.html as the path for the "error document" doesn't work for addresses not listed as allowed in the virtual host file.
I've already told you that it's correct. Besides, I've simulated your setup here and it worked as expected (see my previous post).
That's why I think it's a .htaccess involved. Unless you're using a proxy (unlikely) to access your server and you get cached responses from it.
 
  

