Gentoo Forums
Apache 2.0.54 403 error [Solved]

Talrias
n00b

Joined: 23 May 2004
Posts: 32

Posted: Fri May 13, 2005 9:08 pm    Post subject: Apache 2.0.54 403 error [Solved]

After upgrading apache today through portage, and accepting all the recommended config mergers, I now cannot access any of the pages on the website. I have /var/www/starglade.org (my domain name) symlinked to /var/www/localhost, and get the message "Symbolic link not allowed: /var/www/starglade.org" in /var/log/apache2/error_log. I never got this error message previously; I've had a look through the various config files and I see nothing which is the cause of this message. What should I do to resolve this?

Chris
_________________
"if triangles had a god, He'd have three sides."


Last edited by Talrias on Sun May 15, 2005 12:30 pm; edited 1 time in total

elvisthedj
Guru

Joined: 21 Jun 2004
Posts: 483
Location: Nampa, ID

Posted: Fri May 13, 2005 9:13 pm

You might want to look at your /etc/apache2/conf/apache2.conf and see if the new config has changed your Document Root (the Document Root setting in commonapache2.conf should be commented out).
_________________
Kris Edwards
kris edwards at g mail dot c0m

Talrias
n00b

Joined: 23 May 2004
Posts: 32

Posted: Fri May 13, 2005 9:16 pm

The one in commonapache2.conf is commented out, and the one in apache2.conf is set correctly to /var/www/localhost/htdocs. I'm also using the dynamic vhosts config file, and all the pages on subdomains (e.g. /var/www/subdomain.starglade.org) are giving 403 errors also - they worked correctly before this upgrade.

Chris
_________________
"if triangles had a god, He'd have three sides."

RayDude
Advocate

Joined: 29 May 2004
Posts: 2094
Location: San Jose, CA

Posted: Fri May 13, 2005 9:25 pm    Post subject: Re: Apache 2.0.54 403 error

Talrias wrote:
After upgrading apache today through portage, and accepting all the recommended config mergers, I now cannot access any of the pages on the website. I have /var/www/starglade.org (my domain name) symlinked to /var/www/localhost, and get the message "Symbolic link not allowed: /var/www/starglade.org" in /var/log/apache2/error_log. I never got this error message previously; I've had a look through the various config files and I see nothing which is the cause of this message. What should I do to resolve this?

Chris


I had a similar problem a few months ago when I went to .52. .53 was a fiasco, .54 went off without a hitch, but that's because I made myself two promises: I would never run etc-update again. And I won't hand install any of the ._cfg files without first rebooting and seeing if the existing configuration works.

I actually don't follow the second rule much anymore. Here's what I do:

Code:
cd /etc
find . -iname '._cfg*'
...
diff -u original_file ._cfg0000_original_file
...
Then I look at the changes. If I haven't touched the config file myself, usually I just:
...
mv ._cfg0000_original_file original_file
...
Which is what etc-update -3 does.
But sometimes, as in the case of xorg.conf and httpd.conf, etc, I know I don't want any over-writing, so I remove the ._cfg0000 file...


Back on the subject.

I used to use a symlink for squirrel mail, so I had this problem before. But I strongly suggest you edit your apache2 configuration to point everything to where you actually have the html installed. This is good because that way things are harder to be overwritten by an emerge and it's more secure.

But if you really want to follow symlinks, I think this is what I did:

/etc/apache2/httpd.conf

# For each <Directory> you'll need something like this:

Code:
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

# And a bit later in <Directory home>

<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    # (the rest of this section was not included in the post)
</Directory>


I think that's all I had to do to get them working with squirrel mail as http://myserver.org/squirrelmail

Now, however, I have set up a virtual web with webmail.myserver.org and that does not use symlinks.

So I'm not positive these are the only changes you need to make.

Raydude
_________________
Some day there will only be free software.

ekutay
l33t

Joined: 30 Mar 2005
Posts: 636
Location: Berlin

Posted: Fri May 13, 2005 9:26 pm

Where is the symlink, and what are the lines in the configuration file(s) related to this link? It's not clear to me, so I cannot imagine the structure of your site.
Note: the 403 signals that there are no options to follow symlinks
Code:
Options FollowSymLinks
As it sounds, you had better set up your server in another way. It's not a good idea to have a follow symlinks directive in the root of your webapp. Think about a vhost having the document root somewhere else, the Alias directive in combination with Directory or similar options.
_________________
-- erol

Talrias
n00b

Joined: 23 May 2004
Posts: 32

Posted: Fri May 13, 2005 9:31 pm

The Directory config section is as follows (comments removed):

Code:
<Directory /var/www/localhost/htdocs>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride All
    <IfModule mod_access.c>
      Order allow,deny
      Allow from all
    </IfModule>
</Directory>


In /var/www/, 'starglade.org' is a direct symlink to 'localhost'. I am using the dynamic vhosts config - as I have many subdomains it's far easier to maintain this way.

Chris
_________________
"if triangles had a god, He'd have three sides."

ekutay
l33t

Joined: 30 Mar 2005
Posts: 636
Location: Berlin

Posted: Fri May 13, 2005 9:37 pm

/var/www/starglade.org should point to /var/www/localhost/htdocs if I get you correctly.
_________________
-- erol

Talrias
n00b

Joined: 23 May 2004
Posts: 32

Posted: Fri May 13, 2005 9:39 pm

I don't think so; but I tried it and still get the "symlink not allowed" error.

Chris
_________________
"if triangles had a god, He'd have three sides."

RayDude
Advocate

Joined: 29 May 2004
Posts: 2094
Location: San Jose, CA

Posted: Fri May 13, 2005 9:41 pm

Talrias wrote:
The Directory config section is as follows (comments removed):

Code:
<Directory /var/www/localhost/htdocs>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride All
    <IfModule mod_access.c>
      Order allow,deny
      Allow from all
    </IfModule>
</Directory>


In /var/www/, 'starglade.org' is a direct symlink to 'localhost'. I am using the dynamic vhosts config - as I have many subdomains it's far easier to maintain this way.

Chris


What does your vhost file look like?

Here's mine as an example. It's fairly simple; it sounds like yours is much more complex:

Code:
<VirtualHost *:80>
   ServerName webmail.mydomain.org
   ServerAlias squirrelmail.mydomain.org
   DocumentRoot /usr/share/webapps/squirrelmail/1.4.4/htdocs
   DirectoryIndex index.php
   <Directory /usr/share/webapps/squirrelmail/1.4.4/htdocs>
     Options -Indexes FollowSymLinks MultiViews
     AllowOverride All
     <IfModule mod_access.c>
       Order allow,deny
       Allow from all
     </IfModule>
   </Directory>
</VirtualHost>

<VirtualHost *:80>
   ServerName otherdomain.net
   ServerAlias *.otherdomain.net
   DocumentRoot /mnt/raid1/www/otherdomain.net/htdocs
   DirectoryIndex index.html
   <Directory /mnt/raid1/www/otherdomain.net/htdocs>
     Options -Indexes FollowSymLinks MultiViews
     AllowOverride All
     <IfModule mod_access.c>
       Order allow,deny
       Allow from all
     </IfModule>
   </Directory>
</VirtualHost>


Here's the relevant portion of my httpd.conf file:

Code:

<VirtualHost *:80>
    DocumentRoot "/mnt/raid1/www/mydomain.org/htdocs"

    <Directory "/mnt/raid1/www/mydomain.org/htdocs">

        Options Indexes FollowSymLinks

        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Directory /mnt/raid1/www/mydomain.org/cgi-bin>
       AllowOverride All
       Options ExecCGI
       <IfModule mod_access.c>
          Order allow,deny
          Allow from all
       </IfModule>
    </Directory>
</VirtualHost>

_________________
Some day there will only be free software.

adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

Posted: Fri May 13, 2005 9:42 pm

You'd better post all the relevant bits of your config - I'm not seeing the right options.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

Talrias
n00b

Joined: 23 May 2004
Posts: 32

Posted: Fri May 13, 2005 9:49 pm

vhosts/dynamic-hosts.conf:

Code:
UseCanonicalName Off
LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
CustomLog logs/access_log vcommon
VirtualDocumentRoot /var/www/%0/htdocs
VirtualScriptAlias  /var/www/%0/cgi-bin


Here's the relevant bit from commonapache2.conf, in addition to the bit above:

Code:
<Directory />
  Options -All -Multiviews
  AllowOverride None
  <IfModule mod_access.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Directory>


Nothing important has been modified from the default.
_________________
"if triangles had a god, He'd have three sides."

adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

Posted: Fri May 13, 2005 9:55 pm

Quote:
In /var/www/, 'starglade.org' is a direct symlink to 'localhost'.

In that case, you have to do one of two things: either
a. allow symlinking from root, or
b. set directory access for that symlink as well.

Unless you do either one of these, you won't be allowed to access content outside your *real* documentroot.

I usually set it per-vhost, since that provides both clarity and maximum control.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

Talrias
n00b

Joined: 23 May 2004
Posts: 32

Posted: Fri May 13, 2005 9:59 pm

I just added FollowSymLinks to the directory section for /, and restarted, and I still get the 403 error as before. This worked before; what has changed in the configuration since the previous version?

Chris
_________________
"if triangles had a god, He'd have three sides."

adaptr
Watchman

Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

Posted: Fri May 13, 2005 11:13 pm

Per-directory access rights for each vhost, methinks.

I've been running apache vhosts for years, and apache's config can get very complicated very fast - here's a free tip:
if you can't easily visualise the access hierarchy in your mind then it's probably too complex...
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen

Talrias
n00b

Joined: 23 May 2004
Posts: 32

Posted: Sat May 14, 2005 11:52 am

Any other ideas for why it's not working? Why was the config file changed so dramatically in this upgrade, anyway?

Chris
_________________
"if triangles had a god, He'd have three sides."

Talrias
n00b

Joined: 23 May 2004
Posts: 32

Posted: Sun May 15, 2005 12:30 pm

I've solved this problem - <Directory /var/www/localhost/htdocs> should be changed to <Directory "/var/www/*/htdocs">

Chris
_________________
"if triangles had a god, He'd have three sides."
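
Added example, not written by anyone in this thread: a small Python model of which <Directory> sections cover the document roots that "VirtualDocumentRoot /var/www/%0/htdocs" produces, before and after the change in the last post. It assumes Apache's documented matching (wildcards do not match "/", and the path is compared as Apache accesses it, not as a symlink resolves) and keeps only each section's allow/deny result; Options merging and the symlink check itself are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed from the configs posted in the thread: section path -> access result.
# Only Order/Allow/Deny is summarised here; Options merging is not modelled.
BEFORE = {"/": "deny", "/var/www/localhost/htdocs": "allow"}
AFTER = {"/": "deny", "/var/www/*/htdocs": "allow"}


def vhost_docroot(host, template="/var/www/%0/htdocs"):
    """VirtualDocumentRoot: %0 is replaced by the full requested host name."""
    return template.replace("%0", host)


def _parts(path):
    return [p for p in path.split("/") if p]


def section_applies(pattern, directory):
    """A <Directory> section covers the named directory and everything below it.

    Wildcards are matched one path component at a time, so '*' never crosses
    a '/'. The directory is the path as requested, symlinks unresolved.
    """
    pat, parts = _parts(pattern), _parts(directory)
    if len(pat) > len(parts):
        return False
    return all(fnmatchcase(seg, p) for p, seg in zip(pat, parts))


def effective_access(sections, directory):
    """Return (matching sections, shortest first; access from the most specific)."""
    hits = sorted((s for s in sections if section_applies(s, directory)),
                  key=lambda s: len(_parts(s)))
    return hits, (sections[hits[-1]] if hits else None)


if __name__ == "__main__":
    for host in ("localhost", "starglade.org", "subdomain.starglade.org"):
        root = vhost_docroot(host)
        print(host, root)
        print("  before:", effective_access(BEFORE, root))
        print("  after: ", effective_access(AFTER, root))
```

With the literal section, every host other than localhost falls through to the "Deny from all" of <Directory />; the wildcard section covers each vhost's htdocs without opening anything else under /var/www.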