Smart questions
Smart answers
Smart people
Join Tek-Tips Forums
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Member Login




Remember Me
Forgot Password?
Join Us!

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips now!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

Join Tek-Tips
*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.
Jobs from Indeed

Link To This Forum!

Partner Button
Add Stickiness To Your Site By Linking To This Professionally Managed Technical Forum.
Just copy and paste the
code below into your site.

Error 403 Access ForbiddenHelpful Member!(2) 

rphips (IS/IT--Management) (OP)
16 Dec 11 13:04
Good Day Everyone,

I must admit I am not a Linux or Apache expert so I am at a complete lost on why I keep getting the 403 error.

I am currently running Apache2 on a Suse Linux box and everything is running great. So My boss wants a backup box to go into are backup center. So using the same version I completely cloned the system that is up and running.

The complete web site is under /home/www/html and it has a index.html file. All rights are good and my files httpd.conf and defaultserver.conf have been configured (just like the running server) but when I try to access the web page I get

Access forbidden You don't have permission to access the requested object. It is either read-protected or not readable by the server.

If you think this is a server error, please contact the webmaster.


when I check the logs I get the following:
Kelly Kernel: SubDomain: REJECTING r access to /home/www/html/index.html (httpd2-prefork(7404) profile /usr/sbin/httpd2-prefork active DEFAULT_URI)

I am ready to blow it up - does anybody know what it is talking about and How can I fix it?

thank you and I do appriaciate any help on this matter

bob
ChrisHirst (IS/IT--Management)
17 Dec 11 16:52
Double check the ownership and permissions on the file(s)and folders.

The owner needs to be the same user as the owner the site runs as. Permissions for .html files should be set at 644  

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

RhythmAce (TechnicalUser)
18 Dec 11 20:49
You may have solved the problem by now but if you didn't,  the 403 is an error code sent by apache telling your browser that it doesn't think its allowed to serve the document at that particular url.  As mentioned before, this is more than likely a permissions issue.  There are basically two types of permissions, those handled by the file system and those in apache's configuration files.  You said that you "cloned" the system.  Depending on how this was done, file permissions and directory strucures could have changed.  For example, if you moved or copied theses files and directories as root, their ownership may have changed.  The Documentroot and all its subdirectories should be owned by the webmaster of that particular webspace.  All directories usually have a chmod value of 755 and and the web pages a value of 644.  Next, assure the the directory structure is the exact same as the original system.  If there are changes, you will need to reflect this in the definitions of your directory containers within httpd.conf or whatever file your vhosts are defined in.  Any time you make changes to any of apache's config files, you must restart apache.
  
ChrisHirst (IS/IT--Management)
19 Dec 11 9:08

Quote:

and the web pages a value of 644
Unless they are scripted pages (php, .pl etc.) when, depending on the server setup  you may have to give "world read and execute" permissions to.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

rphips (IS/IT--Management) (OP)
20 Dec 11 10:35
Thanks for answering me - -- just returned and still getting the same error.

I checked the permissions - and they are assigned as:

User = www
Groups = users

from the www home directory throught the whole directory.

Like I said I am just a beginer with this - - how do you get the chmod value?

bob
rphips (IS/IT--Management) (OP)
20 Dec 11 11:00
hey guys

i found the program chmod calculator and all my files have a chmod of 777 according to the calculator and the settings the have total access


bob
Helpful Member!  RhythmAce (TechnicalUser)
20 Dec 11 19:22
That is not good rphips.  777 means that the whole world can read, write and execute any of those files.  In other words, they can delete your entire website or add their own scripts if the directories are also 777.  Do you have access to the command shell?  If so, you can type "man chmod" on the command line and you will get the man pages for chmod.  Man is short for manual.  You can also do "man chown" to learn how to change ownership.  If you have any prblems understanding any of it, I or anyone else here will be more than happy to put things into simpler terms.  I would not go live with that server until you get eerything secure.
 
rphips (IS/IT--Management) (OP)
21 Dec 11 10:00
Thanks RhythmAce

I went through every directory and every file and reset all the rights to the proper settings - (easy when using YAST)

But I still cannot access the web pages - (same errors) even if I try localhost or accessing from an outside source.

Time to blow it - hold just found out this happened once before when they changed their ISP in August and a consultant changed something in the original configuration - I guess I need to know what he did.

If anybody knows what he might have done your help would be appreciated

bob

Noway2 (Programmer)
22 Dec 11 15:22
It wasn't clear from your post, did it function when the permissions were set to 777?  If so, it indicates that the user account under which aache is running (typically something like nobody, or  www-data) can't access the files.  This is generally covered via the "others" read permission.

You could also be facing a ACL (access control list) problem if you are using a security application such as App Armor or SELinux and you may need to make adjustments there.

Another possibility is that you haven't properly declared the directory or set the permissions within the host declaration in Apache.  Apache uses the Allow,Deny rule combination to determine whether or not a folder is accessible and by whom.  

If you determine it is not a file permissions issue, look at your host declaration.  If you don't see anything wrong, consider posting it for assistance.
 
rphips (IS/IT--Management) (OP)
3 Jan 12 13:36
Hey everyone

Hope your new years was a good one --- mine more of the same ----

Still getting the 403 error - tried reload - no-good, contacted the last consultant (he was brain dead didn't have a clue), I redid all the .htaccess files and regenerated all the passwords, still nothing here is my httpd.conf file
#
# /etc/apache2/httpd.conf
#
# This is the main Apache server configuration file. It contains #theconfiguration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.0/> for detailed information aboutthe directives.

# Based upon the default apache configuration file that ships #with apache,which is based upon the NCSA server configuration #files originally by Rob
# McCool. This file was knocked together by Peter Poeml #<poeml+apache@suse.de>.

# If possible, avoid changes to this file. It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.

# Overview of include files, chronologically:
#
# httpd.conf
# |
# |-- uid.conf . . . . . . . . . . . . . . UserID/GroupID to run under
# |-- server-tuning.conf . . . . . . . . . sizing of the server (how many processes to start, ...)
# |-- sysconfig.d/loadmodule.conf . . . . . [*] load these modules
# |-- listen.conf . . . . . . . . . . . . . IP adresses / ports to listen on
# |-- mod_log_config.conf . . . . . . . . . define logging formats
# |-- sysconfig.d/global.conf . . . . . . . [*] server-wide general settings
# |-- mod_status.conf . . . . . . . . . . . restrict access to mod_status (server monitoring)
# |-- mod_info.conf . . . . . . . . . . . . restrict access to mod_info
# |-- mod_usertrack.conf . . . . . . . . . defaults for cookie-based user tracking
# |-- mod_autoindex-defaults.conf . . . . . defaults for displaying of server-generated directory listings
# |-- mod_mime-defaults.conf . . . . . . . defaults for mod_mime configuration
# |-- errors.conf . . . . . . . . . . . . . customize error responses
# |-- ssl-global.conf . . . . . . . . . . . SSL conf that applies to default server _and all_ virtual hosts
# |
# |-- default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests
# | |--mod_userdir.conf . . . . . . . . enable UserDir (if mod_userdir is loaded)
# | `--conf.d/apache2-manual?conf . . . add the docs ('?' = if installed)
# |
# |-- sysconfig.d/include.conf . . . . . . [*] your include files
# | (for each file to be included here, put its name
# | into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
# |
# `-- vhosts.d/ . . . . . . . . . . . . . . for each virtual host, place one file here
# `-- *.conf . . . . . . . . . . . . . (*.conf is automatically included)
#
#
# Files marked [*] are created from sysconfig upon server restart: instead of
# these files, you edit /etc/sysconfig/apache2

# Filesystem layout:
#
# /etc/apache2/
# |-- conf.d/
# | |-- apache2-manual.conf . . . . . . . conf that comes with apache2-doc
# | |-- mod_php4.conf . . . . . . . . . . (example) conf that comes with apache2-mod_php4
# | `-- ... . . . . . . . . . . . . . . . other configuration added by packages
# |-- default-server.conf
# |-- errors.conf
# |-- httpd.conf . . . . . . . . . . . . . top level configuration file
# |-- listen.conf
# |-- magic
# |-- mime.types -> ../mime.types
# |-- mod_autoindex-defaults.conf
# |-- mod_info.conf
# |-- mod_log_config.conf
# |-- mod_mime-defaults.conf
# |-- mod_perl-startup.pl
# |-- mod_status.conf
# |-- mod_userdir.conf
# |-- mod_usertrack.conf
# |-- server-tuning.conf
# |-- ssl-global.conf
# |-- ssl.crl/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Revocation Lists (CRL)
# |-- ssl.crt/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificates
# |-- ssl.csr/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Signing Requests
# |-- ssl.key/ . . . . . . . . . . . . . . PEM-encoded RSA Private Keys
# |-- ssl.prm/ . . . . . . . . . . . . . . public DSA Parameter Files
# |-- sysconfig.d/ . . . . . . . . . . . . files that are created from /etc/sysconfig/apache2
# | |-- global.conf
# | |-- include.conf
# | `-- loadmodule.conf
# |-- uid.conf
# `-- vhosts.d/ . . . . . . . . . . . . . . put your virtual host configuration (*.conf) here
# |-- vhost-ssl.template
# `-- vhost.template

### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.

# run under this user/group id
Include /etc/apache2/uid.conf

# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog /var/log/apache2/error_log

# generated from APACHE_MODULES in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/loadmodule.conf

# IP addresses / ports to listen on
Include /etc/apache2/listen.conf

# predefined logging formats
Include /etc/apache2/mod_log_config.conf

# generated from global settings in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/global.conf

# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf

# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf

# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
DefaultType text/plain
Include /etc/apache2/mod_mime-defaults.conf

# set up (customizable) error responses
Include /etc/apache2/errors.conf

# global (server-wide) SSL configuration, that is not specific to
# any virtual host
Include /etc/apache2/ssl-global.conf

# forbid access to the entire filesystem by default
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>

# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

<Directory "/home/www/html/alert/">
AllowOverride AuthConfig
order allow,deny
Allow from all
</Directory>

<Directory "/home/www/html/alert/archive">
AllowOverride AuthConfig
order allow,deny
Allow from all
</Directory>

<Directory "/home/www/html/alert/dlrweb-pleasedelete">
AllowOverride AuthConfig
order allow,deny
Allow from all
</Directory>

<Directory "/home/www/html/alert/dlrwebtemp">
AllowOverride AuthConfig
order allow,deny
Allow from all
</Directory>

<Directory "/home/www/html/alert/dlrwebtemp-pleasedelete">
AllowOverride AuthConfig
order allow,deny
Allow from all
</Directory>

<Directory "/home/www/html/newalert/dlrweb">
AllowOverride AuthConfig
order allow,deny
Allow from all
</Directory>

<Directory "/home/www/html/newalert/dirweb/dlrweb">
AllowOverride AuthConfig
order allow,deny
Allow from all
</Directory>

<Directory "/home/www/html/OldAlert">
AllowOverride AuthConfig
order allow,deny
Allow from all
</Directory>

<Directory "/home/www/html/OldAlert/dirweb">
AllowOverride AuthConfig
order allow,deny
Allow from all
</Directory>

# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var

### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf

# Another way to include your own files
#
# The file below is generated from /etc/sysconfig/apache2,
# include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
# APACHE_CONF_INCLUDE_DIRS
Include /etc/apache2/sysconfig.d/include.conf

### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
Include /etc/apache2/vhosts.d/*.conf

# Note: instead of adding your own configuration here, consider
# adding it in your own file (/etc/apache2/httpd.conf.local)
# putting its name into APACHE_CONF_INCLUDE_FILES in
# /etc/sysconfig/apache2 -- this will make system updates
# easier :)


As you can tell it pretty much just the defaults just a few added directory inputs.

Any suggestions

bob
Noway2 (Programmer)
3 Jan 12 14:08

Quote:

# forbid access to the entire filesystem by default
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
This directive isn't to forbid access to the file system, this will forbid access to the document root, of which it looks like index.html might be part of.  Is /home/www/html/ your document root?
 
rphips (IS/IT--Management) (OP)
3 Jan 12 14:17
Noway2

Yes /home/www/html is the document root - I declared it in the defaultserver.conf file

DocumentRoot "/home/www/html"

<Directory "/home/www/html">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>


bob
Noway2 (Programmer)
3 Jan 12 15:02
From looking at my own configuration, using a deny / directory followed by one that will allow /home/www/html should work.  I didn't see this in your previous post which contained your configuration.

Are you saying that you added this?  If so, did it resolve your problem?
 
rphips (IS/IT--Management) (OP)
3 Jan 12 15:15
Noway2

Hi Again

the first posting was my httpd.conf file the second was a clip from the defaultserver.conf file.

They been there all along so the problem still persist.
Helpful Member!  Noway2 (Programmer)
3 Jan 12 15:38
I am going to hazard a guess that you are running Suse.  The configuration file default-server.conf is not one that I have encountered before and doesn't appear to be standard Apache configuration, but Google is giving me a lot of hits regarding Suse specific posts.  The configuration files will vary depending on your distribution.  For example, Ubuntu uses sites-enabled/000-default.  Slackware puts everything by default in httpd.conf, which would be the default Apache configuration.  This leads to a potentially dumb question: is this file, default-server.conf, being included as a line item in any of the standard configuration files?


 
rphips (IS/IT--Management) (OP)
4 Jan 12 10:32
Noway2

Yes I am using Suse Enterprise 9   -  I have installed it on one machine and it works perfect - but when I tried to get it to work on another (backup system) BOOM  - it just gives me the 403 error.

Yet they are clones of each other.  I am at a lost on this  - if you can figure it out please let me know - but a star for your gallent try

bob
rphips (IS/IT--Management) (OP)
4 Jan 12 12:29
Noway2

The Httpd.conf calls the default-server file

Include /etc/apache2/default-server.conf
Noway2 (Programmer)
4 Jan 12 15:27
The fact that it is working on one server, but not on the backup is a STRONG indication that the server configuration is not the problem.  Depending on how, and when, the file systems were mirrored, there could be a difference in permissions.  According to a previous post, user/owner of the file is www and group is users.  One potential, discrepancy would be in the users in your /etc/password file.  The file user is actually by number and if you have different users on the system, the actual assigned user may not match - hence causing a permissions problem.  Lets take a close look at the permissions.

The first thing to look at is, are the group and owner really the same on both systems?

The second thing to look at would be for any difference in file and directory permissions between the two.  As was previously mentioned in an earlier post, typically you want the permissions to be 644 which means owner read-write, group and others read on the files.  You can get the information regarding the file permissions with the following simple command: (Go to the document root and type) ls -lRa
The l is for long listing, a is for all files and R is for recursively traverse the directories.  At the left you will see a set of notations like -rw-r--r--, or drw-rw-r--.  These are the permissions(read, write, execute) for owner, group, others, respectively.  

The third thing to look at would be to verify the user that Apache is running under.  You can do this by running the command: ps aux | grep -i apache.  If that doesn't get anything substitute apache with httpd, which is the official name of the application.  This will search through the process list and print out the lines with apache in them.  The first entry on the line will be the user account that apache is running under.  If this name is not the owner of the files, then the permissions in effect will be for others.  In either case, if the r permission is not set, Apache won't be able to access the file and you will get a forbidden error.  It also needs to be able to traverse the directories.  In the ls output above, directories will have a d in the first permissions field.  Directories need 755 permissions, which sets the 3rd flag, the X for execute.  In order to be able to access the directory an application must have execute permissions on the directory.

You can use the CHMOD command, with the -R flag to recursively set the permissions on files.  You need to be very careful doing this because you will also impact the directories which need execute, and the files that don't.  To change the permissions simply use: chmod 0644 <filename> or chmod 0755 <directoryname>.
rphips (IS/IT--Management) (OP)
10 Jan 12 11:48
Sorry Noway2  been on another project for the past week - but now I am back to the 403 problem.

I will test what you requested and will get back to you as soon as I can confrim the results

 
tarn (TechnicalUser)
17 Jan 12 17:57
How about you test your config files and see what Apache says it may give some clues?


You can check your configuration files for syntax errors without starting the server by using apachectl configtest or the -t command line option.

CODE

$ httpd -t -c httpd.conf

Then let us see the output .... just a chance it will highlight something .....

One other thought is local firewall?? I assume you have not got one configured ?

Laurie.  
rphips (IS/IT--Management) (OP)
26 Jan 12 13:58
Hello Everyone

Well I spent a lot of time trying to figure out what was going on  - I check my configurations so many times i lost count  -

anyway I found out my side was good  -  evedently the web maker hard coded something and it was flipping the 403 error.  Nice of him to realize this after I spent weeks banging my head and all I got was oops  sorry  

Well at least I still have a job  but really thanks for all your help even though it seems we wasted our time, But I will say this I did learn a lot more about Apache configurations.

bob

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close