Ok, I know I have something screwed up here and for the life of me I can't see the forest for the trees.
I am upgrading from FC6 to FC9 with a new box and install. I use a different area to house my files for the web server than /var/www/html. I have taken my old httpd.conf and changed the DocumentRoot's in the new config file and even tried a symbolic link to see if I could get past the permission issue I have. The regular server is working but the "not configured page" works just fine so I know the server is working. Here is the error message I am getting:
#Forbidden
#You don't have permission to access / on this server.
#Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
I have run out of ideas.
Charles Layno Greensboro, NC
On Wed, 21 May 2008 20:57:55 -0400 Charles Layno clayno@ncwg.cap.gov wrote:
I have run out of ideas.
Don't know if this is the problem you are having, but I noticed in F8 that they started shipping mod-security with apache. As near as I could tell from available documentation on configuring it (i.e. no documentation at all), the sole purpose of mod-security is to prevent anyone from accessing anything at all for any reason on your web server :-).
I gave up attempting to understand yet another insane layer of obscure syntax on top of the already impossible to understand cryptic apache config files and simply used yum to erase mod-security, and everything suddenly started working again.
P.S. I'm not sure it is spelled exactly "mod-security" (hard to check, since I erased it - I can't ask the rpm name :-).
On Wed, 2008-05-21 at 20:57 -0400, Charles Layno wrote:
I have run out of ideas.
---- you're obviously being deliberately vague and that makes suggestions much harder but things to check first...
1 - selinux (are there messages in /var/log/messages that indicate denied access?)
2 - httpd runs as user apache and user apache might not have access into the directories. try running chmod o+x on the directory so that 'others' can descend into the directory where your files are stored. You might have other subdirectories needing a similar change of permissions too.
3 - /var/log/httpd/error_log is your friend
Craig
I think that maybe
- you forgot to copy the error directory,
- your files/directories don't have appropriate owner and right (shutdown SE Linux)
- you didn't allow rewrite mode in http.conf to get your customized 404
--- On Thu 22.5.08, Charles Layno clayno@ncwg.cap.gov wrote:
From: Charles Layno clayno@ncwg.cap.gov
Subject: Web server permission in FC9
To: fedora-list@redhat.com
Date: Thursday 22 May 2008, 2:57
On Wed, 2008-05-21 at 20:57 -0400, Charles Layno wrote:
#Forbidden
#You don't have permission to access / on this server. #Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Sounds suspiciously like SELinux. And unlike some other *dumb* advice just offered, do NOT turn off SELinux, configure it properly. Write back to the list if you need further advice on how to do that.
But plain old Unix permissions also produce the same results. We can only make guesses without more information about your system.
Tim,
It is the Selinux. I turned it off to check and Apache serves up the web pages with no problem.
I know nothing about Selinux, so can you direct me on how to do that. I read some stuff on the net about it and it is all mush to me.
Thanks,
Charles
On Thursday 22 May 2008 07:07:19 Tim wrote:
On Wed, 2008-05-21 at 20:57 -0400, Charles Layno wrote:
#Forbidden
#You don't have permission to access / on this server. #Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Sounds suspiciously like SELinux. And unlike some other *dumb* advice just offered, do NOT turn off SELinux, configure it properly. Write back to the list if you need further advice on how to do that.
But plain old Unix permissions also produce the same results. We can only make guesses without more information about your system.
--
[tim@bigblack ~]$ uname -ipr
2.6.23.15-80.fc7 i686 i386
Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
NB: This is NOT a top-posting list. http://fedoraproject.org/wiki/Communicate/MailingListGuidelines#head-2193167...
On Thu, 2008-05-22 at 09:26 -0400, Charles Layno wrote:
It is the Selinux. I turned it off to check and Apache serves up the web pages with no problem.
I know nothing about Selinux, so can you direct me on how to do that. I read some stuff on the net about it and it is all mush to me.
Basic background information:
SELinux allows/restricts access based on various contexts, files are marked with the contexts that they can be used (e.g. user files, web serveable, etc.), which allows files that should be web serveable to be served, and disallows things that shouldn't.
With SELinux-aware software and systems, when you "create" files they're created with appropriate contexts. e.g. If you create a new file in /var/www/html/ it'll be created in a serveable manner. Likewise, if you copy a file to that place, the copy will be given appropriate contexts.
But if you move a file, it'll keep its original contexts. Which will probably mean it's not serveable. That sort of thing catches a lot of people when they make new files in their homespace (which will have a different file context), then move them to somewhere else. Or they simply create them somewhere else. Relabelling *those* files solves that problem (the restorecon command).
You can see what contexts are applied to files and directories by using the -Z parameter with the ls command, or using a file manager which shows you them (e.g. Nautilus can be configured to show them).
[tim@bigblack ~]$ ls -Z /var/www/
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x webalizer root system_u:object_r:httpd_sys_content_t usage
That's the file side of things. There's also policies which are applied to the system. There's managing tools for that (system-config-selinux), that allow you to set options (httpd boolean settings) such as whether Apache can read files outside of /var/www/html, like from within the /home directories.
Running that configuration tool and looking at the appropriate booleans might help you solve your problem. But since you mentioned not serving out from the default location, earlier in the thread, you're probably going to have to deal with setting the right contexts on your files. That's probably easier if served from within /srv/ than some random place on the directory tree, since /srv is meant for serving files from.
But, again, we're hamstrung for giving advice since you've given no specific information about what you're actually doing.
FAQ about SELinux and Apache webserving: http://docs.fedoraproject.org/selinux-apache-fc3/ (old, but should still be applicable)
Thanks for the info. I am serving my pages from /html on its own drive with a tree below that serves several domains. Is it better to change DocumentRoot as a symbolic link or as direct? I am running FC9 with Apache 2.2.8 and a generic disk install.
Thanks,
Charles
THIS IS NOT A TOP POSTING LIST. I will NOT answer any further top posts on this thread, and I won't be the only one that feels that way. If you want help from the members, conform to this list's etiquette.
See here: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines#head-2193167...
On Thu, 2008-05-22 at 13:16 -0400, Charles Layno wrote:
Thanks for the info. I am serving my pages from /html on its own drive with a tree below that serves several domains. Is it better to change DocumentRoot as a symbolic link or as direct? I am running FC9 with Apache 2.2.8 and a generic disk install.
I don't think that playing with links is going to help you. I've not looked into how Apache handles that, but some systems will see around symlink tricks and apply rules based on the real location, and I expect a webserver to work that way. It stops people doing something like symlinking to /etc from their homespace.
However, mounting your html drive onto /var/www/html should work fine. Everything will see the webserving files in the location that it expects them to be. Mounts are seen as virtually the same as files in a directory in the same filesystem.
Based on prior information, I think that what you need to do is set the right SELinux contexts on your webserving files with the restorecon command (recursively applied to the "html" directory and all contents). The restorecon command restores the usual expected contexts for the location.
e.g. restorecon -rv /var/www/html
Would fix broken contexts in the usual webserving location.
But because you're serving from a non-standard location (/html) you might have to keep on setting contexts (with the "chcon" command), unless you mount it as I suggest. That gives you the convenience of your separate HTML discdrive, but works within the usual filetree.
i.e. chcon -R root:object_r:httpd_sys_content_t /html
I'm not using FC9, and I can't say whether setting the right contexts once on a non-standard parent location will mean that any more files created within it will inherit the parent contexts. But, with prior releases, it doesn't. You would have to keep manually setting custom contexts for non-standard locations every time you added new files and sub-directories.
But if you were to keep working in a standard location (i.e. mounted inside the /var/www/ path), the right contexts will prevail whenever you create new sub-folders and files, and you use tools which understand this. e.g. When you cp files to the location, or create new files with vi in there. That's not an exhaustive list of examples, plenty of other things will work fine, too.
My system has /var/www/html/ holding the files served by default (connections to my IP that don't match a virtual hostname), and virtual hosts are kept within sub-directories in /var/www/virtual-hosts/. I don't have SELinux problems when I create new content, it just works.
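One way to check labels and make the relabel for a non-standard location persistent, as an added example (not code from the thread): it parses `ls -Z` output in both the older layout quoted in the thread and the newer one, flags entries whose type is not one of the web-serving types shown in that listing, and prints a `semanage fcontext` rule plus a `restorecon` run so the label survives later relabels. The function names and the sample listing are constructed for illustration, and `semanage` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Types treated as web-serveable: the two shown in the thread's
# `ls -Z /var/www/` listing.
SERVEABLE_TYPES="httpd_sys_content_t httpd_sys_script_exec_t"

# Constructed sample of `ls -Z` output for a content tree on its own drive.
# The last line uses the newer four-field context (with an MLS level).
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root     root     system_u:object_r:default_t           site-a
drwxr-xr-x root     root     system_u:object_r:httpd_sys_content_t site-b
-rw-r--r-- webadmin webadmin user_u:object_r:user_home_t           index.html
drwxr-xr-x root     root     system_u:object_r:httpd_sys_content_t:s0 site-c
EOF
}

# Read `ls -Z` lines on stdin; print "name<TAB>type" for each entry whose
# SELinux type is not in SERVEABLE_TYPES. The context is located by shape
# (user:role:type[:level]) rather than by column, so old and new `ls`
# layouts both parse. Names containing spaces are not handled.
find_mislabeled() {
    awk -v ok="$SERVEABLE_TYPES" '
        BEGIN { n = split(ok, t, " "); for (i = 1; i <= n; i++) good[t[i]] = 1 }
        {
            ctx = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
            if (ctx == "") next
            split(ctx, part, ":")
            if (!(part[3] in good)) printf "%s\t%s\n", $NF, part[3]
        }'
}

# Print the commands that make the label persistent for DIR: a file-context
# rule so restorecon knows the intended type, then a recursive relabel.
# Printed rather than executed, so the plan can be reviewed first.
relabel_plan() {
    dir=${1%/}
    printf "semanage fcontext -a -t httpd_sys_content_t '%s(/.*)?'\n" "$dir"
    printf "restorecon -Rv %s\n" "$dir"
}

sample_listing | find_mislabeled
relabel_plan /html
```

On an SELinux host, pipe real `ls -Z` output for the content directory into `find_mislabeled` in place of `sample_listing`.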
On Friday 23 May 2008 02:08:06 Tim wrote:
THIS IS NOT A TOP POSTING LIST. I will NOT answer any further top posts on this thread, and I won't be the only one that feels that way. If you want help from the members, conform to this list's etiquette.
I was going to thank you for your help. It solved my problem but if this bothers you to the point of busting a blood vessel, I think I will look elsewhere for help. I know you don't care, and I don't care you don't care, but your ranting is not worth my time and I will be sure to "spread the word" of this list's "helpfulness at your own risk" in my travels.
Good day.
On Fri, 2008-05-23 at 10:23 -0400, Charles Layno wrote:
On Friday 23 May 2008 02:08:06 Tim wrote:
THIS IS NOT A TOP POSTING LIST. I will NOT answer any further top posts on this thread, and I won't be the only one that feels that way. If you want help from the members, conform to this list's etiquette.
I was going to thank you for your help. It solved my problem but if this bothers you to the point of busting a blood vessel, I think I will look elsewhere for help. I know you don't care, and I don't care you don't care, but your ranting is not worth my time and I will be sure to "spread the word" of this list's "helpfulness at your own risk" in my travels.
Thank you for not top-posting your reply :-)
poc
Tim:
THIS IS NOT A TOP POSTING LIST. I will NOT answer any further top posts on this thread, and I won't be the only one that feels that way. If you want help from the members, conform to this list's etiquette.
Charles Layno:
I was going to thank you for your help. It solved my problem but if this bothers you to the point of busting a blood vessel, I think I will look elsewhere for help. I know you don't care, and I don't care you don't care, but your ranting is not worth my time and I will be sure to "spread the word" of this list's "helpfulness at your own risk" in my travels.
While you're at it, don't forget to mention that you were the rude one that didn't want to abide by the list etiquette, erroneously thought it fine to be a lout, and erroneously thought it wrong to be told to stop doing what you shouldn't be doing. I don't know where you learnt your manners from, but you didn't learn them very well. When you get told to wipe your feet before tramping mud in the house, you do what you should have done without having to be told about it, and you don't bitch about it. I have no sympathy for people who've not managed to learn something so basic, like that, that they should have learnt before they even attended school.
When someone wants help from a list, it's up to them to fit in with the list, and not dummy-spit that they shouldn't have to fit in with others. You had it pointed out once, you carried on, you got told again. You'll keep on getting "corrected" until you get it right. The solution for not getting told off for being a pain is up to you, the answer is simple. You've already had the "caring" (pointing out how this list runs), the "don't care" has been you.
Those of the regulars who want to be here, and keep things running smoothly, point these things out from time to time. Top posting crap has been getting worse, of late. It's not welcome here, at all.
It's bad enough downloading so many megs a month, without having someone else artificially bloat the traffic with unnecessary cruft, and it'd be bloody awful if everybody did it. A few hundred monthly messages all twenty times bigger than necessary, and it adds up very quickly.
Seriously, if you want to do top-quoting against the list norm, and without snipping out unnecessary prior message content, and expect that everyone should just put up with your lack of care, then DO go elsewhere. Go and waste other people's bandwidth, instead. Bloated messages waste everybody's bandwidth and storage space (the list server's, and all of the list participants).
Don't let the door, etc., etc...
Tim wrote:
[snipped most of Tim's observations]
Bloated messages waste everybody's bandwidth and storage space (the list server's, and all of the list participants).
And just how is this tirade reducing bandwidth bloat? I don't blame you for criticizing the top-posting, but address your harangue to the poster directly, NOT the list.
Let's not start a flame war over this. I'm only posting to the list because you ignore your mailbox and I want you to see it. Otherwise this would be sent to you only. I just thought it was ironic to bloat bandwidth in order to complain about bloating bandwidth.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer rps2@nerd.com -
- Hosting Consulting, Inc. -
- -
- The Navy's a bunch of wimps! MY job's an adventure! -
----------------------------------------------------------------------
On Fri, 2008-05-23 at 10:26 -0700, Rick Stevens wrote:
I just thought it was ironic to bloat bandwidth in order to complain about bloating bandwidth.
Yes ;-) but from time to time it's occasionally needed. New posters see the don't top post info, and then fit in, rather than every new poster needing someone to personally tell them to stop top posting.
And, as I said, lately there's been quite a lot of top-posting crap. And fully quoted, with no snipping, bottom posting.
Some just don't get it without a clue-by-four being used, that, YES, it is by the terms of the list, not your own terms, how you get help on a free mailing list.
On Fri, 2008-05-23 at 10:26 -0700, Rick Stevens wrote:
Tim wrote:
Tim:
THIS IS NOT A TOP POSTING LIST. I will NOT answer any further top posts on this thread, and I won't be the only one that feels that way. If you want help from the members, conform to this list's etiquette.
Charles Layno:
I was going to thank you for your help. It solved my problem but if this bothers you to the point of busting a blood vessel, I think I will look elsewhere for help. I know you don't care, and I don't care you don't care, but your ranting is not worth my time and I will be sure to "spread the word" of this list's "helpfulness at your own risk" in my travels.
[snipped most of Tim's observations]
Bloated messages waste everybody's bandwidth and storage space (the list server's, and all of the list participants).
And just how is this tirade reducing bandwidth bloat? I don't blame you for criticizing the top-posting, but address your harangue to the poster
I agree with Tim. Just maybe the several others that top-post might get a hint as well. I'm on another list, that is supposed to be a very professional list that top posts technical information and it is hard as hell to recall anything that was posted. It's a damn sorry state of affairs. But, since it is the norm of that list, I shut up. Anyone with two grains of common sense would note very quickly that this is a bottom posting list as per USENET rules. Who knows, some might even start trimming their posts as well. Ric
Tim wrote:
On Fri, 2008-05-23 at 10:26 -0700, Rick Stevens wrote:
I just thought it was ironic to bloat bandwidth in order to complain about bloating bandwidth.
Yes ;-) but from time to time it's occasionally needed. New posters see the don't top post info, and then fit in, rather than every new poster needing someone to personally tell them to stop top posting.
You would be more helpful if you explained the very limited cases where top posting is appropriate, as well as telling them that what they did was not appropriate.
Top posting is appropriate when it is short, and ends the thread, and you want to make sure people see it without having to chase down to find it. Almost always in the context of multiple people trying to solve a technical problem.
Example: Long thread about an obscure bug, many suggestions, lots of discussion... in that case a one line top post like "Joe Blowe found the bug, patch at {URL}, fix will be in version {number}."
And, as I said, lately there's been quite a lot of top-posting crap. And fully quoted, with no snipping, bottom posting.
Some just don't get it without a clue-by-four being used, that, YES, it is by the terms of the list, not your own terms, how you get help on a free mailing list.
Top posting isn't inherently BAD, it is frequently MISUSED. That's a subtle difference, but worth explaining.
On Mon, 2008-05-26 at 10:55 -0400, Bill Davidsen wrote:
You would be more helpful if you explained the very limited cases where top posting is appropriate, as well as telling them that what they did was not appropriate.
From time to time... Though that turns what was going to be a shortish "don't top post" message into a long saga, particularly when someone debates it. I did post a link to the Fedora website [1], on the first two occasions I asked them not to top post, which does explain what people are supposed to do on here, and that links [2] to the whys and wherefores.
I could live with top posting, barely, *if* people snipped out the crap they quote with it. But they don't. I can't remember seeing any top poster do that. And it's bloody painful trying to figure out what they're responding to. Same goes for those who bottom post and don't snip. There's been quite a bit of both recently, made all the more worse by all that crap being quoted for a one or two line reply.
1. http://fedoraproject.org/wiki/Communicate/MailingListGuidelines#head-2193167...
2. http://en.wikipedia.org/wiki/Top-posting#Top-posting