Apache errors - (sh*t happens)


Apache error : AH00035: access to /page.html denied

While trying to set up a basic Apache configuration, /var/log/httpd/error_log reports :
[Wed Sep 20 15:48:30.346550 2017] [core:error] [pid 25989] (13)Permission denied: [client 10.27.25.137:55602] AH00035: access to /page.html denied (filesystem path '/data/rhelRepo/page.html') because search permissions are missing on a component of the path

Solution (part 1/2) :

This is usually because the user account running apache (or httpd for Red Hatoids) is not allowed to read the path set as DocumentRoot, or to traverse one of its directories (the "search permissions" of the error message).
  1. Just to make sure you're not running something exotic : check the username + group of the apache process owner :
    grep -E '^(User|Group) ' /etc/httpd/conf/httpd.conf
    	User apache
    	Group apache
  2. Check current configuration options :
    httpd -t -D DUMP_RUN_CFG
    ServerRoot: "/etc/httpd"
    Main DocumentRoot: "/data/rhelRepo"
    Main ErrorLog: "/etc/httpd/logs/error_log"
    
  3. Set permissions (source) :
    myDocumentRoot='/data/rhelRepo'; find "$myDocumentRoot" -type d -exec chmod 755 {} \; ; find "$myDocumentRoot" -type f -exec chmod 644 {} \;

This should do the trick, unless SELinux is in the way. Red Hatoid users, keep on reading part 2.
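
The find / chmod of step 3 only touches what lies under DocumentRoot, while the error message is about any component of the path, so a parent directory such as /data can still block httpd. The script below is an added example (not from the original page) that prints the first directory the web server account cannot traverse; the function names, the optional TOP argument and the demo tree are assumptions made for the illustration, and it looks at classic mode bits only.

```shell
#!/bin/sh
# Added example, not from the original page. Judges by classic mode bits only:
# ACLs, SELinux and supplementary groups are ignored. Needs GNU stat (coreutils).

# can_search DIR USER GROUP : succeeds if USER (primary group GROUP) holds x on DIR
can_search() {
    cs_meta=$(stat -c '%a %U %G' "$1") || return 2
    cs_mode="000${cs_meta%% *}"                  # pad: stat prints 0 for mode 000
    cs_mode=${cs_mode#"${cs_mode%???}"}          # keep the last 3 octal digits
    cs_rest=${cs_meta#* }                        # "owner group"
    if [ "${cs_rest%% *}" = "$2" ]; then
        cs_digit=${cs_mode%??}                   # owner class
    elif [ "${cs_rest#* }" = "$3" ]; then
        cs_digit=${cs_mode#?}; cs_digit=${cs_digit%?}    # group class
    else
        cs_digit=${cs_mode#??}                   # other class
    fi
    [ $(( $cs_digit % 2 )) -eq 1 ]               # odd digit <=> x bit set
}

# first_blocked_component FILE USER GROUP [TOP]
# Walks from FILE's directory up to TOP (default /) and prints the blocked
# directory closest to TOP, or an empty line if every component is searchable.
first_blocked_component() {
    case $1 in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    fb_dir=$(dirname "$1"); fb_top=${4:-/}; fb_blocked=
    while :; do
        can_search "$fb_dir" "$2" "$3" || fb_blocked=$fb_dir
        if [ "$fb_dir" = "$fb_top" ] || [ "$fb_dir" = / ]; then break; fi
        fb_dir=$(dirname "$fb_dir")
    done
    printf '%s\n' "$fb_blocked"
}

# Constructed demo tree mirroring the page's /data/rhelRepo/page.html layout
demo=$(mktemp -d); chmod 755 "$demo"
mkdir -p "$demo/data/rhelRepo"; : > "$demo/data/rhelRepo/page.html"
chmod 750 "$demo/data"            # parent lacks o+x : the AH00035 condition
chmod 755 "$demo/data/rhelRepo"   # what the find / chmod of step 3 produces
echo "blocked at: $(first_blocked_component "$demo/data/rhelRepo/page.html" apache apache "$demo")"
rm -rf "$demo"
```

On a real server, call first_blocked_component with the filesystem path from the error line and the User / Group found in step 1, without the TOP argument.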

Solution (part 2/2) (source) :

  1. Confirm SELinux is involved :
    tail -f /var/log/audit/audit.log | grep -E 'type=(AVC|SYSCALL)'
  2. Send requests to the web server. You found the culprit if you can see things like :
    type=AVC msg=audit(1505919935.243:23294): avc: denied { getattr } for pid=28387 comm="httpd" path="/data/rhelRepo/page.html" dev="dm-2" ino=786435 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
    type=SYSCALL msg=audit(1505919935.243:23294): arch=c000003e syscall=4 success=no exit=-13 a0=7f511728e340 a1=7ffe6a31c6e0 a2=7ffe6a31c6e0 a3=7f510d20c792 items=1 ppid=28385 pid=28387 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

    And also, the uid=48 gid=48 of the SYSCALL record match the apache account :

    id apache
    uid=48(apache) gid=48(apache) groupes=48(apache)

  3. Solution :
    chcon --user system_u --type httpd_sys_content_t -Rv "$myDocumentRoot"
  4. It should work now !

Apache error : AH01630: client denied by server configuration

Situation

After upgrading Apache 2.2.x to Apache 2.4.10, /var/log/apache2/error.log started complaining :

[Sun Jan 03 15:55:13.845797 2016] [authz_core:error] [pid 2205:tid 139630284179200] [client 127.0.0.1:52045] AH01630: client denied by server configuration: /path/to/some/web/resource

Details

This is due to changes in the access control methods between versions 2.2 and 2.4, now using the mod_authz_host module.

Solution

The website we're considering is on a development workstation, and should only be accessed from that workstation. The virtualhost configuration had the following lines for Apache 2.2.x :

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Can be replaced, for Apache 2.4.10, with (Require ip, since 127.0.0.1 is an address and Require host expects a host name) :

Require ip 127.0.0.1

This is a quick fix, and the Apache documentation should be further studied before doing this to production servers.

Other interesting Require options :

Require local
    allows connections from the local host
Require all granted / Require all denied
    respectively grant / deny access to all requests

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName

If the webserver hosts a single site, and the server name matches the website's name :

echo 'ServerName myServerName' > /etc/apache2/conf.d/fqdn

Otherwise (multiple websites, multiple virtualhosts, multiple server names per virtualhost) :

  1. echo 'ServerName localhost' >> /etc/apache2/apache2.conf
  2. Make sure /etc/hosts has a line as short as : 127.0.0.1 localhost (no more aliases are necessary / welcome)

When Apache VirtualHosts are in a mess : Warning: DocumentRoot [] does not exist

Situation

Some colleagues are not the Please-leave-this-place-as-clean-as-it-was-when-you-arrived type : they add VirtualHosts to a shared Apache webserver (development platform) and just don't give a f*ck about the warnings at reload/restart when their VirtualHosts are not required / working anymore.

Details

Upon reload/restart, Apache complains :
Warning: DocumentRoot [/path/to/docRoot1/] does not exist
Warning: DocumentRoot [/path/to/docRoot2/] does not exist
Warning: DocumentRoot [/path/to/docRoot3/] does not exist

Solution

So let's do some cleaning :
cd /etc/apache2/sites-available/; for missingDocRoot in /path/to/docRoot1/ /path/to/docRoot2/ /path/to/docRoot3/; do a2dissite $(grep -l "$missingDocRoot" *); done; /etc/init.d/apache2 reload