Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Forbiden access with <Directory inside <VirtualHost st |
|
Author |
|
Otomatic

Joined: 01 Sep 2011 Posts: 249 Location: Paris, France, EU
|
Posted: Sun 04 Dec '16 16:03 Post subject: Forbiden access with <Directory inside <VirtualHost st |
|
|
Hi,
Windows 7 Pro 64 bit
Apache 2.4.23
J:\wamp\bin\apache\apache2.4.23\bin>httpd -M
Loaded Modules:
core_module (static)
win32_module (static)
mpm_winnt_module (static)
http_module (static)
so_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
allowmethods_module (shared)
asis_module (shared)
auth_basic_module (shared)
auth_digest_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cache_module (shared)
cache_disk_module (shared)
cgi_module (shared)
dir_module (shared)
env_module (shared)
file_cache_module (shared)
include_module (shared)
isapi_module (shared)
log_config_module (shared)
mime_module (shared)
negotiation_module (shared)
rewrite_module (shared)
setenvif_module (shared)
userdir_module (shared)
vhost_alias_module (shared)
php7_module (shared)
With, in httpd-vhosts.conf :
Code: | <VirtualHost *:80>
ServerName techaero
DocumentRoot j:/wamp/www/techaero
<Directory "j:/wamp/www/techaero/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride all
<RequireAny>
Require local
Require ip 192.168.0
</RequireAny>
</Directory>
</VirtualHost>
|
Local access 'http://techaero/' works well.
Network access with 'http://198.168.0.10/techaero/' from a post with IP 198.168.0.15 gives an error 403 :
Apache access.log
Code: | 192.168.0.15 - - [03/Dec/2016:10:18:48 +0100] "GET /techaero/ HTTP/1.1" 403 |
Apache apache_error.log
Code: | [Sun Dec 04 14:44:44.643053 2016] [authz_core:error] [pid 6556:tid 956] [client 192.168.0.15:51951] AH01630: client denied by server configuration: J:/wamp/www/techaero/ |
If I modify http-vhosts.conf with <Directory... outside of VirtualHost structure :
Code: | <VirtualHost *:80>
ServerName techaero
DocumentRoot j:/wamp/www/techaero
</VirtualHost>
<Directory "j:/wamp/www/techaero/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride all
<RequireAny>
Require local
Require ip 192.168.0
</RequireAny>
</Directory> |
Local access and network access work well.
Where is my mistake? Why is access prohibited if <Directory .. is inside the structure <VirtualHost? |
|
Back to top |
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7402 Location: EU, Germany, Next to Hamburg
|
Posted: Sat 10 Dec '16 13:13 Post subject: |
|
|
Apache is a bit picky with the naming.
Your document root is
j:/wamp/www/techaero
but your Directory is
j:/wamp/www/techaero/
the drive letter also suggest that it might be a network drive? If it is a network drive and you run apache as a service you need to create a unique local user for apache, cause the normal service user is not allowed to access the network. |
|
Back to top |
|
Otomatic

Joined: 01 Sep 2011 Posts: 249 Location: Paris, France, EU
|
Posted: Sat 10 Dec '16 15:29 Post subject: |
|
|
James Blond wrote: | Apache is a bit picky with the naming.
Your document root is
j:/wamp/www/techaero
but your Directory is
j:/wamp/www/techaero/
|
It is NOT a network drive.
The documentation said : The DocumentRoot should be specified without a trailing slash. |
|
Back to top |
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7402 Location: EU, Germany, Next to Hamburg
|
Posted: Sat 10 Dec '16 18:00 Post subject: |
|
|
Why don't you then remove the slash in the Directory block and give it try? |
|
Back to top |
|
Otomatic

Joined: 01 Sep 2011 Posts: 249 Location: Paris, France, EU
|
Posted: Fri 16 Dec '16 19:52 Post subject: |
|
|
James Blond wrote: | Why don't you then remove the slash in the Directory block and give it try? |
It does not change the problem.
Moreover I do not see in what way the presence or absence of the final slash could change something.
The problem is not in the syntax of the <Directory <structure, but in the fact that it is not taken into account if the <Directory structure is inside the <VirtualHost structure, but taken into account if it is outside the <VirtualHost structure.
Re-reading my first message, I think my explanations are coherent, although the English is not my mother tongue |
|
Back to top |
|
Otomatic

Joined: 01 Sep 2011 Posts: 249 Location: Paris, France, EU
|
Posted: Sun 15 Jan '17 19:05 Post subject: |
|
|
Hi,
I'm sorry to relaunch this discussion.
The problem is exactly the same with Apache 2.4.25.
So I ask the question:
Why is access prohibited if <Directory .. structure is inside the <VirtualHost structure and access is not prohibited if <Directory .. structure is outside the <VirtualHost structure.
While I read and reread the Apache 2.4 documentation in all directions, nowhere is it mentioned that <Directory does not work if in a <VirtualHost |
|
Back to top |
|
covener
Joined: 23 Nov 2008 Posts: 60
|
Posted: Sun 15 Jan '17 19:24 Post subject: |
|
|
Otomatic wrote: | Hi,
I'm sorry to relaunch this discussion.
The problem is exactly the same with Apache 2.4.25.
So I ask the question:
Why is access prohibited if <Directory .. structure is inside the <VirtualHost structure and access is not prohibited if <Directory .. structure is outside the <VirtualHost structure.
While I read and reread the Apache 2.4 documentation in all directions, nowhere is it mentioned that <Directory does not work if in a <VirtualHost |
I'd assume your request is not handled by the virtualhost. Try adding a customlog there to easily confirm. |
|
Back to top |
|
Otomatic

Joined: 01 Sep 2011 Posts: 249 Location: Paris, France, EU
|
Posted: Sun 22 Jan '17 18:25 Post subject: |
|
|
Hi,
I apologize for this late response.
I modify the VirtualHost with a dedicated customlog
Code: |
<VirtualHost *:80>
ServerName techaero
DocumentRoot j:/wamp/www/techaero
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "j:/wamp/logs/techaero.log" common
<Directory "j:/wamp/www/techaero/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride all
<RequireAny>
Require local
Require ip 192.168.0
</RequireAny>
</Directory>
</VirtualHost>
|
Local access with 'http://techaero/' is OK in the dedicated customlog:
Code: |
::1 - - [22/Jan/2017:16:53:22 +0100] "GET / HTTP/1.1" 200 5066
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /css/menu_h.css HTTP/1.1" 200 3723
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /css/general.css HTTP/1.1" 200 11314
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/crevette1.png HTTP/1.1" 200 3162
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/superstarliner150.jpg HTTP/1.1" 200 15268
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/bimoteur150.jpg HTTP/1.1" 200 6276
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/jesuisparis_66.jpg HTTP/1.1" 200 10503
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/bandeau_756.jpg HTTP/1.1" 200 27384
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /favicon/favicon-16x16.png HTTP/1.1" 200 1434
|
This shows that in local access, the VirtualHost is well taken into account.
Since I do not have a second PC on the network, I do the remote access by a Smartphone in WiFi.
'http://192.168.0.10/techaero/'
Forbidden
You don't have permission to access /techaero/ on this server
In this case this the global access.log that it is written:
Code: | 192.168.0.15 - - [22/Jan/2017:17:00:17 +0100] "GET /techaero/ HTTP/1.1" 403 - |
and the global apache_error.log
Code: | [Sun Jan 22 17:00:17.248942 2017] [authz_core:error] [pid 5268:tid 928] [client 192.168.0.15:53365] AH01630: client denied by server configuration: J:/wamp/www/pasdroit.html |
I put the <Directory outside of the VirtualHost
Code: |
<VirtualHost *:80>
ServerName techaero
DocumentRoot j:/wamp/www/techaero
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "j:/wamp/logs/techaero.log" common
</VirtualHost>
<Directory "j:/wamp/www/techaero/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride all
<RequireAny>
Require local
Require ip 192.168.0
</RequireAny>
</Directory>
|
Local access with 'http://techaero/' is OK in the dedicated customlog:
Code: |
::1 - - [22/Jan/2017:17:10:02 +0100] "GET / HTTP/1.1" 200 5066
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /css/general.css HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /css/menu_h.css HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /images/bandeau_756.jpg HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /images/crevette1.png HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /images/superstarliner150.jpg HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /images/bimoteur150.jpg HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:03 +0100] "GET /images/jesuisparis_66.jpg HTTP/1.1" 304 -
|
I do the remote access by a Smartphone in WiFi.
'http://192.168.0.10/techaero/'
Access is OK, but not in dedicated customlog, in the global access.log
Code: |
192.168.0.15 - - [22/Jan/2017:17:13:39 +0100] "GET /techaero/ HTTP/1.1" 200 5066
192.168.0.15 - - [22/Jan/2017:17:13:44 +0100] "GET /techaero/vilgenis/vilgenis.php HTTP/1.1" 200 15914
192.168.0.15 - - [22/Jan/2017:17:13:44 +0100] "GET /techaero/js/jquery-3.1.1.min.js HTTP/1.1" 200 86709
192.168.0.15 - - [22/Jan/2017:17:14:17 +0100] "GET /techaero/vilgenis/les_promos.php HTTP/1.1" 200 7853
192.168.0.15 - - [22/Jan/2017:17:14:17 +0100] "GET /techaero/vilgenis/images/mini/promo_toutes_160.jpg HTTP/1.1" 200 6048
|
As you wrote: "I'd assume your request is not handled by the virtualhost", it would seem that from external accesses, VirtualHost is not taken into account, but only the main server.
And I do not know why! |
|
Back to top |
|
|
|
|
|
|