logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Forbiden access with <Directory inside <VirtualHost st
Author
Otomatic



Joined: 01 Sep 2011
Posts: 212
Location: Paris, France, EU

PostPosted: Sun 04 Dec '16 16:03    Post subject: Forbiden access with <Directory inside <VirtualHost st Reply with quote

Hi,

Windows 7 Pro 64 bit
Apache 2.4.23
J:\wamp\bin\apache\apache2.4.23\bin>httpd -M
Loaded Modules:
core_module (static)
win32_module (static)
mpm_winnt_module (static)
http_module (static)
so_module (static)
access_compat_module (shared)
actions_module (shared)
alias_module (shared)
allowmethods_module (shared)
asis_module (shared)
auth_basic_module (shared)
auth_digest_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cache_module (shared)
cache_disk_module (shared)
cgi_module (shared)
dir_module (shared)
env_module (shared)
file_cache_module (shared)
include_module (shared)
isapi_module (shared)
log_config_module (shared)
mime_module (shared)
negotiation_module (shared)
rewrite_module (shared)
setenvif_module (shared)
userdir_module (shared)
vhost_alias_module (shared)
php7_module (shared)

With, in httpd-vhosts.conf :
Code:
<VirtualHost *:80>
  ServerName techaero
  DocumentRoot j:/wamp/www/techaero
  <Directory "j:/wamp/www/techaero/">
    Options +Indexes +Includes +FollowSymLinks +MultiViews
    AllowOverride all
    <RequireAny>
      Require local
      Require ip 192.168.0
    </RequireAny>
  </Directory>
</VirtualHost>

Local access 'http://techaero/' works well.
Network access with 'http://198.168.0.10/techaero/' from a post with IP 198.168.0.15 gives an error 403 :
Apache access.log
Code:
192.168.0.15 - - [03/Dec/2016:10:18:48 +0100] "GET /techaero/ HTTP/1.1" 403

Apache apache_error.log
Code:
[Sun Dec 04 14:44:44.643053 2016] [authz_core:error] [pid 6556:tid 956] [client 192.168.0.15:51951] AH01630: client denied by server configuration: J:/wamp/www/techaero/


If I modify http-vhosts.conf with <Directory... outside of VirtualHost structure :

Code:
<VirtualHost *:80>
   ServerName techaero
   DocumentRoot j:/wamp/www/techaero
</VirtualHost>

<Directory "j:/wamp/www/techaero/">
  Options +Indexes +Includes +FollowSymLinks +MultiViews
  AllowOverride all
    <RequireAny>
      Require local
      Require ip 192.168.0
    </RequireAny>
</Directory>


Local access and network access work well.

Where is my mistake? Why is access prohibited if <Directory .. is inside the structure <VirtualHost?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Sat 10 Dec '16 13:13    Post subject: Reply with quote

Apache is a bit picky with the naming.

Your document root is
j:/wamp/www/techaero
but your Directory is
j:/wamp/www/techaero/

the drive letter also suggest that it might be a network drive? If it is a network drive and you run apache as a service you need to create a unique local user for apache, cause the normal service user is not allowed to access the network.
Back to top
Otomatic



Joined: 01 Sep 2011
Posts: 212
Location: Paris, France, EU

PostPosted: Sat 10 Dec '16 15:29    Post subject: Reply with quote

James Blond wrote:
Apache is a bit picky with the naming.
Your document root is
j:/wamp/www/techaero
but your Directory is
j:/wamp/www/techaero/

It is NOT a network drive.
The documentation said : The DocumentRoot should be specified without a trailing slash.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Sat 10 Dec '16 18:00    Post subject: Reply with quote

Why don't you then remove the slash in the Directory block and give it try?
Back to top
Otomatic



Joined: 01 Sep 2011
Posts: 212
Location: Paris, France, EU

PostPosted: Fri 16 Dec '16 19:52    Post subject: Reply with quote

James Blond wrote:
Why don't you then remove the slash in the Directory block and give it try?

It does not change the problem.
Moreover I do not see in what way the presence or absence of the final slash could change something.

The problem is not in the syntax of the <Directory <structure, but in the fact that it is not taken into account if the <Directory structure is inside the <VirtualHost structure, but taken into account if it is outside the <VirtualHost structure.
Re-reading my first message, I think my explanations are coherent, although the English is not my mother tongue
Back to top
Otomatic



Joined: 01 Sep 2011
Posts: 212
Location: Paris, France, EU

PostPosted: Sun 15 Jan '17 19:05    Post subject: Reply with quote

Hi,

I'm sorry to relaunch this discussion.
The problem is exactly the same with Apache 2.4.25.

So I ask the question:

Why is access prohibited if <Directory .. structure is inside the <VirtualHost structure and access is not prohibited if <Directory .. structure is outside the <VirtualHost structure.

While I read and reread the Apache 2.4 documentation in all directions, nowhere is it mentioned that <Directory does not work if in a <VirtualHost
Back to top
covener



Joined: 23 Nov 2008
Posts: 59

PostPosted: Sun 15 Jan '17 19:24    Post subject: Reply with quote

Otomatic wrote:
Hi,

I'm sorry to relaunch this discussion.
The problem is exactly the same with Apache 2.4.25.

So I ask the question:

Why is access prohibited if <Directory .. structure is inside the <VirtualHost structure and access is not prohibited if <Directory .. structure is outside the <VirtualHost structure.

While I read and reread the Apache 2.4 documentation in all directions, nowhere is it mentioned that <Directory does not work if in a <VirtualHost


I'd assume your request is not handled by the virtualhost. Try adding a customlog there to easily confirm.
Back to top
Otomatic



Joined: 01 Sep 2011
Posts: 212
Location: Paris, France, EU

PostPosted: Sun 22 Jan '17 18:25    Post subject: Reply with quote

Hi,

I apologize for this late response.

I modify the VirtualHost with a dedicated customlog
Code:

<VirtualHost *:80>
   ServerName techaero
   DocumentRoot j:/wamp/www/techaero
   LogFormat "%h %l %u %t \"%r\" %>s %b" common
   CustomLog "j:/wamp/logs/techaero.log" common
<Directory "j:/wamp/www/techaero/">
  Options +Indexes +Includes +FollowSymLinks +MultiViews
  AllowOverride all
    <RequireAny>
      Require local
      Require ip 192.168.0
    </RequireAny>
</Directory>
</VirtualHost>


Local access with 'http://techaero/' is OK in the dedicated customlog:
Code:

::1 - - [22/Jan/2017:16:53:22 +0100] "GET / HTTP/1.1" 200 5066
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /css/menu_h.css HTTP/1.1" 200 3723
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /css/general.css HTTP/1.1" 200 11314
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/crevette1.png HTTP/1.1" 200 3162
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/superstarliner150.jpg HTTP/1.1" 200 15268
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/bimoteur150.jpg HTTP/1.1" 200 6276
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/jesuisparis_66.jpg HTTP/1.1" 200 10503
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /images/bandeau_756.jpg HTTP/1.1" 200 27384
::1 - - [22/Jan/2017:16:53:22 +0100] "GET /favicon/favicon-16x16.png HTTP/1.1" 200 1434

This shows that in local access, the VirtualHost is well taken into account.

Since I do not have a second PC on the network, I do the remote access by a Smartphone in WiFi.
'http://192.168.0.10/techaero/'
Forbidden
You don't have permission to access /techaero/ on this server

In this case this the global access.log that it is written:
Code:
192.168.0.15 - - [22/Jan/2017:17:00:17 +0100] "GET /techaero/ HTTP/1.1" 403 -

and the global apache_error.log
Code:
[Sun Jan 22 17:00:17.248942 2017] [authz_core:error] [pid 5268:tid 928] [client 192.168.0.15:53365] AH01630: client denied by server configuration: J:/wamp/www/pasdroit.html


I put the <Directory outside of the VirtualHost
Code:

<VirtualHost *:80>
   ServerName techaero
   DocumentRoot j:/wamp/www/techaero
   LogFormat "%h %l %u %t \"%r\" %>s %b" common
   CustomLog "j:/wamp/logs/techaero.log" common
</VirtualHost>
<Directory "j:/wamp/www/techaero/">
  Options +Indexes +Includes +FollowSymLinks +MultiViews
  AllowOverride all
    <RequireAny>
      Require local
      Require ip 192.168.0
    </RequireAny>
</Directory>

Local access with 'http://techaero/' is OK in the dedicated customlog:
Code:

::1 - - [22/Jan/2017:17:10:02 +0100] "GET / HTTP/1.1" 200 5066
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /css/general.css HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /css/menu_h.css HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /images/bandeau_756.jpg HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /images/crevette1.png HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /images/superstarliner150.jpg HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:02 +0100] "GET /images/bimoteur150.jpg HTTP/1.1" 304 -
::1 - - [22/Jan/2017:17:10:03 +0100] "GET /images/jesuisparis_66.jpg HTTP/1.1" 304 -


I do the remote access by a Smartphone in WiFi.
'http://192.168.0.10/techaero/'
Access is OK, but not in dedicated customlog, in the global access.log
Code:

192.168.0.15 - - [22/Jan/2017:17:13:39 +0100] "GET /techaero/ HTTP/1.1" 200 5066
192.168.0.15 - - [22/Jan/2017:17:13:44 +0100] "GET /techaero/vilgenis/vilgenis.php HTTP/1.1" 200 15914
192.168.0.15 - - [22/Jan/2017:17:13:44 +0100] "GET /techaero/js/jquery-3.1.1.min.js HTTP/1.1" 200 86709
192.168.0.15 - - [22/Jan/2017:17:14:17 +0100] "GET /techaero/vilgenis/les_promos.php HTTP/1.1" 200 7853
192.168.0.15 - - [22/Jan/2017:17:14:17 +0100] "GET /techaero/vilgenis/images/mini/promo_toutes_160.jpg HTTP/1.1" 200 6048

As you wrote: "I'd assume your request is not handled by the virtualhost", it would seem that from external accesses, VirtualHost is not taken into account, but only the main server.

And I do not know why!
Back to top


Reply to topic   Topic: Forbiden access with <Directory inside <VirtualHost st View previous topic :: View next topic
Post new topic   Forum Index -> Apache