apache - Error message "Forbidden You don't have permission to access / on this server"


I have configured Apache myself and have tried to load phpMyAdmin on a virtual host, but I received:

403 Forbidden: You don't have permission to access / on this server

My httpd.conf:

# # main apache http server configuration file.  contains # configuration directives give server instructions. # see <url:http://httpd.apache.org/docs/2.2> detailed information. # in particular, see  # <url:http://httpd.apache.org/docs/2.2/mod/directives.html> # discussion of each configuration directive. # # not read instructions in here without understanding # do.  they're here hints or reminders.  if unsure # consult online docs. have been warned.   # # configuration , logfile names: if filenames specify many # of server's control files begin "/" (or "drive:/" win32), # server use explicit path.  if filenames *not* begin # "/", value of serverroot prepended -- "logs/foo.log" # serverroot set "c:/program files (x86)/apache software foundation/apache2.2" interpreted # server "c:/program files (x86)/apache software foundation/apache2.2/logs/foo.log". # # note: filenames specified, must use forward slashes # instead of backslashes (e.g., "c:/apache" instead of "c:\apache"). # if drive letter omitted, drive on httpd.exe located # used default.  recommended supply # explicit drive letter in absolute paths avoid confusion.  # # serverroot: top of directory tree under server's # configuration, error, , log files kept. # # not add slash @ end of directory path.  if point # serverroot @ non-local disk, sure point lockfile directive # @ local disk.  if wish share same serverroot multiple # httpd daemons, need change @ least lockfile , pidfile. # serverroot "c:/program files (x86)/apache software foundation/apache2.2"  # # listen: allows bind apache specific ip addresses and/or # ports, instead of default. see <virtualhost> # directive. # # change listen on specific ip addresses shown below  # prevent apache glomming onto bound ip addresses. 
# #listen 12.34.56.78:80 listen 127.0.0.1:80  include conf/vhosts.conf  # # dynamic shared object (dso) support # # able use functionality of module built dso # have place corresponding `loadmodule' lines @ location # directives contained in available _before_ used. # statically compiled modules (those listed `httpd -l') not need # loaded here. # # example: # loadmodule foo_module modules/mod_foo.so # loadmodule actions_module modules/mod_actions.so loadmodule alias_module modules/mod_alias.so loadmodule asis_module modules/mod_asis.so loadmodule auth_basic_module modules/mod_auth_basic.so #loadmodule auth_digest_module modules/mod_auth_digest.so #loadmodule authn_alias_module modules/mod_authn_alias.so #loadmodule authn_anon_module modules/mod_authn_anon.so #loadmodule authn_dbd_module modules/mod_authn_dbd.so #loadmodule authn_dbm_module modules/mod_authn_dbm.so loadmodule authn_default_module modules/mod_authn_default.so loadmodule authn_file_module modules/mod_authn_file.so #loadmodule authnz_ldap_module modules/mod_authnz_ldap.so #loadmodule authz_dbm_module modules/mod_authz_dbm.so loadmodule authz_default_module modules/mod_authz_default.so loadmodule authz_groupfile_module modules/mod_authz_groupfile.so loadmodule authz_host_module modules/mod_authz_host.so #loadmodule authz_owner_module modules/mod_authz_owner.so loadmodule authz_user_module modules/mod_authz_user.so loadmodule autoindex_module modules/mod_autoindex.so #loadmodule cache_module modules/mod_cache.so #loadmodule cern_meta_module modules/mod_cern_meta.so loadmodule cgi_module modules/mod_cgi.so #loadmodule charset_lite_module modules/mod_charset_lite.so #loadmodule dav_module modules/mod_dav.so #loadmodule dav_fs_module modules/mod_dav_fs.so #loadmodule dav_lock_module modules/mod_dav_lock.so #loadmodule dbd_module modules/mod_dbd.so #loadmodule deflate_module modules/mod_deflate.so loadmodule dir_module modules/mod_dir.so #loadmodule disk_cache_module modules/mod_disk_cache.so #loadmodule 
dumpio_module modules/mod_dumpio.so loadmodule env_module modules/mod_env.so #loadmodule expires_module modules/mod_expires.so #loadmodule ext_filter_module modules/mod_ext_filter.so #loadmodule file_cache_module modules/mod_file_cache.so #loadmodule filter_module modules/mod_filter.so #loadmodule headers_module modules/mod_headers.so #loadmodule ident_module modules/mod_ident.so #loadmodule imagemap_module modules/mod_imagemap.so loadmodule include_module modules/mod_include.so #loadmodule info_module modules/mod_info.so loadmodule isapi_module modules/mod_isapi.so #loadmodule ldap_module modules/mod_ldap.so #loadmodule logio_module modules/mod_logio.so loadmodule log_config_module modules/mod_log_config.so #loadmodule log_forensic_module modules/mod_log_forensic.so #loadmodule mem_cache_module modules/mod_mem_cache.so loadmodule mime_module modules/mod_mime.so #loadmodule mime_magic_module modules/mod_mime_magic.so loadmodule negotiation_module modules/mod_negotiation.so #loadmodule proxy_module modules/mod_proxy.so #loadmodule proxy_ajp_module modules/mod_proxy_ajp.so #loadmodule proxy_balancer_module modules/mod_proxy_balancer.so #loadmodule proxy_connect_module modules/mod_proxy_connect.so #loadmodule proxy_ftp_module modules/mod_proxy_ftp.so #loadmodule proxy_http_module modules/mod_proxy_http.so #loadmodule proxy_scgi_module modules/mod_proxy_scgi.so #loadmodule reqtimeout_module modules/mod_reqtimeout.so #loadmodule rewrite_module modules/mod_rewrite.so loadmodule setenvif_module modules/mod_setenvif.so #loadmodule speling_module modules/mod_speling.so #loadmodule ssl_module modules/mod_ssl.so #loadmodule status_module modules/mod_status.so #loadmodule substitute_module modules/mod_substitute.so #loadmodule unique_id_module modules/mod_unique_id.so #loadmodule userdir_module modules/mod_userdir.so #loadmodule usertrack_module modules/mod_usertrack.so #loadmodule version_module modules/mod_version.so #loadmodule vhost_alias_module modules/mod_vhost_alias.so 
loadmodule php5_module "c:/program files/php/php5apache2_2.dll"   <ifmodule !mpm_netware_module> <ifmodule !mpm_winnt_module> # # if wish httpd run different user or group, must run # httpd root , switch.   # # user/group: name (or #number) of user/group run httpd as. # practice create dedicated user , group # running httpd, system services. # user daemon group daemon  </ifmodule> </ifmodule>  # 'main' server configuration # # directives in section set values used 'main' # server, responds requests aren't handled # <virtualhost> definition.  these values provide defaults # <virtualhost> containers may define later in file. # # of these directives may appear inside <virtualhost> containers, # in case these default settings overridden # virtual host being defined. #  # # serveradmin: address, problems server should # e-mailed.  address appears on server-generated pages, such # error documents.  e.g. admin@your-domain.com # serveradmin webmaster@somenet.com  # # servername gives name , port server uses identify itself. # can determined automatically, recommend specify # explicitly prevent problems during startup. # # if host doesn't have registered dns name, enter ip address here. # #servername www.somenet.com:80  # # documentroot: directory out of serve # documents. default, requests taken directory, # symbolic links , aliases may used point other locations. # documentroot "c:/program files (x86)/apache software foundation/apache2.2/htdocs"  # # each directory apache has access can configured respect # services , features allowed and/or disabled in # directory (and subdirectories).  # # first, configure "default" restrictive set of  # features.   # <directory />     options followsymlinks     allowoverride none     order deny,allow     deny </directory>  # # note point forward must allow # particular features enabled - if something's not working # might expect, make sure have enabled # below. #  # # should changed whatever set documentroot to. 
# <directory "c:/program files (x86)/apache software foundation/apache2.2/htdocs">     #     # possible values options directive "none", "all",     # or combination of:     #   indexes includes followsymlinks symlinksifownermatch execcgi multiviews     #     # note "multiviews" must named *explicitly* --- "options all"     # doesn't give you.     #     # options directive both complicated , important.  please see     # http://httpd.apache.org/docs/2.2/mod/core.html#options     # more information.     #     options indexes followsymlinks      #     # allowoverride controls directives may placed in .htaccess files.     # can "all", "none", or combination of keywords:     #   options fileinfo authconfig limit     #     allowoverride none      #     # controls can stuff server.     #     order allow,deny     allow  </directory>  # # directoryindex: sets file apache serve if directory # requested. # <ifmodule dir_module>     directoryindex index.html index.php </ifmodule>  # # following lines prevent .htaccess , .htpasswd files being  # viewed web clients.  # <filesmatch "^\.ht">     order allow,deny     deny     satisfy </filesmatch>  # # errorlog: location of error log file. # if not specify errorlog directive within <virtualhost> # container, error messages relating virtual host # logged here.  if *do* define error logfile <virtualhost> # container, host's errors logged there , not here. # errorlog "logs/error.log"  # # loglevel: control number of messages logged error_log. # possible values include: debug, info, notice, warn, error, crit, # alert, emerg. # loglevel warn  <ifmodule log_config_module>     #     # following directives define format nicknames use     # customlog directive (see below).     
#     logformat "%h %l %u %t \"%r\" %>s %b \"%{referer}i\" \"%{user-agent}i\"" combined     logformat "%h %l %u %t \"%r\" %>s %b" common      <ifmodule logio_module>       # need enable mod_logio.c use %i , %o       logformat "%h %l %u %t \"%r\" %>s %b \"%{referer}i\" \"%{user-agent}i\" %i %o" combinedio     </ifmodule>      #     # location , format of access logfile (common logfile format).     # if not define access logfiles within <virtualhost>     # container, logged here.  contrariwise, if *do*     # define per-<virtualhost> access logfiles, transactions     # logged therein , *not* in file.     #     customlog "logs/access.log" common      #     # if prefer logfile access, agent, , referer information     # (combined logfile format) can use following directive.     #     #customlog "logs/access.log" combined </ifmodule>  <ifmodule alias_module>     #     # redirect: allows tell clients documents used      # exist in server's namespace, not anymore. client      # make new request document @ new location.     # example:     # redirect permanent /foo http://www.somenet.com/bar      #     # alias: maps web paths filesystem paths , used     # access content not live under documentroot.     # example:     # alias /webpath /full/filesystem/path     #     # if include trailing / on /webpath server     # require present in url.      # need provide <directory> section allow access     # filesystem path.      #     # scriptalias: controls directories contain server scripts.      # scriptaliases same aliases, except     # documents in target directory treated applications ,     # run server when requested rather documents sent     # client.  same rules trailing "/" apply scriptalias     # directives alias.     #     scriptalias /cgi-bin/ "c:/program files (x86)/apache software foundation/apache2.2/cgi-bin/"  </ifmodule>  <ifmodule cgid_module>     #     # scriptsock: on threaded servers, designate path unix     # socket used communicate cgi daemon of mod_cgid.     
#     #scriptsock logs/cgisock </ifmodule>  # # "c:/program files (x86)/apache software foundation/apache2.2/cgi-bin" should changed whatever scriptaliased # cgi directory exists, if have configured. # <directory "c:/program files (x86)/apache software foundation/apache2.2/cgi-bin">     allowoverride none     options none     order allow,deny     allow </directory>  # # defaulttype: default mime type server use document # if cannot otherwise determine one, such filename extensions. # if server contains text or html documents, "text/plain" # value.  if of content binary, such applications # or images, may want use "application/octet-stream" instead # keep browsers trying display binary files though # text. # defaulttype text/plain  <ifmodule mime_module>     #     # typesconfig points file containing list of mappings     # filename extension mime-type.     #     typesconfig conf/mime.types      #     # addtype allows add or override mime configuration     # file specified in typesconfig specific file types.     #     #addtype application/x-gzip .tgz     #     # addencoding allows have browsers uncompress     # information on fly. note: not browsers support this.     #     #addencoding x-compress .z     #addencoding x-gzip .gz .tgz     #     # if addencoding directives above commented-out,     # should define extensions indicate media types:     #     addtype application/x-compress .z     addtype application/x-gzip .gz .tgz      #     # addhandler allows map file extensions "handlers":     # actions unrelated filetype. these can either built server     # or added action directive (see below)     #     # use cgi scripts outside of scriptaliased directories:     # (you need add "execcgi" "options" directive.)     #     #addhandler cgi-script .cgi      # type maps (negotiated resources):     #addhandler type-map var      #     # filters allow process content before sent client.     
#     # parse .shtml files server-side includes (ssi):     # (you need add "includes" "options" directive.)     #     #addtype text/html .shtml     #addoutputfilter includes .shtml      addtype application/x-httpd-php .php  </ifmodule>  # # mod_mime_magic module allows server use various hints # contents of file determine type.  mimemagicfile # directive tells module hint definitions located. # #mimemagicfile conf/magic  # # customizable error responses come in 3 flavors: # 1) plain text 2) local redirects 3) external redirects # # examples: #errordocument 500 "the server made boo boo." #errordocument 404 /missing.html #errordocument 404 "/cgi-bin/missing_handler.pl" #errordocument 402 http://www.somenet.com/subscription_info.html #  # # maxranges: maximum number of ranges in request before # returning entire resource, or 1 of special # values 'default', 'none' or 'unlimited'. # default setting accept 200 ranges. #maxranges unlimited  # # enablemmap , enablesendfile: on systems support it,  # memory-mapping or sendfile syscall used deliver # files.  improves server performance, must # turned off when serving networked-mounted  # filesystems or if support these functions otherwise # broken on system. # #enablemmap off #enablesendfile off  # supplemental configuration # # configuration files in conf/extra/ directory can  # included add features or modify default configuration of  # server, or may copy contents here , change  # necessary.  
# server-pool management (mpm specific) #include conf/extra/httpd-mpm.conf  # multi-language error messages #include conf/extra/httpd-multilang-errordoc.conf  # fancy directory listings #include conf/extra/httpd-autoindex.conf  # language settings #include conf/extra/httpd-languages.conf  # user home directories #include conf/extra/httpd-userdir.conf  # real-time info on requests , configuration #include conf/extra/httpd-info.conf  # virtual hosts #include conf/extra/httpd-vhosts.conf  # local access apache http server manual #include conf/extra/httpd-manual.conf  # distributed authoring , versioning (webdav) #include conf/extra/httpd-dav.conf  # various default settings #include conf/extra/httpd-default.conf  # secure (ssl/tls) connections #include conf/extra/httpd-ssl.conf # # note: following must must present support #       starting without ssl on platforms no /dev/random equivalent #       statically compiled-in mod_ssl. # <ifmodule ssl_module> sslrandomseed startup builtin sslrandomseed connect builtin </ifmodule>  phpinidir "c:/program files/php"  

And vhosts.conf:

    NameVirtualHost 127.0.0.1:80

    <VirtualHost 127.0.0.1:80>
        DocumentRoot i:/projects/webserver/__tools/phpmyadmin/
        ServerName dbadmin.tools
    </VirtualHost>

Update October 2016

4 years ago, since this answer is used as a reference by many, and while I have learned a lot from a security perspective during these years, I feel I am responsible to clarify some important notes, and I've updated my answer accordingly.

The original answer is correct but not safe for production environments; in addition, I would like to explain issues that you might fall into while setting up your environment.

If you are looking for a quick solution and security is not a matter, i.e. a development env, skip this and read the original answer instead.

Many scenarios can lead to 403 Forbidden:


A. Directory indexes (from mod_autoindex.c)

When you access a directory and there is no default file found in this directory and the Apache Options Indexes is not enabled for this directory.

A.1. DirectoryIndex option example

    DirectoryIndex index.html default.php welcome.php

A.2. Options Indexes option

If set, Apache will list the directory content if no default file is found (from the above 👆🏻 option).

If none of the conditions above is satisfied

You will receive a 403 Forbidden

Recommendations

  • You should not allow directory listing unless really needed.
  • Restrict the default index DirectoryIndex to the minimum.
  • If you want to modify, restrict the modification to the needed directory only, for instance, use .htaccess files, or put your modification inside the <Directory /my/directory> directive.

B. deny,allow directives (Apache 2.2)

Mentioned by @Radu and @Simon A. Eugster in the comments: your request is denied, blacklisted or whitelisted by those directives.

I will not post a full explanation, but I think some examples may help you understand; in short, remember this rule:

If matched by both, the last wins

    Order allow,deny

Deny will win if matched by both directives (even if an Allow directive is written after the Deny in the conf)

    Order deny,allow

Allow will win if matched by both directives

Example 1

    Order allow,deny
    Allow from localhost mydomain.com

Only localhost and *.mydomain.com can access this; all other hosts are denied

Example 2

    Order allow,deny
    Deny from evil.com
    # the next line has no effect since it will be evaluated first
    Allow from safe.evil.com

All requests are denied; the last line may trick you, but remember the "if matched by both, the last wins" rule (here Deny is the last), same as written:

    Order allow,deny
    Allow from safe.evil.com
    # the next line will override the previous one
    Deny from evil.com

Example 3

    Order deny,allow
    Allow from site.com
    # the next line has no effect since it is matched by the above `Allow` directive
    Deny from untrusted.site.com

Requests are accepted from all hosts

Example 4: typical for public sites (allow unless blacklisted)

    Order allow,deny
    Allow from all
    Deny from hacker1.com
    Deny from hacker2.com

Example 5: typical for intranet and secure sites (deny unless whitelisted)

    Order deny,allow
    Deny from all
    Allow from mypc.localdomain
    Allow from managment.localdomain

C. Require directive (Apache 2.4)

Apache 2.4 uses a new module called mod_authz_host

    Require all granted => Allow all requests

    Require all denied => Deny all requests

    Require host safe.com => Only safe.com is allowed


D. Files permissions

One thing that most people do wrong is configuring files permissions.

The golden rule is

Start with no permission and add as per your need

In Linux:

  • Directories should have the Execute permission

  • Files should have the Read permission

  • Yes, you are right: do not add the Execute permission for files

For instance, I use this script to set up the folders' permissions

    # setting permissions for /var/www/mysite.com
    # (run as root: the recursive 400 clears the directory search bit
    #  until the find step below restores it)

    # read permission only for the owner
    chmod -R 400 /var/www/mysite.com

    # add execute for folders only (no -R here, so files are not touched)
    find /var/www/mysite.com -type d -exec chmod u+x {} \;

    # allow file uploads
    chmod -R u+w /var/www/mysite.com/public/uploads

    # allow log writing to this folder
    chmod -R u+w /var/www/mysite.com/logs/

I posted this code as an example; your setup may vary in other situations



Original Answer

I faced the same issue, but I solved it by setting the Options directive either in the global directory setting in httpd.conf or in the specific directory block in httpd-vhosts.conf:

    Options Indexes FollowSymLinks Includes ExecCGI

By default, your global directory settings are (httpd.conf line ~188):

    <Directory />
        Options FollowSymLinks
        AllowOverride All
        Order deny,allow
        Allow from all
    </Directory>

Set the options to: Options Indexes FollowSymLinks Includes ExecCGI

Finally, it should look like:

    <Directory />
        #Options FollowSymLinks
        Options Indexes FollowSymLinks Includes ExecCGI
        AllowOverride All
        Order deny,allow
        Allow from all
    </Directory>

Also try changing the Order deny,allow and Allow from all lines to Require all granted.

Appendix

Directory indexes source code (some code removed for brevity)

    if (allow_opts & OPT_INDEXES) {
        return index_directory(r, d);
    } else {
        const char *index_names = apr_table_get(r->notes, "dir-index-names");

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01276)
                      "Cannot serve directory %s: No matching DirectoryIndex (%s) found, and "
                      "server-generated directory index forbidden by "
                      "Options directive",
                      r->filename,
                      index_names ? index_names : "none");
        return HTTP_FORBIDDEN;
    }
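The "if matched by both, the last wins" rule from section B can be checked mechanically. The following Python model is an added example, not part of the original answer and not Apache's own code; it assumes client host names are already resolved and does not model the IP/CIDR forms of Allow and Deny.

```python
"""Model of Apache 2.2 Order/Allow/Deny evaluation (added illustration).

Assumptions: client host names are already resolved, and the IP/CIDR
forms of Allow/Deny are not modelled.
"""


def host_matches(spec, client):
    """'all' matches any client; a domain matches itself and its subdomains."""
    spec, client = spec.lower(), client.lower()
    return spec == "all" or client == spec or client.endswith("." + spec)


def parse_rules(text):
    """Collect the Order value and the Allow/Deny host lists from a block."""
    order, allow, deny = "deny,allow", [], []  # Order defaults to Deny,Allow
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name == "order":
            order = "".join(words[1:]).lower()
        elif (name in ("allow", "deny") and len(words) > 2
              and words[1].lower() == "from"):
            (allow if name == "allow" else deny).extend(words[2:])
        else:
            raise ValueError("unsupported line: " + line.strip())
    return order, allow, deny


def is_allowed(text, client):
    """Apply the Order rule; the position of lines in the block is ignored."""
    order, allow, deny = parse_rules(text)
    allowed = any(host_matches(s, client) for s in allow)
    denied = any(host_matches(s, client) for s in deny)
    if order == "allow,deny":   # default deny, Deny is evaluated last
        return allowed and not denied
    if order == "deny,allow":   # default allow, Allow is evaluated last
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)


# The answer's Example 2 and Example 5, retyped here as test input.
EXAMPLE_2 = """
Order allow,deny
Deny from evil.com
Allow from safe.evil.com
"""
EXAMPLE_5 = """
Order deny,allow
Deny from all
Allow from mypc.localdomain
"""

if __name__ == "__main__":
    for label, rules, host in [("Example 2", EXAMPLE_2, "safe.evil.com"),
                               ("Example 5", EXAMPLE_5, "mypc.localdomain"),
                               ("Example 5", EXAMPLE_5, "other.example")]:
        print(label, host, "allowed" if is_allowed(rules, host) else "denied")
```

Because the decision depends only on the Order value and on which lists match, swapping the Allow and Deny lines inside a block never changes the result.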
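The permission rule from section D (directories need execute, files need read, files get no execute bit) can be verified after the chmod script has run. This audit is an added example, not part of the original answer; the group/other-writable check and the sample tree under `mysite.example` are assumptions made for the illustration.

```python
"""Audit a web root against the answer's permission rule (added illustration)."""
import os
import stat


def audit_tree(root):
    """Return sorted (relative_path, problem) pairs for entries below root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                st = os.lstat(path)
            except OSError as exc:
                findings.append((rel, "cannot stat: " + exc.strerror))
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group or others"))
            if stat.S_ISDIR(st.st_mode):
                if not mode & stat.S_IXUSR:
                    findings.append((rel, "directory lacks owner execute"))
            elif mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((rel, "file has an execute bit"))
    return sorted(findings)


def build_sample_tree(base):
    """Create a small constructed site tree under base and return its root."""
    root = os.path.join(base, "mysite.example")
    layout = {"index.php": 0o400, "run.sh": 0o500, "shared.txt": 0o666}
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "logs"))
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o700)
    os.chmod(os.path.join(root, "logs"), 0o600)  # missing the search bit
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for rel, problem in audit_tree(build_sample_tree(tmp)):
            print(rel + ": " + problem)
```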
