
Fedora FC1 - Apache 403 issues / access denied to Virtual Hosts after migrating

Denisvt asked
Last Modified: 2013-12-15
Hi,
Migrating our sites from RedHat 7.3 to Fedora, we have realized our dedicated server came with FC1.
When synchronizing the site, all Apache config was transferred ok, but we now have a 403 error preventing the Virtual Hosts in /home/ from working :

"[error] [client xx.xx.xxx.xxx] (13)Permission denied: access to / denied"

The issue is well known but all fixes apply to Fedora 3 only, such as :
"Use : chcon -R -t httpd_sys_content_t <path>"
or
"deactivate SELinux at the command line or GUI".
or :
" How do I turn enforcing on/off at boot?
You can specify the SELinux mode using the configuration file /etc/sysconfig/selinux."

However these commands do not work with Fedora 1.

Some explanations we found are :
******************************************************
Note for SELinux / Fedora Core 3+ / RedHat Enterprise users:

In addition to regular Unix permissions, under SELinux every file, directory, process, etc. has a 'security context'. When a process attempts to access a file, besides checking the Unix permissions the system also checks to see if the security context of the process is compatible with the security context of the file.

Fedora Core 3, among other systems, comes with SELinux installed by default, configured so that Apache runs in a fairly restricted security context. To run Subversion under Apache, you have to set the security context of the repository to allow Apache access (or turn off the restrictions on Apache, if you think all this is overkill). The chcon command is used to set the security context of files (similarly to how the chmod sets the traditional Unix permissions). For example, one user had to issue this command

   $ chcon -R -h -t httpd_sys_content_t PATH_TO_REPOSITORY

to set the security context to be able to successfully access the repository.
******************************************************

However with Fedora 1 we have no such files or commands, so I am not sure what to do.
What prevents our Virtual Hosts from working ?
thanks.



Top Expert 2011
Commented:
> "[error] [client xx.xx.xxx.xxx] (13)Permission denied: access to / denied
Please check owner and group of directory and file, and the permission on them.
The user of your httpd process needs to have read permission to the file
and execute permission to the directory.
Use
chown to change the ownership ( man chown )
chmod to change the permission ( man chmod )
Say,
chmod -R 755 PATH_TO_REPOSITORY

Wesly
Top Expert 2005
Commented:
You might be running into differences between Apache 1.3 and 2.0. What does

/sbin/service httpd configtest

/usr/sbin/httpd -S

show?

Author

Commented:
Wesly, I forgot to specify those basic ownership questions had been checked and tried to no avail - the sites were synchronized from another working server keeping all rights and ownership anyway.

Jlevie, those tests show :
/sbin/service httpd configtest :
A few lines like
"[warn] VirtualHost IP:0 overlaps with VirtualHost IP:0, the first has precedence, perhaps you need a NameVirtualHost directive"
and then
"Syntax OK".

/usr/sbin/httpd -S :
Same lines, then
"[warn] NameVirtualHost 192.168.0.10:0 has no VirtualHosts
VirtualHost configuration:
IP:*        www.onedomainhere.com (/etc/httpd/conf/httpd.conf:1058)
wildcard NameVirtualHosts and _default_ servers:
_default_:443          machinename.here.com (/etc/httpd/conf.d/ssl.conf:99)
Syntax OK"

thanks,
Top Expert 2005

Commented:
There's your problem. Are all of these sites named virtual hosts? Or are they a mix of name based and ip based virtual hosts?

Author

Commented:
All Virtual hosts in the Apache have been copied from the old conf file and are like:

<VirtualHost xx.xxx.xx.xxx>
DocumentRoot "/home/user1dir/public_html"
ServerName www.domain1.com
</VirtualHost>
Top Expert 2005

Commented:
Is xx.xxx.xx.xxx the same for all virtual hosts?

Author

Commented:
Yes it is. Not sure what that IP 192.168.0.10 was so I replaced it with the server's real IP xx.xxx.xx.xxx, but no change.
Top Expert 2005

Commented:
Okay, the rules for defining virtual hosts changed slightly in 2.x. Actually it wasn't so much that the rules changed as it is that Apache 2.x expects the definitions to be exactly as documented.

Valid name based virtual host definitions would look like:

NameVirtualHost *:80

#
# First Virtual Domain
#
<VirtualHost *:80>
  ServerName www.dom1.tld
  ...
</VirtualHost>
#
# Second Virtual Domain
#
<VirtualHost *:80>
  ServerName www.dom2.tld
  ...
</VirtualHost>
...

Edit httpd.conf and make the definitions look like that. Then retry the configtest and 'httpd -S'. If there are no errors, restart Apache.

Author

Commented:
Thanks for that suggestion,
In the meantime I managed to solve that crazy situation by finding someone who'd had the same case. It occurred that the way that host provider sets up their servers seems to have an error, there is an incorrect chmod of the whole root directory (?!). So after countless hours of searches, tests and hair pulling, a simple "chmod 755 /" solved our crisis...
I may update the Apache VH descriptions based on your suggestion though.
We obviously found the solution on our own but you spent some time helping and this will remain filed with the solution at the bottom, so I'll award you the points.
Thank you.
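
Added example (not part of the original thread): Apache must be able to traverse every directory from / down to the DocumentRoot, so one parent without search permission produces the "(13)Permission denied" 403 seen here. The script below lists such components; the function names and the demo tree are hypothetical, and it assumes the httpd user is neither owner nor group member of the directories.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the httpd user is neither owner
# nor group member of the directories, so the "other" permission bits decide.

# Print every component from / down to the absolute path $1, one per line.
path_components() {
    target=$1
    comps=
    while [ "$target" != "/" ]; do
        comps="$target
$comps"
        target=$(dirname "$target")
    done
    printf '/\n%s' "$comps"
}

# Print each directory on the way to $1 that lacks world search (o+x).
# Any line of output is a component that yields "(13)Permission denied".
blocked_components() {
    case $1 in
        /*) ;;
        *) echo "absolute path required" >&2; return 2 ;;
    esac
    path_components "$1" | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        # -perm -001 matches only when the other-execute bit is set.
        if [ -z "$(find "$dir" -prune -perm -001 -print 2>/dev/null)" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Constructed demo tree; in the thread the blocking component was / itself.
demo() {
    root=$(mktemp -d) && chmod 755 "$root"
    mkdir -p "$root/home/user1dir/public_html"
    chmod 750 "$root/home"     # bad mode on a parent directory
    echo "before fix:"; blocked_components "$root/home/user1dir/public_html"
    chmod 755 "$root/home"
    echo "after fix:";  blocked_components "$root/home/user1dir/public_html"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Call blocked_components with a virtual host's DocumentRoot; empty output means every parent directory is world-searchable.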
 
Top Expert 2011

Commented:
Hi Denisvt,

   If you check my first post, then you will find that I suggested that you should check the permission.
However, you thought the permission was not the issue earlier.

> Wesly, I forgot to specify those basic ownership questions had been checked and tried to no avail - the sites were
> synchronized from another working server keeping all rights and ownership anyway.

   Anyway, I'm glad to hear your issue is resolved.

Wesly

Author

Commented:
Hmm it may appear true yes, I underlined everything was correct as far as the user's home dirs and files were, as we checked home and all the home/username/; but the issue was with the server root directory, which I didn't think your post referred to...
Is there any way for me to split the points again or award you another way ?

Top Expert 2011

Commented:
Hi,

   It's ok for the points, which I don't care about. Leave it as it was.

> "[error] [client xx.xx.xxx.xxx] (13)Permission denied: access to / denied
From the error message, it complains about /.
Anyway, I didn't emphasize "/" as "the directory".

  I'm learning new things as my goal here.

Regards,

Wesly
Top Expert 2005

Commented:
As a Page Editor I can unlock the question, which would allow you to split the points if you want to.

Author

Commented:
Sure, please do, I'm the one who understood the "/" to be the user's home dir, which was ok, but it could have applied to the whole server's root dir after all...Let's split for fairness and once again thanks to both of you.
