Apache web server - sub-directory access denied

Posted on 2007-08-03
Last Modified: 2013-11-05
Please help - this is driving me mad.

Standard Apache server on a FC4 box.
DocumentRoot is /var/www/html and I can access that with I go to the website using the IP address.
But I can't access /var/www/html/subdir1/index.html

I get forbidden 403.

Here is the conf file - any clues?

ServerTokens OS

ServerRoot "/etc/httpd"

PidFile run/

Timeout 120

KeepAlive Off

MaxKeepAliveRequests 100

KeepAliveTimeout 15

<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000

<IfModule worker.c>
StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0

Listen 80

LoadModule access_module modules/
LoadModule auth_module modules/
LoadModule auth_anon_module modules/
LoadModule auth_dbm_module modules/
LoadModule auth_digest_module modules/
LoadModule ldap_module modules/
LoadModule auth_ldap_module modules/
LoadModule include_module modules/
LoadModule log_config_module modules/
LoadModule logio_module modules/
LoadModule env_module modules/
LoadModule mime_magic_module modules/
LoadModule cern_meta_module modules/
LoadModule expires_module modules/
LoadModule deflate_module modules/
LoadModule headers_module modules/
LoadModule usertrack_module modules/
LoadModule setenvif_module modules/
LoadModule mime_module modules/
LoadModule dav_module modules/
LoadModule status_module modules/
LoadModule autoindex_module modules/
LoadModule asis_module modules/
LoadModule info_module modules/
LoadModule dav_fs_module modules/
LoadModule vhost_alias_module modules/
LoadModule negotiation_module modules/
LoadModule dir_module modules/
LoadModule actions_module modules/
LoadModule speling_module modules/
LoadModule userdir_module modules/
LoadModule alias_module modules/
LoadModule rewrite_module modules/
LoadModule proxy_module modules/
LoadModule proxy_ftp_module modules/
LoadModule proxy_http_module modules/
LoadModule proxy_connect_module modules/
LoadModule cache_module modules/
LoadModule suexec_module modules/
LoadModule disk_cache_module modules/
LoadModule file_cache_module modules/
LoadModule mem_cache_module modules/
LoadModule cgi_module modules/

Include conf.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

UseCanonicalName Off

DocumentRoot "/var/www/html"

<Directory />
    Options FollowSymLinks Indexes
    AllowOverride None

<Directory "/home/www/html">

    Options Indexes FollowSymLinks

    AllowOverride All

    Order allow,deny
    Allow from all


<IfModule mod_userdir.c>
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    UserDir disable

    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disable" line above, and uncomment
    # the following line instead:
    #UserDir public_html


DirectoryIndex index.html index.html.var

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all

TypesConfig /etc/mime.types

DefaultType text/plain

<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic

HostnameLookups Off

ErrorLog logs/error_log

LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log combined

ServerSignature On

Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all

<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all

IndexOptions FancyIndexing VersionSort NameWidth=*

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

ForceLanguagePriority Prefer Fallback

AddDefaultCharset UTF-8

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

AddHandler type-map var

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/var/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback


BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
Question by:sheepfarmer
    LVL 4

    Accepted Solution

    first, are the following directory/file readable by apache?

    They should either be readable by anyone, or owned by apache user.

    LVL 4

    Expert Comment

    you can do 'ls -la' while in the subdir1 and send that back to me if you are not sure.

    Author Comment

    yes, the subdir1 is 755 and the index.html 644
    owned by root, group root.

    there is no .htaccess in either ../html or ../html/subdir1

    LVL 4

    Assisted Solution

    I do not see any obvious problem with your config.

    Look in log/error_log to see if it has a more detailed error.

    Next we should determine which 403 message it is if we can, so we can narrow our focus.

    Execute access forbidden
    Read access forbidden.
    SSL Required
    Site access denied
    Directory listing denied
    LVL 51

    Expert Comment

    > go to the website using the IP address.
    does this mean that you can access the pages using the IP of that server but not it's FQDN?
    Then you either have a DNS problem on the client, or you have not configured the virtual host proper in httpd.conf.

    > But I can't access /var/www/html/subdir1/index.html
    you mean you cannot access http://--your-IP--/subdir1/index.html, do you?

    Author Comment

    I can access root of the website using with IP or FQDN.

    Correct, I get the 403 when trying to access anything in the sub directories.
    I looks like a permissions issue, but both the OS permissions and Apache perms. look OK.

    I understood that the Apache DocumentRoot permissions allows access to subdirectories by default.
    LVL 51

    Expert Comment

    please post relevant messages from your error_log

    Author Comment

    [Tue Aug 07 21:27:11 2007] [error] [client] (13)Permission denied: access to /subdir1 denied

    [Tue Aug 07 21:30:01 2007] [error] [client] (13)Permission denied: access to /subdir1/index.html denied

    Any help?
    LVL 51

    Assisted Solution

    your /subdir1 has no read/execute permission for the user running your httpd

    Author Comment

    Sorry, I have not had time to resolve this on the machine in question.
    However, on a new build it just worked on the box, so not sure what was the problem.
    Thanks for the help anyway - I'll divie up the points.


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
    Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    9 Experts available now in Live!

    Get 1:1 Help Now