Linux upgrade stopped intranet from working "Forbidden You don't have permission to access"

Dutifully upgraded Linux on our Intranet site. At first I could not access home page, configured apache2.conf file as follows -

<Directory />
      Options FollowSymLinks
      AllowOverride None
      Require all granted
</Directory>

"Now, I can hit the home page (and open the WP-admin console) but when I try any links, I get
Not Found
The requested URL /URLNAME was not found on this server.
Apache/2.4.7 (Ubuntu) Server at intranet.goptions.co.uk Port 80"

Any ideas what is stopping me from seeing my pages? (or database?)
LVL 4
fuzzyfreakAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jan SpringerCommented:
<Directory ...>
   <RequireAny>
       Require all granted
  </Require>
</Directory>
0
fuzzyfreakAuthor Commented:
Hi Jan, thanks for this. Is there a typo somewhere?
when I add this to the conf file and restart apache, it complains -
"Expected </RequireAny> but saw </Require>"
0
Jan SpringerCommented:
Yes, a typo.  A closing must always match the opening except with the "/".
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

fuzzyfreakAuthor Commented:
So, to be clear, it should be -
<Directory ...>
   <RequireAny>
       Require all granted
  </RequireAny>
</Directory>

?
That still does not work, I'm afraid.
0
Jan SpringerCommented:
I use this.  Try using "RequireAll" instead of requireany.
0
fuzzyfreakAuthor Commented:
So it now looks like this -

<Directory ...>
   <RequireAll>
       Require all granted
  </RequireAll>
</Directory>

Still does not work, still getting error when trying to click links.
0
Jan SpringerCommented:
check /var/log/httpd/access* and error* logs.

are you running selinux?  
   # getenforce

if it comes back "1" then that's a yes.
   # ls -ldZ /var/www/html
   # ls -lZ /var/www/html

if you have modsecurity for apache also installed, that's another troubleshooting area to consider.
0
gheistCommented:
Why do you have access controls at all when default is to serve /index.html to the world?
0
fuzzyfreakAuthor Commented:
Explain?
0
gheistCommented:
The could not access homepage is not backed by error log entry
There is no telling if document root went to better pasture or directory index or it is really about access list.
0
fuzzyfreakAuthor Commented:
I am sorry,I do not understand.
This is a WordPress site, if that helps to explain location of pages better. It seems the upgrade had tied down permissions, however I can access wp-admin, link checker days pages do not exist, suggesting permissions stopping access to those pages. I have not checked the log, I can't now until I log back onto server. Any idea what I am looking for?
0
gheistCommented:
Error log. Cannot find directory index, cannot resolve rewrite rule, attempt to serve directory. Anything between starting apache and getting first error in error log
0
fuzzyfreakAuthor Commented:
I do not see a 'httpd' folder in /var/log
0
gheistCommented:
Cos on debian it is /var/log/apache2
0
fuzzyfreakAuthor Commented:
/var/log/apache2/error.log.1 appears to be the log file I was after and here is the error -

AH01630: client denied by server configuration:

I am therefore looking at this article at the moment -
http://stackoverflow.com/questions/18392741/apache2-ah01630-client-denied-by-server-configuration
0
gheistCommented:
You can replace FollowSymLinks with Alias, that is more secure and server side is less picky.
0
fuzzyfreakAuthor Commented:
Still can't fix this so if either of you can help I'd appreciate it.  I believe the issue is down to my instance not being in the default folder, it is here -
 DocumentRoot "/sites/intranet/htdocs"
0
gheistCommented:
It looks that default apache conf has been hardened and you need to add premissions to <Directory /sites/intranet> too
0
fuzzyfreakAuthor Commented:
Others already have read and execute to the entire folder structure (0755) - what specifically are you suggesting I do?
0
fuzzyfreakAuthor Commented:
So far, I have the following -

<Directory ...>
      AllowOverride None
      Require all granted
</Directory>


<Directory /sites/intranet>
      AllowOverride None
      Require all granted
</Directory>

<Directory /sites/intranet/htdocs>
      AllowOverride None
      Require all granted
</Directory>

<Directory />
      Options FollowSymLinks
      AllowOverride None
      Require all granted
</Directory>

<Directory /usr/share>
      AllowOverride None
      Require all granted
</Directory>

<Directory /var/www/>
      Options Indexes FollowSymLinks
      AllowOverride None
      Require all granted
</Directory>

<Directory /srv/>
      Options Indexes FollowSymLinks
      AllowOverride None
      Require all granted
</Directory>
0
gheistCommented:
Do you have site editors that manipulate symlinks?
If you make symlinks you can make your apache more secure with alias per symlink.
0
fuzzyfreakAuthor Commented:
Problem solved with the help of a work colleague. "a2nmod rewrite" - he noticed that the rewrite.load file under /etc/apache2/mods-enabled was missing.
I would never have figured that out and can't see any other forum posts to that effect - they all pointed to the
Require all granted.

Thank you both very much for your help.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
fuzzyfreakAuthor Commented:
Thanks for all your help on this, the situation became rather desperate and I managed to call in some internal expertise which I did not realise we had. The resolution is very important to archive because this did not exist anywhere else on support forums.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.