Linux upgrade stopped intranet from working "Forbidden You don't have permission to access"

fuzzyfreak
fuzzyfreak used Ask the Experts™
on
Dutifully upgraded Linux on our Intranet site. At first I could not access home page, configured apache2.conf file as follows -

<Directory />
      Options FollowSymLinks
      AllowOverride None
      Require all granted
</Directory>

"Now, I can hit the home page (and open the WP-admin console) but when I try any links, I get
Not Found
The requested URL /URLNAME was not found on this server.
Apache/2.4.7 (Ubuntu) Server at intranet.goptions.co.uk Port 80"

Any ideas what is stopping me from seeing my pages? (or database?)
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most Valuable Expert 2015

Commented:
<Directory ...>
   <RequireAny>
       Require all granted
  </Require>
</Directory>

Author

Commented:
Hi Jan, thanks for this. Is there a typo somewhere?
when I add this to the conf file and restart apache, it complains -
"Expected </RequireAny> but saw </Require>"
Most Valuable Expert 2015

Commented:
Yes, a typo.  A closing must always match the opening except with the "/".
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
So, to be clear, it should be -
<Directory ...>
   <RequireAny>
       Require all granted
  </RequireAny>
</Directory>

?
That still does not work, I'm afraid.
Most Valuable Expert 2015
Commented:
I use this.  Try using "RequireAll" instead of requireany.

Author

Commented:
So it now looks like this -

<Directory ...>
   <RequireAll>
       Require all granted
  </RequireAll>
</Directory>

Still does not work, still getting error when trying to click links.
Most Valuable Expert 2015

Commented:
check /var/log/httpd/access* and error* logs.

are you running selinux?  
   # getenforce

if it comes back "1" then that's a yes.
   # ls -ldZ /var/www/html
   # ls -lZ /var/www/html

if you have modsecurity for apache also installed, that's another troubleshooting area to consider.
Top Expert 2015

Commented:
Why do you have access controls at all when default is to serve /index.html to the world?

Author

Commented:
Explain?
Top Expert 2015

Commented:
The could not access homepage is not backed by error log entry
There is no telling if document root went to better pasture or directory index or it is really about access list.

Author

Commented:
I am sorry,I do not understand.
This is a WordPress site, if that helps to explain location of pages better. It seems the upgrade had tied down permissions, however I can access wp-admin, link checker days pages do not exist, suggesting permissions stopping access to those pages. I have not checked the log, I can't now until I log back onto server. Any idea what I am looking for?
Top Expert 2015
Commented:
Error log. Cannot find directory index, cannot resolve rewrite rule, attempt to serve directory. Anything between starting apache and getting first error in error log

Author

Commented:
I do not see a 'httpd' folder in /var/log
Top Expert 2015

Commented:
Cos on debian it is /var/log/apache2

Author

Commented:
/var/log/apache2/error.log.1 appears to be the log file I was after and here is the error -

AH01630: client denied by server configuration:

I am therefore looking at this article at the moment -
http://stackoverflow.com/questions/18392741/apache2-ah01630-client-denied-by-server-configuration
Top Expert 2015

Commented:
You can replace FollowSymLinks with Alias, that is more secure and server side is less picky.

Author

Commented:
Still can't fix this so if either of you can help I'd appreciate it.  I believe the issue is down to my instance not being in the default folder, it is here -
 DocumentRoot "/sites/intranet/htdocs"
Top Expert 2015

Commented:
It looks that default apache conf has been hardened and you need to add premissions to <Directory /sites/intranet> too

Author

Commented:
Others already have read and execute to the entire folder structure (0755) - what specifically are you suggesting I do?

Author

Commented:
So far, I have the following -

<Directory ...>
      AllowOverride None
      Require all granted
</Directory>


<Directory /sites/intranet>
      AllowOverride None
      Require all granted
</Directory>

<Directory /sites/intranet/htdocs>
      AllowOverride None
      Require all granted
</Directory>

<Directory />
      Options FollowSymLinks
      AllowOverride None
      Require all granted
</Directory>

<Directory /usr/share>
      AllowOverride None
      Require all granted
</Directory>

<Directory /var/www/>
      Options Indexes FollowSymLinks
      AllowOverride None
      Require all granted
</Directory>

<Directory /srv/>
      Options Indexes FollowSymLinks
      AllowOverride None
      Require all granted
</Directory>
Top Expert 2015

Commented:
Do you have site editors that manipulate symlinks?
If you make symlinks you can make your apache more secure with alias per symlink.
Problem solved with the help of a work colleague. "a2nmod rewrite" - he noticed that the rewrite.load file under /etc/apache2/mods-enabled was missing.
I would never have figured that out and can't see any other forum posts to that effect - they all pointed to the
Require all granted.

Thank you both very much for your help.

Author

Commented:
Thanks for all your help on this, the situation became rather desperate and I managed to call in some internal expertise which I did not realise we had. The resolution is very important to archive because this did not exist anywhere else on support forums.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial