[Bug 854263] New: apache update causes "403 forbidden" errors
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c0

Summary: apache update causes "403 forbidden" errors
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: Other
OS/Version: openSUSE 13.1
Status: NEEDINFO
Severity: Critical
Priority: P5 - None
Component: Apache
AssignedTo: bnc-team-apache@forge.provo.novell.com
ReportedBy: suse-beta@cboltz.de
QAContact: qa-bugs@suse.de
InfoProvider: maintenance@opensuse.org
Found By: Beta-Customer
Blocker: ---

There are several reports on the opensuse-de mailinglist that apache will only deliver "403 forbidden" errors since the latest update.

The log contains:

[Fri Dec 06 17:53:22.804744 2013] [authz_core:error] [pid 3513] [client 127.0.0.1:58895] AH01630: client denied by server configuration: /srv/www/htdocs/index.html

It reportedly works again after replacing "Order by ..." and "Allow from ... " / "Deny from ..." with "Require ...".

I'd guess that...

=== openSUSE-2013-906 - Patch 1 (recommended) ===
apache2: Update apache2 to reflect changes introduced in Apache 2.4
This update fixes the following issue with apache2:
- bnc#848146: Removed obsolete directive DefaultType
- Changed Order Deny Allow directives to new Require{|Any|All|None}
===

.. "Changed Order Deny Allow directives..." is the change that broke it - it seems that "Require" has more weight than the old directives and overrules them.

BTW: I've seen the same problem in factory, so I can help with testing if needed.

@maintenance team: can you please remove this update until this bug is fixed to avoid breaking more systems?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c1
Roman Drahtmueller
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c2
--- Comment #2 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c3
--- Comment #3 from Christian Boltz
Since the Require directive has precedence over the Allow/Deny directives, [...] so we will have to stick with the compiled-in mod_access_compat for a while.
Isn't this the main bug/problem? IMHO Require should have the same weight as Order/Allow/Deny so that they can co-exist. Otherwise I'm afraid we'll have to stick with mod_access_compat forever because nobody will risk to switch to Require and possibly break someone's configuration.
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c4
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c5
--- Comment #5 from Helga Fischer
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c6
--- Comment #6 from Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c7
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c8
Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c9
Steffen Hau
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c10
Christian Boltz
This update causes all of my apache installations, which I've migrated to 2.4 config style, to report error 403.
Steffen, can you please paste the output of

rpm -q --changelog apache2 | head

I'd guess you got the (older) broken update, not the latest one...
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c11
Steffen Hau
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c12
Martin H. Sluka
This update causes all of my apache installations, which I've migrated to 2.4 config style, to report error 403.
Same here. Had to revert to the old Allow/Deny/Satisfy syntax. See https://plus.google.com/101955290992770425676/posts/hUW5PuuCn6G (German) for details.
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c13
Oscar Curero
www-1v40:~ # rpm -q --changelog apache2 | head
* Sa Dez 07 2013 draht@suse.de
- revert last change about Require directive to avoid spurious 403 errors due to conflicts with Require vs. Deny/Allow. The problem: In /etc/apache2/httpd.conf, the permissions are set for "/" using <Directory /> ... Require all denied </Directory>. This overrides all subsequent Allow/Deny directives that may be present in an older confguration and leads to a 403 unless configured otherwise with a further "Require all granted" down in a directory or vhost. This cannot be guaranteed, though, and numerous configurations

www-1v40:~ # zypper ref
Repository 'openSUSE-13.1-Non-Oss' is up to date.
Repository 'openSUSE-13.1-Oss' is up to date.
Repository 'openSUSE-13.1-Update' is up to date.
Repository 'openSUSE-13.1-Update-Non-Oss' is up to date.
All repositories have been refreshed.

www-1v40:~ # zypper lu
Loading repository data...
Reading installed packages...
No updates found.
The apache update was installed today.
I can confirm that this update breaks apache totally. I'm unable to get any page, all of them return a 403 error.
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c14
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c15
--- Comment #15 from Steffen Hau
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c16
Roman Drahtmueller
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c17
--- Comment #17 from Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c18
--- Comment #18 from Steffen Hau
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c19
--- Comment #19 from Roman Drahtmueller
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c20
--- Comment #20 from Roman Drahtmueller
There's two places
in httpd.conf
then in default-server.conf
What exactly is there? Require or Allow/Deny?
Depending on what people are doing and where the root document is, the result can differ.
On my side, I simply remove any form of old kind of configuration everywhere, then it works, if you check that your .conf are not becoming rpmsave, or replaced.
mod_access_compat should have been left as a module but that's another thread.
Old configuration should work flawlessly (we MUST NOT break configurations!) if no Require directive is used anywhere. If there is a Require directive somewhere, it will override all subsequent Allow/Deny directives for the tree below.
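
A lint for the situation Comment #20 and the package changelog describe, as an added example that is not part of the bug thread or of the apache2 package: it lists <Directory> sections that set only Order/Allow/Deny/Satisfy while an enclosing <Directory> sets Require. The sample configuration is constructed, and the function names, the prefix-based inheritance and the restriction to literal <Directory> paths (no Include, .htaccess, <Location> or vhost handling) are assumptions of this example.

```python
import re
# Constructed sample in the shape the thread describes (not a real system's config).
SAMPLE_CONF = """\
<Directory />
    Require all denied
</Directory>
<Directory "/srv/www/htdocs">
    Order allow,deny
    Allow from all
</Directory>
<Directory /srv/www/htdocs/app>
    Require all granted
</Directory>
<Directory /srv/www/htdocs/app/legacy>
    Order deny,allow
    Deny from all
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
LEGACY = re.compile(r"(Order|Allow|Deny|Satisfy)\b", re.I)

def parse_sections(conf_text):
    """Map each <Directory> path to its Require and legacy access lines."""
    sections, current = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = OPEN.match(line)
        if opened:
            path = opened.group(1).rstrip("/") or "/"
            current = sections.setdefault(path, {"require": [], "legacy": []})
        elif line.lower().startswith("</directory"):
            current = None
        elif current is not None and re.match(r"Require\b", line, re.I):
            current["require"].append(line)
        elif current is not None and LEGACY.match(line):
            current["legacy"].append(line)
    return sections

def shadowed_legacy(conf_text):
    """Return (path, ancestor, inherited Require) for legacy-only sections."""
    sections, findings = parse_sections(conf_text), []
    for path, sec in sections.items():
        if not sec["legacy"] or sec["require"]:
            continue  # nothing legacy here, or the section sets its own Require
        above = [p for p, s in sections.items() if s["require"] and p != path
                 and (p == "/" or path.startswith(p + "/"))]
        if above:
            nearest = max(above, key=len)  # longest matching prefix wins
            findings.append((path, nearest, sections[nearest]["require"][-1]))
    return findings
```

A finding whose inherited line is `Require all denied` is the case behind the AH01630 "client denied by server configuration" errors reported in this bug.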
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c21
--- Comment #21 from Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c22
--- Comment #22 from Roman Drahtmueller
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c23
Glenn Doig
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c24
Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c
Bruno Friedmann
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c25
--- Comment #25 from Glenn Doig
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c26
--- Comment #26 from Glenn Doig
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c27
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=854263
https://bugzilla.novell.com/show_bug.cgi?id=854263#c29
--- Comment #29 from Roman Drahtmueller