https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c1 Roman Drahtmueller changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |draht@suse.com --- Comment #1 from Roman Drahtmueller 2013-12-07 01:49:45 UTC --- What happens is that /etc/apache2/httpd.conf sets the following: <Directory /> Options None AllowOverride None Require all denied </Directory> Since the Require directive has precedence over the Allow/Deny directives, it will 403 all requests unless a Require directive grants access further down in the directory tree in apache's configuration. We can't reliably change user- or CGI-package's access control configuration from a conversion script, so we will have to stick with the compiled-in mod_access_compat for a while. created request id Request: #209698 maintenance_incident: home:draht:branches:openSUSE:13.1:Update/apache2 -> openSUSE:Maintenance (release in openSUSE:13.1:Update) Removing the update package may not help those who have already updated. recommended text for patch: This update reverts a partial change from the last update and re-introduces the Deny/Allow directives into the configuration framework, because the new 2.4-specific Require directive overrides the uses of Deny/Allow further down in the directory structure in apache's configuration space. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c3 --- Comment #3 from Christian Boltz 2013-12-07 13:41:10 CET --- Thanks for preparing a new update to revert the changes quickly :-) However, for the long term... (In reply to comment #1)

Since the Require directive has precedence over the Allow/Deny directives, [...] so we will have to stick with the compiled-in mod_access_compat for a while.

Isn't this the main bug/problem? IMHO Require should have the same weight as Order/Allow/Deny so that they can co-exist. Otherwise I'm afraid we'll have to stick with mod_access_compat forever because nobody will risk to switch to Require and possible break someone's configuration. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c5 --- Comment #5 from Helga Fischer 2013-12-08 17:14:10 UTC --- My scenario is using a local apache for phpmyadmin and testing some cms or websites all configured as vhosts; domains are solved by named. I don't know, where the failure occurs. Could be during the update from 12.3 up to 13.1 or before the great update. Now my vhosts (and the default one) could be invoked. The workaround works for me, but this behavoir was very surprising. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c7 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #7 from Marcus Meissner 2013-12-09 09:16:07 UTC --- hopefully resolved -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c9 Steffen Hau changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High Status|RESOLVED |REOPENED CC| |steffen.hau@rz.uni-mannheim | |.de Resolution|FIXED | --- Comment #9 from Steffen Hau 2013-12-09 10:29:34 UTC --- This update causes all of my apache installations, which I've migrated to 2.4 config style, to report error 403. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c11 Steffen Hau changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED InfoProvider|steffen.hau@rz.uni-mannheim | |.de | --- Comment #11 from Steffen Hau 2013-12-09 11:53:52 UTC --- www-1v40:~ # rpm -q --changelog apache2 | head * Sa Dez 07 2013 draht@suse.de - revert last change about Require directive to avoid spurious 403 errors due to conflicts with Require vs. Deny/Allow. The problem: In /etc/apache2/httpd.conf, the permissions are set for "/" using <Directory /> ... Require all denied </Directory>. This overrides all subsequent Allow/Deny directives that may be present in an older confguration and leads to a 403 unless configured otherwise with a further "Require all granted" down in a directory or vhost. This cannot be guaranteed, though, and numerous configurations www-1v40:~ # zypper ref Repository 'openSUSE-13.1-Non-Oss' is up to date. Repository 'openSUSE-13.1-Oss' is up to date. Repository 'openSUSE-13.1-Update' is up to date. Repository 'openSUSE-13.1-Update-Non-Oss' is up to date. All repositories have been refreshed. www-1v40:~ # zypper lu Loading repository data... Reading installed packages... No updates found. The apache update was installed today. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c12 Martin H. Sluka changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sluka@noris.net --- Comment #12 from Martin H. Sluka 2013-12-09 23:39:51 UTC --- (In reply to comment #9)

This update causes all of my apache installations, which I've migrated to 2.4 config style, to report error 403.

Same here. Had to revert to the old Allow/Deny/Satisfy syntax. See https://plus.google.com/101955290992770425676/posts/hUW5PuuCn6G (German) for details. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c14 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO InfoProvider| |suse-beta@cboltz.de --- Comment #14 from Christian Boltz 2013-12-18 12:44:10 CET --- "It's broken" always sounds interesting, but some lines from your error_log would be more useful ;-) Please also check if there are some *.rpm* files in /etc/apache2/ A last question - in the config files you added for your local setup, do you use Allow/Deny or Require? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c15 --- Comment #15 from Steffen Hau 2013-12-18 11:56:49 UTC --- Example of error_log: [Mon Dec 16 14:35:20.059664 2013] [access_compat:error] [pid 7402:tid 140357747734272] [client w.x.y.z:57123] AH01797: client denied by server configuration: /srv/www/virtual/mailgraph/htdocs/ [Mon Dec 16 14:35:37.021822 2013] [access_compat:error] [pid 7400:tid 140357652182784] [client w.x.y.z:57132] AH01797: client denied by server configuration: /srv/www/virtual/mailgraph/cgi-bin/mailgraph.cgi First, when I updated from openSUSE 12.3 to 13.1 I had to replace the "Allow/Deny from all" in each vhost config to "require all granted/denied". Then someone decided to compile apache with mod_access_compat enabled by default, all these configurations where broken and I had to re-add the "Allow/deny from all" back to each vhost config. Currently, I have both directives "Allow/Deny" and "Require" in my configs. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c17 --- Comment #17 from Bruno Friedmann 2013-12-18 12:43:19 UTC --- There's two places in httpd.conf then in default-server.conf Depending of what people are doing and where the root document is the result can differ. On my side, I simply remove any form of old kind of configuration everywhere, then it works, if you check that your .conf are not becoming rpmsave, or replaced. mod_access_compat should have been left as a module but that's another thread. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c19 --- Comment #19 from Roman Drahtmueller 2013-12-18 14:28:24 UTC --- I agree, this would be beneficial for everything. It's not that easy, though, because the permissions to locations are handled in a chain, not in a single place. If you use the /etc/apache2/httpd.conf that comes with the package, your own Allow/Deny and Require directives should work, because they are further away from the <Directory /></Directory> section. If a single Require directive is effective on a tree, though, an Allow/Deny pair can't mediate that any more. The problem should therefore be described as directory-hierarchical override. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c21 --- Comment #21 from Bruno Friedmann 2013-12-18 16:13:26 UTC --- @Roman, as I previously said I've managed to change all my configuration to use the new 2.4 directive and totally erase the Allow/Deny. It was done long ago, when 2.4 appear in Apache repository (I'm using it under 12.3) and the first build doesn't contain mod_access_compat (was a module you have to activate). I was not happy, but if Apache upstream decide it's time to change them, why not Using a lot with different kind of (ip, user etc) It was paying off to have all of them setup the new way. We should have simply document it, and running apache2ctl -t is able to show you we it fail. (when no module was loaded) So my configuration and the way I use apache2 is not what I would call an end-user case. I just regret the fact we don't kindly force administrators and users to upgrade their configuration. It would have been a one time effort ( since apache 1.3 ). We would have eventually be able to propose a kind of sed_update_my_conf script. (at least I would do it for SLE :-) ) I let the needinfo open, I suppose it was for Oscar -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c23 Glenn Doig changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |doiggl@velocitynet.com.au --- Comment #23 from Glenn Doig 2014-05-03 07:30:38 UTC --- Hello, How can following errer be fixed - AH01630: client denied by server configuration I am using opensuse 13.1x x86_64 Thanks Glenn # cat /var/log/apache2/cacti-error_log [Sat May 03 16:55:06.376082 2014] [authz_core:error] [pid 7273] [client 127.0.0.1:51539] AH01630: client denied by server configuration: /srv/www/cacti/ [Sat May 03 16:55:06.493612 2014] [authz_core:error] [pid 7273] [client 127.0.0.1:51539] AH01630: client denied by server configuration: /srv/www/cacti/favicon.ico # Causes browser to show: Access forbidden! You don't have permission to access the requested directory. There is either no index document or the directory is read-protected. If you think this is a server error, please contact the webmaster. Error 403 127.0.0.1 Apache/2.4.7 (Linux/SUSE) # rpm -qa | grep -i apache2 |sort apache2-2.4.7-3.2.x86_64 apache2-doc-2.4.6-6.19.2.noarch apache2-example-pages-2.4.6-6.19.2.x86_64 apache2-mod_php5-5.4.20-4.1.x86_64 apache2-prefork-2.4.7-3.2.x86_64 apache2-utils-2.4.6-6.19.2.x86_64 # ping localhost.org PING localhost (127.0.0.1) 56(84) bytes of data. 64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.051 ms 64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.047 ms 64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.069 ms #Settings used: # cat /etc/apache2/vhosts.d/cacti.conf ServerAdmin test@localhost.org ServerName 127.0.0.1 DocumentRoot /srv/www/cacti/ ErrorLog /var/log/apache2/cacti-error_log CustomLog /var/log/apache2/cacti-access_log combined HostnameLookups Off UseCanonicalName Off ServerSignature On <IfModule mod_userdir.c> UserDir public_html Include /etc/apache2/mod_userdir.conf </IfModule> Options Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all </Directory> </VirtualHost> # httpd2 -S AH00557: httpd2: apr_sockaddr_info_get() failed for test.site AH00558: httpd2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message VirtualHost configuration: *:80 127.0.0.1 (/etc/apache2/vhosts.d/cacti.conf:1) ServerRoot: "/srv/www" Main DocumentRoot: "/srv/www/htdocs" Main ErrorLog: "/var/log/apache2/error_log" Mutex ssl-stapling: using_defaults Mutex ssl-cache: using_defaults Mutex default: dir="/run/" mechanism=default Mutex mpm-accept: using_defaults PidFile: "/run/httpd.pid" Define: DUMP_VHOSTS Define: DUMP_RUN_CFG User: name="wwwrun" id=30 Group: name="www" id=8 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c Bruno Friedmann changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO InfoProvider| |doiggl@velocitynet.com.au -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c26 --- Comment #26 from Glenn Doig 2014-05-03 12:08:27 UTC --- ## I changed the folling in From: # forbid access to the entire filesystem by default <Directory /> Options None AllowOverride None Order deny,allow Deny from all </Directory> # use .htaccess files for overriding, AccessFileName .htaccess # and never show them Order allow,deny Deny from all </Files> To: # forbid access to the entire filesystem by default <Directory /> Options None AllowOverride None Require all granted </Directory> # use .htaccess files for overriding, AccessFileName .htaccess # and never show them Require all granted </Files> So I retried and got a different error but resolved this one - comment 23 so now its different. FATAL: Cannot connect to MySQL server on 'localhost'. Please make sure you have specified a valid MySQL database name in 'include/config.php' Cheers Glenn -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=854263 https://bugzilla.novell.com/show_bug.cgi?id=854263#c Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED CC| |crrodriguez@opensuse.org InfoProvider|doiggl@velocitynet.com.au | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.