[opensuse-factory] Apache config changes needed
Hello,

if you are updating to the latest Apache packages from Factory, you'll get a "Forbidden" error, and the log contains:

    AH01630: client denied by server configuration

This is probably caused by

    * Mo Nov 04 2013 freek@opensuse.org
    - Removed obsolete directive DefaultType
    - Changed all access control to new Require directive

The solution is to replace

    Order allow,deny
    Allow from all

with

    Require all granted

in the apache config.

This change is needed even if the access_compat module is loaded [1] :-(

Freek, was this an intentional change, or something we should call a bug? ;-)

Regards,

Christian Boltz

[1] APACHE_MODULES="actions alias auth_basic authz_host authz_groupfile authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 rewrite proxy proxy_http reqtimeout unixd access_compat authz_core systemd authn_core"

--
Maybe the next openSUSE conference should have a mandatory group hug after all... ;-)
[Jos Poortvliet in opensuse-factory]
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Tuesday 12 November 2013 20:45:30 you wrote:
> Hello,
>
> if you are updating to the latest Apache packages from Factory, you'll get a "Forbidden" error, and the log contains:
>
>     AH01630: client denied by server configuration
>
> This is probably caused by
>
>     * Mo Nov 04 2013 freek@opensuse.org
>     - Removed obsolete directive DefaultType
>     - Changed all access control to new Require directive
>
> The solution is to replace
>
>     Order allow,deny
>     Allow from all
>
> with
>
>     Require all granted
>
> in the apache config.
>
> This change is needed even if the access_compat module is loaded [1] :-(
>
> Freek, was this an intentional change, or something we should call a bug? ;-)

I searched all the configuration files for this type of entries and replaced directive Order, followed by Allow or Deny by the Require directives. I could have overlooked one or more. So I consider this a bug. But we need some more output in the error_log to pinpoint what went wrong. According to the documentation Order and following should remain working with the access_compat module. Maybe that module was not present, which gives a warning at start up, subsequently an error when such access control is used.

> Regards,
>
> Christian Boltz
>
> [1] APACHE_MODULES="actions alias auth_basic authz_host authz_groupfile authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 rewrite proxy proxy_http reqtimeout unixd access_compat authz_core systemd authn_core"

--
fr.gr.

member openSUSE
Freek de Kruijf
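
The message above describes searching configuration files for Order/Allow/Deny entries, with the risk of overlooking some. The scanner below is an added example, not part of the original thread or of the openSUSE packages; the function name `scan_config`, the sample paths and the finding fields are assumptions made for illustration. It reports each container that still holds 2.2-style access directives and suggests a replacement only for the one pair named in the thread.

```python
import re

# Order, Allow, Deny and Satisfy are the 2.2-style directives of mod_access_compat.
LEGACY = re.compile(r"^(Order|Allow|Deny|Satisfy)\b", re.I)
OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
# Constructed sample, modelled on the vhost quoted in the thread.
SAMPLE = """\
<VirtualHost *:80>
  <Directory "/srv/www/app/">
    Order allow,deny
    Allow from all
    # Require all granted
  </Directory>
  <Directory "/srv/www/app/private/">
    Order deny,allow
    Deny from all
    Require all denied
  </Directory>
</VirtualHost>
"""

def scan_config(text):
    """Return one finding per container that holds legacy access directives."""
    stack = [{"where": "(top level)", "legacy": [], "require": False}]
    findings = []
    def finish(sec):
        if sec["legacy"]:
            norm = sorted(" ".join(d.lower().split()) for _, d in sec["legacy"])
            simple = norm == ["allow from all", "order allow,deny"]  # pair from the thread
            findings.append({
                "where": sec["where"], "lines": [n for n, _ in sec["legacy"]],
                "mixed_with_require": sec["require"],
                "suggest": "Require all granted" if simple else "review manually"})
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are not active
        if line.startswith("</") and len(stack) > 1:
            finish(stack.pop())
        elif m := OPEN.match(line):
            stack.append({"where": f"<{m.group(1)} {m.group(2).strip()}>",
                          "legacy": [], "require": False})
        elif LEGACY.match(line):
            stack[-1]["legacy"].append((lineno, line))
        elif line.lower().startswith("require "):
            stack[-1]["require"] = True
    while stack:
        finish(stack.pop())
    return findings
```

Directives outside any container are reported under "(top level)", so the same function can be pointed at the text of a .htaccess file.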
Hello,

On Tuesday, 12 November 2013, Freek de Kruijf wrote:
> On Tuesday 12 November 2013 20:45:30 you wrote:
> > This change is needed even if the access_compat module is loaded [1] :-(
> >
> > Freek, was this an intentional change, or something we should call a bug? ;-)
>
> I searched all the configuration files for this type of entries and replaced directive Order, followed by Allow or Deny by the Require directives. I could have overlooked one or more.

I needed to replace the "Order" and "Allow" in one of my local config files (sorry for not mentioning that!), so it's nothing in the package.

> But we need some more output in the error_log to pinpoint what went wrong.

That would indeed be nice ;-)

> According to the documentation Order and following should remain working with the access_compat module.

That's also what I'd expect.

> Maybe that module was not present, which gives a warning at start up,

The apache log doesn't contain a warning, but "rcapache2 status" does. (But: who checks "rcapache2 status" if apache is running? ;-) I didn't...)

    Nov 13 02:03:11 geeko start_apache2[3692]: Module "unixd" is not installed, ignoring.
    Nov 13 02:03:11 geeko start_apache2[3692]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
    Nov 13 02:03:11 geeko start_apache2[3692]: Module "access_compat" is not installed, ignoring.
    Nov 13 02:03:11 geeko start_apache2[3692]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
    Nov 13 02:03:11 geeko start_apache2[3692]: Module "systemd" is not installed, ignoring.
    Nov 13 02:03:11 geeko start_apache2[3692]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
    Nov 13 02:03:11 geeko systemd[1]: Started The Apache Webserver.

At least this explains why "Order" and "Allow" didn't work anymore ;-)

Now the interesting question is when/why the module was lost.

The last known-working version is (from /var/log/zypp/history):

    2013-11-07 17:07:22|install|apache2-utils|2.4.6-10.1|x86_64||factory-oss|8909604008e65a12ced581183d1ddd87ca16bd5a27aae64c3494b07770d5e232|
    2013-11-07 17:13:55|install|apache2|2.4.6-10.1|x86_64||factory-oss|37a6b461b1853d2276e957e67d6fa6f5f0eaae8585f4d215d9b825e63afbcfc2|
    2013-11-07 17:13:59|install|apache2-prefork|2.4.6-10.1|x86_64||factory-oss|9312ce97f46bd9f799e724e0c5bfb8b65bcebc5adcf4a81eb13982b67734463b|

Now I have (with the problems described above):

    2013-11-12 17:23:31|install|apache2-utils|2.4.6-11.1|x86_64||factory-oss|12dfcafc57b0373f795e24e0aa48db7d767c90e7cc408916fd9bdc44d3d45cef|
    2013-11-12 17:26:10|install|apache2|2.4.6-11.1|x86_64||factory-oss|c4aff354571c5423e38dd82c7d8a9a3ac24197de1d957787041a7bd75ac4077f|
    2013-11-12 17:26:10|install|apache2-prefork|2.4.6-11.1|x86_64||factory-oss|231059d82f008e88ac18efa8177cfb76c976f316e7810fec69b4736b81f826ad|

The good thing is that the time and amount of changes between these two versions isn't too big ;-)

Regards,

Christian Boltz
--
Don't let anyone pass off an X as a U, be on your gxard!
On 13/11/13 01:19, Christian Boltz wrote:
> Hello,
>
>     Nov 13 02:03:11 geeko start_apache2[3692]: Module "unixd" is not installed, ignoring.
>     Nov 13 02:03:11 geeko start_apache2[3692]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
>     Nov 13 02:03:11 geeko start_apache2[3692]: Module "access_compat" is not installed, ignoring.
>     Nov 13 02:03:11 geeko start_apache2[3692]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
>     Nov 13 02:03:11 geeko start_apache2[3692]: Module "systemd" is not installed, ignoring.
>     Nov 13 02:03:11 geeko start_apache2[3692]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
>     Nov 13 02:03:11 geeko systemd[1]: Started The Apache Webserver.
>
> At least this explains why "Order" and "Allow" didn't work anymore ;-)
>
> Now the interesting question is when/why the module was lost.

Nothing was lost, you initially installed apache at a time there was a transition going on, modules "unixd", "access_compat", "systemd" are now built-in the server statically and therefore do not need to be present in APACHE_MODULES.

Supported upgrade paths are only from one released product containing apache 2.2.x to apache 2.4.x. not from one incarnation of factory to another and therefore there is no "cleanup" of old unneeded APACHE_MODULES entries.

--
"Judging by their response, the meanest thing you can do to people on the Internet is to give them really good software for free". - Anil Dash
Hello,

On Wednesday, 13 November 2013, Cristian Rodríguez wrote:
> On 13/11/13 01:19, Christian Boltz wrote:
> > Now the interesting question is when/why the module was lost.
>
> Nothing was lost, you initially installed apache at a time there was a transition going on, modules "unixd", "access_compat", "systemd" are now built-in the server statically and therefore do not need to be present in APACHE_MODULES.
>
> Supported upgrade paths are only from one released product containing apache 2.2.x to apache 2.4.x. not from one incarnation of factory to another and therefore there is no "cleanup" of old unneeded APACHE_MODULES entries.

OK, thanks for pointing that out. After removing the now built-in modules from APACHE_MODULES, rcapache2 status looks good.

Nevertheless, if I change one of my vhosts back to

    <VirtualHost *:80>
        # [...]
        <Directory /path/to/docroot>
            # [...]
            Order allow,deny
            Allow from all
            # Require all granted
        </Directory>
    </VirtualHost>

I end up with

    [Wed Nov 13 13:47:27.692515 2013] [authz_core:error] [pid 7238] [client 127.0.0.1:41087] AH01630: client denied by server configuration: /path/to/docroot/

so the problem still exists - looks like access_compat doesn't really work :-(

Regards,

Christian Boltz
--
First law of the WWW: Thou shalt separate the spiders and Indians from the users and assign each his own ground and home, so that the one does not grow envious of the other and covet his home and goods. *laughs*
[Thomas Templin in suse-linux]
On Wed 13 Nov 2013 12:54:29 UTC, Christian Boltz wrote:
> so the problem still exists - looks like access_compat doesn't really work :-(

The access_compat module works ok, using it myself quite extensively.

--
"Judging by their response, the meanest thing you can do to people on the Internet is to give them really good software for free". - Anil Dash
Hello,

On Wednesday, 13 November 2013, Cristian Rodríguez wrote:
> On Wed 13 Nov 2013 12:54:29 UTC, Christian Boltz wrote:
> > so the problem still exists - looks like access_compat doesn't really work :-(
>
> The access_compat module works ok, using it myself quite extensively.

I'm afraid I have to disagree :-(

I checked my /etc/apache2/ with rpm -qf and rpm -V. None of the files there is modified, which means I basically have a default setup.

The files in /etc/apache2/ come from the following packages:

    apache2-2.4.6-11.1.x86_64
    apache2-mod_php5-5.4.21-1.1.x86_64
    git-web-1.8.4.2-1.1.x86_64
    phpMyAdmin-4.0.9-1.1.noarch
    yast2-instserver-3.1.0-1.1.noarch

I only have the following files "not owned by any package":

    /etc/apache2/sysconfig.d/global.conf
    /etc/apache2/sysconfig.d/include.conf
    /etc/apache2/sysconfig.d/loadmodule.conf
    /etc/apache2/vhosts.d/postfixadmin.tux.conf

/etc/apache2/vhosts.d/postfixadmin.tux.conf looks quite boring:

    <VirtualHost *:80>
        ServerName postfixadmin.tux
        DocumentRoot /home/cb/postfixadmin/
        ErrorLog /var/log/apache2/postfixadmin-error.log
        CustomLog /var/log/apache2/postfixadmin-access.log combined
        # don't loose time with IP address lookups
        HostnameLookups Off
        # needed for named virtual hosts
        UseCanonicalName Off
        <Directory "/home/cb/postfixadmin/">
            Options +Indexes +SymlinksIfOwnermatch
            AllowOverride all
            Order allow,deny
            Allow from all
            # Require all granted
        </Directory>
    </VirtualHost>

/etc/sysconfig/apache2 contains (comments removed):

    APACHE_CONF_INCLUDE_FILES=""
    APACHE_CONF_INCLUDE_DIRS=""
    APACHE_MODULES="actions alias auth_basic authz_host authz_groupfile authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 rewrite proxy proxy_http reqtimeout authz_core authn_core "
    APACHE_SERVER_FLAGS=""
    APACHE_HTTPD_CONF=""
    APACHE_MPM=""
    APACHE_SERVERADMIN=""
    APACHE_SERVERNAME=""
    APACHE_START_TIMEOUT="2"
    APACHE_SERVERSIGNATURE="on"
    APACHE_LOGLEVEL="warn"
    APACHE_ACCESS_LOG="/var/log/apache2/access_log combined"
    APACHE_USE_CANONICAL_NAME="off"
    APACHE_SERVERTOKENS="OS"
    APACHE_EXTENDED_STATUS="off"
    DOC_SERVER="no"

Nevertheless, I get:

    [Wed Nov 13 20:52:52.989725 2013] [authz_core:error] [pid 11269] [client 127.0.0.1:37280] AH01630: client denied by server configuration: /home/cb/postfixadmin/favicon.ico

until I replace the "Order" and "Allow" lines with "Require all granted"

Note: As I already wrote in my first mail, this only happens with the very latest apache packages from factory. With the packages from a week ago, everything worked as expected.

Regards,

Christian Boltz
--
[unpacking a tgz file]
tar xzf <Archiv>
For further information, please read the man page or your admin.
[Torsten Hallmann in suse-linux]
Hello,

On Wednesday, 13 November 2013, Christian Boltz wrote:
> On Wednesday, 13 November 2013, Cristian Rodríguez wrote:
> > On Wed 13 Nov 2013 12:54:29 UTC, Christian Boltz wrote:
> > > so the problem still exists - looks like access_compat doesn't really work :-(
> >
> > The access_compat module works ok, using it myself quite extensively.
>
> I'm afraid I have to disagree :-(

It got even worse - the packages with the broken access_compat (or whatever detail causes the problem) was released as update for 13.1, and several people on opensuse-de reported that apache only delivers "403 forbidden" errors to them :-(

I wasn't too surprised that replacing Order/Allow/Deny with Require fixed the problem for them, as it did for me some weeks ago.

I just reported this as
https://bugzilla.novell.com/show_bug.cgi?id=854263
and strongly recommend to revert this update.

For some more technical/config details, see my previous mail in this thread.

Regards,

Christian Boltz
--
[Giving one's real name]
Because that's the custom here.
Just because something is customary doesn't mean it's good. :-))
Just because it's customary here to help others doesn't mean we have to help you either.....
[> Malte and Volker Knoll in suse-linux]
On Friday 06 December 2013 22.33:06 Christian Boltz wrote:
> Hello,
>
> On Wednesday, 13 November 2013, Christian Boltz wrote:
> > On Wednesday, 13 November 2013, Cristian Rodríguez wrote:
> > > On Wed 13 Nov 2013 12:54:29 UTC, Christian Boltz wrote:
> > > > so the problem still exists - looks like access_compat doesn't really work :-(
> > >
> > > The access_compat module works ok, using it myself quite extensively.
> >
> > I'm afraid I have to disagree :-(
>
> It got even worse - the packages with the broken access_compat (or whatever detail causes the problem) was released as update for 13.1, and several people on opensuse-de reported that apache only delivers "403 forbidden" errors to them :-(
>
> I wasn't too surprised that replacing Order/Allow/Deny with Require fixed the problem for them, as it did for me some weeks ago.
>
> I just reported this as https://bugzilla.novell.com/show_bug.cgi?id=854263 and strongly recommend to revert this update.
>
> For some more technical/config details, see my previous mail in this thread.
>
> Regards,
>
> Christian Boltz
>
> [Giving one's real name] Because that's the custom here. Just because something is customary doesn't mean it's good. :-)) Just because it's customary here to help others doesn't mean we have to help you either..... [> Malte and Volker Knoll in suse-linux]

Couldn't we encourage users to follow the migration guide to 2.4 configuration? One day or another they will be hit by not following and revised conf files.

PS: also yast2 is just to be forgotten under 13.1 until it gets a real fix and supports 2.4

--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member
GPG KEY : D5C9B751C4653227
irc: tigerfoot
On Wednesday 13 November 2013 02:19:49 Christian Boltz wrote:
> At least this explains why "Order" and "Allow" didn't work anymore ;-)

I have a habit to always do a systemctl status after a start, so I also knew that a missing module did not prevent apache2 to start. Maybe this needs to be addressed. In my view it is better to not start the server if some of the modules you apparently want to have active are not available. In case you don't need them you can remove them from your configuration.

> Regards,
>
> Christian Boltz

--
fr.gr.

member openSUSE
Freek de Kruijf
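
The thread shows start_apache2 silently ignoring APACHE_MODULES entries, and the message above argues the server should not start in that case. The check below is an added example, not part of the thread or of the start_apache2 script; the function names are hypothetical and it assumes APACHE_MODULES is assigned on a single line. It cross-references the sysconfig value with the "not installed, ignoring" journal messages and proposes the cleaned-up setting.

```python
import re
import shlex

# Message format taken from the start_apache2 journal lines quoted in the thread.
IGNORED = re.compile(r'start_apache2\[\d+\]: Module "([^"]+)" is not installed, ignoring\.')

# Constructed sysconfig fragment (shortened module list); journal excerpt
# abridged from the lines quoted in the thread.
SYSCONFIG = 'APACHE_MODULES="alias dir unixd access_compat authz_core systemd"\n'
JOURNAL = """\
Nov 13 02:03:11 geeko start_apache2[3692]: Module "unixd" is not installed, ignoring.
Nov 13 02:03:11 geeko start_apache2[3692]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
Nov 13 02:03:11 geeko start_apache2[3692]: Module "access_compat" is not installed, ignoring.
Nov 13 02:03:11 geeko start_apache2[3692]: Module "systemd" is not installed, ignoring.
Nov 13 02:03:11 geeko systemd[1]: Started The Apache Webserver.
"""

def configured_modules(sysconfig_text):
    """Return the module names from a single-line APACHE_MODULES="..." assignment."""
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if line.startswith("APACHE_MODULES="):
            tokens = shlex.split(line.split("=", 1)[1])  # strips the shell quotes
            return tokens[0].split() if tokens else []
    return []

def audit(sysconfig_text, journal_text):
    """Cross-check configured modules against 'not installed, ignoring' messages."""
    wanted = configured_modules(sysconfig_text)
    ignored = set(IGNORED.findall(journal_text))
    stale = [m for m in wanted if m in ignored]
    kept = [m for m in wanted if m not in ignored]
    return {
        "ok": not stale,  # a strict start-up check would refuse to start when False
        "ignored": stale,
        "cleaned": 'APACHE_MODULES="%s"' % " ".join(kept),
    }

if __name__ == "__main__":
    result = audit(SYSCONFIG, JOURNAL)
    print(result)
    raise SystemExit(0 if result["ok"] else 1)
```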
participants (4)
- Bruno Friedmann
- Christian Boltz
- Cristian Rodríguez
- Freek de Kruijf