authz_core keeps denying access


As requested, here is the answer with some extra explanation.

The error "client denied by server configuration" has some very specific causes, all of which are detailed here http://wiki.apache.org/httpd/ClientDeniedByServerConfiguration

As I mentioned in the comment, <Directory> blocks do not affect any request that is proxied as they only affect requests that Apache itself maps to a file system path.

Look for any Location or Files blocks that are allowing/denying access to the base URI path or .php files.

The solution I proposed which seems to have worked was to add the following block to the virtual host.

<Location />
  require all granted
</Location>

I would still suggest looking for other Location/Files blocks in the remainder of your configuration as there should be something else that caused the requests to be denied originally. Adding this block allowed the requests to start working because of the way Apache merges these sorts of blocks, as described in the following link.

https://httpd.apache.org/docs/current/sections.html
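
To help with the review the answer recommends, here is an added example (not part of the original answer) that lists every access-control directive sitting inside a Location or Files section, their Match forms, or a `<Proxy>` section, while skipping `<Directory>`. The function name, the sample config and its `LocationMatch` block are constructed for illustration.

```python
import re

# Section types the answer says to review (Location, Files and their Match
# forms) plus <Proxy>; <Directory> is deliberately not in this set.
CHECKED = {"location", "locationmatch", "files", "filesmatch", "proxy", "proxymatch"}
OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)>$")
CLOSE = re.compile(r"^</\s*\w+\s*>$")
# Require (2.4) and the older Order/Allow/Deny directives.
ACCESS = re.compile(r"^(Require|Order|Allow|Deny)\b", re.I)

def find_access_rules(conf_text):
    """Return (line_no, section, argument, directive) for every access
    directive nested inside one of the CHECKED section types."""
    stack, hits = [], []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append((m.group(1).lower(), m.group(2).strip().strip('"')))
        elif ACCESS.match(line):
            scoped = [s for s in stack if s[0] in CHECKED]
            if scoped:  # report against the innermost checked section
                hits.append((n, *scoped[-1], line))
    return hits

# Constructed sample: the question's layout plus a hypothetical LocationMatch.
SAMPLE = """\
<Directory />
    Require all denied
</Directory>
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        AllowOverride None
        Require all granted
    </Directory>
    <LocationMatch "\\.php$">
        Require all denied
    </LocationMatch>
    <Location />
        require all granted
    </Location>
    ProxyPassMatch ^/(.*\\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
</VirtualHost>
"""

if __name__ == "__main__":
    for n, section, arg, directive in find_access_rules(SAMPLE):
        print(f"line {n}: <{section} {arg}> {directive}")
```

The scanner reads one block of text and does not follow `Include` directives, so concatenate the main config and the enabled site and conf files before passing them in.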


Author: Stephan Klein

Updated on September 18, 2022

Comments

  • Stephan Klein almost 2 years

    I've configured a webserver more or less according to this tutorial (https://wiki.apache.org/httpd/PHP-FPM) and I can't get PHP to work. HTML-files are served fine. I get the following error message:

    mod_authz_core.c(802): [client <myip>:36570] AH01626: authorization result of Require all denied: denied
    mod_authz_core.c(802): [client <myip>:36570] AH01626: authorization result of <RequireAny>: denied
    127.0.0.1 [client <myip>:36570] AH01630: client denied by server configuration: proxy:fcgi://127.0.0.1:9000/var/www/html/test.php
    

    Here's my PHP file:

    www@<server>:/var/www/html$ ls -l
    -rw-rw----  1 www www-data    26 Sep  6 09:14 test.php
    

    As you see the file is owned by "www". The webserver and "php-fpm" are running as "www-data".

    Here's the basic configuration from the "apache.conf":

    <Directory />
            Options FollowSymLinks
            AllowOverride None
            Require all denied
    </Directory>
    
    <Directory /usr/share>
            AllowOverride None
            Require all granted
    </Directory>
    
    <Directory /var/www/html>
            Options Indexes FollowSymLinks
            AllowOverride None
            Require all granted
    </Directory>
    

    Here's the config for my virtual host:

    <VirtualHost *:80>
      ServerAdmin [email protected]
    
      DocumentRoot /var/www/html
    
      <Directory "/var/www/html">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
      </Directory>
    
      ErrorLog /var/log/apache2/error.log
    
      # Possible values include: debug, info, notice, warn, error, crit,
      # alert, emerg.
      LogLevel debug
    
      CustomLog /var/log/apache2/access.log combined
      ServerSignature Off
    
      # Enable forwarding of php requests via php-fpm
      ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
    </VirtualHost>
    

    I had the impression that the "Require all granted" part would prevent access to the php file and mod_authz would be happy with it.

    I already checked that "php-fpm" is listening as it should:

    www@<server>:/etc/php5/fpm/pool.d$ netstat -an | grep :9000
    tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN
    

    Now I'm out of ideas on where to look next. Any suggestions?

    • Francesco Abeni almost 8 years
      Please make sure mod_php5 is disabled: sudo a2dismod php5
    • Stephan Klein almost 8 years
      mod_php5 isn't even installed.
    • Unbeliever almost 8 years
      Your <Directory> blocks should not affect anything that is proxied as they only affect requests that Apache itself maps to a file system path (here it is the php-fpm process that is doing that). Look for any Location or Files blocks that are allowing/denying access. You shouldn't need it but you can try adding a <Location /> require all granted </Location> to your virtual host.
    • Stephan Klein almost 8 years
      Thank you, that did the trick. Time to start reading on <Location> to really understand what's happening.