Debian, Apache, 403 Forbidden Errors and Encrypted Drives
Preface:
There are a couple of reasons why this might happen and the question has already been asked several times here at Stack Exchange. Nevertheless, none of the answers solved it (directly) in my case or were based upon false or outdated information.
Many of those (rightly accepted) answers tell you to change permissions or ownership of the configured DocumentRoot directory and the contained files and directories recursively to www-data.
But this is likely not needed anymore when talking about a local installation of the latest Debian or Ubuntu (e.g. for the purpose of basic web development).
Let's have a look at the logs!
As the error page itself contains just a very generic message we need to have a look at the error log to get more information on it:
sudo tail -f /var/log/apache2/error.log
The tail command will output the last 10 lines of a file and using the -f option ensures that the output is updated while the log grows.
What does the log tell?
client denied by server configuration: /home/johndoe/web/test
This one is easy. As explained at Apache: client denied by server configuration we just need to update our configuration with the Require all granted setting, so it looks like:
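<VirtualHost *:80>
    DocumentRoot "/home/johndoe/web/test"
    ServerName test
    <Directory "/home/johndoe/web/test">
        Options Indexes FollowSymLinks
        AllowOverride All
        # Apache 2.2 style access control (on 2.4 these two are handled by mod_access_compat)
        Order allow,deny
        Allow from all
        # Apache 2.4 style access control
        Require all granted
    </Directory>
</VirtualHost>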
Don't forget to restart Apache with:
sudo service apache2 restart
The error remains ...
But the log message has changed:
Symbolic link not allowed or link target not accessible: /home/johndoe/web/test
This one is a bit more complicated as it can have several reasons. To find out what the actual reason is, a good start is to update our configuration to not use a destination containing a symlink but instead point to the destination directly. Here /home/johndoe/web was a symlink to /media/johndoe/crypt1/web so our configuration now looks like this:
<VirtualHost *:80>
    DocumentRoot "/media/johndoe/crypt1/web/test"
    ServerName test
    <Directory "/media/johndoe/crypt1/web/test">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>
Is it fixed?
The log message likely changed to a more descriptive one. In my case it showed:
access to / denied (filesystem path '/media/johndoe/crypt1') because search permissions are missing on a component of the path
If you see another message here and may already have a working solution, it would be great if you comment and link the respective discussion here so other people might find the right information as well.
And now?
As the message tells, the path is not fully accessible for Apache as one or more components of it can not be traversed. To see which component may cause it we can do:
namei -m /media/johndoe/crypt1/web/test/
The namei command separates and prints the path components and with the -m option shows the mode bits of each component in the style the ls -l command would.
For me the output looked like this:
f: /media/johndoe/crypt1/web/test/
drwxr-xr-x /
drwxr-xr-x media
drwxr-x--- johndoe
drwxr-xr-x crypt1
drwxr-xr-x web
drwxr-xr-x test
As it seems, the johndoe directory is causing the trouble here. So before we just modify the permissions with chmod let's better have a closer look:
ls -ld /media/johndoe/
The ls command with the -d option will print the information for the directory (and not its contents) in list -l style.
It looks like this for me:
drwxr-x---+ 3 root root 4096 May 28 00:00 /media/johndoe/
And as you can see there is a + sign there, which indicates that a further Access Control List is involved.
This finally pointed me in the right direction as I was sure that I had not set up any ACL on my own. Even more because I had not even set up the media mount points on my own but instead used Nautilus to encrypt and mount my drive.
This does the trick:
So instead of letting Nautilus mess up my mount point I now mount it manually:
1) Unmount it if it is already mounted:
sudo umount /media/johndoe/crypt1
2) Create a mount point directly under /media:
sudo mkdir /media/crypt1
3) Look up the devices mapping to find out the UUID:
ls -l /dev/mapper/
4) Mount the device according to it:
sudo mount /dev/mapper/luks-<UUID> /media/crypt1
5) Update the Apache config and/or symlink accordingly e.g.:
ln -s /media/crypt1/web/ ~/web
Notes:
Keep in mind that you need to encrypt and mount your drive after every boot. There is plenty of information available on it here at Stack Exchange but I can recommend:
Mount encrypted volumes from command line
Mount a LUKS partition at boot
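The permission walk from the answer above, as an added example that is not part of the original answer: a shell function that resolves symlinks first and then reports the first directory on the path that accounts outside the owner and group (such as www-data) cannot search, noting when ls shows the + ACL marker. The name first_blocked and its optional START argument are assumptions made for this example; it reads only the "other" mode bits, so where an ACL is flagged the effective rights still have to be read with getfacl.

```shell
#!/bin/sh
# Added example (not from the original answer).
# Usage: first_blocked TARGET [START]
#   e.g. first_blocked /home/johndoe/web/test
# Prints "<mode> <directory>" for the first directory between START (default /)
# and TARGET whose "other" class has no search (x) bit and returns 1.
# Returns 0 if every directory is searchable, 2 on a usage or lookup error.
first_blocked() {
    # Resolve symlinks so the real path is checked, as done by hand above.
    target=$(readlink -f -- "$1") || return 2
    cur=$(readlink -f -- "${2:-/}") || return 2
    case $target in
        "$cur"|"${cur%/}"/*) ;;
        *) echo "first_blocked: target is not below start" >&2; return 2 ;;
    esac
    rest=${target#"${cur%/}"}
    rest=${rest#/}
    while :; do
        if [ -d "$cur" ]; then
            # First field of ls -ld is the mode string, e.g. drwxr-x---+
            mode=$(ls -ld -- "$cur" | awk 'NR==1 {print $1}')
            case $mode in
                ?????????[xt]*) ;;   # 10th character: others may search
                *)
                    note=
                    case $mode in
                        *+) note=" (ACL present, inspect with getfacl)" ;;
                    esac
                    printf '%s %s%s\n' "$mode" "$cur" "$note"
                    return 1 ;;
            esac
        fi
        [ -n "$rest" ] || return 0
        # Move one component further down the path.
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        cur=${cur%/}/$comp
    done
}
```

Run against the symlinked DocumentRoot from the question, it would stop at /media/johndoe, the same component that namei -m and ls -ld singled out.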
conceptdeluxe
Updated on September 18, 2022
Comments
-
conceptdeluxe over 1 year
I have set up Apache on my local Debian Jessie installation but can not get my VirtualHost to work. Accessing http://localhost works just fine and shows me the It works! page.
But when trying to access http://test a 403 Forbidden error is shown:
You don't have permission to access / on this server.
My configuration looks just common:
<VirtualHost *:80>
    DocumentRoot "/home/johndoe/web/test"
    ServerName test
    <Directory "/home/johndoe/web/test">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
-
Tony Sepia almost 6 years
What a great answer. No shamanism - pure troubleshooting skills.