Debian, Apache, 403 Forbidden Errors and Encrypted Drives

Preface:

There are a couple of reasons why this might happen, and the question has already been asked several times here at Stack Exchange. Nevertheless, none of the answers solved it (directly) in my case, or they were based upon false or outdated information.

Many of those (rightly accepted) answers say to change the permissions or ownership of the configured DocumentRoot directory and the contained files and directories recursively to www-data.

But this is likely not needed anymore when talking about a local installation of the latest Debian or Ubuntu (e.g. for the purpose of basic web development).


Let's have a look at the logs!

As the error page itself contains just a very generic message, we need to have a look at the error log to get more information on it:

sudo tail -f /var/log/apache2/error.log 

The tail command will output the last 10 lines of a file and using the -f option ensures that the output is updated while the log grows.


What does the log tell us?

client denied by server configuration: /home/johndoe/web/test

This one is easy. As explained at "Apache: client denied by server configuration", we just need to update our configuration with the Require all granted setting, so it looks like:

<VirtualHost *:80>

  DocumentRoot "/home/johndoe/web/test"

  ServerName test

  <Directory "/home/johndoe/web/test">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    Require all granted
  </Directory>

</VirtualHost>

Don't forget to restart Apache with:

sudo service apache2 restart

The error remains ...

But the log message has changed:

Symbolic link not allowed or link target not accessible: /home/johndoe/web/test

This one is a bit more complicated, as it can have several reasons. To find out what the actual reason is, a good start is to update our configuration to not use a destination containing a symlink but instead point to the destination directly. Here /home/johndoe/web was a symlink to /media/johndoe/crypt1/web, so our configuration now looks like this:

<VirtualHost *:80>

  DocumentRoot "/media/johndoe/crypt1/web/test"

  ServerName test

  <Directory "/media/johndoe/crypt1/web/test">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    Require all granted
  </Directory>

</VirtualHost>

Is it fixed?

The log message likely changed to a more descriptive one. In my case it showed:

access to / denied (filesystem path '/media/johndoe/crypt1') because search permissions are missing on a component of the path

If you see another message here and already have a working solution, it would be great if you commented and linked the respective discussion here so other people can find the right information as well.


And now?

As the message tells us, the path is not fully accessible to Apache, as one or more components of it cannot be traversed. To see which component may cause it, we can do:

namei -m /media/johndoe/crypt1/web/test/

The namei command separates and prints the path components and, with the -m option, shows the mode bits of each component in the style of the ls -l command.

For me the output looked like this:

f: /media/johndoe/crypt1/web/test/
 drwxr-xr-x /
 drwxr-xr-x media
 drwxr-x--- johndoe
 drwxr-xr-x crypt1
 drwxr-xr-x web
 drwxr-xr-x test

It seems the johndoe directory is causing the trouble here. So before we just modify the permissions with chmod, let's have a closer look:

ls -ld /media/johndoe/

The ls command with the -d option will print the information for the directory itself (and not its contents) in ls -l style.

It looks like this for me:

drwxr-x---+ 3 root root 4096 May 28 00:00 /media/johndoe/

And as you can see, there is a + sign there, which indicates that an Access Control List is involved as well.

This finally pointed me in the right direction, as I was sure that I had not set up any ACL on my own. Even more so because I had not even set up the media mount points on my own; instead I used Nautilus to encrypt and mount my drive.


This does the trick:

So instead of letting Nautilus mess up my mount point I now mount it manually:

1) Unmount it if it is already mounted:

sudo umount /media/johndoe/crypt1

2) Create a mount point directly under /media:

sudo mkdir /media/crypt1

3) Look up the device mapping to find out the UUID:

ls -l /dev/mapper/

4) Mount the device according to it:

sudo mount /dev/mapper/luks-<UUID> /media/crypt1

5) Update the Apache config and/or symlink accordingly e.g.:

ln -s /media/crypt1/web/ ~/web

Notes:

Keep in mind that you need to encrypt and mount your drive after every boot. There is plenty of information available on it here at Stack Exchange, but I can recommend:

Mount encrypted volumes from command line

Mount a LUKS partition at boot

conceptdeluxe
Author by

conceptdeluxe

Updated on September 18, 2022
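
The path walk from the answer above (namei -m followed by ls -ld), as an added example that is not part of the original answer: it lists every component of an absolute path and flags those that the "other" permission class cannot traverse, plus any that carry an ACL. The function names are hypothetical, and it assumes that the Apache user (www-data on Debian) is neither owner nor group member of the directories and that paths contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original answer): walk an absolute path the
# way `namei -m` does and flag components that the "other" permission class
# cannot traverse, plus any that carry an ACL.
# Assumption: the Apache user (www-data on Debian) is neither owner nor
# group member of these directories, so only the "other" x bit applies.

# check_component DIR -> prints "<verdict> <mode> <dir>[ note]"
check_component() {
    mode=$(ls -ld "$1" | cut -d' ' -f1)
    other_x=$(printf '%s' "$mode" | cut -c10)    # 10th char: other's x bit
    case $other_x in
        x|t) verdict=ok ;;                       # t = sticky bit plus x
        *)   verdict=BLOCKED ;;
    esac
    case $mode in
        *+) note=" (ACL present, inspect with getfacl)" ;;
        *)  note="" ;;
    esac
    printf '%s %s %s%s\n' "$verdict" "$mode" "$1" "$note"
}

# walk_path /abs/path -> one line per component, from / down to the target
walk_path() {
    rest=${1#/}
    cur=/
    check_component "$cur"
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -z "$part" ] && continue               # skip empty parts ("//")
        cur=${cur%/}/$part
        check_component "$cur"
    done
}

# blocked_components /abs/path -> only the paths that stop traversal
blocked_components() {
    walk_path "$1" | awk '$1 == "BLOCKED" { print $3 }'
}

# Example: walk_path /media/johndoe/crypt1/web/test
```

A component reported as BLOCKED with the ACL note matches the drwxr-x---+ case from the answer; getfacl on that directory shows which users the ACL actually admits.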

Comments

  • conceptdeluxe
    conceptdeluxe over 1 year

    I have set up Apache on my local Debian Jessie installation but cannot get my VirtualHost to work. Accessing http://localhost works just fine and shows me the It works! page.

    But when trying to access http://test a 403 Forbidden error is shown:

    You don't have permission to access / on this server.


    My configuration looks just common:

    <VirtualHost *:80>
    
      DocumentRoot "/home/johndoe/web/test"
    
      ServerName test
    
      <Directory "/home/johndoe/web/test">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>
    
    </VirtualHost>
    
  • Tony Sepia
    Tony Sepia almost 6 years
    What a great answer. No shamanism - pure troubleshooting skills.