httpd-users mailing list archives

From Oscar Knorn <oscar.kn...@uni-duisburg-essen.de>
Subject Re: [users@httpd] Why is debian-hosted 2.2.x giving 403 on CGI's?
Date Tue, 22 Apr 2014 14:05:20 GMT
On 22.04.2014 15:46, Jonathan Hayward wrote:
>
> I have a fresh Debian installation (if that's not an oxymoron), with
> Apache 2.2.x which I am migrating to after using Ubuntu Saucy and
> Apache 2.4.x, and I'm pulling my hair out about
> why http://dev.JonathansCorner.com/index.cgi (used to serve the
> homepage) is giving a 403. An old,
> static http://dev.JonathansCorner.com/index.html is working just fine, as
> well as other static pages within the site.
>
> What I had remembered to do was add mod_cgi:
>
> |root@ps306627:/etc/apache2/mods-enabled# ls *cgi*
> cgi.load  cgid.conf  cgid.load  proxy_scgi.load
> |
>
> And after a bit of searching, I confirmed that I needed ExecCGI and
> AddHandler directives:
>
> |    <Directory /home/cjsh/>
>             Options +ExecCGI Indexes FollowSymLinks MultiViews
>             AddHandler cgi-script .cgi
>             AllowOverride None
>             Order allow,deny
>             allow from all
>     </Directory>
> |
>
> I thought it might be that I hadn't explicitly said an index.cgi could
> serve the DirectoryIndex, but I have:
>
> |    DirectoryIndex index.cgi index.html
> |
>
> And furthermore, another CGI script
> at http://dev.JonathansCorner.com/sidebar_index.cgi is behaving exactly
> like the homepage and gives a 403.
>
> I've also restarted the server every time I made a change I wanted to
> test. I checked directory permissions; the static content wouldn't be
> served if the Apache processes couldn't access the static content, and
> I double-checked and have confirmed that when I run the index.cgi from
> a shell as nobody it gives the output I want without a Linux
> permissions error.
>
> What else can I give to let someone explain why I'm not plugging in
> all the things I need to plug in to get index.cgi to work the way it
> does executed from a shell as nobody? Here is a concatenation of my
> apache2.conf and 000-default.conf (I deleted 000-default; the
> configuration files are imported from an Apache 2). Still a little
> puzzled at what's going wrong:
>
> |#   
> # Based upon the NCSA server configuration files originally by Rob McCool.
> #   
> # This is the main Apache server configuration file.  It contains the
> # configuration directives that give the server its instructions.
> # See http://httpd.apache.org/docs/2.2/ for detailed information about
> # the directives.
> #   
> # Do NOT simply read the instructions in here without understanding
> # what they do.  They're here only as hints or reminders.  If you are unsure
> # consult the online docs. You have been warned.
> #   
> # The configuration directives are grouped into three basic sections:
> #  1. Directives that control the operation of the Apache server process as a
> #     whole (the 'global environment').
> #  2. Directives that define the parameters of the 'main' or 'default' server,
> #     which responds to requests that aren't handled by a virtual host.
> #     These directives also provide default values for the settings
> #     of all virtual hosts.
> #  3. Settings for virtual hosts, which allow Web requests to be sent to
> #     different IP addresses or hostnames and have them handled by the
> #     same Apache server process.
> #   
> # Configuration and logfile names: If the filenames you specify for many
> # of the server's control files begin with "/" (or "drive:/" for Win32), the
> # server will use that explicit path.  If the filenames do *not* begin
> # with "/", the value of ServerRoot is prepended -- so "foo.log"
> # with ServerRoot set to "/etc/apache2" will be interpreted by the
> # server as "/etc/apache2/foo.log".
> #   
>
> ### Section 1: Global Environment
> #   
> # The directives in this section affect the overall operation of Apache,
> # such as the number of concurrent requests it can handle or where it
> # can find its configuration files.
> #   
>
> #   
> # ServerRoot: The top of the directory tree under which the server's
> # configuration, error, and log files are kept.
> #   
> # NOTE!  If you intend to place this on an NFS (or otherwise network)
> # mounted filesystem then please read the LockFile documentation (available
> # at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
> # you will save yourself a lot of trouble.
> #   
> # Do NOT add a slash at the end of the directory path.
> #   
> #ServerRoot "/etc/apache2"
>
> #   
> # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
> #
> LockFile ${APACHE_LOCK_DIR}/accept.lock
>
> #
> # PidFile: The file in which the server should record its process
> # identification number when it starts.
> # This needs to be set in /etc/apache2/envvars
> #
> PidFile ${APACHE_PID_FILE}
>
> #
> # Timeout: The number of seconds before receives and sends time out.
> #
> Timeout 300
>
> #
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to "Off" to deactivate.
> #
> KeepAlive On
>
> #
> # MaxKeepAliveRequests: The maximum number of requests to allow
> # during a persistent connection. Set to 0 to allow an unlimited amount.
> # We recommend you leave this number high, for maximum performance.
> #
> MaxKeepAliveRequests 100
>
> #
> # KeepAliveTimeout: Number of seconds to wait for the next request from the
> # same client on the same connection.
> #
> KeepAliveTimeout 15
>
> ##
> ## Server-Pool Size Regulation (MPM specific)
> ##
>
> # prefork MPM
> # StartServers: number of server processes to start
> # MinSpareServers: minimum number of server processes which are kept spare
> # MaxSpareServers: maximum number of server processes which are kept spare
> # MaxClients: maximum number of server processes allowed to start
> # MaxRequestsPerChild: maximum number of requests a server process serves
> <IfModule mpm_prefork_module>
>     StartServers          5
>     MinSpareServers       5
>     MaxSpareServers      10
>     MaxClients          150
>     MaxRequestsPerChild   0
> </IfModule>
>
> # worker MPM
> # StartServers: initial number of server processes to start
> # MaxClients: maximum number of simultaneous client connections
> # MinSpareThreads: minimum number of worker threads which are kept spare
> # MaxSpareThreads: maximum number of worker threads which are kept spare
> # ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
> #              graceful restart. ThreadLimit can only be changed by stopping
> #              and starting Apache.
> # ThreadsPerChild: constant number of worker threads in each server process
> # MaxRequestsPerChild: maximum number of requests a server process serves
> <IfModule mpm_worker_module>
>     StartServers          2
>     MinSpareThreads      25
>     MaxSpareThreads      75
>     ThreadLimit          64
>     ThreadsPerChild      25
>     MaxClients          150
>     MaxRequestsPerChild   0
> </IfModule>
>
> # event MPM
> # StartServers: initial number of server processes to start
> # MaxClients: maximum number of simultaneous client connections
> # MinSpareThreads: minimum number of worker threads which are kept spare
> # MaxSpareThreads: maximum number of worker threads which are kept spare
> # ThreadsPerChild: constant number of worker threads in each server process
> # MaxRequestsPerChild: maximum number of requests a server process serves
> <IfModule mpm_event_module>
>     StartServers          2
>     MaxClients          150
>     MinSpareThreads      25
>     MaxSpareThreads      75
>     ThreadLimit          64
>     ThreadsPerChild      25
>     MaxRequestsPerChild   0
> </IfModule>
>
> # These need to be set in /etc/apache2/envvars
> User ${APACHE_RUN_USER}
> Group ${APACHE_RUN_GROUP}
>
> #
> # AccessFileName: The name of the file to look for in each directory
> # for additional configuration directives.  See also the AllowOverride
> # directive.
> #
>
> AccessFileName .htaccess
>
> #
> # The following lines prevent .htaccess and .htpasswd files from being
> # viewed by Web clients.
> #
> <Files ~ "^\.ht">
>     Order allow,deny
>     Deny from all
>     Satisfy all
> </Files>
>
> #
> # DefaultType is the default MIME type the server will use for a document
> # if it cannot otherwise determine one, such as from filename extensions.
> # If your server contains mostly text or HTML documents, "text/plain" is
> # a good value.  If most of your content is binary, such as applications
> # or images, you may want to use "application/octet-stream" instead to
> # keep browsers from trying to display binary files as though they are
> # text.
> #
> DefaultType text/plain
>
>
> #
> # HostnameLookups: Log the names of clients or just their IP addresses
> # e.g., www.apache.org (on) or 204.62.129.132 (off).
> # The default is off because it'd be overall better for the net if people
> # had to knowingly turn this feature on, since enabling it means that
> # each client request will result in AT LEAST one lookup request to the
> # nameserver.
> #
> HostnameLookups Off
>
> # ErrorLog: The location of the error log file.
> # If you do not specify an ErrorLog directive within a <VirtualHost>
> # container, error messages relating to that virtual host will be
> # logged here.  If you *do* define an error logfile for a <VirtualHost>
> # container, that host's errors will be logged there and not here.
> #
> ErrorLog ${APACHE_LOG_DIR}/error.log
>
> #
> # LogLevel: Control the number of messages logged to the error_log.
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> #
> LogLevel warn
>
> # Include module configuration:
> Include mods-enabled/*.load
> Include mods-enabled/*.conf
>
> # Include all the user configurations:
> Include httpd.conf
>
> # Include ports listing
> Include ports.conf
> # Include ports listing
> Include ports.conf
>
> #
> # The following directives define some format nicknames for use with
> # a CustomLog directive (see below).
> # If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
> #
> LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
> LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %O" common
> LogFormat "%{Referer}i -> %U" referer
> LogFormat "%{User-agent}i" agent
>
> # Include of directories ignores editors' and dpkg's backup files,
> # see README.Debian for details.
>
> # Include generic snippets of statements
> Include conf.d/
>
> # Include the virtual host configurations:
> Include sites-enabled/
>
> AddHandler cgi-script .cgi
>
> # End apache2.conf; begin sites-enabled/000-default.conf:
>
>         #<VirtualHost *:80>
>         #ServerName media.pragmatometer.com
>         #ServerAlias media.ccachicago.pragmatometer.com
>         #DocumentRoot /home/cjsh/ccachicago/media
>         #<Directory "/home/cjsh/ccachicago/media/">
>             #Options Indexes MultiViews FollowSymLinks
>             #AllowOverride None
>             ##Order deny,allow
>             ##Deny from all
>             ##Allow from 127.0.0.0/255.0.0.0 ::1/128
>         #</Directory>
>         #ServerAdmin CJSHayward@PObox.com
>     #</VirtualHost>
> <VirtualHost *:80>
>     ServerAdmin CJSHayward@POBox.com
>     ServerName default.jonathanscorner.com
>     DocumentRoot /home/cjsh/mirror
>     RewriteEngine On
>     RewriteRule ^(.*)$ http://jonathanscorner.com$1 [R=301,L]
> </VirtualHost>
> <VirtualHost *:80>
>         ServerAdmin CJSHayward@POBox.com
>
>     ServerName jonathanscorner.com
>     ServerAlias dev.jonathanscorner.com
>         DocumentRoot /home/cjsh/mirror
>     RewriteEngine On
>     RewriteRule ^[SANITIZED]$ / [R=301,L]
>     RewriteRule ^[SANITIZED]$ / [R=301,L]
>         <Directory />
>                 Options FollowSymLinks
>                 AllowOverride None
>         </Directory>
>         <Directory /home/cjsh/>
>                 Options +ExecCGI Indexes FollowSymLinks MultiViews
>                 AddHandler cgi-script .cgi
>                 AllowOverride None
>                 Order allow,deny
>                 allow from all
>         </Directory>
>
>     DirectoryIndex index.cgi index.html
>         ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>         <Directory "/usr/lib/cgi-bin">
>                 AllowOverride None
>                 Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
>                 Order allow,deny
>                 Allow from all
>         </Directory>
>
>     ErrorDocument 404 /missing.html
>     ErrorDocument 500 /servererror.html
>         ErrorLog ${APACHE_LOG_DIR}/error.log
>
>         # Possible values include: debug, info, notice, warn, error, crit,
>         # alert, emerg.
>         LogLevel warn
>
>         CustomLog ${APACHE_LOG_DIR}/access.log combined
>
>     Alias /doc/ "/usr/share/doc/"
>     <Directory "/usr/share/doc/">
>         Options Indexes MultiViews FollowSymLinks
>         AllowOverride None
>         Order deny,allow
>         Deny from all
>         Allow from 127.0.0.0/255.0.0.0 ::1/128
>     </Directory>
>
> </VirtualHost>
>
> <VirtualHost *:80>
>         ServerAdmin CJSHayward@POBox.com
>     ServerName www.jonathanscorner.com
>     ServerAlias jonathonscorner.com www.jonathonscorner.com johnathanscorner.com www.johnathanscorner.com johnathonscorner.com www.johnathonscorner.com jonathanscorner.biz www.jonathanscorner.com jonathanscorner.org www.jonathanscorner.org jonathanscorner.info www.jonathanscorner.info jonathanscorner.net www.jonathanscorner.net
>     DocumentRoot /home/cjsh/mirror
>
>     RewriteEngine On
>     RewriteRule ^(.*)$ http://jonathanscorner.com$1 [R=301,L]
>
> </VirtualHost>
> |
>
Please post access logs AND error logs for the vhosts subject to the 403.

Hint: the Allow/Deny Syntax did change from 2.2 -> 2.4.
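
An added example, not part of the original thread: a small Python audit that reports, for each `<Directory>` block, whether access control uses the 2.2 `Order`/`Allow`/`Deny` directives or the 2.4 `Require` form that the hint refers to. It also flags an `Options` line that mixes `+`/`-` keywords with bare ones, which the Apache documentation for `Options` describes as invalid syntax likely to cause unexpected results. The sample input is constructed from the block quoted above plus a hypothetical `/srv/example/` block; `audit` is a name introduced here.

```python
import re

# Constructed sample: the <Directory> block quoted in the message, plus a
# hypothetical 2.4-style block (/srv/example/ is an assumed path) for contrast.
SAMPLE_CONF = """\
<Directory /home/cjsh/>
    Options +ExecCGI Indexes FollowSymLinks MultiViews
    AddHandler cgi-script .cgi
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
<Directory "/srv/example/">
    Options +ExecCGI
    Require all granted
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)
LEGACY = {"order", "allow", "deny", "satisfy"}   # 2.2 host-based access control
AUTHZ_24 = {"all", "ip", "host", "local"}        # 2.4 "Require <provider>" forms
MIXED_OPTIONS = "Options mixes +/- keywords with bare keywords"

def audit(conf_text):
    """Map each <Directory> path to its access-control style and warnings."""
    flags, current = {}, None
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        opened = OPEN.match(raw.strip())
        if opened:
            current = opened.group(1)
            flags[current] = {"legacy": False, "v24": False, "warnings": []}
        elif words[0].lower() == "</directory>":
            current = None
        elif current is not None:
            name, args, entry = words[0].lower(), words[1:], flags[current]
            if name in LEGACY:
                entry["legacy"] = True
            elif name == "require" and args and args[0].lower() in AUTHZ_24:
                entry["v24"] = True
            elif name == "options":
                signed = [a[0] in "+-" for a in args]
                if any(signed) and not all(signed):
                    entry["warnings"].append(MIXED_OPTIONS)
    styles = {(True, False): "2.2", (False, True): "2.4", (True, True): "mixed"}
    return {path: {"style": styles.get((f["legacy"], f["v24"]), "none"),
                   "warnings": f["warnings"]} for path, f in flags.items()}
```

Calling `audit()` on the text of a real `apache2.conf` or vhost file gives the same per-directory report; a "mixed" style means both generations of directives appear in one block.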
