I am on a shared hosting package on a LAMP stack with no shell access.
I can create symlinks using PHP's symlink() function.
Let's say my web root is /home/www/user1/public
Let's say I have a real directory named /home/www/user1/public/real_dir
And I create a symlink named /home/www/user1/public/fake_dir pointing to real_dir
Why would I get a 403 Forbidden when trying to access www.mydomain.com/fake_dir but not when trying to access www.mydomain.com/real_dir?
It shouldn't be a rights problem because when I create a file in PHP, I can access that all right.
I tried switching FollowSymlinks off and on in .htaccess (it was on), but no luck.
Could it be that FollowSymlinks is defined as not overwritable in a .htaccess file? Or is there something else to be aware of when working with Symlinks in Apache?
Apache has to be configured to allow access to the directory on the filesystem. This has to be done by a system administrator by inserting a <Directory> directive in the apache configuration files (httpd.conf).
Since the real directory is inside the web root it must be accessible, but FollowSymLinks may not have been enabled for the directory - this also has to be added to the <Directory> directive.
See http://httpd.apache.org/docs/2.0/mod/core.html#directory
This is possible SELinux security issue.
cat /selinux/enforce
if the value is 1, set it to 0, then restart apache.
Related
I've read countless forum posts about this but none of the answers seem to help my situation. Here's the log excerpt:
[proxy_fcgi:error] [pid XXXX] [client redacted] AH01071: Got error 'Unable to open primary script: /home/user-account/public_html/www/index.php (No such file or directory)'
I've verified manually that this file is readable through SSH; also, other non-php files can be accessed through the browser.
My directory structure is as follows:
/home/user-account
/home/user-account/apps
/home/user-account/apps/old
/home/user-account/apps/current
/home/user-account/public_html
/home/user-account/public_html/old > symlink to > /home/user-account/apps/old
/home/user-account/public_html/test > symlink to > /home/user-account/apps/current
/home/user-account/public_html/www > symlink to > /home/user-account/apps/current
I have 2 subdomains on 'domain.com':
old.domain.com
test.domain.com
Therefore due to how cPanel/WHM/Apache writes out their virtualhosts (considering the ServerAlias directive), the resulting domain structure is:
old.domain.com
www.old.domain.com (I ignore this)
test.domain.com
www.test.domain.com (I ignore this)
domain.com (.htaccess redirects to www.domain.com)
www.domain.com (This is the domain with the issue; also domain.com would be an issue if not for the redirect)
Up until now I've been developing my wordpress website under a real directory /home/user-account/public_html/test. The site is in perfect working condition. Then I decided to go live. I moved the real folder to it's current location (/home/user-account/apps/current) and symlinked /home/user-account/public_html/test to it. I restarted Apache and verified the test.domain.com site still operated as expected (testing out the symlink). Feeling confident in the symlink setup, I removed my original symlink of /home/user-account/public_html/www (pointing to my old rails app at /home/user-account/apps/old) and created a new one pointing to /home/user-account/apps/current. This is when the issue started.
httpd.conf:
The only appreciable difference between the test subdomain and the main domain (with www aliased) is that the test subdomain's auto-generated directives point to the true aliased folder location (DocumentRoot/Directory/ScriptAlias all use /home/user-account/public_html/test). I believe this was because I had used cPanel to create a subdomain which had to point to a directory within /home/user-account/public_html. But the main domain's auto-generated directives all point to /home/user-account/public_html instead of /home/user-account/public_html/www.
However, apache 2.4 allows me to include custom virtualhost config options by placing my custom.conf files in the appropriate directories. So I don't need any of them for the test subdomain but I had to use them for the main domain; I know they're working because the error log (found at the top of this post) shows it's using the proper DocumentRoot. Here's an excerpt from the std custom.conf to show that in addition to setting the DocumentRoot I also override the other autogenerated directives explicitly:
DocumentRoot /home/user-account/public_html/www
<IfModule mod_include.c>
<Directory "/home/user-account/public_html/www">
SSILegacyExprParser On
</Directory>
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ /home/user-account/public_html/www/cgi-bin/
</IfModule>
<IfModule ssl_module>
<Directory "/home/user-account/public_html/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</IfModule>
File permissions:
I haven't changed the file permissions from their original setup and I've already verified they're correct. Again, test.domain.com was working as expected. It's only (www.?)domain.com that isn't.
Other 'fixes' that did nothing:
Rebuilding/restarting PHP-FPM (ineffective)
SetHandler/ProxyOverride (SetHandler is automatically created for me by rebuildhttpdconf and I don't expect it's the issue as it's working for the test subdomain; ProxyOverride doesn't seem to do anything)
Set up wordpress .htaccess (already in place and matches what is shown here. Again, test subdomain is working and it's an alias just like www is)
Server stats:
EasyApache 4 with
Apache 2.4.43
mod_proxy_fcgi
PHP 7.3
php73-php-fpm
Whatever you consider, remember that there's practically no difference between the files in the test subdomain vs the main domain (.htaccess included); they're both aliased to the same directory. The only difference I can see is that test is a registered subdomain and therefore httpd.conf handles it slightly differently than the main domain. However I can't just add a 'www' subdomain through cPanel - it won't let me - probably because it aliases www anyway.
I've been clawing around trying to fix this and my public website has been down for 24+ hours so I would greatly appreciate any help you can provide!
Addendum:
I don't know if it's relevant (it didn't seem to affect my old rails app), but under WHM > Manage SSL Hosts, my main domain and www subdomain point to a document root of /home/user-account/public_html, whereas my subdomains point to the correct respective directories.
I also tried setting the vhost on the main domain to use the test directory (same as the test subdomain) but it's giving me the same error. I don't think it's a permission/file issue.
I also created a test.php file in the /public_html directory in order to test out a direct access. It still erred out and logged:
AH01071: Got error 'Unable to open primary script: /home/user-account/public_html/www/index.php (No such file or directory)', referer: https:// domain.com/test.php
And the answer is that I had to set the doc_root through the PHP-FPM Configuration for the given domain. Why? I don't know - if someone can shed some light on this I'd rather not have to do things through the FPM configuration and set it through Apache if possible. I don't have to do this for subdomains...
Actually my project is in WordPress. I'm changing my server from windows to Linux.
After changing this I'm facing this error!
Why isn't my .htaccess supporting the Linux server?
If you're using Apache, you should configure it in order to allow .htaccess files to be executed.
To do so, you can
Create a virtual host, that configures specifically one site. Using a virtual host you can set a domain name, document root, server alias, etc. Also, you can set Allowoverride to All (or other). See AllowOverride
Set your configuration in /etc/apache2/apache2.conf (or /etc/apache2/httpd.conf in some versions). In these files, there is a <Directory "/var/www/" that points to your /var/www/ directory. Inside this Directory tag, you can set AllowOverride to All. Using this configuration, every site on your server will be allowed to use .htaccess.
I recommend to use the Virtual Host that allows a easier and cleaner configuration.
Checkout the comment in .htaccess file, if it starts with // then change it to #
For me this solved the problem, I wish for you too.
There are lots of questions on this but I still cannot get it to work.
I am installing Apache 2.4 and PHP 5.4.37 on a W7 Pro PC. PHP is running as a load module. If installed respectively in c:\apache24 and c:\php, with the document root as default at c:\apache24\htdocs, it all works fine.
However, I then decided I wanted the document root at f:\webroot (local drive), making necessary changes to document root in httpd.conf. webroot has all the same permissions as c:\apache24\htdocs, but I get the error message in the title.
A normal index.html file in webroot is served OK, it is just any PHP file that isn't.
I noted that the Apache service is started with user LocalSystem. So I tried various others. I even tried running Apache from the command line (instead of as a service) logged in as Administrator, which should have had access to anything, and it made no difference - same message.
Don't understand what is going on. I can go back to the default document root, but at some point will need to access folders elsewhere on the system, so I will be back with the same problem, I guess.
Further info:
Tried various combinations of the commands in <directory "f:/webroot"> to no effect, BUT have found that if in <directory /> I set 'Require all granted' instead of 'Require all denied', it works. However, not sure (a) if that is wise (it probably isn't) and (b) why it is needed anyway. Any suggestions about what I should set it to?
Solved this:
Not only do you have to set Document root and the matching <DIRECTORY ...> section entry in httpd.conf, but also DocumentRoot in the <VirtualHost _default_:80> section of the ...\conf\extras\httpd-vhosts.conf file.
Setting 'Require all granted' in <DIRECTORY /> was a mistake.
I've seen a lot of questions on here regarding files not being accessible due to permissions with LAMP but nothing about making files unviewable by the http client using permissions.
I have files and folders in my Apache2 root folder that I don't want people to be able to access via their browser or by other external means. I set the permissions to 770, but this doesn't seem to be enough. Do outside users access files as the apache user?
I'm running LAMP under Ubuntu Server with little modifications to the defaults, thus my apache user is www-data, group is :www-data, and the apache root is /var/www.
I have a /var/www/_private folder that has 770 permissions and the same permissions on its enclosed files. However, if I access these files through a browser, they are still viewable. Are clients accessing my files as the www-data user? If so, how do I rectify this?
I've worked on hosted setups where setting the "other" permissions to 0 was sufficient for denying outside direct access to files. Do I need to install some extra module to gain this functionality?
Note: I still need my accessible-to-the-client PHP scripts to access these files via includes, fopen, etc...
Well, right, 770 means that the owner of the file and the group can read, write and execute it. I'm going to guess the Apache is the owner of that file, thus allowing it to access it and open it to the world.
Instead of modifying the permissions on the server, and possibly causing harm to the accessibility of the file, why don't you use an .htaccess file. It will instruct Apache to take actions in certain instances, like denying access to a file. Simply create the .htaccess file in the root of the website with
<Files {your file name here}>
deny from all
</Files>
and you'll deny everyone from accessing it with Apache.
And if you want to deny an entire directory:
<Directory /var/www/_private>
Order Deny,allow
Deny from all
</Directory>
I have a production server with apache2, php, mysql.
I have just one site right now (mysite.com) as a virtual host. I want to put phpmyadmin, webalizer, and maybe webmin on there. So far, I installed phpmyadmin, and it works but the whole internet can go to mysite.com/phpmyadmin
How can I reduce the visibility to say 192.168.0.0/16 so it's just accessible to machines behind my firewall?
1) You can do it at the Webserver level.
Use allow/deny rules for apache. If you don't have direct access to your apache configuration file, you may use a .htaccess file.
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from 10.1.2.3
</Directory>
2) You can do it at the application level using the phpmyadmin config file.
The configuration parameter is: $cfg['Servers'][$i]['AllowDeny']['rules']
Examples of rules are:
'all' -> 0.0.0.0/0
'localhost' -> 127.0.0.1/8
'localnetA' -> SERVER_ADDRESS/8
'localnetB' -> SERVER_ADDRESS/16
'localnetC' -> SERVER_ADDRESS/24
You can see this on the official phpMyAdmin configuration documentation.
http://www.phpmyadmin.net/documentation/#servers_allowdeny_order
You would use a module in Apache called mod_access
You can either configure it in your apache config file or within a .htaccess file in the directory's root.
Here's a short example
<Directory /your_folder/location>
Order Deny,Allow
Deny from all
Allow from 123.123.123.123
</Directory>
Use the <Location> directive (either in server configuration or if it is allowed, in .htaccess). In there, you can use Allow from to deny access to everyone else except some certain source.