[英]Apache giving 403 forbidden errors
Ok, so i've previously set up two virtual hosts and they are working cool.好的,所以我之前设置了两个虚拟主机,它们运行良好。 they both house simple web projects and work fine with http://project1
and http://project2
in the browser.它们都包含简单的 web 项目,并且可以在浏览器中使用http://project1
和http://project2
工作。
Anyway, I've come to add another vhost.无论如何,我来添加另一个虚拟主机。 I edited the /etc/hosts file with 127.0.0.1 project3 and also updated the httpd-vhosts.conf file by copy and pasting the previous entries for project2 and editing the file path.我用 127.0.0.1 project3 编辑了 /etc/hosts 文件,还通过复制和粘贴 project2 的先前条目并编辑文件路径来更新 httpd-vhosts.conf 文件。
I've checked all the file and folder permissions (in fact I copied and pasted from project2) and simply put a "hello world" message in the index.php file.我检查了所有文件和文件夹权限(实际上是我从 project2 复制和粘贴的),并在 index.php 文件中简单地放置了一条“hello world”消息。
I get a 403 forbidden permission denied message when accessing http://project3
访问http://project3
时收到 403 禁止权限被拒绝消息
Why is this, I just can figure out what step I've missed as everything seems to be set up correct.为什么会这样,我可以弄清楚我错过了哪一步,因为一切似乎都设置正确。
Check that :检查:
Additionally, you can look at the error.log file (usually located at /var/log/apache2/error.log
) which will describe why you get the 403 error exactly.此外,您可以查看 error.log 文件(通常位于/var/log/apache2/error.log
),该文件将准确描述您收到 403 错误的原因。
Finally, you may want to restart apache, just to be sure all that configuration is applied.最后,您可能需要重新启动 apache,以确保应用所有配置。 This can be generally done with /etc/init.d/apache2 restart
.这通常可以通过/etc/init.d/apache2 restart
来完成。 On some system, the script will be called httpd.在某些系统上,该脚本将被称为 httpd。 Just figure out.只要弄清楚。
I just fixed this issue after struggling for a few days.经过几天的努力,我刚刚解决了这个问题。 Here's what worked for me:以下是对我有用的内容:
First, check your Apache error_log
file and look at the most recent error message.首先,检查您的 Apache error_log
文件并查看最新的错误消息。
If it says something like:如果它说的是:
access to /mySite denied (filesystem path '/Users/myusername/Sites/mySite') because search permissions are missing on a component of the path
then there is a problem with your file permissions.那么你的文件权限有问题。 You can fix them by running these commands from the terminal:您可以通过从终端运行这些命令来修复它们:
$ cd /Users/myusername/Sites/mySite $ find . -type f -exec chmod 644 {} \\; $ find . -type d -exec chmod 755 {} \\;
Then, refresh the URL where your website should be (such as http://localhost/mySite
).然后,刷新您的网站所在的 URL(例如http://localhost/mySite
)。 If you're still getting a 403 error, and if your Apache error_log
still says the same thing, then progressively move up your directory tree, adjusting the directory permissions as you go.如果您仍然收到 403 错误,并且如果您的 Apache error_log
仍然显示相同的内容,则逐步向上移动您的目录树,并随时调整目录权限。 You can do this from the terminal by:您可以通过以下方式从终端执行此操作:
$ cd .. $ chmod 755 mySite
If necessary, continue with:如有必要,请继续:
$ cd .. $ chmod Sites
and, if necessary,如有必要,
$ cd .. $ chmod myusername
DO NOT go up farther than that.不要走得更远。 You could royally mess up your system.你可以彻底搞砸你的系统。 If you still get the error that says search permissions are missing on a component of the path
, I don't know what you should do.如果您仍然收到错误消息,指出search permissions are missing on a component of the path
,我不知道您应该怎么做。 However, I encountered a different error (the one below) which I fixed as follows:但是,我遇到了一个不同的错误(下面的一个),我修复了如下:
If your error_log
says something like:如果您的error_log
如下内容:
client denied by server configuration: /Users/myusername/Sites/mySite
then your problem is not with your file permissions, but instead with your Apache configuration.那么您的问题不在于您的文件权限,而在于您的 Apache 配置。
Notice that in your httpd.conf
file, you will see a default configuration like this (Apache 2.4+):请注意,在您的httpd.conf
文件中,您将看到这样的默认配置(Apache 2.4+):
<Directory /> AllowOverride none Require all denied </Directory>
or like this (Apache 2.2):或者像这样(Apache 2.2):
<Directory /> Order deny,allow Deny from all </Directory>
DO NOT change this!不要改变这个! We will not override these permissions globally, but instead in your httpd-vhosts.conf
file.我们不会全局覆盖这些权限,而是在您的httpd-vhosts.conf
文件中。 First, however, make sure that your vhost Include
line in httpd.conf
is uncommented .但是,首先要确保httpd.conf
中的 vhost Include
行是uncommented 。 It should look like this.它应该是这样的。 (Your exact path may be different.) (您的确切路径可能会有所不同。)
# Virtual hosts Include etc/extra/httpd-vhosts.conf
Now, open the httpd-vhosts.conf
file that you just Include
d.现在,打开您刚刚Include
的httpd-vhosts.conf
文件 d。 Add an entry for your webpage if you don't already have one.如果您还没有,请为您的网页添加一个条目。 It should look something like this.它应该看起来像这样。 The DocumentRoot
and Directory
paths should be identical, and should point to wherever your index.html
or index.php
file is located. DocumentRoot
和Directory
路径应该相同,并且应该指向index.html
或index.php
文件所在的位置。 For me, that's within the public
subdirectory.对我来说,那是在public
子目录中。
For Apache 2.2:对于 Apache 2.2:
<VirtualHost *:80> # ServerAdmin webmaster@dummy-host2.example.com DocumentRoot "/Users/myusername/Sites/mySite/public" ServerName mysite # ErrorLog "logs/dummy-host2.example.com-error_log" # CustomLog "logs/dummy-host2.example.com-access_log" common <Directory "/Users/myusername/Sites/mySite/public"> Options Indexes FollowSymLinks Includes ExecCGI AllowOverride All Order allow,deny Allow from all Require all granted </Directory> </VirtualHost>
The lines saying台词说
AllowOverride All Require all granted
are critical for Apache 2.4+.对 Apache 2.4+ 至关重要。 Without these, you will not be overriding the default Apache settings specified in httpd.conf
.如果没有这些,您将不会覆盖httpd.conf
指定的默认 Apache 设置。 Note that if you are using Apache 2.2, these lines should instead say请注意,如果您使用的是 Apache 2.2,这些行应该改为
Order allow,deny Allow from all
This change has been a major source of confusion for googlers of this problem, such as I, because copy-pasting these Apache 2.2 lines will not work in Apache 2.4+, and the Apache 2.2 lines are still commonly found on older help threads.这一变化一直是这个问题的谷歌人的主要困惑来源,比如我,因为复制粘贴这些 Apache 2.2 行在 Apache 2.4+ 中不起作用,并且 Apache 2.2 行仍然常见于较旧的帮助线程中。
Once you have saved your changes, restart Apache .保存更改后,重新启动 Apache 。 The command for this will depend on your OS and installation, so google that separately if you need help with it.此命令将取决于您的操作系统和安装,因此如果您需要帮助,请单独使用谷歌搜索。
I hope this helps someone else!我希望这对其他人有帮助!
PS: If you are having trouble finding these .conf
files, try running the find
command, such as: PS:如果找不到这些.conf
文件,请尝试运行find
命令,例如:
$ find / -name httpd.conf
restorecon
命令的工作原理如下:
restorecon -v -R /var/www/html/
但是,它并没有解决问题,因为在例如打开 SUSE Tumbleweed 时,自定义源构建在默认网页上触发了相同的 401 错误,该错误是使用索引和
Require all granted
服务器可能需要您的主目录和其中的 .htaccess 的读取权限
您可以尝试禁用 selinux 并使用以下命令重试
setenforce 0
In my case it was failing as the IP of my source server was not whitelisted in the target server.在我的情况下,它失败了,因为我的源服务器的 IP 没有在目标服务器中列入白名单。
For eg I was trying to access https://prodcat.ref.test.co.uk from application running on my source server.例如,我试图从我的源服务器上运行的应用程序访问https://prodcat.ref.test.co.uk 。 On source server find IP by ifconfig在源服务器上通过 ifconfig 查找 IP
This IP should be whitelisted in the target Server's apache config file.此 IP 应在目标服务器的 apache 配置文件中列入白名单。 If its not then get it whitelist.如果不是,则将其列入白名单。
Steps to add a IP for whitelisting (if you control the target server as well) ssh to the apache server sudo su - cd /usr/local/apache/conf/extra (actual directories can be different based on your config)将 IP 添加到白名单的步骤(如果您也控制目标服务器) ssh 到 apache 服务器 sudo su - cd /usr/local/apache/conf/extra (实际目录可能因您的配置而异)
Find the config file for the target application for eg prodcat-443.conf找到目标应用程序的配置文件,例如 prodcat-443.conf
RewriteCond %{REMOTE_ADDR} <YOUR Server's IP>
for e.g.
RewriteCond %{REMOTE_ADDR} !^192\.68\.2\.98
Hope this helps someone希望这有助于某人
Notice that another issue that might be causing this is that, the "FollowSymLinks" option of a parent directory might have been mistakenly overwritten by the options of your project's directory.请注意,可能导致此问题的另一个问题是,父目录的“FollowSymLinks”选项可能已被项目目录的选项错误地覆盖。 This was the case for me and made me pull my hair until I found out the cause!这就是我的情况,让我拉我的头发,直到我找出原因!
Here's an example of such a mistake :这是此类错误的示例:
<Directory />
Options FollowSymLinks
AllowOverride all
Require all denied
</Directory>
<Directory /var/www/>
Options Indexes # <--- NOT OK! It's overwriting the above option of the "/" directory.
AllowOverride all
Require all granted
</Directory>
So now if you check the Apache's log message( tail -n 50 -f /var/www/html/{the_error_log_file_of_your_site}
) you'll see such an error:所以现在如果你检查 Apache 的日志消息( tail -n 50 -f /var/www/html/{the_error_log_file_of_your_site}
)你会看到这样的错误:
Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive
is also forbidden due to its similar ability to circumvent directory restrictions
That's because Indexes
in the above rules for /var/www
directory is overwriting the FolowSymLinks
of the /
directory.这是因为/var/www
目录的上述规则中的Indexes
覆盖了/
目录的FolowSymLinks
。 So now that you know the cause, in order to fix it, you can do many things depending on your need.所以现在您知道了原因,为了解决它,您可以根据需要做很多事情。 For instance:例如:
<Directory />
Options FollowSymLinks
AllowOverride all
Require all denied
</Directory>
<Directory /var/www/>
Options FollowSymLinks Indexes # <--- OK.
AllowOverride all
Require all granted
</Directory>
Or even this:甚至这个:
<Directory />
Options FollowSymLinks
AllowOverride all
Require all denied
</Directory>
<Directory /var/www/>
Options -Indexes # <--- OK as well! It will NOT cause an overwrite.
AllowOverride all
Require all granted
</Directory>
The example above will not cause the overwrite issue, because in Apache, if an option is "+" it will overwrite the "+"s only, and if it's a "-", it will overwrite the "-"s... (Don't ask me for a reference on that though, it's just my interpretation of an Apache's error message(checked through journalctl -xe
) which says: Either all Options must start with + or -, or no Option may.
when an option has a sign, but another one doesn't(Eg, FollowSymLinks -Indexes). So it's my personal conclusion -thus should be taken with a grain of salt- that if I've used -Indexes
as the option, that will be considered as a whole distinct set of options by the Apache from the other option in the "/" which doesn't have any signs on it, and so no annoying rewrites will occur in the end, which I could successfully confirm by the above rules in a project directory of my own).上面的例子不会导致覆盖问题,因为在Apache中,如果一个选项是“+”,它只会覆盖“+”,如果它是“-”,它会覆盖“-”...... (不过,不要问我对此的参考,这只是我对 Apache 错误消息的解释(通过journalctl -xe
检查),其中说: Either all Options must start with + or -, or no Option may.
当一个选项有一个标志,但另一个没有(例如,FollowSymLinks -Indexes)。所以这是我个人的结论 - 因此应该持保留态度 - 如果我使用-Indexes
作为选项,那将被考虑作为 Apache 的一组完全不同的选项,“/”中的另一个选项上没有任何标志,因此最终不会发生烦人的重写,我可以通过上述规则成功确认我自己的项目目录)。
Hope that this will help you pull much less of your hair!希望这会帮助你减少你的头发! :) :)
Add添加
<Directory "/path/to/webroot">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order allow, deny
Allow from all
Require all granted
</Directory>
to your config file (eg /etc/apache2/sites-enabled/000-default.conf) Tested LAMP stack Debian 11到您的配置文件(例如 /etc/apache2/sites-enabled/000-default.conf) 测试 LAMP 堆栈 Debian 11
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.