You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Georg Sauthoff <g_...@web.de> on 2007/08/07 21:51:38 UTC

[users@httpd] CGI works, but client denied error messages in error.log

Hi,

I have a working Apache 2 setup and Apache calls successfully the
cgi-scripts. The problem is, that for every successfull CGI-call I get a
'client denied by server configuration' error message into the error.log
file.

This message conflicts with the fact, that the CGI-call was executed
successfully and I saw the correct output in the Web browser.

I am basically using a '/ Deny all' policy and a ScriptAlias definition.
A minimal example:

NameVirtualHost *
<VirtualHost *>
  DocumentRoot /var/www/

  <Directory />
    Options -FollowSymLinks -Indexes -Includes
    AllowOverride None
    Order Deny,Allow
    Deny from all
  </Directory>


  ScriptAlias /project /var/www/project/cgi-bin/test.cgi
  <Directory /var/www/project/cgi-bin>
    Order Deny,Allow
    Allow from all
  </Directory>
</VirtualHost>

# cat test.cgi
#!/bin/sh

cat out.min

# cat out.min
Content-Type: text/html; charset=utf-8
Status: 200 OK

<HTML>
<HEAD></HEAD><BODY><H1>HELLO WORLD!</H1></BODY></HTML

Browser output from 127.0.0.1/project/bar:
very big: Hello World!

Error message in error.log:
[client 127.0.0.1] client denied by server configuration: /var/www/bar


Can someone explain me this behaviour? I don't understand this. This error
makes no sense for me, because the script execution works, apparently.

Best regards
Georg Sauthoff


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Re: CGI works, but client denied error messages in error.log

Posted by Georg Sauthoff <g_...@web.de>.

On 2007-08-08, Vincent Bray <no...@gmail.com> wrote:
> On 08/08/2007, Georg Sauthoff <g_...@web.de> wrote:
[..]
>> Error message in error.log:
>> [client 127.0.0.1] client denied by server configuration: /var/www/bar

>> Can someone explain me this behaviour? I don't understand this. This error
>> makes no sense for me, because the script execution works, apparently.

> How perplexing. It's odd that the error message is for /var/www/bar
> and any project/cgi-bin parts. I wonder if there's more than one
[..]

Well, I debugged this issue with gdb. The error message is a result of
how the PATH_TRANSLATED cgi env variable is constructed.

For details of the analysis see my bug report:
http://issues.apache.org/bugzilla/show_bug.cgi?id=43666

Best regards
Georg Sauthoff


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Re: CGI works, but client denied error messages in error.log

Posted by Georg Sauthoff <g_...@web.de>.

On 2007-08-08, Georg Sauthoff <g_...@web.de> wrote:
> On 2007-08-08, Vincent Bray <no...@gmail.com> wrote:
>> Some debugging tips:

>> http://wiki.apache.org/httpd/WatchingHttpHeaders

handy command lines - with those you don't have to worry about browser
caches/proxy configurations any more.

>> http://wiki.apache.org/httpd/ClientDeniedByServerConfiguration

Hm, this texts describes the 'normal' reason for this error message - in
the case I observe, no access is denied, and the stated url /var/www/bar
was not requested at all.

Best regards
Georg Sauthoff


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Re: CGI works, but client denied error messages in error.log

Posted by Georg Sauthoff <g_...@web.de>.

On 2007-08-08, Vincent Bray <no...@gmail.com> wrote:
> On 08/08/2007, Georg Sauthoff <g_...@web.de> wrote:
>> Yes I do. Now I disabled it in my Firefox, and tcpdump shows only one
>> 'GET /project/bar ...' per request. Situation has not changed for
>> access/error.log files.

> Does the server still respond correctly with the cgi executed
> response? And is the 'client denied by server configuration' message

Yes.

> still appearing?

Yes.

> Some debugging tips:

> http://wiki.apache.org/httpd/WatchingHttpHeaders
> http://wiki.apache.org/httpd/ClientDeniedByServerConfiguration

Thanks, I will look into them.

Best regards
Georg Sauthoff


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Re: CGI works, but client denied error messages in error.log

Posted by Vincent Bray <no...@gmail.com>.

On 08/08/2007, Georg Sauthoff <g_...@web.de> wrote:
> On 2007-08-08, Vincent Bray <no...@gmail.com> wrote:
> > You need to figure out where these two requests are originating. Have
> > you configured this server to be a forward proxy in your browser?
>
> Yes I do. Now I disabled it in my Firefox, and tcpdump shows only one
> 'GET /project/bar ...' per request. Situation has not changed for
> access/error.log files.

Does the server still respond correctly with the cgi executed
response? And is the 'client denied by server configuration' message
still appearing?

Some debugging tips:

http://wiki.apache.org/httpd/WatchingHttpHeaders
http://wiki.apache.org/httpd/ClientDeniedByServerConfiguration

-- 
noodl

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Re: CGI works, but client denied error messages in error.log

Posted by Georg Sauthoff <g_...@web.de>.

On 2007-08-08, Vincent Bray <no...@gmail.com> wrote:
>> Well, the access.log contains just one enty per cgi-request:
>> 127.0.0.1 - - [08/Aug/2007:11:08:32 +0200] "GET /project/bar
>> HTTP/1.1" 200

> Per cgi-request?

I mean per: 'type 127.0.0.1/project/bar into the browser and hit return
or click at reload'

>> I tcpdumped the connection and I only see two GET messages for each
>> cgi-request (which contain the requested url):
>> # tcpdump -i lo -A -s 0 -vv  | grep GET
>> ...(...(GET http://127.0.0.1/project/bar HTTP/1.1
>> ...4...4GET /project/bar HTTP/1.1
>
> You need to figure out where these two requests are originating. Have
> you configured this server to be a forward proxy in your browser?

Yes I do. Now I disabled it in my Firefox, and tcpdump shows only one
'GET /project/bar ...' per request. Situation has not changed for
access/error.log files.

Best regards
Georg Sauthoff


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Re: CGI works, but client denied error messages in error.log

Posted by Vincent Bray <no...@gmail.com>.

> Well, the access.log contains just one enty per cgi-request:
> 127.0.0.1 - - [08/Aug/2007:11:08:32 +0200] "GET /project/bar
> HTTP/1.1" 200

Per cgi-request?

> I tcpdumped the connection and I only see two GET messages for each
> cgi-request (which contain the requested url):
> # tcpdump -i lo -A -s 0 -vv  | grep GET
> ...(...(GET http://127.0.0.1/project/bar HTTP/1.1
> ...4...4GET /project/bar HTTP/1.1

You need to figure out where these two requests are originating. Have
you configured this server to be a forward proxy in your browser?


-- 
noodl

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] Re: CGI works, but client denied error messages in error.log

Posted by Georg Sauthoff <g_...@web.de>.

On 2007-08-08, Vincent Bray <no...@gmail.com> wrote:
> On 08/08/2007, Georg Sauthoff <g_...@web.de> wrote:
>> I have a working Apache 2 setup and Apache calls successfully the
>> cgi-scripts. The problem is, that for every successfull CGI-call I get a
>> 'client denied by server configuration' error message into the error.log
>> file.
[..]
>> Browser output from 127.0.0.1/project/bar:
>> very big: Hello World!

>> Error message in error.log:
>> [client 127.0.0.1] client denied by server configuration: /var/www/bar
[..]
> How perplexing. It's odd that the error message is for /var/www/bar

Yes, very odd, indeed.

> and any project/cgi-bin parts. I wonder if there's more than one
> request involved, possibly for something like a favicon.ico file?
> Check your access log as well as the error log and see how many
> entries you get per request.

Well, the access.log contains just one enty per cgi-request:
127.0.0.1 - - [08/Aug/2007:11:08:32 +0200] "GET /project/bar
HTTP/1.1" 200

I tcpdumped the connection and I only see two GET messages for each
cgi-request (which contain the requested url):
# tcpdump -i lo -A -s 0 -vv  | grep GET
...(...(GET http://127.0.0.1/project/bar HTTP/1.1
...4...4GET /project/bar HTTP/1.1

Best regards
Georg Sauthoff


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] CGI works, but client denied error messages in error.log

Posted by Vincent Bray <no...@gmail.com>.

On 08/08/2007, Georg Sauthoff <g_...@web.de> wrote:
> I have a working Apache 2 setup and Apache calls successfully the
> cgi-scripts. The problem is, that for every successfull CGI-call I get a
> 'client denied by server configuration' error message into the error.log
> file.
>
> This message conflicts with the fact, that the CGI-call was executed
> successfully and I saw the correct output in the Web browser.
>
> I am basically using a '/ Deny all' policy and a ScriptAlias definition.
> A minimal example:
>
> NameVirtualHost *
> <VirtualHost *>
>   DocumentRoot /var/www/
>
>   <Directory />
>     Options -FollowSymLinks -Indexes -Includes
>     AllowOverride None
>     Order Deny,Allow
>     Deny from all
>   </Directory>
>
>
>   ScriptAlias /project /var/www/project/cgi-bin/test.cgi
>   <Directory /var/www/project/cgi-bin>
>     Order Deny,Allow
>     Allow from all
>   </Directory>
> </VirtualHost>
>
> # cat test.cgi
> #!/bin/sh
>
> cat out.min
>
> # cat out.min
> Content-Type: text/html; charset=utf-8
> Status: 200 OK
>
> <HTML>
> <HEAD></HEAD><BODY><H1>HELLO WORLD!</H1></BODY></HTML
>
> Browser output from 127.0.0.1/project/bar:
> very big: Hello World!
>
> Error message in error.log:
> [client 127.0.0.1] client denied by server configuration: /var/www/bar
>
>
> Can someone explain me this behaviour? I don't understand this. This error
> makes no sense for me, because the script execution works, apparently.

How perplexing. It's odd that the error message is for /var/www/bar
and any project/cgi-bin parts. I wonder if there's more than one
request involved, possibly for something like a favicon.ico file?
Check your access log as well as the error log and see how many
entries you get per request.

-- 
noodl

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org