Posted to users@httpd.apache.org by Marat Khalili <mk...@rqc.ru> on 2018/02/09 09:42:36 UTC

[users@httpd] Spurious access denied errors

Dear list,

I've installed and configured mediawiki as follows (on top of default 
Ubuntu 16.04 Apache/2.4.18 installation):

>         DocumentRoot /var/www/html
>
>         <Directory /var/www>
>                 Options None
>                 Require all denied
>         </Directory>
>
>         <Directory /opt/local/mediawiki>
>                 Options ExecCGI
>                 Require host proxy.example.com
>         </Directory>
>         <Directory /mnt/mediawiki/images>
>                 Options None
>                 Require host proxy.example.com
>         </Directory>
>
>         Alias /wiki /opt/local/mediawiki/index.php
>         Alias /w/images /mnt/mediawiki/images
>         Alias /w /opt/local/mediawiki

*Everything works*, i.e. the client successfully receives all pages with 
appropriate HTTP statuses in both client and Apache access log. However, 
for each request like /wiki/test I see the following extra message in 
error.log:

> [Fri Feb 09 09:35:25.368731 2018] [authz_core:error] [pid 695] [client 
> 10.4.1.4:56622] AH01630: client denied by server configuration: 
> /var/www/html/test

If I remove the <Directory /var/www> clause, these messages disappear. They 
trigger fail2ban and are generally confusing. What may be causing them 
and how can I make them stop?


--

With Best Regards,
Marat Khalili

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Spurious access denied errors

Posted by Marat Khalili <mk...@rqc.ru>.
On Sun, Feb 11, 2018 at 4:56 AM, Daniel <df...@gmail.com> wrote:

> The error may come from a subrequest, which is an internal feature
> that a module like mod_dir might use to probe if some URL exists.

Thank you for the suggestion. I tried to disable mod_dir, fortunately 
mediawiki seems to work fine without it, but the error is still there. 
Allowing access to DocumentRoot of course solves the problem, but I'm 
still curious...

--

With Best Regards,
Marat Khalili




Re: [users@httpd] Spurious access denied errors

Posted by Eric Covener <co...@gmail.com>.
On Sun, Feb 11, 2018 at 4:56 AM, Daniel <df...@gmail.com> wrote:
> what if?
>
> The way I see it you are the admin and supposed to set up a correct
> documentroot, there is no "what if" for things under your control
> imo.
>
> About the internals probably some knowledgeable dev can tell you much
> better than I, but afaik DocumentRoot is always checked because it is
> "where all starts", that is, by definition DocumentRoot is where
> apache starts looking when serving requests, all things you "mount"
> such as aliases are "mounted" on top/after/relative to it, so just
> take better care where you point the documentroot because it is
> important.

The error may come from a subrequest, which is an internal feature
that a module like mod_dir might use to probe if some URL exists.



Re: [users@httpd] Spurious access denied errors

Posted by Daniel <df...@gmail.com>.
what if?

The way I see it you are the admin and supposed to set up a correct
documentroot, there is no "what if" for things under your control
imo.

About the internals probably some knowledgeable dev can tell you much
better than I, but afaik DocumentRoot is always checked because it is
"where all starts", that is, by definition DocumentRoot is where
apache starts looking when serving requests, all things you "mount"
such as aliases are "mounted" on top/after/relative to it, so just
take better care where you point the documentroot because it is
important.

2018-02-09 20:21 GMT+01:00 Marat Khalili <mk...@rqc.ru>:
>> Probably because you are essentially denying access to documentroot and this path is checked for all requests.
>
> Looks like you are right, but why? What if there's a file there? What if there's a script there? A device file or a symbolic link to one?
>
>> or change documentroot to a directory you can give access even if it's an empty directory to get rid of those messages or change the documentroot to something else.
>
> I will do like you advise, but would still like to learn what's going on.
> --
>
> With Best Regards,
> Marat Khalili
>



-- 
Daniel Ferradal
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal



Re: [users@httpd] Spurious access denied errors

Posted by Marat Khalili <mk...@rqc.ru>.
> Probably because you are essentially denying access to documentroot and this path is checked for all requests.

Looks like you are right, but why? What if there's a file there? What if there's a script there? A device file or a symbolic link to one?

> or change documentroot to a directory you can give access even if it's an empty directory to get rid of those messages or change the documentroot to something else.

I will do like you advise, but would still like to learn what's going on.
-- 

With Best Regards,
Marat Khalili



Re: [users@httpd] Spurious access denied errors

Posted by Daniel <df...@gmail.com>.
Probably because you are essentially denying access to documentroot
and this path is checked for all requests.

Add a
<Directory /var/www/html>
Require all granted
</Directory>

or change documentroot to a directory you can give access even if it's
an empty directory to get rid of those messages or change the
documentroot to something else.

Denying access to documentroot by default is not...

2018-02-09 16:30 GMT+01:00 Marat Khalili <mk...@rqc.ru>:
>> At first glance, something in your browser is probably requesting the page
>> /test. Since it doesn't correspond to any of your alias statements, it hits
>> the DocumentRoot which you have denied access to.
>>
>> Is there a corresponding entry in your access log?
>
>
>
> There's no entry in access log, and the problem is easily reproduced with
> curl/wget. There's only one request visible in tcpdump. I've also confirmed
> that excluding proxy does not fix the problem.
>
> On the other hand, I don't see the same problem on bare Apache installation
> serving only static files. Can Mediawiki PHP create some internal requests?
> How can I debug this?
>
>
> --
>
> With Best Regards,
> Marat Khalili
>
>



-- 
Daniel Ferradal
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal



Re: [users@httpd] Spurious access denied errors

Posted by Marat Khalili <mk...@rqc.ru>.
> At first glance, something in your browser is probably requesting the 
> page /test. Since it doesn't correspond to any of your alias 
> statements, it hits the DocumentRoot which you have denied access to.
>
> Is there a corresponding entry in your access log?


There's no entry in access log, and the problem is easily reproduced 
with curl/wget. There's only one request visible in tcpdump. I've also 
confirmed that excluding proxy does not fix the problem.

On the other hand, I don't see the same problem on bare Apache installation 
serving only static files. Can Mediawiki PHP create some internal 
requests? How can I debug this?

--

With Best Regards,
Marat Khalili
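
One way to approach the "How can I debug this?" question above, as an added example that is not part of the original thread: correlate each AH01630 line with the access log, to separate denials the client actually received as a 403 from denials logged while the client's request succeeded, which is the situation the thread describes. The log lines are constructed samples modelled on the one quoted in the thread; the function names, the default Ubuntu log formats and the 2-second matching window are assumptions.

```python
import re
from datetime import datetime

# Constructed samples modelled on the thread; default Ubuntu log formats assumed.
ERROR_LOG = """\
[Fri Feb 09 09:35:25.368731 2018] [authz_core:error] [pid 695] [client 10.4.1.4:56622] AH01630: client denied by server configuration: /var/www/html/test
[Fri Feb 09 09:36:02.120000 2018] [authz_core:error] [pid 696] [client 10.4.1.9:40112] AH01630: client denied by server configuration: /var/www/html/secret
"""
ACCESS_LOG = """\
10.4.1.4 - - [09/Feb/2018:09:35:25 +0300] "GET /wiki/test HTTP/1.1" 200 5123 "-" "curl/7.47.0"
10.4.1.9 - - [09/Feb/2018:09:36:02 +0300] "GET /secret HTTP/1.1" 403 279 "-" "curl/7.47.0"
"""

ERR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[authz_core:error\] \[pid [^\]]+\] '
                    r'\[client (?P<ip>[^\]]+):\d+\] AH01630: client denied by '
                    r'server configuration: (?P<path>/[^,\s]*)')
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]+\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) ')

def parse_access(text):
    """Yield (ip, local time, request line, status) for each access-log line."""
    for line in text.splitlines():
        m = ACC_RE.match(line)
        if m:
            when = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S')
            yield m['ip'], when, m['req'], int(m['status'])

def classify_denials(error_text, access_text, window=2.0):
    """Return (ip, denied path, verdict, nearby requests) per AH01630 line."""
    # Assumption: both logs use the same local time zone; window is in seconds.
    access = list(parse_access(access_text))
    results = []
    for m in filter(None, map(ERR_RE.match, error_text.splitlines())):
        when = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S.%f %Y')
        near = [a for a in access if a[0] == m['ip']
                and abs((when - a[1]).total_seconds()) <= window]
        if any(a[3] == 403 for a in near):
            verdict = 'client-visible'   # the client really received a 403
        elif near:
            verdict = 'internal-only'    # request succeeded; denial stayed internal
        else:
            verdict = 'unmatched'        # nothing in the access log to compare
        results.append((m['ip'], m['path'], verdict, [a[2] for a in near]))
    return results

if __name__ == '__main__':
    for row in classify_denials(ERROR_LOG, ACCESS_LOG):
        print(row)
```

An "internal-only" verdict names the client request that was being served when the denial was logged, which shows which URL pattern produces the extra error.log line.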




Re: [users@httpd] Spurious access denied errors

Posted by Yehuda Katz <ye...@ymkatz.net>.
At first glance, something in your browser is probably requesting the page
/test. Since it doesn't correspond to any of your alias statements, it hits
the DocumentRoot which you have denied access to.

Is there a corresponding entry in your access log?

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Feb 9, 2018 4:43 AM, "Marat Khalili" <mk...@rqc.ru> wrote:

Dear list,

I've installed and configured mediawiki as follows (on top of default
Ubuntu 16.04 Apache/2.4.18 installation):

>         DocumentRoot /var/www/html
>
>         <Directory /var/www>
>                 Options None
>                 Require all denied
>         </Directory>
>
>         <Directory /opt/local/mediawiki>
>                 Options ExecCGI
>                 Require host proxy.example.com
>         </Directory>
>         <Directory /mnt/mediawiki/images>
>                 Options None
>                 Require host proxy.example.com
>         </Directory>
>
>         Alias /wiki /opt/local/mediawiki/index.php
>         Alias /w/images /mnt/mediawiki/images
>         Alias /w /opt/local/mediawiki
>

*Everything works*, i.e. the client successfully receives all pages with
appropriate HTTP statuses in both client and Apache access log. However,
for each request like /wiki/test I see the following extra message in
error.log:

> [Fri Feb 09 09:35:25.368731 2018] [authz_core:error] [pid 695] [client
> 10.4.1.4:56622] AH01630: client denied by server configuration:
> /var/www/html/test
>

If I remove the <Directory /var/www> clause, these messages disappear. They
trigger fail2ban and are generally confusing. What may be causing them and
how can I make them stop?


--

With Best Regards,
Marat Khalili
