Differences between revisions 15 and 16
Revision 15 as of 2015-10-22 10:54:15
Size: 3509
Editor: SeanTimmins
Comment:
Revision 16 as of 2016-03-03 01:38:15
Size: 5613
Editor: thumbs
Comment: Complete rewrite of this recipe for clarity, and added new possible causes.
Line 1: Line 1:
= apache HTTP server 2.4 notes = = Client denied by server configuration =
This error means that the access to the directory on the file system was denied by an Apache configuration.

== Apache HTTP server 2.4 notes ==
Line 4: Line 7:
Using 2.4 and 2.2 authorization directives (enabled by [[http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html|mod_access_compat]]) in the same server instance is strongly discouraged because it can cause unexpected 'Client Denied by Server Configuration' errors that may be troublesome to resolve. When using 2.4, please migrate all [[http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html|Allow, Deny, Order and Satisfy]] directives to the 2.4 equivalent using the information in the link above and then comment out the [[http://httpd.apache.org/docs/2.4/mod/mod_so.html#loadmodule|LoadModule]] line for mod_access_compat. == Before you start ==
Line 6: Line 9:
= Client denied by server configuration =
This error means that the access to the directory on the hard disk was denied by an Apache configuration. It could be that access was denied due to an explicit [[http://httpd.apache.org/docs/2.2/en/mod/mod_authz_host.html#deny|deny]] directive or due to an attempt to access a folder that is outside of the DocumentRoot.
It can also happen when you are proxying and there's no access configured for the proxied location. And it is the default response to a PUT request.

These are some reasons for this entry to be recorded in your !ErrorLog:

 * The default Apache config includes {{{Deny from all}}} in the <Directory> block the !DocumentRoot - this must be changed to allow access!
 * If you change the !DocumentRoot, you will need to change the <Directory> block referring the old root, to the refer to the new root
 * You need a <Directory> block for every folder outside of your !DocumentRoot, i.e. your cgi-bin folder.
 * You need a <Directory> or <Location> block for every Alias.
 * You need a <Location> or <Proxy> block for your proxy

To fix this problem, look at the line in your !ErrorLog, to find out which folder it is trying to access. <<BR>> If a <Directory> block already exists for that folder, make sure it is set to allow access as necessary. If not, add a <Directory> block to your Apache configuration file, allowing access as required. See the example below for folder /usr/local/awstats/htdocs.
Before attempting to alter any existing config file, please take note of the full file system path for which access is being denied, and the IP or hostname of the client:
Line 21: Line 12:
<Directory /usr/local/awstats/htdocs>
[<date here>] [error] [client ::1] client denied by server configuration: /var/www/example.com/

}}}

Using the correct path in the [[http://httpd.apache.org/docs/current/mod/core.html#directory|directory]] block for the following examples is essential to solving this problem. In this case, a client from the local machine (::1) is being denied access to /var/www/example.com .

== Troubleshooting ==

The possible causes are:

 * Access was denied due to an explicit [[http://httpd.apache.org/docs/2.2/en/mod/mod_authz_host.html#deny|deny (2.2)]] directive or [[http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require|require (2.4)]] directive in a [[http://httpd.apache.org/docs/current/mod/core.html#directory|directory]] block or .htaccess file.

{{{

DocumentRoot /var/www/example.com

}}}

2.2:

{{{

<Directory /var/www/example.com>
  Order deny,allow
  Deny from all
</Directory>

}}}

2.4:

{{{

<Directory /var/www/example.com>
  Require all denied
</Directory>

}}}

In the above examples, using the following configuration will resolve the issue:

2.2:

{{{

<Directory /var/www/example.com>
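Review bot: The resolution introduced by "In the above examples, using the following configuration will resolve the issue" replaces the deny with Allow from all / Require all granted without first asking whether the deny was intentional. Suggest adding a sentence telling the reader to confirm the directory is meant to be reachable, with a pointer to the "Restricting access a little further" section for cases where only some clients should be let in.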
Line 25: Line 62:
Line 26: Line 64:
This directory block will allow Apache to serve files from this location, in response to an incoming request. This assumes either you have an Alias set up somewhere for serving content from this directory or, less likely, that your !DocumentRoot is /usr/local or /usr/local/awstats.
2.4:
Line 29: Line 68:
ProxyPass /foo http://internal.foo.com:8900/
ProxyPassReverse /foo http://internal.foo.com:8900/

<Directory /var/www/example.com>
  Require all granted
</Directory>

}}}

 * An attempt to access a directory outside of the DocumentRoot defined by an [[http://httpd.apache.org/docs/current/mod/mod_alias.html#alias|alias]] without a corresponding [[http://httpd.apache.org/docs/current/mod/core.html#directory|directory]] block.

{{{

DocumentRoot /var/www/example.com

Alias /foo /var/www/foo

}}}

Solution (2.2):

{{{

<Directory /var/www/foo>
  Order allow,deny
  Allow from all
</Directory>

}}}

Solution (2.4):

{{{

<Directory /var/www/foo>
  Require all granted
</Directory>

}}}

 * Proxying to a service with no explicit access in a [[http://httpd.apache.org/docs/current/mod/core.html#location|location]] block.

{{{

ProxyPass /foo/ http://internal.example.com:8900/

ProxyPassReverse /foo/ http://internal.example.com:8900/

}}}

Solution (2.2):

{{{
Line 35: Line 124:
Line 36: Line 126:
This Location block will allow Apache to proxy content for /foo. This Location block is only needed if there is earlier Proxy or Location block denying access to this resource. Some Linux distributions like Debian put Proxy block with "Deny from all" in their default mod_proxy configuration.
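Review bot: The condition in the removed sentence, that the Location block "is only needed if there is earlier Proxy or Location block denying access to this resource", is not carried over, so the new proxy bullet reads as if every ProxyPass needs an explicit grant. Suggest keeping that condition next to the proxy solution, together with the remark that some distributions put a Proxy block with "Deny from all" in their default mod_proxy configuration.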
Line 38: Line 127:
== Example == Solution (2.4):
Line 40: Line 130:
[Fri Jan 16 15:00:42 2009] [error] [client ::1] client denied by server configuration: /var/www/phpmyadmin/
<Location /foo>
  Require all granted
</Location>
Line 42: Line 136:
Adding "Allow from 127.0.0.0/255.0.0.0 ::1/128" to the ACL, will prevent the apache internal process from erroring.
 * A PUT request was received; a 403 is the default response. Access can be granted with [[http://httpd.apache.org/docs/current/mod/core.html#limitexcept|limitexcept (2.2)]] or [[http://httpd.apache.org/docs/current/mod/mod_allowmethods.html|mod_allowmethods (2.4)]].
 * A mix of [[http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow|allow (2.2)]] and [[http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require|require (2.4)]] directives while using apache HTTPD 2.4, used in the same or separate [[http://httpd.apache.org/docs/current/mod/core.html#directory|directory]] blocks. The new 2.4 directives should be used exclusively, and the [[http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html|mod_access_compat]] module should be unloaded by commenting out the [[http://httpd.apache.org/docs/2.4/mod/mod_so.html#loadmodule|LoadModule]] directive.

{{{

<Directory /var/www/example.com>
  Order allow,deny
  Allow from all
  Require all granted
</Directory>

}}}

The solution:

{{{

<Directory /var/www/example.com>
  Require all granted
</Directory>

}}}

 * Using [[http://www.modsecurity.org/projects/modsecurity/apache/index.html|mod_security]] with an explicit directive to deny access. Altering or commenting out the offending directives from that module will resolve the issue.
 * Using a bandwidth or rate limiting module such as [[http://www.zdziarski.com/blog/?page_id=442|mod_evasive]], [[http://dominia.org/djao/limitipconn2.html|mod_limitipconn]] or [[http://bwmod.sourceforge.net/|mod_bw]]. A capable firewall is far more efficient at limiting traffic bursts, and abusive clients.

== Words of caution ==

The following configuration may be included in your apache HTTPD configuration; its purpose is to prevent unauthorized access to the root of the file system. Under no condition should it be altered. Instead, the existing [[http://httpd.apache.org/docs/current/mod/core.html#directory|directory]] block for the full file system path should be altered, or a new one should be created if it was not already present.

2.2:

{{{

<Directory />
  Order deny,allow
  Deny from all
</Directory>

}}}

2.4:

{{{

<Directory />
  Require all denied
</Directory>

}}}

== Restricting access a little further ==

If granting full access to the resource in question is not an option, specific IP addresses, partial IP addresses, network masks and CIDR specifications can be used with the [[http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow|allow]] and [[http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require|require]] directives.
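Review bot: "Restricting access a little further" is the only section in this rewrite without a 2.2/2.4 example pair; it names IP addresses, partial IP addresses, network masks and CIDR specifications but shows no directive. Suggest adding one pair in the style of the other sections, for instance Allow from 192.0.2.0/24 (2.2) and Require ip 192.0.2.0/24 (2.4).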

Client denied by server configuration

This error means that the access to the directory on the file system was denied by an Apache configuration.

Apache HTTP server 2.4 notes

The 2.4 release introduced significant changes to the authorization and authentication process. Users of that release are encouraged to read this link to migrate their older config files.

Before you start

Before attempting to alter any existing config file, please take note of the full file system path for which access is being denied, and the IP or hostname of the client:

[<date here>] [error] [client ::1] client denied by server configuration: /var/www/example.com/

Using the correct path in the directory block for the following examples is essential to solving this problem. In this case, a client from the local machine (::1) is being denied access to /var/www/example.com .

Troubleshooting

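The possible causes are:

  • Access was denied due to an explicit deny (2.2) directive or require (2.4) directive in a directory block or .htaccess file.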

DocumentRoot /var/www/example.com

2.2:

<Directory /var/www/example.com>
  Order deny,allow
  Deny from all
</Directory>

2.4:

<Directory /var/www/example.com>
  Require all denied
</Directory>

In the above examples, using the following configuration will resolve the issue:

2.2:

<Directory /var/www/example.com>
  Order allow,deny
  Allow from all
</Directory>

2.4:

<Directory /var/www/example.com>
  Require all granted
</Directory>

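  • An attempt to access a directory outside of the DocumentRoot defined by an alias without a corresponding directory block.

DocumentRoot /var/www/example.com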

Alias /foo /var/www/foo

Solution (2.2):

<Directory /var/www/foo>
  Order allow,deny
  Allow from all
</Directory>

Solution (2.4):

<Directory /var/www/foo>
  Require all granted
</Directory>

  • Proxying to a service with no explicit access in a location block.

ProxyPass /foo/ http://internal.example.com:8900/

ProxyPassReverse /foo/ http://internal.example.com:8900/

Solution (2.2):

<Location /foo>
  Order allow,deny
  Allow from all
</Location>

Solution (2.4):

<Location /foo>
  Require all granted
</Location>

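  • A PUT request was received; a 403 is the default response. Access can be granted with limitexcept (2.2) or mod_allowmethods (2.4).

  • A mix of allow (2.2) and require (2.4) directives while using Apache HTTPD 2.4, used in the same or separate directory blocks. The new 2.4 directives should be used exclusively, and the mod_access_compat module should be unloaded by commenting out the LoadModule directive.

<Directory /var/www/example.com>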
  Order allow,deny
  Allow from all
  Require all granted
</Directory>

The solution:

<Directory /var/www/example.com>
  Require all granted
</Directory>

  • Using mod_security with an explicit directive to deny access. Altering or commenting out the offending directives from that module will resolve the issue.

  • Using a bandwidth or rate limiting module such as mod_evasive, mod_limitipconn or mod_bw. A capable firewall is far more efficient at limiting traffic bursts, and abusive clients.
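
For the cause above where Order/Allow and Require end up in the same 2.4 configuration, a checker can find the offending sections before any are edited. This is an added example, not part of the original wiki page or of Apache HTTPD; the function name audit, the finding labels and the sample configuration are assumptions, and it does not follow Include directives.

```python
import re

LEGACY = {"order", "allow", "deny", "satisfy"}  # 2.2 style (mod_access_compat)
SECTION = r"(?:Directory|Location|Proxy|Files)(?:Match)?"
OPEN = re.compile(rf"<({SECTION})\s+([^>]+)>", re.I)
CLOSE = re.compile(rf"</{SECTION}>", re.I)

# Constructed sample configuration, reusing the paths from this page.
SAMPLE = """\
LoadModule access_compat_module modules/mod_access_compat.so
<Directory /var/www/example.com>
  Order allow,deny
  Allow from all
  Require all granted
</Directory>
<Directory /var/www/foo>
  Order allow,deny
  Allow from all
</Directory>
"""


def audit(config_text):
    """Return (kind, scope, line_numbers) findings for mixed 2.2/2.4 rules."""
    findings, legacy_only, stack, modern_seen = [], [], [], False
    for number, raw in enumerate(config_text.splitlines(), 1):
        line, words = raw.strip(), raw.split()
        if not words or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:  # entering a section: start collecting its directives
            name = f"<{opened[1]} {opened[2].strip()}>"
            stack.append({"name": name, "legacy": [], "modern": []})
        elif CLOSE.match(line) and stack:
            sec = stack.pop()
            modern_seen = modern_seen or bool(sec["modern"])
            if sec["legacy"] and sec["modern"]:
                lines = sorted(sec["legacy"] + sec["modern"])
                findings.append(("mixed-in-section", sec["name"], lines))
            elif sec["legacy"]:
                legacy_only.append((sec["name"], sec["legacy"]))
        elif [w.lower() for w in words[:2]] == ["loadmodule", "access_compat_module"]:
            findings.append(("compat-module-loaded", "server", [number]))
        elif stack and words[0].lower() in LEGACY | {"require"}:
            style = "modern" if words[0].lower() == "require" else "legacy"
            stack[-1][style].append(number)
    if modern_seen:  # 2.2-only sections matter once Require is used elsewhere
        findings += [("legacy-beside-modern", n, nums) for n, nums in legacy_only]
    return findings
```

Calling audit(SAMPLE) reports the loaded compatibility module, the section that mixes both styles, and the 2.2-only section that sits beside 2.4 directives; a configuration that uses only Require, or only the 2.2 directives, returns no findings.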

Words of caution

The following configuration may be included in your Apache HTTPD configuration; its purpose is to prevent unauthorized access to the root of the file system. Under no condition should it be altered. Instead, the existing directory block for the full file system path should be altered, or a new one should be created if it was not already present.

2.2:

<Directory />
  Order deny,allow
  Deny from all
</Directory>

2.4:

<Directory />
  Require all denied
</Directory>

Restricting access a little further

If granting full access to the resource in question is not an option, specific IP addresses, partial IP addresses, network masks and CIDR specifications can be used with the allow and require directives.

ClientDeniedByServerConfiguration (last edited 2016-03-03 01:38:15 by thumbs)