Differences between revisions 16 and 17
Revision 16 as of 2016-03-03 01:38:15
Size: 5613
Editor: thumbs
Comment: Complete rewrite of this recipe for clarity, and added new possible causes.
Revision 17 as of 2017-12-18 09:45:32
Size: 5696
Comment: Clarification, many people are not aware at first that directory permissions propagate to subdirectories.

Client denied by server configuration

This error means that access to the directory on the file system was denied by the Apache configuration.

Apache HTTP server 2.4 notes

The 2.4 release introduced significant changes to the authorization and authentication process. Users of that release are encouraged to read this link to migrate their older config files.

Before you start

Before attempting to alter any existing config file, please take note of the full file system path for which access is being denied, and the IP or hostname of the client:

[<date here>] [error] [client ::1] client denied by server configuration: /var/www/example.com/

Using the correct path in the directory block for the following examples is essential to solving this problem. In this case, a client from the local machine (::1) is being denied access to /var/www/example.com.

Troubleshooting

First, remember "Directory" permissions propagate to subdirectories by default.

The possible causes are:

DocumentRoot /var/www/example.com

2.2:

<Directory /var/www/example.com>
  Order deny,allow
  Deny from all
</Directory>

2.4:

<Directory /var/www/example.com>
  Require all denied
</Directory>

In the above examples, using the following configuration will resolve the issue:

2.2:

<Directory /var/www/example.com>
  Order allow,deny
  Allow from all
</Directory>

2.4:

<Directory /var/www/example.com>
  Require all granted
</Directory>

DocumentRoot /var/www/example.com

Alias /foo /var/www/foo

Solution (2.2):

<Directory /var/www/foo>
  Order allow,deny
  Allow from all
</Directory>

Solution (2.4):

<Directory /var/www/foo>
  Require all granted
</Directory>

  • Proxying to a service with no explicit access in a location block.

ProxyPass /foo/ http://internal.example.com:8900/

ProxyPassReverse /foo/ http://internal.example.com:8900/

Solution (2.2):

<Location /foo>
  Order allow,deny
  Allow from all
</Location>

Solution (2.4):

<Location /foo>
  Require all granted
</Location>

<Directory /var/www/example.com>
  Order allow,deny
  Allow from all
  Require all granted
</Directory>

The solution:

<Directory /var/www/example.com>
  Require all granted
</Directory>

  • Using mod_security with an explicit directive to deny access. Altering or commenting out the offending directives from that module will resolve the issue.

  • Using a bandwidth or rate limiting module such as mod_evasive, mod_limitipconn or mod_bw. A capable firewall is far more efficient at limiting traffic bursts and abusive clients.
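
The triage described above can be scripted: take the denied path from the error log line, list every Directory block that covers it (shortest first, since permissions propagate to subdirectories), and flag blocks that mix 2.2 and 2.4 directives. This is an added example, not part of the original recipe or of Apache itself; the function names and the sample configuration are hypothetical. It assumes a single config file and only plain `<Directory>` blocks (no Location, Files, .htaccess, wildcards or Include).

```python
import re

# Matches the 2.2-style line shown on this page and the 2.4 style, which
# puts an "AH01630: " code before the message.
DENIED = re.compile(r"\[client (?P<client>[^\]]+)\] (?:AH\d+: )?"
                    r"client denied by server configuration: (?P<path>\S+)")
BLOCK = re.compile(r'<Directory\s+"?(?P<path>[^">]+?)"?\s*>(?P<body>.*?)</Directory>',
                   re.S | re.I)
OLD, NEW = ("order", "allow", "deny"), ("require",)

# Constructed sample configuration (not from a real server).
SAMPLE_CONF = """
<Directory />
  Require all denied
</Directory>
<Directory /var/www/example.com>
  AllowOverride None
  Order allow,deny
  Allow from all
  Require all granted
</Directory>
"""

def keyword(line):
    """First word of a config line, lower-cased ('' for a blank line)."""
    return (line.split() or [""])[0].lower()

def directory_blocks(config):
    """Return [(path, [access directives])] for each plain <Directory> block."""
    return [(m["path"].rstrip("/") or "/",
             [l.strip() for l in m["body"].splitlines() if keyword(l) in OLD + NEW])
            for m in BLOCK.finditer(config)]

def covers(block_path, denied_path):
    """A <Directory> block applies to its own path and everything beneath it."""
    return block_path == "/" or (denied_path.rstrip("/") + "/").startswith(block_path + "/")

def explain(log_line, config):
    """Blocks covering the denied path, shortest first, plus blocks mixing syntaxes."""
    m = DENIED.search(log_line)
    if m is None:
        return None
    chain = sorted((b for b in directory_blocks(config) if b[1] and covers(b[0], m["path"])),
                   key=lambda b: len(b[0]))
    mixed = [p for p, rules in chain
             if {keyword(r) for r in rules} & set(OLD) and {keyword(r) for r in rules} & set(NEW)]
    return {"client": m["client"], "path": m["path"], "chain": chain,
            "inspect_first": chain[-1][0] if chain else None, "mixed": mixed}
```

When `inspect_first` is `/`, no block exists for the denied path itself, so the fix is a new block for that path rather than a change to the root block.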

Words of caution

The following configuration may be included in your Apache httpd configuration; its purpose is to prevent unauthorized access to the root of the file system. Under no condition should it be altered. Instead, the existing directory block for the full file system path should be altered, or a new one should be created if it was not already present.

2.2:

<Directory />
  Order deny,allow
  Deny from all
</Directory>

2.4:

<Directory />
  Require all denied
</Directory>

Restricting access a little further

If granting full access to the resource in question is not an option, specific IP addresses, partial IP addresses, network masks and CIDR specifications can be used with the Allow and Require directives.

ClientDeniedByServerConfiguration (last edited 2017-12-18 09:45:32 by DanielFerradal)