# apache daemon

## phoenix

hello,

i am having a problem with my apache.  i get an error that says: FORBIDDEN you do not have permission to access / on this server.

i read somewhere that the user that runs the apache daemon does not have permission to access the folder that my website stuff is in.  any suggestions on how to make root run all of the apache processes instead of my user.

Thanks in advance,

phoenix

----------

## klieber

 *phoenix wrote:*   

> any suggestions on how to make root run all of the apache processes instead of my user.

 

This is one of the worst mistakes you can ever make on a web server.  (or any server, for that matter)

A better solution is to simply give the unprivileged apache account permissions to access the web root directory.

--kurt

----------

## mglauche

Hmmm, i think there are a few misunderstandings about how apache works, and where to look for the error:

1) klieber is right, apache never should run as root. very very bad. I don't know, but apache would spill many warnings at least if you do so.

2) apache normally runs under the user "nobody" and group "nobody", but this is only a VERY rightless account, you can use other useraccounts (httpd is a good idea )

3) now to your problem: Permission denied for /, first check the Rights for the DocumentRoot of apache.  (in /etc/apache/conf/apache.conf)

That directory has to be accessible by the user and group of the webserver (i.e. readable by apache, normally with modes like 644 -rw-r--r--) 

4) If the rights to that directory (and the upper dirs, too !) are correct, then check commonapache.conf and search for a line like this:

```
#
# This should be changed to whatever you set DocumentRoot to.
#
```

Then a line with your document root should follow:

```
<Directory /home/httpd/htdocs>
```

(this is the default one .. set it to the same DocumentRoot as in apache.conf !)

Now apache should work, if you are still getting access denied, it's time to read the logs  :Smile:  (/var/log/apache)

Hope this helps,

   Michael

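The check from points 3 and 4 of the post above (the DocumentRoot and every directory above it must be accessible to the server's account), as an added example that is not part of the original post. It decides from the mode bits alone whether a given uid can reach a path; the sample tree and the uid used in the demo are constructed.

```python
import os
import stat
import tempfile

def _bits(st, uid, gids):
    # The kernel applies exactly one rwx triplet: owner, else group, else other.
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def traversal_report(path, uid, gids):
    """[(component, ok, mode string)] from / down to path, computed from mode
    bits only (no ACLs, uid 0 not special-cased), so any user can run it."""
    path = os.path.realpath(path)
    chain = [path]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    report = []
    for comp in reversed(chain):
        st = os.stat(comp)
        if comp != path:
            need = 0o1                      # ancestors: search (x) only
        elif stat.S_ISDIR(st.st_mode):
            need = 0o5                      # the DocumentRoot itself: r-x
        else:
            need = 0o4                      # a plain file: r
        ok = (_bits(st, uid, gids) & need) == need
        report.append((comp, ok, stat.filemode(st.st_mode)))
    return report

def build_sample_tree():
    """Constructed sample: <tmp>/home (755) / httpd (700) / htdocs (755)."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "home", "httpd", "htdocs")
    os.makedirs(docroot)
    for rel, mode in (("", 0o755), ("home", 0o755),
                      ("home/httpd", 0o700), ("home/httpd/htdocs", 0o755)):
        os.chmod(os.path.join(base, rel), mode)
    return base, docroot

if __name__ == "__main__":
    base, docroot = build_sample_tree()
    other_uid = os.getuid() + 1             # hypothetical web-server uid
    for comp, ok, mode in traversal_report(docroot, other_uid, set()):
        print("ok  " if ok else "DENY", mode, comp)
```

On a real host, pass the uid and the set of group ids that `id nobody` (or whichever account the server runs as) prints, and the real DocumentRoot.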

----------

## phoenix

i checked the log file   error_log   and this is the message i get:

[Sat Jul 13 20:54:47 2002] [error] [client 192.168.1.35] client denied by server configuration: /home/httpd/phpwebsite_en

suggestions will be greatly appreciated

-phoenix

----------

## Sequentious

I had a similar problem because my index file was a perl script. I had to add ExecCGI to my server root.

Also: how would one go about starting apache properly, then? both through console and through init scripts - this machine doesn't often run a server except to test scripts i write. However, I'm building a second machine to act as an email and web server, so naturally on that machine i would want apache started automatically.

----------

## rac

 *Sequentious wrote:*   

> how would one go about starting apache properly, then? both through console and through init scripts

 

How do you start the other daemons on your system?

----------

## Sequentious

 *rac wrote:*   

> How do you start the other daemons on your system?

Right now I'm not running very many network daemons. I use ssmtp, rather than sendmail, and not much loads at startup.

I suppose i'd use the gentoo tool:

```
rc-update add apache default
```

Until now, I was just doing

```
su -
apachectl start
```

So I suppose I don't want to do this anymore  :Smile: 

(Edited to correct command used to start apache)

----------

## Nitro

 *phoenix wrote:*   

> i checked the log file   error_log   and this is the message i get:
> 
> [Sat Jul 13 20:54:47 2002] [error] [client 192.168.1.35] client denied by server configuration: /home/httpd/phpwebsite_en
> 
> suggestions will be greatly appreciated
> ...

 

Error Logs don't lie (and if they do, we call it a bug.  :Smile: ).  Look in your apache config file for <Directory> directives.  The error log tells us that it's not a filesystem permission problem, so we don't have to track that down.

I think you need a new <Directory> setup.  Try the following:

```
<Directory "/home/httpd/phpwebsite_en">
   Options FollowSymLinks Indexes
   AllowOverride None
   Order allow,deny
   Allow from all
</Directory>
```

That is a very restrictive directory for the most part.  If you would like to learn more about it, look at http://httpd.apache.org/docs/mod/core.html#directory.  If you run into more trouble, provide us with more information, and we will be glad to help.  :Smile: 
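The distinction drawn in the post above, between a denial made by the server configuration and one made by the filesystem, as an added example that is not part of the original post. It sorts error_log lines by the layer that refused the request; only the first message fragment appears in this thread, the other fragments and all sample lines except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# [date] [level] [client ip] message  (error_log layout as quoted in the thread)
LINE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (?:\[client ([^\]]+)\] )?(.*)$")

# Message fragment -> (layer, what to inspect). Only the first fragment is from
# the thread; the others are assumptions recalled from Apache logs of that era.
CAUSES = [
    ("client denied by server configuration", "config", "Order/Allow/Deny in the covering <Directory>"),
    ("Permission denied", "filesystem", "mode bits on the path and every parent directory"),
    ("Options ExecCGI is off", "config", "Options line of the covering <Directory>"),
    ("Directory index forbidden", "config", "no index file while Options lacks Indexes"),
]

def classify(line):
    """Dict (layer, check, path, client) for an [error] line, else None."""
    m = LINE.match(line.strip())
    if not m or m.group(2) != "error":
        return None
    client, msg = m.group(3), m.group(4)
    _, sep, tail = msg.rpartition(": ")
    path = tail if sep and tail.startswith("/") else None
    for fragment, layer, check in CAUSES:
        if fragment in msg:
            return {"layer": layer, "check": check, "path": path, "client": client}
    return {"layer": "unknown", "check": "read the full message", "path": path, "client": client}

def triage(lines):
    """Count denials per (layer, path) so the dominant cause stands out."""
    hits = (classify(l) for l in lines)
    return Counter((h["layer"], h["path"]) for h in hits if h)

# Constructed sample log; only the first line is the one quoted in the thread.
SAMPLE = """\
[Sat Jul 13 20:54:47 2002] [error] [client 192.168.1.35] client denied by server configuration: /home/httpd/phpwebsite_en
[Sat Jul 13 20:55:02 2002] [error] [client 192.168.1.35] client denied by server configuration: /home/httpd/phpwebsite_en
[Sat Jul 13 21:10:11 2002] [error] [client 192.168.1.35] (13)Permission denied: file permissions deny server access: /home/httpd/htdocs/index.html
[Sat Jul 13 21:12:40 2002] [error] [client 192.168.1.35] Options ExecCGI is off in this directory: /home/httpd/htdocs/index.pl
[Sat Jul 13 21:15:00 2002] [notice] caught SIGTERM, shutting down
""".splitlines()

if __name__ == "__main__":
    for (layer, path), n in triage(SAMPLE).most_common():
        print(n, layer, path)
```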

----------

## rac

 *Sequentious wrote:*   

> I suppose i'd use the gentoo tool:
> 
> ```
> rc-update add apache default
> ```
> ...

 

Sounds good.

 *Quote:*   

> Until now, I was just doing
> 
> ```
> su -
> ```
> ...

 

Although the better long-term solution is probably to add it to the default runlevel like you planned to above, maybe a more reusable way to start daemons temporarily from the command line is:

```
# /etc/init.d/apache start
```

----------

## Sequentious

thanks rac, that's what I will do for now, until i start up my server

----------

## phoenix

thanks nitro,

that worked.  i can access my site locally now, but i can't access it anywhere else.  i have port 80 open in my dsl modem and pointed towards the proper local ip address.  i can ssh to the box from anywhere and i can do what i need to with the other ports i have open and pointed to that box. i can't seem to figure out why i can't access my site externally.  it just sits there.  my domain is scooby.linux-site.net.

thanks,

phoenix

----------

## delta407

That sounds like a different issue; Apache isn't rejecting it, or it would get a 403 error (that and the "Allow from all" line).

----------

## Nitro

 *phoenix wrote:*   

> that worked.  i can access my site locally now, but i can't access it anywhere else.  i have port 80 open in my dsl modem and pointed towards the proper local ip address.  i can ssh to the box from anywhere and i can do what i need to with the other ports i have open and pointed to that box. i can't seem to figure out why i can't access my site externally.  it just sits there.  my domain is scooby.linux-site.net.

 

This sounds like your ISP is blocking port 80.  :Sad:  Nothing you can do.  Try running it on another port, how bout port 81?  If that doesn't work then we can assume that your ISP is not blocking port 80, and you have a different issue.

----------

## rac

 *phoenix wrote:*   

> i can't seem to figure out why i can't access my site externally.  it just sits there.  my domain is scooby.linux-site.net.

 

I'm coming at you from Japan, so I don't know how useful this is. I can ping scooby, but traceroute stops consistently at splitrock_shasta.sdnet.net (63.65.236.40).  Could somebody be firewalling incoming port 80 traffic upstream from you?  Does your ISP have a "no-server" rule in their TOS, for example?

----------

## Xor

well... my 2 cents is make the directory "executable" (+x).... that may help...   :Question: 

----------

