# Apache 403 error help

## Ynazar1

Hi, my first post here, been browsing for years now....  :Smile: 

Alright this is going to one long post but i will try to give as much info as possible.

I have a reasonably fresh gentoo install. And everything is working fine except that i cannot get fresh install of apache 2.0.55 to work. Every single time i try to access anything it just gives me:

```
Forbidden

You don't have permission to access /index.html on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

--------------------------------------------------------------------------------

Apache Server at brand Port 80
```

So... Lets start with info:

CFLAGS="-march=pentium4 -O3 -pipe -fomit-frame-pointer"

USE="-X -gtk -gtk2 -gnome -kde -qt -alsa dba gd apache2 x86 php acl -java -ipv6 -vhosts -postfix -nls"

```
brand ~ # tail /var/log/apache2/error_log

[Tue Dec 20 16:01:13 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 20 16:01:13 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 20 16:01:13 2005] [notice] Digest: done

[Tue Dec 20 16:01:13 2005] [notice] Apache configured -- resuming normal operations

[Tue Dec 20 16:01:13 2005] [info] Server built: Dec 20 2005 15:47:45

[Tue Dec 20 16:01:13 2005] [debug] prefork.c(956): AcceptMutex: sysvsem (default: sysvsem)

[Tue Dec 20 16:01:16 2005] [error] [client 10.10.2.45] (13)Permission denied: access to / denied

[Tue Dec 20 16:01:17 2005] [error] [client 10.10.2.45] (13)Permission denied: access to / denied

[Tue Dec 20 16:01:17 2005] [error] [client 10.10.2.45] (13)Permission denied: access to / denied

[Tue Dec 20 16:01:21 2005] [error] [client 10.10.2.45] (13)Permission denied: access to /index.html denied

```

```
brand ~ # tail /var/log/apache2/access_log

10.10.2.45 - - [20/Dec/2005:15:49:58 -0600] "GET / HTTP/1.1" 403 376

10.10.2.45 - - [20/Dec/2005:15:49:59 -0600] "GET / HTTP/1.1" 403 376

10.10.2.45 - - [20/Dec/2005:15:49:59 -0600] "GET / HTTP/1.1" 403 376

10.10.2.45 - - [20/Dec/2005:15:49:59 -0600] "GET / HTTP/1.1" 403 376

10.10.2.45 - - [20/Dec/2005:15:50:00 -0600] "GET / HTTP/1.1" 403 376

10.10.2.45 - - [20/Dec/2005:16:00:47 -0600] "GET / HTTP/1.1" 403 376

10.10.2.45 - - [20/Dec/2005:16:01:16 -0600] "GET / HTTP/1.1" 403 376

10.10.2.45 - - [20/Dec/2005:16:01:17 -0600] "GET / HTTP/1.1" 403 376

10.10.2.45 - - [20/Dec/2005:16:01:17 -0600] "GET / HTTP/1.1" 403 376

10.10.2.45 - - [20/Dec/2005:16:01:21 -0600] "GET /index.html HTTP/1.1" 403 386

```

```
brand ~ # grep -v "#" /etc/conf.d/apache2

APACHE2_OPTS="-D DEFAULT_VHOST"

KEEPENV="PATH"

```

```

brand ~ # grep -v "#" /etc/apache2/vhosts.d/00_default_vhost.conf

NameVirtualHost *:80

<IfDefine DEFAULT_VHOST>

<VirtualHost *:80>

    DocumentRoot "/var/www/localhost/htdocs"

    <Directory "/var/www/localhost/htdocs">

        Options Indexes FollowSymLinks

        AllowOverride None

        Order allow,deny

        Allow from all

    </Directory>

    <IfModule peruser.c>

        ServerEnvironment apache apache

        MinSpareProcessors 4

        MaxProcessors 20

    </IfModule>

</VirtualHost>

</IfDefine>

```

```

brand ~ # grep -v "#" /etc/apache2/httpd.conf

ServerRoot "/usr/lib/apache2"

<IfModule !perchild.c>

</IfModule>

PidFile "/var/run/apache2.pid"

Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 15

<IfModule prefork.c>

    StartServers         5

    MinSpareServers      5

    MaxSpareServers     10

    MaxClients         150

    MaxRequestsPerChild  0

</IfModule>

<IfModule worker.c>

    StartServers         2

    MaxClients         150

    MinSpareThreads     25

    MaxSpareThreads     75

    ThreadsPerChild     25

    MaxRequestsPerChild  0

</IfModule>

<IfModule perchild.c>

    NumServers           5

    StartThreads         5

    MinSpareThreads      5

    MaxSpareThreads     10

    MaxThreadsPerChild  20

    MaxRequestsPerChild  0

</IfModule>

<IfModule peruser.c>

    ServerLimit          256

    MaxClients           256

    MinSpareProcessors     2

    MaxProcessors         10

    MaxRequestsPerChild 1000

    ExpireTimeout       1800

    Multiplexer nobody nobody

    Processor apache apache

</IfModule>

Listen 80

LoadModule access_module                 modules/mod_access.so

LoadModule auth_module                   modules/mod_auth.so

LoadModule auth_anon_module              modules/mod_auth_anon.so

LoadModule auth_dbm_module               modules/mod_auth_dbm.so

LoadModule auth_digest_module            modules/mod_auth_digest.so

LoadModule charset_lite_module           modules/mod_charset_lite.so

LoadModule env_module                    modules/mod_env.so

LoadModule expires_module                modules/mod_expires.so

LoadModule headers_module                modules/mod_headers.so

LoadModule mime_module                   modules/mod_mime.so

LoadModule negotiation_module            modules/mod_negotiation.so

LoadModule setenvif_module               modules/mod_setenvif.so

LoadModule log_config_module             modules/mod_log_config.so

LoadModule logio_module                  modules/mod_logio.so

LoadModule cgi_module                    modules/mod_cgi.so

LoadModule cgid_module                   modules/mod_cgid.so

LoadModule suexec_module                 modules/mod_suexec.so

LoadModule alias_module                  modules/mod_alias.so

LoadModule rewrite_module                modules/mod_rewrite.so

<IfDefine USERDIR>

    LoadModule userdir_module            modules/mod_userdir.so

</IfDefine>

<IfDefine INFO>

    LoadModule info_module               modules/mod_info.so

    LoadModule status_module             modules/mod_status.so

</IfDefine>

LoadModule actions_module                modules/mod_actions.so

LoadModule autoindex_module              modules/mod_autoindex.so

LoadModule dir_module                    modules/mod_dir.so

LoadModule ext_filter_module             modules/mod_ext_filter.so

LoadModule deflate_module                modules/mod_deflate.so

LoadModule include_module                modules/mod_include.so

<IfDefine PROXY>

    LoadModule proxy_module                  modules/mod_proxy.so

    LoadModule proxy_connect_module          modules/mod_proxy_connect.so

    LoadModule proxy_ftp_module              modules/mod_proxy_ftp.so

    LoadModule proxy_http_module             modules/mod_proxy_http.so

</IfDefine>

Include /etc/apache2/modules.d/*.conf

User apache

Group apache

ServerAdmin root@localhost

UseCanonicalName Off

<Directory />

    Options FollowSymLinks

    AllowOverride None

</Directory>

<IfModule mod_userdir.c>

    UserDir public_html

    <Directory /home/*/public_html>

        AllowOverride FileInfo AuthConfig Limit Indexes

        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

        <Limit GET POST OPTIONS PROPFIND>

            Order allow,deny

            Allow from all

       </Limit>

       <LimitExcept GET POST OPTIONS PROPFIND>

            Order deny,allow

            Deny from all

       </LimitExcept>

    </Directory>

</IfModule>

DirectoryIndex index.html index.html.var

AccessFileName .htaccess

<Files ~ "^\.ht">

    Order allow,deny

    Deny from all

</Files>

TypesConfig /etc/mime.types

DefaultType text/plain

<IfModule mod_mime_magic.c>

    MIMEMagicFile /etc/apache2/magic

</IfModule>

HostnameLookups Off

ErrorLog logs/error_log

LogLevel debug

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script

LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost

CustomLog logs/access_log common

ServerTokens Prod

ServerSignature On

Alias /icons/ "/var/www/localhost/icons/"

<Directory "/var/www/localhost/icons/">

    Options Indexes MultiViews

    AllowOverride None

    Order allow,deny

    Allow from all

</Directory>

ScriptAlias /cgi-bin/ /var/www/localhost/cgi-bin/

<IfModule mod_cgid.c>

</IfModule>

<Directory "/var/www/localhost/cgi-bin/">

    AllowOverride None

    Options None

    Order allow,deny

    Allow from all

</Directory>

<IfModule mod_autoindex.c>

    IndexOptions FancyIndexing VersionSort

    AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

    AddIconByType (TXT,/icons/text.gif) text/*

    AddIconByType (IMG,/icons/image2.gif) image/*

    AddIconByType (SND,/icons/sound2.gif) audio/*

    AddIconByType (VID,/icons/movie.gif) video/*

    AddIcon /icons/binary.gif .bin .exe

    AddIcon /icons/binhex.gif .hqx

    AddIcon /icons/tar.gif .tar

    AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv

    AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip

    AddIcon /icons/a.gif .ps .ai .eps

    AddIcon /icons/layout.gif .html .shtml .htm .pdf

    AddIcon /icons/text.gif .txt

    AddIcon /icons/c.gif .c

    AddIcon /icons/p.gif .pl .py

    AddIcon /icons/f.gif .for

    AddIcon /icons/dvi.gif .dvi

    AddIcon /icons/uuencoded.gif .uu

    AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl

    AddIcon /icons/tex.gif .tex

    AddIcon /icons/bomb.gif core

    AddIcon /icons/back.gif ..

    AddIcon /icons/hand.right.gif README

    AddIcon /icons/folder.gif ^^DIRECTORY^^

    AddIcon /icons/blank.gif ^^BLANKICON^^

    DefaultIcon /icons/unknown.gif

    ReadmeName README.html

    HeaderName HEADER.html

</IfModule>

AddLanguage ca .ca

AddLanguage cs .cz .cs

AddLanguage da .dk

AddLanguage de .de

AddLanguage el .el

AddLanguage en .en

AddLanguage eo .eo

AddLanguage es .es

AddLanguage et .et

AddLanguage fr .fr

AddLanguage he .he

AddLanguage hr .hr

AddLanguage it .it

AddLanguage ja .ja

AddLanguage ko .ko

AddLanguage ltz .ltz

AddLanguage nl .nl

AddLanguage nn .nn

AddLanguage no .no

AddLanguage pl .po

AddLanguage pt .pt

AddLanguage pt-BR .pt-br

AddLanguage ru .ru

AddLanguage sv .sv

AddLanguage zh-CN .zh-cn

AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

ForceLanguagePriority Prefer Fallback

AddDefaultCharset ISO-8859-1

AddCharset ISO-8859-1  .iso8859-1  .latin1

AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen

AddCharset ISO-8859-3  .iso8859-3  .latin3

AddCharset ISO-8859-4  .iso8859-4  .latin4

AddCharset ISO-8859-5  .iso8859-5  .latin5 .cyr .iso-ru

AddCharset ISO-8859-6  .iso8859-6  .latin6 .arb

AddCharset ISO-8859-7  .iso8859-7  .latin7 .grk

AddCharset ISO-8859-8  .iso8859-8  .latin8 .heb

AddCharset ISO-8859-9  .iso8859-9  .latin9 .trk

AddCharset ISO-2022-JP .iso2022-jp .jis

AddCharset ISO-2022-KR .iso2022-kr .kis

AddCharset ISO-2022-CN .iso2022-cn .cis

AddCharset Big5        .Big5       .big5

AddCharset WINDOWS-1251 .cp-1251   .win-1251

AddCharset CP866       .cp866

AddCharset KOI8-r      .koi8-r .koi8-ru

AddCharset KOI8-ru     .koi8-uk .ua

AddCharset ISO-10646-UCS-2 .ucs2

AddCharset ISO-10646-UCS-4 .ucs4

AddCharset UTF-8       .utf8

AddCharset GB2312      .gb2312 .gb

AddCharset utf-7       .utf7

AddCharset utf-8       .utf8

AddCharset big5        .big5 .b5

AddCharset EUC-TW      .euc-tw

AddCharset EUC-JP      .euc-jp

AddCharset EUC-KR      .euc-kr

AddCharset shift_jis   .sjis

AddType application/x-compress .Z

AddType application/x-gzip .gz .tgz

AddHandler type-map var

BrowserMatch "Mozilla/2" nokeepalive

BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

BrowserMatch "RealPlayer 4\.0" force-response-1.0

BrowserMatch "Java/1\.0" force-response-1.0

BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully

BrowserMatch "^WebDrive" redirect-carefully

BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully

BrowserMatch "^gnome-vfs" redirect-carefully

<IfDefine INFO>

    ExtendedStatus On

    <Location /server-status>

        SetHandler server-status

        Order deny,allow

        Deny from all

        Allow from localhost

    </Location>

</IfDefine>

<IfDefine INFO>

    <Location /server-info>

       SetHandler server-info

       Order deny,allow

       Deny from all

       Allow from localhost

    </Location>

</IfDefine>

Include /etc/apache2/vhosts.d/*.conf

```

```

brand ~ # ll /var/www/localhost/htdocs/

total 12K

-rw-r--r--  1 root root 2.3K Dec 20 15:46 apache_pb.gif

-rw-r--r--  1 root root 2.4K Dec 20 15:46 apache_pb2.gif

-rw-r--r--  1 root root 1.5K Dec 20 15:46 index.html

brand ~ # ll /var/www/localhost

total 4.5K

drwxr-xr-x  2 root root   96 Dec 20 15:46 cgi-bin

drwxr-xr-x  2 root root  144 Dec 20 15:46 htdocs

drwxr-xr-x  3 root root 4.5K Dec 20 15:46 icons

```

So as you can see there really isn't anything that's different from default configs. Personally i'm pretty much out of ideas here. 

I think this more or less covers it. Hope someone can figure it out. i'll be very grateful.

thank you.

----------

## pjp

Try clearing the browser cache, closing/reopening the browser and see if it continues.  I've had permission problems that were resolved that way.  Also, be sure you've restarted apache if you've made changes.

----------

## Ynazar1

Nah, that didn't work. I still get the same thing, on different browsers on different computers.

Is there a way to maybe figure out what folder it's trying to access? (having "/" in logs isn't exactly helpful). Also i don't think that /var/www/localhost is any link as i removed that folder before i reemerged apache earlier (trying to fix the issue). It haven't worked since the first time i tried installing apache on that box (few months back).

I think this is a first time with gentoo i ever considered wiping the machine and starting from scratch, except i cannot do it as that box is also a gateway/firewall/openvpn for a satellite office.

----------

## pjp

 *Ynazar1 wrote:*   

> Nah, that didn't work. I still get the same thing, on different browsers on different computers.

  You've probably already checked, but are the directories leading up to index.html all OK?

 *Quote:*   

> Is there a way to maybe figure out what folder it's trying to access? (having "/" in logs isn't exactly helpful).

  I don't know how to change the log to be more informative, but this is the part that defines "/" (/etc/apache2/vhosts.d/00_default_vhost.conf):

```
DocumentRoot "/var/www/localhost/htdocs"

<Directory "/var/www/localhost/htdocs">
```

 This page describes logging, but I didn't see that it covers how to change "/" to the full path.

 *Quote:*   

> I think this is a first time with gentoo i ever considered wiping the machine and starting from scratch, except i cannot do it as that box is also a gateway/firewall/openvpn for a satellite office.

  There's a good chance it wouldn't help anyway.

In /etc/conf.d/apache2 add the "-D USERDIR" option:  APACHE2_OPTS="-D DEFAULT_VHOST -D USERDIR"

Then create a public_html directory in a user account, and add a file.  Then try accessing that file by website.domain.name/~username/that_file

Some other ideas to check:

- any .htaccess files

- volume mount options (noexec, ?) for /var/...

----------

## lefsha

I have the same issue from that time - end of last year.

Before I have never had such a problem with apache2.

But now I can't find a solution of this.

I have checked the permission many times.

I've changed it, changed the path.

I have no idea what should I do next.

----------

## Rüpel

take a look at the apache logfile. it will tell you, what's wrong.

----------

## lefsha

Unfortunately it doesn't.

access_log

```

127.0.0.1 - - [15/Feb/2006:02:15:32 +0100] "GET / HTTP/1.1" 403 380

127.0.0.1 - - [15/Feb/2006:02:15:32 +0100] "GET /favicon.ico HTTP/1.1" 403 391

127.0.0.1 - - [15/Feb/2006:22:42:54 +0100] "GET / HTTP/1.1" 403 380

127.0.0.1 - - [15/Feb/2006:22:42:57 +0100] "GET /favicon.ico HTTP/1.1" 403 391

127.0.0.1 - - [15/Feb/2006:22:43:03 +0100] "GET /index.html HTTP/1.1" 403 390

```

error_log

```

[Wed Feb 15 23:08:19 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Wed Feb 15 23:08:19 2006] [notice] Digest: generating secret for digest authentication ...

[Wed Feb 15 23:08:19 2006] [notice] Digest: done

[Wed Feb 15 23:08:19 2006] [notice] Apache configured -- resuming normal operations

[Wed Feb 15 23:09:01 2006] [error] [client 127.0.0.1] (13)Permission denied: access to /index.html denied

[Wed Feb 15 23:09:03 2006] [error] [client 127.0.0.1] (13)Permission denied: access to /index.html denied

```

```

drwxr-xr-x  2 root root 96 Фев 16 22:56 cgi-bin

drwxr-xr-x  2 root root 168 Фев 16 22:56 htdocs

drwxr-xr-x  3 root root 4600 Фев 16 22:56 icons

./cgi-bin:

итого 8

-rw-r--r--  1 root root 268 Фев 16 22:56 printenv

-rw-r--r--  1 root root 757 Фев 16 22:56 test-cgi

./htdocs:

итого 12

-rw-r--r--  1 root root 2414 Фев 16 22:56 apache_pb2.gif

-rw-r--r--  1 root root 2326 Фев 16 22:56 apache_pb.gif

-rw-r--r--  1 root root 1443 Фев 16 22:56 index.html

```

----------

## lefsha

Apache works if I add apache user to the group wheel!

That is not OK, I know, but I have found no other possibility to

make it work.

Very strange problem. And still no solutiuon.

----------

## lefsha

The Solution:

At my side was changed permission on / - root directory.

No other program, but apache has detected this.

The question is. What does it mean if I have no permission on parent

directory, but I have at least read and execute - open permission on

some child directory. Is behaviour of apache correct or not?

If apache does all right, then no other program as well could have

access to my file tree. As far as I know file permissions implemented

not in user programs, but into filesystem module.

That means that not a program decides whether it possible to open

certain dir or not, but other mudule does it undependently from it.

So, that means, apache try by it's own to open root directory.

But I have nothing for apache in the root directory?

Is it a bug or not? Could someone please explain me the logic of this behaviour?

Or may I write a bug report?

 :Wink: 

P.S. Uffffffffff...

----------

