Home / server / Questions / 556848
Accepted
bwDraco
Asked: 2013-11-23 10:02:41 +0800 CST

Subdomains returning HTTP 403 after updating Apache from 2.2 to 2.4

  • 772

After an operating system upgrade which involved updating Apache from 2.2 to 2.4, I'm now getting 403s trying to access http://files.fierydragonlord.com/ and http://status.fierydragonlord.com/. However, http://www.fierydragonlord.com works. What's going on?

The following is my vhosts.conf:

#
# VirtualHost template
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
#
# NameVirtualHost statements can be added to /etc/apache2/listen.conf.
#
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.fierydragonlord.com

    # Specify alternative domain names for the virtual host like this
    # (wildcards * and ? may be used, and multiple aliases may be specified):
    # ServerAlias domain.tld extra.domain.tld *.domain.tld


    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot /srv/www/htdocs/

    # Set log file location
    ErrorLog /var/log/apache2/error_log
    CustomLog /var/log/apache2/access_log combined

    # don't loose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    # configures the footer on server-generated documents
    ServerSignature On

    # Use custom error documents
    ErrorDocument 400 /00-Error/400.php
    ErrorDocument 401 /00-Error/401.php
    ErrorDocument 403 /00-Error/403.php
    ErrorDocument 404 /00-Error/404.php
    ErrorDocument 410 /00-Error/410.php
    ErrorDocument 414 /00-Error/414.php
    ErrorDocument 500 /00-Error/500.php
    ErrorDocument 503 /00-Error/503.php
</VirtualHost>

<VirtualHost *:80>
    ServerName status.fierydragonlord.com

    # Specify alternative domain names for the virtual host like this
    # (wildcards * and ? may be used, and multiple aliases may be specified):
    # ServerAlias domain.tld extra.domain.tld *.domain.tld


    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot /srv/www/vhosts/status/

    DirectoryIndex index.php

    # Set log file location
    ErrorLog /var/log/apache2/status-error_log
    CustomLog /var/log/apache2/status-access_log combined

    # don't loose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    # configures the footer on server-generated documents
    ServerSignature On

    <Directory />
        Options None
        Require all granted
    </Directory>

    # use .htaccess files for overriding,
    AccessFileName .htaccess
    # and never show them
    <Files ~ "^\.ht">
        Require all denied
    </Files>
</VirtualHost>

<VirtualHost *:80>
    ServerName files.fierydragonlord.com

    # Specify alternative domain names for the virtual host like this
    # (wildcards * and ? may be used, and multiple aliases may be specified):
    # ServerAlias domain.tld extra.domain.tld *.domain.tld


    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot /srv/www/vhosts/files/

    DirectoryIndex index.html

    # Set log file location
    ErrorLog /var/log/apache2/files-error_log
    CustomLog /var/log/apache2/files-access_log combined

    # don't loose time with IP address lookups
    HostnameLookups Off
    # needed for named virtual hosts
    UseCanonicalName Off
    # configures the footer on server-generated documents
    ServerSignature On

    <Directory />
        Options None
        Require all granted
    </Directory>

    # use .htaccess files for overriding,
    AccessFileName .htaccess
    # and never show them
    <Files ~ "^\.ht">
        Require all denied
    </Files>

    # Use custom error documents
    ErrorDocument 400 /00-Error/400.php
    ErrorDocument 401 /00-Error/401.php
    ErrorDocument 403 /00-Error/403.php
    ErrorDocument 404 /00-Error/404.php
    ErrorDocument 410 /00-Error/410.php
    ErrorDocument 414 /00-Error/414.php
    ErrorDocument 500 /00-Error/500.php
    ErrorDocument 503 /00-Error/503.php
</VirtualHost>

I'm getting errors like this in the log:

[Fri Nov 22 12:37:53.271724 2013] [access_compat:error] [pid 5445] [client xxx.xxx.xxx.xxx:xxxx] AH01797: client denied by server configuration: /srv/www/vhosts/status/, referer: http://www.fierydragonlord.com/
[Fri Nov 22 12:46:14.115480 2013] [access_compat:error] [pid 5440] [client xxx.xxx.xxx.xxx:xxxx] AH01797: client denied by server configuration: /srv/www/vhosts/status/index.php

apache2ctl -S returns the following:

[Fri Nov 22 12:56:50.229301 2013] [core:warn] [pid 5529] AH00117: Ignoring deprecated use of DefaultType in line 140 of /etc/apache2/httpd.conf.
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/vhosts.d/vhosts.conf:16
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.fierydragonlord.com (/etc/apache2/vhosts.d/vhosts.conf:18)
         port 80 namevhost www.fierydragonlord.com (/etc/apache2/vhosts.d/vhosts.conf:18)
         port 80 namevhost www.fierydragonlord.com (/etc/apache2/vhosts.d/vhosts.conf:18)
         port 80 namevhost status.fierydragonlord.com (/etc/apache2/vhosts.d/vhosts.conf:53)
         port 80 namevhost status.fierydragonlord.com (/etc/apache2/vhosts.d/vhosts.conf:53)
         port 80 namevhost files.fierydragonlord.com (/etc/apache2/vhosts.d/vhosts.conf:92)
         port 80 namevhost files.fierydragonlord.com (/etc/apache2/vhosts.d/vhosts.conf:92)
ServerRoot: "/srv/www"
Main DocumentRoot: "/srv/www/htdocs"
Main ErrorLog: "/var/log/apache2/error_log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="wwwrun" id=30
Group: name="www" id=8
virtualhost

2 Answers

  1. Apache 2.4 handles virtual host directive in a different way that 2.2, review the following link for examples.

    http://httpd.apache.org/docs/current/vhosts/examples.html

    Basically, change NameVirtualHost *:80 -> Listen 80

    So it looks like this:

    Listen 80

# This is the "main" server running on 172.20.30.40
ServerName server.example.com
DocumentRoot /www/mainserver

<VirtualHost 172.20.30.50>
    DocumentRoot /www/example1
    ServerName www.example.com

    # Other directives here ...
</VirtualHost>

<VirtualHost 172.20.30.50>
    DocumentRoot /www/example2
    ServerName www.example.org

    # Other directives here ...
</VirtualHost>

    You might also want to check the rest of your httpd.conf and vhosts.conf for other deprecations and conflicts. See this link. http://httpd.apache.org/docs/trunk/upgrading.html

    You're self answer is partially correct, the order/require change but if you browse that page, you'll see quite a few more. I'd suggest reading through it well and making sure you've tackled everything. Even if you get it working, check and double check, some of the changes might not break apache or even log.. but could cause other issues (security/stability).

    • 2
  2. Best Answer

    It turns out there is a conflict between the older Order deny,allow syntax and the newer Require all granted syntax. The system's master configuration files, as supplied by openSUSE itself, are not configured to use the newer Require syntax. Because the Order syntax is processed by a different module than the Require syntax, the older syntax overrides the newer syntax, causing it to fail.

    I have reverted to the older Order syntax, with a note in the customized configuration files explaining the issue.

    • 1