Fresh install of Saucy. Apache2 configs from Raring are epic failure
Kevin O'Gorman
kogorman at gmail.com
Thu Dec 26 05:51:09 UTC 2013
On Wed, Dec 25, 2013 at 8:26 PM, Kevin O'Gorman <kogorman at gmail.com> wrote:
> On Wed, Dec 25, 2013 at 7:57 PM, Tom H <tomh0665 at gmail.com> wrote:
>> On Thu, Dec 26, 2013 at 2:28 AM, Kevin O'Gorman <kogorman at gmail.com> wrote:
>>> Due to a GUI meltdown, I found it expedient to do a fresh install so I
>>> chose Xubuntu Saucy.
>>>
>>> All but one thing went well. My web server is really down.
>>>
>>> Now mind, the basics work. I can access things in /var/www it seems,
>>> but I usually keep only one file there. I configure aliases to get to
>>> everything else.
>>>
>>> None of these are working. Home directory pages are not working. My
>>> specialized code is not working.
>>>
>>> And by not working I mean a pretty uniform 403 with an occasional 404.
>>> The error log points the finger at my configuration, saying "client
>>> denied by server configuration"
>>>
>>> For example, I have a directory devoted to a dear departed canine
>>> companion named Ogden Gnash. His stuff is stored in /www/Dogs/Oggie.
>>> I have an alias thus:
>>>
>>> Alias /Oggie /www/Dogs/Oggie
>>> <Directory /www/Dogs/Oggie>
>>> Order allow,deny
>>> Allow from all
>>> </Directory>
>>>
>>> And when I try to go to http://kosmanor.com/Oggie the browser tells me
>>> "You don't have permission to access /Oggie on this server." while the
>>> error log contains "
>>>
>>> [Wed Dec 25 18:22:22.504423 2013] [authz_core:error] [pid 6022:tid
>>> 140127561000704] [client 71.80.244.253:43755] AH01630: client denied
>>> by server configuration: /www/Dogs/Oggie
>>>
>>> What could be clearer? It sees the Alias, but does not give access,
>>> and it's not file permission (which I've checked anyway) but it's the
>>> server configuration.
>>
>> From the README:
>>
>> apache2 (2.4.1-1) unstable; urgency=low
>>
>> This package introduces a new major release of the Apache HTTP server. It is
>> likely the site configuration needs changes to work with this release.
>> Notable changes which need special care are:
>>
>> The module interface (ABI) has changed. If you have any locally compiled
>> modules, you have to re-compile them for apache2 2.4.
>>
>> The authorization and authentication system has changed. Existing
>> configurations using deprecated Order/Allow/Deny directives should be
>> upgraded to the new system. Please review upstream's "Authentication,
>> Authorization and Access Control Howto" [1]. However, "mod_access_compat" is
>> loaded by default to provide backward compatibility.
>>
>> Furthermore, MPMs are simple modules now. Thus, the MPM can be changed
>> at any time by (un-)loading a specific module. Be careful when upgrading. An
>> example of changing the MPM is given below:
>>
>> a2dismod mpm_worker
>> a2enmod mpm_prefork
>>
>> We did change the security model for Apache in our default configuration. We
>> do not allow access to the file system outside /var/www and /usr/share.
>> If you are running virtual hosts or scripts outside these directories, you
>> need to whitelist them in your configuration to grant access through HTTP.
>> Special care must be taken if you are using a sub-directory in /srv to serve
>> your content as recommended by the File Hierarchy Standard (FHS). You must
>> allow access to your served directory explicity in the corresponding virtual
>> host, or by allowing access in apache2.conf as proposed.
>>
>> Moreover, the configuration mechanism in Debian has changed. All
>> configurations in sites-enabled and conf-enabled need a ".conf" suffix now.
>> The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is
>> not supported any more) and works just like {sites,mods}-{available,enabled}
>> via the "a2enconf" tool. The upgrade tries to migrate known configuration
>> files from /etc/apache2/conf.d/ to /etc/apache2/conf-available/ - please
>> review these changes.
>>
>> Note this means all existing sites are ignored until they get a ".conf"
>> suffix and are re-enabled by the use of a2ensite. The script in [3] can
>> automate that for simple cases. This change also includes Debian default
>> sites, so the default site has been renamed to 000-default to avoid naming
>> confusions. The rename of the config files to *.conf makes the special
>> handling inside apache2 to ignore *.dpkg-* backup files obsolete. This
>> special handling has been removed.
>>
>> Users of mod_authn_dbm should switch to htdbm to manage their DBM user
>> databases. The pure-perl management utility "dbmmanage" was removed as it was
>> outdated and orphaned upstream.
>>
>> Packagers are advised to review whether their packages comply with this
>> new version. Please see [2] for detailed documentation and instructions.
>>
>> [1] http://httpd.apache.org/docs/2.4/howto/auth.html
>> [2] </usr/share/doc/apache2/PACKAGING>
>> [3] </usr/share/doc/apache2/migrate-sites.pl>
>>
>> -- Arno Töll <arno at debian.org> Fri, 23 July 2012 23:50:13 +0200
>>
>> --
>> ubuntu-users mailing list
>> ubuntu-users at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
>
> Thanks for this. There was enough that happened during installation
> that warned me of these changes. As near as I can tell, all necessary
> changes have been made. All the config files are in conf-available,
> and links are managed using the apache tools.
>
> The example with Oggie shows that my configuration is being read. The
> permissions look right. It just doesn't work.
>
>
> --
> Kevin O'Gorman
>
> programmer, n. an organism that transmutes caffeine into software.
> Please consider the environment before printing this email.
*ahem* I take it back. And, really, thanks again.
Deciding to distrust the [1] document's promise of compatibility, I
copied some permissions stanzas from the new userdirs.conf file, and
lo and behold a bunch of directories are now visible. In fact,
everything except my CGI stuff and user authentication is working.
I presume I'll have to actually learn the new stuff. It will be like
starting over since this was all set up over 10 years ago, but I can
do that.
Sigh.
--
Kevin O'Gorman
programmer, n. an organism that transmutes caffeine into software.
Please consider the environment before printing this email.
More information about the ubuntu-users
mailing list