Apache Giving 403 Forbidden Errors

Apache giving 403 forbidden errors

Check that :

  • Apache can physically access the file (the user that run apache, probably www-data or apache, can access the file in the filesystem)
  • Apache can list the content of the folder (read permission)
  • Apache has a "Allow" directive for that folder. There should be one for /var/www/, you can check default vhost for example.

Additionally, you can look at the error.log file (usually located at /var/log/apache2/error.log) which will describe why you get the 403 error exactly.

Finally, you may want to restart apache, just to be sure all that configuration is applied.
This can be generally done with /etc/init.d/apache2 restart. On some system, the script will be called httpd. Just figure out.

What is causing the '403 Forbidden error' in my Apache2 server? And how can I fix it? The available fixes on the web are not working for me

I've found a solution, for now at least. I ran a sudo chmod 777 on my home folder so that literally every single file is accessible. I heard that this solution was not recommendable, but for now it will do.

I still don't know why other solutions that were posted didn't work for me, because it was of my understanding that every file that was needed to fun the server was inside the django_project folder.

I will be looking into it a bit more though, because I don't know how secure it is to have everysingle file with permisions.

Apache gives 403 forbidden

Apparently simply chmoding the directory the project is in wasn't enough. I had to chmod all the directories higher up in the tree as well.

So even though my VHOST pointed to /home/powerbuoy/Dropbox/Projects/AProject/ simply chmoding /AProject/ is not enough but it has to be done all the way from /home/powerbuoy/ it seems.

Apache 2.4.7 403 Forbidden Error

Here is how I solved this problem for anyone who might have a similar one:

It seemed the problem came from where I installed the overpass installation ($EXEC_DIR).

So I had to change the install directories to: 

$EXEC_DIR       /var/www/osm/
$DB_DIR         /var/www/osm/db/
$PLANET_FILE    /var/www/osm/planet.osm.bz2
$REPLICATE_DIR  /var/www/osm/rep/

Giving the resulting default.conf:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ExtFilterDefine gzip mode=output cmd=/bin/gzip
    DocumentRoot /root/osm-3s_v0.7.4/html

    # This directive indicates that whenever someone types                         http://www.example.com/api/ 
    # Apache2 should refer to what is in the local directory         [YOUR_EXEC_DIR]/cgi-bin/
    ScriptAlias /api/ /var/www/osm/cgi-bin/

    # This specifies some directives specific to the directory: [YOUR_EXEC_DIR]/cgi-bin/
    <Directory "/var/www/osm/cgi-bin/">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
            #SetOutputFilter gzip
            #Header set Content-Encoding gzip
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

</VirtualHost>

I tried and tried but couldn't get it working with the old dir. Good luck!

Error message Forbidden You don't have permission to access / on this server

Update October 2016

4 years ago, since this answer is used as a reference by many, and while I learned a lot from security perspective during these years,
I feel I am responsible to clarify some important notes, and I've update my answer accordingly.

The original answer is correct but not safe for some production environments,
in addition I would like to explain some issues that you might fall into while setting up your environment.

If you are looking for a quick solution and SECURITY IS NOT A MATTER, i.e development env, skip and read the original answer instead

Many scenarios can lead to 403 Forbidden:


A. Directory Indexes (from mod_autoindex.c)

When you access a directory and there is no default file found in this directory
AND Apache Options Indexes is not enabled for this directory.

A.1. DirectoryIndex option example

DirectoryIndex index.html default.php welcome.php

A.2. Options Indexes option

If set, Apache will list the directory content if no default file found (from the above option)

If none of the conditions above is satisfied

You will receive a 403 Forbidden

Recommendations

  • You should not allow directory listing unless REALLY needed.
  • Restrict the default index DirectoryIndex to the minimum.
  • If you want to modify, restrict the modification to the needed directory ONLY, for instance, use .htaccess files, or put your modification inside the <Directory /my/directory> directive

B. deny,allow directives (Apache 2.2)

Mentioned by @Radu, @Simon A. Eugster in the comments
You request is denied, blacklisted or whitelisted by those directives.

I will not post a full explanation, but I think some examples may help you understand,
in short remember this rule:

IF MATCHED BY BOTH, THE LAST DIRECTIVE IS THE ONE THAT WILL WIN

Order allow,deny

Deny will win if matched by both directives (even if an allow directive is written after the deny in the conf)

Order deny,allow

allow will win if matched by both directives

Example 1

Order allow,deny
Allow from localhost mydomain.example

Only localhost and *.mydomain.example can access this, all other hosts are denied

Example 2

Order allow,deny
Deny from evil.example
Allow from safe.evil.example # <-- has no effect since this will be evaluated first

All requests are denied, the last line may trick you, but remember that if matched by both the last win rule (here Deny is the last), same as written:

Order allow,deny
Allow from safe.evil.example
Deny from evil.example # <-- will override the previous one

Example 4

Order deny,allow
Allow from site.example
Deny from untrusted.site.example # <-- has no effect since this will be matched by the above `Allow` directive

Requests are accepted from all hosts

Example 4: typical for public sites (allow unless blacklisted)

Order allow,deny
Allow from all
Deny from hacker1.example
Deny from hacker2.example

Example 5: typical for intranet and secure sites (deny unless whitelisted)

Order deny,allow
Deny from all
Allow from mypc.localdomain
Allow from managment.localdomain

C. Require directive (Apache 2.4)

Apache 2.4 use a new module called mod_authz_host

Require all granted => Allow all requests

Require all denied => Deny all requests

Require host safe.example => Only from safe.example are allowed


D. Files permissions

One thing that most people do it wrong is configuring files permissions,

The GOLDEN RULE is

STARTS WITH NO PERMISSION AND ADD AS PER YOUR NEED

In Linux:

  • Directories should have the Execute permission

  • Files should have the Read permission

  • YES, you are right DO NOT ADD Execute permission for files

for instance, I use this script to setup the folders permissions

# setting permissions for /var/www/mysite.example

# read permission ONLY for the owner
chmod -R /var/www/mysite.example 400

# add execute for folders only
find /var/www/mysite.example -type d -exec chmod -R u+x {} \;

# allow file uploads
chmod -R /var/www/mysite.example/public/uploads u+w

# allow log writing to this folder
chmod -R /var/www/mysite.example/logs/

I posted this code as an example, setup may vary in other situations



Original Answer

I faced the same issue, but I solved it by setting the options directive either in the global directory setting in the httpd.conf or in the specific directory block in httpd-vhosts.conf:

Options Indexes FollowSymLinks Includes ExecCGI

By default, your global directory settings is (httpd.conf line ~188):

<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order deny,allow
    Allow from all
</Directory>

set the options to:
Options Indexes FollowSymLinks Includes ExecCGI

Finally, it should look like:

<Directory />
    #Options FollowSymLinks
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Order deny,allow
    Allow from all
</Directory>

Also try changing Order deny,allow and Allow from all lines by Require all granted.

Appendix

Directory Indexes source code (some code remove for brevity)

if (allow_opts & OPT_INDEXES) {
     return index_directory(r, d);
} else {
        const char *index_names = apr_table_get(r->notes, "dir-index-names");

        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01276)
                      "Cannot serve directory %s: No matching DirectoryIndex (%s) found, and "
                      "server-generated directory index forbidden by "
                      "Options directive",
                       r->filename,
                       index_names ? index_names : "none");
        return HTTP_FORBIDDEN;
    }

Apache giving 403 forbidden errors when accessing files in 'Sites' folder

This isn't fabricated by Apache — execute man 7 path_resolution on your system. The three ways around it are to make your home directory world-executable, make your home-directory group-executable and share a secondary group with your webserver userid, or move your content out of your home directory.

Apache VirtualHost 403 Forbidden

Apache 2.4.3 (or maybe slightly earlier) added a new security feature that often results in this error. You would also see a log message of the form "client denied by server configuration". The feature is requiring a user identity to access a directory. It is turned on by DEFAULT in the httpd.conf that ships with Apache. You can see the enabling of the feature with the directive

Require all denied

This basically says to deny access to all users. To fix this problem, either remove the denied directive (or much better) add the following directive to the directories you want to grant access to:

Require all granted

as in 

<Directory "your directory here">
   Order allow,deny
   Allow from all
   # New directive needed in Apache 2.4.3: 
   Require all granted
</Directory>

ErrorDocument 403 is not accessible by its 403 access deny in Apache

To allow banned IPs to access the 403 error document, You should make a directory and configure it with a different access level. make errorpages directory first and implement this code in httpd.conf.

<Directory "${SRVROOT}/htdocs/errorpages">
    Require all granted
</Directory>
<Location /errorpages>
    Require all granted
</Location>

also, You need to change ErrorDocument 403 "/error403.php" into ErrorDocument 403 "/errorpages/error403.php"

<Directory "${SRVROOT}/htdocs">
    Options FollowSymLinks 
    AllowOverride None
    <RequireAll>
        Require all granted
        Include conf/banlist.conf
    </RequireAll>
    ErrorDocument 403 "/errorpages/error403.php"
</Directory>

<Location />
    <RequireAll>
        Require all granted
        Include conf/banlist.conf
    </RequireAll>
    ErrorDocument 403 "/errorpages/error403.php"
</Location>

then they can see the 403 error document, but they are still not allowed to see other pages in your server.


Related Topics

Flexbox - Fill Remaining Space

How to Customize the In-Browser Tool Tip Bubble

How to Make a Div Not Wrap

How to Pre-Populate HTML Form Input Fields from Url Parameters

How to Color Text in Github's Flavoured Markdown

<Strong> VS. Font-Weight:Bold & <Em> VS. Font-Style:Italic

Items That Span All Columns/Rows Using CSS Grid Layout

HTMLagilitypack Drops Option End Tags

Html/Css: Empty Page + Only Header Page When Printing Table

Responsive Tables, The Smart Way

Bootstrap Navbar Link Color Won't Change

How to Style Radio Buttons with Images - Laughing Smiley for Good, Sad Smiley for Bad

Ticks for Type="Range" HTML Input

How to Vertically Align a Table in CSS

Why Does Width and Height of a Flex Item Affect How a Flex Item Is Rendered

How to Make Bootstrap Carousel Image Responsive

CSS Rounded Corners

Inverted Scooped Corners Using CSS


Leave a reply



Submit