I just completed a long awaiting upgrade for my home server from openSUSE 13.1 to Leap 42.2 (yes, I did all the upgrades from 13.1–>13.2–>42.1–>42.2)
Everything is OK, with the exception of the Apache Web Server.
All started when I realized that the PHP module was not working. Since I don’t have the time to properly troubleshoot it, I used yast and I enabled PHP5.
Then, hell break loose.
I had a lot of modules that where not loaded (although I had 0 problems with them before) etc.
I limit access on the servers only for a specific subnet (192.168.0.0/24).
With the old Apache 2.2 I used the classic Order deny, allow/allow from 192.168.0.0/24 and everything was fine.
But I decided to use the “correct” directive for 2.4
So, I created a file and I included that file in all my configuration files:
Require ip 192.168.0.0/24
Don’t know if relevant, but from what you posted I noticed…
You use “mysql” in your filenames when designating website directory and files, I generally avoid that practice to avoid possible collisions with standard running processes (Which could happen if you’re running a mysql or mariadb derver)
You specify an include that points to a subdirectory of /etc. Because of the security policies applied to this location, I’d consider it a potential source of permissions problems so requires closer inspection. If the location provides webserver or website configuration information then it needs to be accessible by the apache app. If the location provides website content, then it needs virtualhost access.
To both posters: No to everything!
I don’t run appArmor, I don’t have SELinux etc
Again, access was not a problem until I run Yast to enable PHP (because I read in a post somewhere here that you cannot just enable with the a2enmod). I am sure that there is a conflict with the basic configuration etc.
What is really concerns me, is the fact that I get a 403 even for the main site.
Every modern Linux distro implements SELinux and a few including openSUSE implement AppArmor as well.
You might say that you don’t create custom modifications for either policy, but at least on openSUSE both exist.
And, this is why you can’t ordinarily deploy website files just anywhere and the safest is to deploy all within the same directory tree and not scattered across your system.
As Miuku says, Apache mods can be loaded either through YaST or a2enmod.
Proper PHP testing should not be to access your main page unless you <now> the entire page is built correctly.
Better and typically recommended is to deploy the standard PHP test page.
OK, but for the benefit of others…
Unless something changed I’m not aware of, SELinux is implemented by default… possibly in a way you’re not aware of (Many things related to the Linux kernel have changed radically within the past 5 years).
By default, it’s supposed to be a very relaxed policy only enough to protect the core system.
Based on some light research,
It seems that both SELinux and Apparmoer are implemented through the kernel LVM module, the configuration declares which security framework you wish to choose… There are currently about 4 choices of which SELinux and Apparmoer are two.
openSUSE implements Apparmor, so ordinarily SElinux is not implemented.
This seems to have been published around 2007, and implemented shortly thereafter.