apache ERROR 403 after update tumbleweed 13.1 ==> tumbleweed 13.2

Hello,

On 13.1 ('tumbleweed) I had 3 php applications working without problem (phpwebgallery, phpMyAdmin, phpgedview)
I updated to tumbleweed 13.2 via “zypper dup” and now I receive an error "Forbidden access error 403 " when I try to reach these 3 applications locally (http://localhost/xxx or http://192.168.1.120/xxx)

I checked the /srv/www/htdocs authorization which seems correct

ls -al
total 60
drwxr-xr-x 10 wwwrun   www   4096 11 nov.  12:03 .
drwxr-xr-x  7 root     root  4096 28 sept. 23:34 ..
drwxr-xr-x  2 root     root  4096 13 juil. 20:30 backup
drwxr-xr-x 23 wwwrun   www   4096  4 août   2012 catalog
-rw-r--r--  1 root     root   302 13 mars   2006 favicon.ico
drwxrwxrwx 37 philippe users 4096  2 févr.  2014 galleries
drwxr-xr-x 20 wwwrun   www   4096  4 nov.  17:47 gedview
drwxr-xr-x  2 wwwrun   www   4096  7 nov.  19:46 gif
-rw-r--r--  1 wwwrun   www     45 11 juin   2007 index.html
-rw-r--r--  1 wwwrun   www   2356 29 sept. 05:09 info2html.css
-rw-rw-r--  1 wwwrun   www     69 27 févr.  2014 phpinfo.php
drwxr-xr-x  6 wwwrun   www   4096  7 nov.  21:02 phpMyAdmin
-rw-r--r--  1 root     root    26  5 nov.  16:39 robots.txt
drwxrwxrwx 15 wwwrun   www   4096 27 févr.  2014 webgal
drwxr-xr-x 14 root     root  4096  2 févr.  2014 webgalold

i have reinstalled all the apache RPM but the error remains/ the only difference that I see is that after re-installation the index.html and favicon.ico files belong to root

the log /var/log/apache2/error_log contains

[Tue Nov 11 11:55:52.691900 2014] [authz_core:error] [pid 32511] [client 192.168.1.120:55927] AH01630: client denied by server configuration: /srv/www/htdocs/phpMyAdmin
[Tue Nov 11 14:16:18.375941 2014] [authz_core:error] [pid 31928] [client 192.168.1.120:57102] AH01630: client denied by server configuration: /srv/www/htdocs/webgal/
[Tue Nov 11 14:16:22.857969 2014] [authz_core:error] [pid 31930] [client 127.0.0.1:53722] AH01630: client denied by server configuration: /srv/www/htdocs/gedview/
[Tue Nov 11 14:16:23.074537 2014] [authz_core:error] [pid 31930] [client 127.0.0.1:53722] AH01630: client denied by server configuration: /srv/www/htdocs/favicon.ico

The apache server seems running

systemctl status apache2.service       
apache2.service - The Apache Webserver
   Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled)
   Active: active (running) since Tue 2014-11-11 11:44:24 CET; 10s ago
  Process: 31888 ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop (code=exited, status=0/SUCCESS)
 Main PID: 31910 (httpd2-prefork)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/apache2.service
           ├─31910 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           ├─31928 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           ├─31930 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           ├─31932 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           ├─31933 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           └─31934 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start

the apache version

rpm -qi apache2
Name        : apache2
Version     : 2.4.10
Release     : 5.1
Architecture: x86_64
Install Date: Tue Nov 11 12:03:06 2014
Group       : Productivity/Networking/Web/Servers
Size        : 3773478
License     : Apache-2.0
Signature   : RSA/SHA256, Wed Nov  5 16:41:24 2014, Key ID b88b2fd43dbdc284
Source RPM  : apache2-2.4.10-5.1.src.rpm
Build Date  : Wed Nov  5 16:40:00 2014
Build Host  : build31
Relocations : (not relocatable)
Packager    : http://bugs.opensuse.org
Vendor      : openSUSE
URL         : http://httpd.apache.org/
Summary     : The Apache Web Server Version 2.4
Description :
This version of httpd is a major release of the 2.4 stable branch,
and represents the best available version of Apache HTTP Server.
New features include Loadable MPMs, major improvements to OCSP support,
mod_lua, Dynamic Reverse Proxy configuration, Improved Authentication/
Authorization, FastCGI Proxy, New Expression Parser, and a Small Object
Caching API.

 See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and
http://httpd.apache.org/docs-2.4/upgrading.html.
Distribution: openSUSE Factory

apache rpm installed

pm -qa apache*
apache2-2.4.10-5.1.x86_64
apache2-mod_php5-5.6.2-1.1.x86_64
apache2-example-pages-2.4.10-5.1.x86_64
apache2-mod_perl-2.0.8-9.2.x86_64
apache2-doc-2.4.10-5.1.noarch
apache2-prefork-2.4.10-5.1.x86_64
apache2-utils-2.4.10-5.1.x86_64
apache2-devel-2.4.10-5.1.x86_64

httpd.conf

#
# /etc/apache2/httpd.conf 
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http:///httpd.apache.org/docs/2.4/> for detailed information about
# the directives.

# Based upon the default apache configuration file that ships with apache,
# which is based upon the NCSA server configuration files originally by Rob
# McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.

# If possible, avoid changes to this file. It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.

# Quickstart guide:
# http://en.opensuse.org/SDB:Apache_installation


# Overview of include files, chronologically:
#
# httpd.conf
#  | 
#  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
#  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
#  |-- sysconfig.d/loadmodule.conf . . . . .  
[li] load these modules[/li]#  |-- listen.conf . . . . . . . . . . . . .  IP adresses / ports to listen on
#  |-- mod_log_config.conf . . . . . . . . .  define logging formats
#  |-- sysconfig.d/global.conf . . . . . . .  
[li] server-wide general settings[/li]#  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
#  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
#  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
#  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
#  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
#  |-- errors.conf . . . . . . . . . . . . .  customize error responses
#  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
#  |
#  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
#  |    |--mod_userdir.conf  . . . . . . . .  enable UserDir (if mod_userdir is loaded)
#  |    `--conf.d/apache2-manual?conf  . . .  add the docs ('?' = if installed)
#  |
#  |-- sysconfig.d/include.conf  . . . . . .  
[li] your include files [/li]#  |                                             (for each file to be included here, put its name 
#  |                                              into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
#  |
#  `-- vhosts.d/ . . . . . . . . . . . . . .  for each virtual host, place one file here
#       `-- *.conf . . . . . . . . . . . . .     (*.conf is automatically included)
#
#
# Files marked 
[li] are created from sysconfig upon server restart: instead of[/li]# these files, you edit /etc/sysconfig/apache2



#  Filesystem layout:
#
# /etc/apache2/
#  |-- charset.conv  . . . . . . . . . . . .  for mod_auth_ldap
#  |-- conf.d/
#  |   |-- apache2-manual.conf . . . . . . .  conf that comes with apache2-doc
#  |   |-- mod_php4.conf . . . . . . . . . .  (example) conf that comes with apache2-mod_php4
#  |   `-- ... . . . . . . . . . . . . . . .  other configuration added by packages
#  |-- default-server.conf
#  |-- errors.conf
#  |-- httpd.conf  . . . . . . . . . . . . .  top level configuration file
#  |-- listen.conf
#  |-- magic
#  |-- mime.types -> ../mime.types
#  |-- mod_autoindex-defaults.conf
#  |-- mod_info.conf
#  |-- mod_log_config.conf
#  |-- mod_mime-defaults.conf
#  |-- mod_perl-startup.pl
#  |-- mod_status.conf
#  |-- mod_userdir.conf
#  |-- mod_usertrack.conf
#  |-- server-tuning.conf
#  |-- ssl-global.conf
#  |-- ssl.crl/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Revocation Lists (CRL)
#  |-- ssl.crt/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificates
#  |-- ssl.csr/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Signing Requests
#  |-- ssl.key/  . . . . . . . . . . . . . .  PEM-encoded RSA Private Keys
#  |-- ssl.prm/  . . . . . . . . . . . . . .  public DSA Parameter Files
#  |-- sysconfig.d/  . . . . . . . . . . . .  files that are created from /etc/sysconfig/apache2
#  |   |-- global.conf
#  |   |-- include.conf
#  |   `-- loadmodule.conf
#  |-- uid.conf
#  `-- vhosts.d/ . . . . . . . . . . . . . .  put your virtual host configuration (*.conf) here
#      |-- vhost-ssl.template
#      `-- vhost.template



### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.
# run under this user/group id
Include /etc/apache2/uid.conf

# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a &lt;VirtualHost&gt;
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a &lt;VirtualHost&gt;
# container, that host's errors will be logged there and not here.
ErrorLog /var/log/apache2/error_log

# generated from APACHE_MODULES in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/loadmodule.conf

# IP addresses / ports to listen on
Include /etc/apache2/listen.conf

# predefined logging formats
Include /etc/apache2/mod_log_config.conf

# generated from global settings in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/global.conf

# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf

# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf

# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
Include /etc/apache2/mod_mime-defaults.conf

# set up (customizable) error responses
Include /etc/apache2/errors.conf

# global (server-wide) SSL configuration, that is not specific to 
# any virtual host
Include /etc/apache2/ssl-global.conf

# forbid access to the entire filesystem by default
&lt;Directory /&gt;
    Options None
    AllowOverride None
    Require all denied
&lt;/Directory&gt;

# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
&lt;Files ~ "^\.ht"&gt;
    Require all denied
&lt;/Files&gt;

# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var

### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# &lt;VirtualHost&gt; definition.  These values also provide defaults for
# any &lt;VirtualHost&gt; containers you may define later in the file.
#
# All of these directives may appear inside &lt;VirtualHost&gt; containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf


# Another way to include your own files
#
# The file below is generated from /etc/sysconfig/apache2,
# include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
# APACHE_CONF_INCLUDE_DIRS
Include /etc/apache2/sysconfig.d/include.conf

### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# &lt;URL:http:///httpd.apache.org/docs/2.4/vhosts/&gt;
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
IncludeOptional /etc/apache2/vhosts.d/*.conf
# Note: instead of adding your own configuration here, consider 
#       adding it in your own file (/etc/apache2/httpd.conf.local)
#       putting its name into APACHE_CONF_INCLUDE_FILES in 
#       /etc/sysconfig/apache2 -- this will make system updates 
#       easier :) 

webmin (https://localhost:10000/) works
any idea what is wrong?

Regards
Philippe

Please show


ls -ld /srv
ls -ld /srv/www
ls -ld /srv/www/htdocs


plus, check the perms set in /etc/apache2/httpd.conf

An additional note:

There is no “tumbleweed 13.1” or “tumbleweed 13.2”.

Tumbleweed is a complete distribution on its own now, independent of the standard openSUSE releases.

If you still have the openSUSE-Current repos and the Tumbleweed addon repo, you are not using Tumbleweed, and even can get problems (AFAIK the openSUSE-Current-Update repo still points to 13.1, and 3rd party Tumbleweed repos are built against Tumbleweed, not what you have).

See here for details:
https://en.opensuse.org/Portal:Tumbleweed

If you’re in doubt, please post your repo list, but maybe better open a new thread for that.

zypper lr -d

Compare your default-server.conf and default-server.conf.rpmnew in /etc/apache2/ , you most likely have one.

Hello,

here the list of repositories

# | Alias               | Name                             | Enabled | Refresh | Priority | Type   | URI                                                            | Service
--+---------------------+----------------------------------+---------+---------+----------+--------+----------------------------------------------------------------+--------
1 | Packman_Tumbleweed  | Packman Tumbleweed               | Yes     | Yes     |   95     | rpm-md | ftp://packman.inode.at/suse/openSUSE_Tumbleweed/               |        
2 | games               | games                            | Yes     | Yes     |   96     | rpm-md | http://download.opensuse.org/repositories/games/openSUSE_13.2/ |        
3 | repo-debug          | repo-debug                       | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/tumbleweed/repo/debug             |        
4 | repo-non-oss        | repo-non-oss                     | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/tumbleweed/repo/non-oss           |        
5 | repo-oss            | repo-oss                         | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/tumbleweed/repo/oss               |        
6 | repo-update-non-oss | openSUSE-20141105-Update-Non-Oss | No      | No      |   99     | rpm-md | http://download.opensuse.org/update/20141105-non-oss/          |    

Regards
Philippe

here the output

#ls -ld /srv
drwxr-xr-x 8 root root 4096 Sep 28 23:34 /srv
# ls -ld /srv/www
drwxr-xr-x 7 root root 4096 Sep 28 23:34 /srv/www
# ls -ld /srv/www/htdocs
drwxr-xr-x 10 wwwrun www 4096 Nov 11 12:03 /srv/www/htdocs
ls -l /etc/apache2/httpd.conf
-rw-r--r-- 1 root root 8278 Nov  5 16:39 /etc/apache2/httpd.conf

Regards
Philippe

Ok, that’s fine.

Although you probably should use the games repo for openSUSE_Factory, not 13.2.
But that’s completely unrelated to your Apache problem anyway.

I meant the content of the file.

Or better, follow Miuku’s suggestion

Hello,

I see the following difference

in section <Directory "/srv/www/htdocs">
in default-server.conf:
    Order allow,deny
     Allow from all

in default-server.conf.rpmnew:
    Require all granted

I saved default-server.conf and renamed default-server.conf.rpmnew to default-server.conf and restart apache2.service

systemctl restart apache2.service
hpprol2:/etc/apache2 systemctl status apache2.service
apache2.service - The Apache Webserver
   Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled)
   Active: active (running) since mar. 2014-11-11 17:32:07 CET; 15s ago
  Process: 9573 ExecStop=/usr/# sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop (code=exited, status=0/SUCCESS)
 Main PID: 9595 (httpd2-prefork)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/apache2.service
           ├─9595 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           ├─9612 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           ├─9614 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           ├─9616 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           ├─9617 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start
           └─9618 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -DICINGA -D SYSTEMD -DFOREGROUND -k start


thereafter it works :slight_smile:

Many thanks.

Can I ask you something?
If I understand correctly
“Order allow,deny
Allow from all”
deny access to the directory for all user?

and “Require all granted” give access to everybody?

Many thanks in advance
Philippe

Yes, the new Apache requires the new 2.4 style “require all granted” parameters, the old one no longer works without hacking. And yes, require all granted means “everyone can access this directory and files inside it”.

Remember if you have vhosts or other directories like that, you may need to to change them as well as .htaccess files.

Take a peek here;
http://httpd.apache.org/docs/current/upgrading.html

under “Access control” they explain it in a very simple and straightforward manner.

Thanks Miuku,

I’ll read this carefully

Regards
Philippe