apache2 config - directory listing

Hi,

I’m trying to get a web server up and running on 11.4 that will display a directory listing of a directory on the web server to internal machines. I’ve been digging around in /etc/apache2/httpd.conf and /etc/apache2/default-server.conf.

I understand that the webserver root directory is /srv/www/htdocs. So I’ve put a symlink in that directory to the directory (which is a user’s home directory) which I want to access via a web browser. However, when I navigate to that directory, I get an “Access Forbidden” error. I’ve put an .htaccess file in that directory containing “Option +Indexes”, and changed the AllowOverride to All in both the httpd.conf and default-server.conf, but still the same result.

Can someone please explain which config files I need to edit and how to allow a directory listing for a directory that’s sitting in the document root of the webserver.

Thanks.

Apache does not follow symlinks (security) IIRC. I do not know if this is configurable, but it is at least a default.

When you put a symbolic link into directory /srv/www/htdocs/ then you must create a correct entry in the config file for the new directory (preferrably in httpd.local.conf, include that from httpd.conf) and it must contain:

<Directory "/srv/www/htdocs/yourlink">
    Options Indexes FollowSymLinks
    (... some other stuff)
</Directory>

This allows apache to follow symbolic links and it will generate an index list of the directory when there is no “index.html” file. BTW apache has very good documentation. Its worth reading it.

On Sun, 26 Jun 2011 18:36:03 +0530, vodoo
<vodoo@no-mx.forums.opensuse.org> wrote:

>
> When you put a symbolic link into directory /srv/www/htdocs/ then you
> must create a correct entry in the config file for the new directory
> (preferrably in httpd.local.conf, include that from httpd.conf) and it
> must contain:
>
>
> Code:
> --------------------
> <Directory “/srv/www/htdocs/yourlink”>
> Options Indexes FollowSymLinks
> (… some other stuff)
> </Directory>
> --------------------
>
>
> This allows apache to follow symbolic links and it will generate an
> index list of the directory when there is no “index.html” file. BTW
> apache has very good documentation. Its worth reading it.
>
>

and, of course, the user’s home dir. has to be readable by apache. by
default they aren’t.


phani.

and, of course, the user’s home dir. has to be readable by apache. by
default they aren’t.

Correct and understandable by most. May I dare to add: that means by the user and/or group that runs the Apache processes. The default on openSUSE is user wwwrun and group www.

Hi,

Thanks for the helpful replies. However, I’m still getting a 403 response.

I’ve created an httpd.local.conf in /etc/apache2, which contains:

<Directory "/srv/www/htdocs/videos/">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

I’ve added a line to my httpd.conf file as follows:

Include /etc/apache2/httpd.local.conf

And I’ve added the user wwwrun to the users group.

But still no luck. I have the following in httpd.conf (which is the default):

# forbid access to the entire filesystem by default
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

I’ve changed that to:

<Directory />
    Options None
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

But still no luck. Any help would be appreciated.

The path specified in the <Directory> directive has to be the real path, not the symlink. So it would be something like /home/someuser/videos.

Tried that, but no luck. What’s the point of putting in FollowSymLinks if you’re not using the symlink?

You probably need two stanzas, one to allow the directory in htdocs to follow the symlink, and another stanza to specify that /home/someuser/videos can be accessed by all.

You should look in /var/log/apache2/error_log to see if there is any more information on failed accesses.

Hi,

Thanks for responding again. My httpd.local.conf now looks like this:

<Directory "/home/matt/storage/videos">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

<Directory "/srv/www/htdocs/videos">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

When I access it, I get this error in the logs:

[Mon Jun 27 09:51:56 2011] [error] [client 203.171.xx.xxx] Symbolic link not allowed or link target not accessible: /srv/www/htdocs/videos
[Mon Jun 27 09:51:56 2011] [error] [client 203.171.xx.xxx] File does not exist: /srv/www/htdocs/favicon.ico

Any further help would be appreciated.

Probably wwwrun has no access to your videos directory. You can “become” wwwrun by

# su - wwwrun

(you might need to temporarily change wwwrun’s shell to /bin/bash in /etc/passwd) and see if you can navigate to your videos directory. If not, you probably didn’t allow world search permission somewhere along the way, probably your $HOME is not world searchable because it’s mode 700 or 750.

wwwrun definitely has access to the relevant directory. wwwrun is also a member of the users group.

Did you test it empirically though?

Another thing to investigate is apparmor.

I tested using your method.

Apparmor is off, as it interferes with dovecot - still need to work out how to fix that too!

Is there something else I should be looking at?

Did you restart apache2 after editing /etc/group? Changes in groups don’t take effect until the session leader is restarted.

Another thing to note is that FollowSymlinks should be applied to the enclosing directory, not the link itself.

BTW there is an easier way to achieve what you want without a symlink and FollowSymlinks. Use:

Alias /videos/ /home/matt/storage/videos/

You still need the stanza for that directory.

Yes, I restart apache2 after each change.

so the stanza should be:

<Directory "/srv/www/htdocs">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory

if the symlink is /srv/www/htdocs/videos?

Yay. That did it! I used an .htaccess file instead of the stanza.

Thanks v much for your help!

dmbkiwi wrote:
> Yay. That did it! I used an .htaccess file instead of the stanza.

In general it’s better to use a config file than htaccess. htaccess
files slow Apache down, and there are more security risks with them.

But congratulations on getting it working :slight_smile: