I need help with apache

I’m working on setting up a web page that I want to host locally and will only be available on my local network. I used swerdna’s guide as much as I could, some of it was over my head with this being the first time I’ve hosted my own site, and when I try to view the page I created I get access forbidden. I figure it’s probably something simple I missed.

Thanks
Dan

I found part of the problem, I forgot to restart apache after making some changes to a .conf file. Now it finds the HTML files but none of the pictures or videos I have will load. If I look at the page source it tells me that access is forbidden for those files.

Check the access rights of these files and directories. The files should be readable and the directories readable and executable by everyone.
A common mistake is to use symlinks for directories and forget to add the options FollowSymLinks in /etc/apache2/httpd.conf or in the config file of the virtualhost if you made one.

Don’t forget to restart apache after each modification!

Where in httpd.conf do I add it? This is all new to me.

Never mind I found it in default-server.conf, and now it all works.

Thanks

Well done fucodclown. That Apache is so hard for new users. I had the devil of a time getting to understand it.

I object to things being made readable (etc.) by everyone. This should be accessible (read, search, whatever is applicable) by the user that runs Apache. In a standard openSUSE that is user wwwrun and the group is www. Thus you could e.g. make wwwrun owner of those files, or make the owner of the files member of group www and make the files group accessible or do anything of the normal things when you want to make files available to users for access. Making them world accessible is not the most secure way to solve access problems (to put it mildly, it is like opening wide all the doors of your house 24 hours a day because some stranger could not find the doorbell).

Don’t forget to restart apache after each modification!

Exactly! The elegant way to do this is (as root):

rcapache2 reload

This will reload the configuration files (as opposed to restarting apache as a whole).

There is a counter argument that you should make them readable by wwwrun or www but not owned by them (except for upload directories) so that if there is any bug in the web app, it will not be able to overwrite web content. Probably making them readable but not writable by group www will satisfy both of you.

In real life since you’re publishing the content via the web, it makes little difference that the files are world readable locally. But please not mode 777.
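
An added example, not part of the original thread: a POSIX shell function that audits a document root against the compromise described above (readable through the group, nothing world-writable, nothing owned by the server user). The function name, the finding labels and the CLASS argument are illustrative assumptions; wwwrun and www are the openSUSE names mentioned in the thread.

```shell
#!/bin/sh
# audit_docroot DIR [CLASS] [SERVER_USER]   (hypothetical helper)
#   DIR          document root to inspect
#   CLASS        permission class Apache reaches the files through:
#                g (group, e.g. www) or o (other); default g
#   SERVER_USER  optional user name or uid Apache runs as (e.g. wwwrun)
# Prints one "ISSUE<TAB>path" line per finding; returns 1 if any were found.
# Only mode bits and ownership are inspected, so it can be run by any user
# who can list the tree.
audit_docroot() {
    dir=$1 class=${2:-g} srv=${3:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case $class in
        g|o) ;;
        *) echo "class must be g or o" >&2; return 2 ;;
    esac

    findings=$(
        # Anything writable by everyone (the "mode 777" case); symlinks
        # always show as 777, so they are skipped.
        find "$dir" ! -type l -perm -o=w -exec printf 'WORLD_WRITABLE\t%s\n' {} \;
        # Directories need the search (x) bit to be traversed.
        find "$dir" -type d ! -perm "-$class=x" -exec printf 'DIR_NOT_SEARCHABLE\t%s\n' {} \;
        # Regular files need the read bit to be served (otherwise: 403).
        find "$dir" -type f ! -perm "-$class=r" -exec printf 'FILE_NOT_READABLE\t%s\n' {} \;
        # Content owned by the server user can be overwritten by a buggy web app.
        if [ -n "$srv" ]; then
            find "$dir" -user "$srv" -exec printf 'OWNED_BY_SERVER\t%s\n' {} \;
        fi
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
# Usage (DOCROOT is a placeholder): audit_docroot "$DOCROOT" g wwwrun
```
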

The idea behind my post was of course that one should not make things world accessible when something says: I have no permission. A more intelligent action is needed then and a lot of arguments including ken_yap’s should be taken into account. My objection is indeed against simply saying chmod 777 to a permission problem.

If the pages (and PHP scripts, etc) must be protected against snooping (and of course overwriting) from other users on the system is also something to think about.

What is the ideal solution? (this is a rhetorical question, no serious answers please).

Seems a good place to ask this:

I’ve got websites hosted on a remote server (Wales, if you must know). There are two of us who upload pages (php, html etc) to the webserver, we use ftp with two different usernames.
the ftp is pureftpd & the usernames are valid linux users. We (I mostly) also sometimes use scp (or fish:) to get the files up there instead of ftp.

Apache can serve the pages just fine regardless of who uploaded the files (I haven’t looked into how yet!), but if I upload eg index.php the other one can’t edit it because it’s owned by me and vice-versa.

How do you all get around this?

If you can get the ftp server to force the group and the group write bit, that will work. Otherwise you may have to resort to ACLs.

While I agree with what you’re saying it doesn’t really apply in this case, this site is strictly on my local network. I’m not opening any ports in my firewall to allow people to be able and see my site or registering a domain for it. I haven’t tried it yet, because all the files involved in this site are owned by the same user, but I think as long as everyone can read the files that should be enough.

You’re right. But from what kind of website are we talking about? localhost! And, since you thought it appropriate to quote my answer, please notice that I didn’t say “readable (etc) by everyone” but just “readable by everyone”. On local webservers, where files belong to the users who created them (usually with umask 022), they are indeed readable by everyone.

Making them world accessible is not the most secure way to solve access problems (to put it mildly, it is like opening wide all the doors of your house 24 hours a day because some stranger could not find the doorbell).

It is not. But it is surely the best way to intimidate newbies (to put it mildler).

You are correct.

BUT, security is always first.

AND even if you do have only one user created on your system now (but there are already more, a typical openSUSE installation has already more than 20 before you start creating your own ones. One of them is the wwwrun already mentioned. Why do you think a separate user is created for such things as an HTTP service?) maybe the day after next New year you will create another one for a new (girl) friend and then you will forget that you have a system open for every user. And even if you remember you have an internal vulnerable system, it is not easy to undo all the holes you created.

AND maybe the day after the summer holidays in 2013 you open up some port somewhere just for a month because …

I am always utterly unimpressed by arguments that explain why in this special case, where person X is the owner, administrator, single user, and where - endless stories of closed ports, infallible management, etc, etc … - makes it plausible not to follow best practices, but spend the time inventing by oneself what might be a safe server.

Reading your post #1 above, my assessment was that when you do not understand what a “permission denied” means and where to look for the solution (users, groups, access-bits), you were not very knowledgeable in this area and thus my advice for good practices. Of course, it is difficult to get a good impression about somebody’s Unix/Linux knowledge in such a short post, thus I could be utterly wrong there and I then apologize. But these things are only advice and they originate from the general experience of years of many system managers who spread this advice amongst others, so they do not have to invent the wheel again.

But of course, it is your system and you may maintain, manhandle or otherwise do as you like with it.

@please_try_again. IMHO users should know better and have their umask at 027 (and system managers should try to put this as default in their environment and telling them why they did so and encourage them not to loosen this). But that may indicate a very different approach to security by me and a majority here. Let everybody have her/his own joy.

In any case (I am afraid I am repeating myself) the idea to just open up for the world on some complaint isn’t something I would advertise. Especially because when we say it today for read access, somebody reading this will do it tomorrow for write access.

In this case my approach to security is simply this. I’m building this site on the computer I use everyday, I would never open it up to the world, I would build a separate web server for that. I run a smoothwall firewall that supports different zones for different access levels from the outside, red for the internet, green for the wired network, purple for wireless and orange for things that need higher levels of access to and from the outside.

I believe I might have a quite different approach to security as well, since I build my firewalls with OpenBSD and would never do that with Linux.

In any case (I am afraid I am repeating myself) the idea to just open up for the world on some complaint isn’t something I would advertise.

Oki Doki. I won’t say that anymore. Hope you’re happy again now.