4

I'm running Apache 2.4.7 on debian unstable. I'm getting 403 errors when I try to run supysonic using the mod_wsgi module. I turned the LogLevel for wsgi and authz_core up to trace6, but I'm still not getting any useful messages. Note that I'm using mod_access_compat, so the Order ... Allow combination is valid.

I'd like to see specifically what config file (for instance some .htaccess file somewhere, or one of the standard apache or debian config files) and what line contains the rule that generates a 403 error.

I have manually walked the tree, checking at each level that the user the web server is running as has read permissions for files, and read and execute for directories.

my /etc/apache2/apache.conf file iincludes the line:

LogLevel info authz_core:trace6 wsgi:trace6

The apache config file for supysonic, /etc/apache2/conf-enabled/supysonic.conf is:

WSGIScriptAlias /supysonic /mnt/large_vol/home/bminton/public_html/programs/supysonic
<Directory /mnt/large_vol/home/bminton/public_html/programs/supysonic>
    WSGIApplicationGroup %{GLOBAL}
    Order deny,allow
    Allow from all
</Directory>

The error log contains the following lines: 

[Wed Jan 15 08:40:34.106119 2014] [authz_core:debug] [pid 13558] mod_authz_core.c(802): [client 127.0.0.1:58438] AH01626: authorization result of Require all denied: denied
[Wed Jan 15 08:40:34.106197 2014] [authz_core:debug] [pid 13558] mod_authz_core.c(802): [client 127.0.0.1:58438] AH01626: authorization result of <RequireAny>: denied
[Wed Jan 15 08:40:34.106208 2014] [authz_core:error] [pid 13558] [client 127.0.0.1:58438] AH01630: client denied by server configuration: /mnt/large_vol/home/bminton/public_html/programs/supysonic
[Wed Jan 15 08:40:34.113336 2014] [:info] [pid 13571] mod_wsgi (pid=13571): Initializing Python.
[Wed Jan 15 08:40:34.154407 2014] [:info] [pid 13571] mod_wsgi (pid=13571): Attach interpreter ''.
Brian Minton
  • 256
  • 7
  • 15

1 Answers1

3

A 403 error is related to user authorization, it's not really about you application code.

You said you were using apache version 2.4, then this is certainaly wrong:

Order deny,allow
Allow from all

This should now be written this way (1 line only):

Require all granted
regilero
  • 1,470
  • 1
  • 9
  • 14
  • 2
    I am using mod_access_compat. That doesn't answer the question, which apache config file, and which line, is triggering the 403. – Brian Minton Jan 20 '14 at 19:16
  • 1
    ok, try to raise the debug level on the other activated auth modules (and test the require all granted syntax in case of mod_access_compat error), then add debug level on mod_access_compact also. – regilero Jan 21 '14 at 09:25
  • Here are the reuslts with all at `trace6`: `[Thu Jan 23 11:39:18.510535 2014] [authz_core:debug] [pid 26607] mod_authz_core.c(802): [client 166.137.12.32:53010] AH01626: authorization result of Require all denied: denied [Thu Jan 23 11:39:18.543881 2014] [authz_core:debug] [pid 26607] mod_authz_core.c(802): [client 166.137.12.32:53010] AH01626: authorization result of : denied [Thu Jan 23 11:39:18.543943 2014] [authz_core:error] [pid 26607] [client 166.137.12.32:53010] AH01630: client denied by server configuration: /mnt/large_vol/home/bminton/public_html/programs/supysonic/rest ` – Brian Minton Jan 23 '14 at 16:43
  • 1
    It still doesn't tell me which file has the relevant Require line that i triggering the error. – Brian Minton Jan 23 '14 at 16:49
  • I posted all the messages I saw in the apache error log. I'm using mod_access_compat because I have tons of conf files still using the old syntax. – Brian Minton Jan 24 '14 at 14:03
  • 2
    here's my LogLevel line: `LogLevel info wsgi:trace6 auth_basic:trace6 authn_core:trace6 authnz_external:trace6 authz_host:trace6 authn_file:trace6 authz_core:trace6 authz_owner:trace6`. I didn't get any more debugging info in the error log at the time of the request. If you like, I can paste the whole log on pastebin. The logs show lots of lines showing authorization granted, or denied, but not the config file triggering it, which is not very helpful. I'd be willing to try changing all my configs to the new require syntax, but that would be a huge pain, since I have lots of config files. – Brian Minton Jan 24 '14 at 16:58
  • 1
    well, showing the logs could be a good thing. Logs won't tell you the line of original config, but maybe somewhere the detail of what you have in the Require. And try altering only this single place of configuration with the new syntax, not the whole configurations files. – regilero Jan 24 '14 at 17:48