I have been advised to chroot my apache2 installation to better secure the sensitive content on the rest of the server. I have installed and set up mod_security properly and can see in the logs that it is chrooting apache2 properly, but systemctl is having problems verifying that the service is running. When I run:
service apache2 start
it hangs for 20 seconds and then reports as failed:
The apache2 instance did not start within 20 seconds. Please read the log files to discover problems ... (warning).
but if I check the processes, I can see that various apache2 services are running. If I try accessing my website, I get a 403 Forbidden error. Here is my grep'ed /etc/apache2/apache2.conf:
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
SecChrootDir /var/www
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
ServerName localhost
and this is my /etc/apache2/sites-enabled/site.com.conf:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
<Directory /var/www>
AllowOverride None
Require all granted
</Directory>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Some recent /var/log/apache2/error.log:
[Mon Feb 22 00:26:02.746084 2016] [mpm_prefork:notice] [pid 2766] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:26:27.000946 2016] [:notice] [pid 2978] ModSecurity: chroot checkpoint #1 (pid=2978 ppid=2975)
[Mon Feb 22 00:26:27.001010 2016] [:notice] [pid 2978] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:26:27.001016 2016] [:notice] [pid 2978] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:26:27.001022 2016] [:notice] [pid 2978] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:26:27.001028 2016] [:notice] [pid 2978] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:26:27.001032 2016] [:notice] [pid 2978] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:26:27.001068 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:26:27.223832 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:26:28.000065 2016] [:notice] [pid 2979] ModSecurity: chroot checkpoint #2 (pid=2979 ppid=1)
[Mon Feb 22 00:26:28.000103 2016] [:notice] [pid 2979] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:26:28.003129 2016] [mpm_prefork:notice] [pid 2979] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:26:28.003162 2016] [core:notice] [pid 2979] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:26:51.576466 2016] [authz_core:error] [pid 2983] [client 65.29.162.224:50484] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.093394 2016] [authz_core:error] [pid 2984] [client 80.65.51.221:5624] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.108471 2016] [authz_core:error] [pid 2985] [client 80.65.51.221:10799] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.137950 2016] [authz_core:error] [pid 2986] [client 80.65.51.221:64057] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:28:48.924836 2016] [authz_core:error] [pid 2987] [client 150.70.173.47:53051] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:48.875421 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:49.977038 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:34:06.848570 2016] [mpm_prefork:notice] [pid 2979] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:34:28.000025 2016] [:notice] [pid 3821] ModSecurity: chroot checkpoint #1 (pid=3821 ppid=3818)
[Mon Feb 22 00:34:28.000106 2016] [:notice] [pid 3821] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:34:28.000112 2016] [:notice] [pid 3821] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:34:28.000118 2016] [:notice] [pid 3821] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:34:28.000123 2016] [:notice] [pid 3821] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:34:28.000128 2016] [:notice] [pid 3821] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:34:28.000163 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:34:28.182087 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:34:29.000835 2016] [:notice] [pid 3822] ModSecurity: chroot checkpoint #2 (pid=3822 ppid=1)
[Mon Feb 22 00:34:29.000871 2016] [:notice] [pid 3822] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:34:29.003978 2016] [mpm_prefork:notice] [pid 3822] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:34:29.004010 2016] [core:notice] [pid 3822] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:34:31.541762 2016] [authz_core:error] [pid 3827] [client 65.29.162.224:50568] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:51:43.647330 2016] [authz_core:error] [pid 3829] [client 65.29.162.224:50919] AH01630: client denied by server configuration: /var/www, referer: http://xxxxxxxxxx.com/
[Mon Feb 22 01:00:25.730427 2016] [authz_core:error] [pid 3831] [client 208.91.115.10:47458] AH01630: client denied by server configuration: /var/www
Let me know if there's any more information I should provide.
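One check worth running whenever SecChrootDir is in play, given the config and log lines above: once the chroot takes effect, every filesystem path Apache opens afterwards is interpreted relative to the new root, so a directive written as /var/www refers to /var/www/var/www on the host, and a `<Directory />` section governs the chroot's root, i.e. the web root itself. The following Python script is an added example, not code from the question, from Apache or from ModSecurity. It parses a constructed config fragment modelled on the posted apache2.conf and a few constructed error.log lines of the same shape as the posted ones, then reports where each path directive lands on the host with the chroot active, what each `<Directory>` section now covers on the host and how its original target would have to be named from inside the chroot (or that it is unreachable), and the host location of every path the log reports as denied. It assumes that DocumentRoot and PidFile are opened after checkpoint #2 (the log files are left out because the posted error.log keeps receiving lines after "chroot successful", so they were opened earlier), and it uses a constructed set of host paths in place of a real filesystem. The translation is general, so it works for any chroot directory, not only /var/www.

```python
"""Added example (not code from the question, Apache or ModSecurity): model
SecChrootDir as a path translation and check an Apache config and its
error.log against it.  Assumption: DocumentRoot and PidFile are resolved
after the chroot (checkpoint #2 in the posted log); a constructed set of
host paths stands in for the real filesystem."""
import posixpath
import re

# Directives assumed to be opened after the chroot; log files are opened earlier.
PATH_DIRECTIVES = {"DocumentRoot", "PidFile"}
DIRECTORY_RE = re.compile(r'^<Directory\s+(?:"([^"]+)"|(\S+))\s*>\s*$', re.I)
DIRECTIVE_RE = re.compile(r"^(\w+)\s+(.+?)\s*$")
CHROOT_OK_RE = re.compile(r"ModSecurity: chroot successful, path=(\S+)")
DENIED_RE = re.compile(r"AH01630: client denied by server configuration: ([^,\s]+)")

# Constructed config fragment modelled on the posted apache2.conf, with the
# Debian default substituted for ${APACHE_PID_FILE}.
SAMPLE_CONF = """
SecChrootDir /var/www
PidFile /var/run/apache2/apache2.pid
DocumentRoot /var/www
<Directory />
    Options FollowSymLinks
    Require all denied
</Directory>
<Directory /usr/share>
    Require all granted
</Directory>
<Directory /var/www/>
    Require all granted
</Directory>
"""

# Constructed error.log lines of the same shape as the posted ones (not a real capture).
SAMPLE_LOG = """\
[Mon Feb 22 00:34:29.000871 2016] [:notice] [pid 3822] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:34:31.541762 2016] [authz_core:error] [pid 3827] [client 192.0.2.10:50568] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:51:43.647330 2016] [authz_core:error] [pid 3829] [client 192.0.2.10:50919] AH01630: client denied by server configuration: /var/www, referer: http://example.test/
"""

# Constructed stand-in for what exists on the host's disk.
SAMPLE_HOST_PATHS = {"/var/www", "/var/www/index.html", "/var/run/apache2", "/usr/share"}


def parse_config(text):
    """Return (SecChrootDir, [(directive, path)], [(section path, Require value)])."""
    chroot, paths, sections, current = None, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTORY_RE.match(line)
        if m:
            current = [m.group(1) or m.group(2), "unspecified"]
            continue
        if line.lower() == "</directory>":
            if current:
                sections.append(tuple(current))
            current = None
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if current is not None and name.lower() == "require":
            current[1] = value
        elif name == "SecChrootDir":
            chroot = value
        elif name in PATH_DIRECTIVES:
            paths.append((name, value.split()[0]))
    return chroot, paths, sections


def host_view(path, chroot):
    """Host location of a path that Apache opens after chroot(2) to `chroot`."""
    return posixpath.normpath(chroot + "/" + path.lstrip("/"))


def chroot_view(path, chroot):
    """How a host path must be written to reach the same place from inside the
    chroot, or None when it lies outside the new root and is unreachable."""
    c, p = posixpath.normpath(chroot), posixpath.normpath(path)
    if c == "/":
        return p  # no translation when the "chroot" is the real root
    if p == c:
        return "/"
    return p[len(c):] if p.startswith(c + "/") else None


def audit(conf_text, log_text, host_paths):
    """Cross-check config paths and error.log lines under the configured chroot."""
    chroot, paths, sections = parse_config(conf_text)
    if chroot is None:
        raise ValueError("no SecChrootDir in config")
    report = {"chroot": chroot, "log_chroot": None, "directives": [], "sections": [], "denied": []}
    for name, path in paths:
        host = host_view(path, chroot)
        report["directives"].append({"directive": name, "configured": path,
                                     "host_path": host, "exists_on_host": host in host_paths})
    for path, access in sections:
        report["sections"].append({"configured": path, "access": access,
                                   "covers_on_host": host_view(path, chroot),
                                   "intended_reachable_as": chroot_view(path, chroot)})
    for line in log_text.splitlines():
        m = CHROOT_OK_RE.search(line)
        if m:
            report["log_chroot"] = m.group(1)
        m = DENIED_RE.search(line)
        if m:
            report["denied"].append({"path": m.group(1), "host_path": host_view(m.group(1), chroot)})
    return report


def findings(report):
    """The lines a reviewer would act on, as plain text."""
    out = []
    if report["log_chroot"] not in (None, report["chroot"]):
        out.append(f"log reports chroot {report['log_chroot']} but config says {report['chroot']}")
    for d in report["directives"]:
        if not d["exists_on_host"]:
            out.append(f"{d['directive']} {d['configured']} resolves to {d['host_path']} on the host, which does not exist")
    for s in report["sections"]:
        if s["intended_reachable_as"] is None:
            out.append(f"<Directory {s['configured']}> ({s['access']}) now covers {s['covers_on_host']} "
                       f"on the host; its original target is outside the chroot")
    for d in report["denied"]:
        out.append(f"denied path {d['path']} was looked up at {d['host_path']} on the host")
    return out


if __name__ == "__main__":
    for line in findings(audit(SAMPLE_CONF, SAMPLE_LOG, SAMPLE_HOST_PATHS)):
        print(line)
```

Against the constructed sample the script reports that DocumentRoot and PidFile resolve to /var/www/var/www and /var/www/var/run/apache2/apache2.pid on the host, neither of which exists, that the `<Directory />` deny now covers /var/www (the whole chroot) while the `<Directory /var/www/>` grant covers /var/www/var/www, and that the denied path /var/www from the log was looked up at /var/www/var/www. To run it on a real server, pass the real config and log text and replace SAMPLE_HOST_PATHS with a set built from os.walk over the chroot directory (or swap the membership test for os.path.exists); the PidFile finding is also what an init script that polls the host-side pid path would be tripped up by, under the assumption stated above.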