authz_core keeps denying access

Question

I've configured a webserver more or less according to this tutorial (https://wiki.apache.org/httpd/PHP-FPM) and I can't get PHP to work. HTML-files are served fine. I get the following error message:

mod_authz_core.c(802): [client <myip>:36570] AH01626: authorization result of Require all denied: denied
mod_authz_core.c(802): [client <myip>:36570] AH01626: authorization result of <RequireAny>: denied
127.0.0.1 [client <myip>:36570] AH01630: client denied by server configuration: proxy:fcgi://127.0.0.1:9000/var/www/html/test.php

Here's my PHP file:

www@<server>:/var/www/html$ ls -l
-rw-rw----  1 www www-data    26 Sep  6 09:14 test.php

As you see the file is owned by "www". The webserver and "php-fpm" is running as "www-data".

Here's the basic configuration from the "apache.conf":

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

<Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

Here's the config for my virtual host:

<VirtualHost *:80>
  ServerAdmin admin@example.com

  DocumentRoot /var/www/html

  <Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>

  ErrorLog /var/log/apache2/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel debug

  CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

  # Enable forwarding of php requests via php-fpm
  ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
</VirtualHost>

I had the impression that the "Require all granted" part would prevent access to the php file and mod_authz would be happy with it.

I already checked that "php-fpm" is listening as is should:

www@<server>:/etc/php5/fpm/pool.d$ netstat -an | grep :9000
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN

Now I'm out of ideas on where to look next. Any suggestions?

Answer 1

As requested, here is the answer with some extra explanation.

The error "client denied by server configuration" has some very specific causes, all of which are detailed here http://wiki.apache.org/httpd/ClientDeniedByServerConfiguration

As I mentioned in the comment, <Directory> blocks do not affect any request that is proxied as they only affect requests that Apache itself maps to a file system path.

Look for any Location or Files blocks that are allowing/denying access to thebase URI path or .php files.

The solution I proposed which seems to have worked was to add the following block to the virtual host.

<Location />
  require all granted
</Location>

I would still suggest looking for other Location/Files blocks in the remainder of your configuration as there should be something else that caused the requests to be denied originally. Adding this block allowed the requested to start working because of the way Apache merges these sorts of blocks, as described in the following link.

https://httpd.apache.org/docs/current/sections.html

Answer 2

It's very important to make the change in the section that is relevant to the Apache version that you run.

For example if you are running 2.4 then use the 2.4:

Require all granted