2

I've configured a webserver more or less according to this tutorial (https://wiki.apache.org/httpd/PHP-FPM) and I can't get PHP to work. HTML-files are served fine. I get the following error message:

mod_authz_core.c(802): [client <myip>:36570] AH01626: authorization result of Require all denied: denied
mod_authz_core.c(802): [client <myip>:36570] AH01626: authorization result of <RequireAny>: denied
127.0.0.1 [client <myip>:36570] AH01630: client denied by server configuration: proxy:fcgi://127.0.0.1:9000/var/www/html/test.php

Here's my PHP file:

www@<server>:/var/www/html$ ls -l
-rw-rw----  1 www www-data    26 Sep  6 09:14 test.php

As you see the file is owned by "www". The webserver and "php-fpm" is running as "www-data".

Here's the basic configuration from the "apache.conf":

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

<Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

Here's the config for my virtual host:

<VirtualHost *:80>
  ServerAdmin admin@example.com

  DocumentRoot /var/www/html

  <Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>

  ErrorLog /var/log/apache2/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel debug

  CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

  # Enable forwarding of php requests via php-fpm
  ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
</VirtualHost>

I had the impression that the "Require all granted" part would prevent access to the php file and mod_authz would be happy with it.

I already checked that "php-fpm" is listening as is should:

www@<server>:/etc/php5/fpm/pool.d$ netstat -an | grep :9000
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN

Now I'm out of ideas on where to look next. Any suggestions?

Stephan Klein
  • 23
  • 1
  • 1
  • 4
  • Please make sure mod_php5 is disabled: `sudo a2dismod php5` – Francesco Abeni Sep 06 '16 at 12:16
  • mod_php5 isn't even installed. – Stephan Klein Sep 06 '16 at 12:51
  • Your blocks should not affect anything that is proxied as they only affect requests that Apache itself maps to a file system path (here it is the php-fpm process that is doing that). Look for any Location or Files blocks that are allowing/denying access. You shouldn't need it but you can try adding a require all granted to your virtual host. – Unbeliever Sep 06 '16 at 12:56
  • Thank you, that did the trick. Time to start reading on to really understand what's happening. – Stephan Klein Sep 06 '16 at 13:18
  • It was a check just to make sure, that's why I did not make an answer out of it. I spent some time reasoning on your question but did not find any evident issue @Unbeliever: please write your comment as answer. Glad it's sorted out! – Francesco Abeni Sep 06 '16 at 14:36

2 Answers2

5

As requested, here is the answer with some extra explanation.

The error "client denied by server configuration" has some very specific causes, all of which are detailed here http://wiki.apache.org/httpd/ClientDeniedByServerConfiguration

As I mentioned in the comment, <Directory> blocks do not affect any request that is proxied as they only affect requests that Apache itself maps to a file system path.

Look for any Location or Files blocks that are allowing/denying access to thebase URI path or .php files.

The solution I proposed which seems to have worked was to add the following block to the virtual host.

<Location />
  require all granted
</Location>

I would still suggest looking for other Location/Files blocks in the remainder of your configuration as there should be something else that caused the requests to be denied originally. Adding this block allowed the requested to start working because of the way Apache merges these sorts of blocks, as described in the following link.

https://httpd.apache.org/docs/current/sections.html

Unbeliever
  • 2,286
  • 1
  • 9
  • 17
0

It's very important to make the change in the section that is relevant to the Apache version that you run.

For example if you are running 2.4 then use the 2.4:

Require all granted

Peter V
  • 11
  • 1