0

I installed a CGI script on a fresh installation of Apache 2.4 on Ubuntu server 14.04. Apache keeps replying with 403 Forbidden even though, to me, the configuration file is OK. The CGI is the Monitorix front-end, a system monitoring tool written in Perl.

The configuration file /etc/apache2/conf-enabled/monitorix.conf is:

```apache
Alias /monitorix /var/lib/monitorix/www
ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi

<Directory /var/lib/monitorix/www/cgi/>
        DirectoryIndex monitorix.cgi
        Options ExecCGI
        <IfModule mod_authz_core.c>
                # Apache 2.4
                Require all granted
        </IfModule>
        <IfModule !mod_authz_core.c>
                # Apache 2.2
                Order deny,allow
                Allow from all
        </IfModule>
</Directory>
```

All files in /var/lib/monitorix/www and /var/lib/monitorix/www/cgi have at least read permission for all. Every time I try to access from URL /monitorix, in my Apache log I see lines:

```
[Mon Sep 01 06:57:52.995680 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58879] AH01630: client denied by server configuration: /var/lib/monitorix/www
[Mon Sep 01 07:00:10.131166 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58903] AH01630: client denied by server configuration: /var/lib/monitorix/www
[Mon Sep 01 07:00:11.102614 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58903] AH01630: client denied by server configuration: /var/lib/monitorix/www
...
```

Plus, I cannot understand why, when I try to access from URL /monitorix-cgi (I got the idea from the ScriptAlias directive), I get 200 OK and I can see the Perl source of /var/lib/monitorix/www/cgi/monitorix.cgi.

Some time ago I installed this tool on Debian and I had no problems: /monitorix worked as expected and /monitorix-cgi correctly gave me 403 Forbidden instead of showing the Perl source file.

Update: this issue has been reported to Monitorix and probably fixed (#69)

lorenzo-s
  • What is in your logs? – peterh Sep 01 '14 at 08:36
  • @PeterHorvath What logs? I posted the Apache error log. In `/var/log/monitorix*` there are many files, but no line is added when trying to connect, and I can't see errors. I'm not a Perl developer, I do not know if there are logs somewhere else... – lorenzo-s Sep 01 '14 at 09:44
  • Are you using a WAF (Web Application Firewall)? – thanasisk Sep 18 '14 at 15:23
  • @thanasisk I don't think so, except if something came preinstalled with Ubuntu 14.04 Server or Apache 2.4. I only checked for `mod_security` and it's not installed. – lorenzo-s Sep 18 '14 at 15:26

3 Answers

5

When you access /monitorix in a browser, you are accessing /var/lib/monitorix/www. Your Directory block allows access to /var/lib/monitorix/www/cgi, not /var/lib/monitorix/www. Either change the Alias to:

```apache
Alias /monitorix /var/lib/monitorix/www/cgi
```

or add an additional Directory block:

```apache
<Directory /var/lib/monitorix/www/>
    <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order deny,allow
            Allow from all
    </IfModule>
</Directory>
```

As for seeing the source of the cgi, it's probably mod_cgi's configuration. Either it's not enabled or it's not set to handle *.cgi files. You may need to add:

```apache
AddHandler cgi-script .cgi
```

to your virtualhost or directory block. If that doesn't work, try this in your shell:

```sh
sudo a2enmod cgi
```

and follow the instructions to reload apache. If it still doesn't work, add a comment below and possibly update your question. I'll take another look and maybe set up a test system.

Jeff Snider
  • Great! I needed to enable `cgi` module **and** add the second `Directory` block. Changing the `Alias` as you suggested made the app *half-working*: I think it uses some files from `www/` and scripts from `/www/cgi`, so... [Here is the entire working config file](http://pastebin.com/raw.php?i=8diQS7qK) – lorenzo-s Sep 18 '14 at 16:04
  • You can keep the alias you had, you just needed to allow it with a directory block. Sounds like you should change the alias back and keep the new directory block. - ok, good, looks like you did that already. – Jeff Snider Sep 18 '14 at 16:09
  • If you want to clean it up a bit, you only need the IfModule directives in the /www level directory block. /www/cgi will inherit them. – Jeff Snider Sep 18 '14 at 16:11
  • Yep! I will award the bounty ASAP (23h left). Thank you very much Jeff! – lorenzo-s Sep 18 '14 at 16:11
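
The two symptoms discussed in the answer above (403 on `/monitorix`, Perl source shown on `/monitorix-cgi`) can be reproduced offline with a small model of how the URL is mapped to a path and then authorized. This Python sketch is an added example, not code from the thread, Apache or Monitorix; `parse`, `resolve` and the two config strings are hypothetical names, and the model assumes that anything outside a granted `<Directory>` is denied and ignores `AddHandler`, `IfModule` and section merging.

```python
import re

# Constructed input: the question's monitorix.conf, reduced to its Apache 2.4 branch.
QUESTION_CONF = """\
Alias /monitorix /var/lib/monitorix/www
ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi
<Directory /var/lib/monitorix/www/cgi/>
    Options ExecCGI
    Require all granted
</Directory>
"""
# Same config plus the extra <Directory> block from the answer.
FIXED_CONF = QUESTION_CONF + """\
<Directory /var/lib/monitorix/www/>
    Require all granted
</Directory>
"""

def parse(conf):
    """Collect (url_prefix, fs_path, is_script) aliases and granted directories."""
    aliases, granted, current = [], [], None
    for line in (l.strip() for l in conf.splitlines()):
        if m := re.match(r"(Script)?Alias\s+(\S+)\s+(\S+)", line):
            aliases.append((m.group(2), m.group(3).rstrip("/"), bool(m.group(1))))
        elif m := re.match(r'<Directory\s+"?([^">]+)"?>', line):
            current = m.group(1).rstrip("/")
        elif line == "</Directory>":
            current = None
        elif current and line.lower() == "require all granted":
            granted.append(current)
    return aliases, granted

def resolve(conf, url, cgi_loaded):
    """Hypothetical, simplified model of what the server does with `url`."""
    aliases, granted = parse(conf)
    for prefix, target, is_script in aliases:  # config order, whole path segments
        if url == prefix or url.startswith(prefix + "/"):
            path = target + url[len(prefix):]
            break
    else:
        return None, "no alias matched"
    # Assumption: anything outside a granted <Directory> is denied.
    if not any(path == d or path.startswith(d + "/") for d in granted):
        return path, "403 (AH01630)"
    # ScriptAlias only marks files as CGI; without mod_cgi nothing executes them.
    if is_script and cgi_loaded:
        return path, "executed as CGI"
    return path, "served as static file"
```

With `QUESTION_CONF` and `cgi_loaded=False`, `/monitorix` resolves to a path no granted block covers, while `/monitorix-cgi/monitorix.cgi` is authorized but falls through to static serving, which is the source disclosure seen in the question.
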
1

I think you need a Require line:

```apache
Require all granted
```

Daniel Scott
0

The following config worked for me (Apache 2.4):

```apache
<VirtualHost *:443>
        ServerName your.server.com
        DocumentRoot "/var/lib/monitorix/www"

        AddHandler cgi-script .cgi

        Alias /cgi /var/lib/monitorix/www/cgi

        <Directory "/var/lib/monitorix/www">
                Require all granted
        </Directory>

        <Directory "/var/lib/monitorix/www/cgi">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Require all granted
        </Directory>
</VirtualHost>
```

The /etc/monitorix/monitorix.conf looks like:

```
base_url = /
base_cgi = /cgi
```

And disable the built-in httpd service:

```
<httpd_builtin>
        enabled = n
```