This is my first time using Amazon EC2. I'm running a server with Apache 2.4.6, and I can't seem to get it working when I access the public DNS or Elastic IP address. The error message I get is:

Forbidden You don't have permission to access /index.html on this server.

I have checked the permissions of this file (755). I have a VirtualHost block in my httpd.conf file as follows:

```
Listen 80
NameVirtualHost *:80

<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName my-ec2-public-dns-url
</VirtualHost>
```

My Security Group settings in AWS are set to Anywhere for both HTTP and HTTPS.

When I check the error log, it says:

```
AH00132: file permissions deny server access: /var/www/html/index.html
```

What am I doing wrong?

Peter Mortensen
kaoscify
  • FYI, this has nothing to do with EC2, so I removed that tag. – EEAA Dec 09 '14 at 22:40
  • @EEAA Okay, no problem. I thought it may be related due to the Security Group settings. Any idea how I can fix this issue? Thanks. – kaoscify Dec 09 '14 at 22:44
  • Security groups are a **network** level function, whereas the error you're getting is at the **application** level. – EEAA Dec 09 '14 at 22:45
  • What is the file's security context? – Michael Hampton Dec 09 '14 at 23:05
  • @MichaelHampton Apologies, I'm not sure if I follow correctly so excuse my response. It's just a regular index.html file that I put up for testing purposes. – kaoscify Dec 09 '14 at 23:08
  • How did you "put up" the file? What is the output of `ls -Z /var/www/html/index.html`? – Michael Hampton Dec 09 '14 at 23:11
  • @MichaelHampton I first put it in `/home/my-username` using Filezilla. Then I moved it using PuTTY to `/var/www/html`. The output of your command is: `-rwxr-xr-x my-username my-username unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html` – kaoscify Dec 09 '14 at 23:16
  • http://serverfault.com/a/487239/126632 When working on an SELinux-enabled system, you should always copy instead of moving files (and delete the original if necessary). – Michael Hampton Dec 09 '14 at 23:35

1 Answer

Try checking the existing permissions on the file:

```
ls -l index.html
```

Fix them if necessary:

```
chmod 644 index.html
```

If all the standard permissions are correct and you still get a Permission Denied error, you should check for extended permissions. For example, you can use the command `setenforce 0` to turn off SELinux and check to see if the problem goes away. If so, `ls -alZ` can be used to view SELinux permissions and `chcon` to fix them.

E.g.:

```
sudo chcon -R -v -t httpd_sys_rw_content_t index.html
```
Federico Sierra
  • Thank you so much for your help. This was it. I just used the `chcon` command without turning off SELinux. Could you elaborate more as to why this was needed? SELinux just added another layer of protection to the files? – kaoscify Dec 09 '14 at 23:29
  • SELinux is a set of kernel modifications and user-space tools. SELinux has a labeling system where every process and every object (files, directories, etc.) gets a label. Then a large rules database, called policy, is loaded into the kernel. The kernel, based on the policy, controls what each process can do based on its label, and the label of the object it is trying to access. For example SELinux allows a process with the Apache label (`httpd_t`) to share data labeled as "read/only Apache content" (`httpd_sys_content_t`, `httpd_sys_content_rw_t`). See http://selinuxproject.org/page/Main_Page – Federico Sierra Dec 09 '14 at 23:37
  • There are numerous questions about 403 errors with Apache, and none of them mentioned SELinux as the cause of it. After an intense search I finally found this answer. Well done, Federico. – Gendarme Aug 14 '16 at 17:48
  • @mapr I found this [source](https://www.linuxtopia.org/online_books/getting_started_with_SELinux/SELinux_overview.html) helpful to understand the basics of SELinux security context – the accountant Jul 13 '18 at 00:13
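
The failure in this thread (a file moved from a home directory keeps its `user_home_t` label) can be checked for across a whole web root. The script below is an added example, not part of the original question or answer: it reads `ls -Z` style lines and reports every file whose SELinux type is not one of the Apache content types named above. The names `find_mislabeled`, `sample_listing` and `ALLOWED_TYPES` are hypothetical, and the context field is located by its shape rather than by column, so other `ls` layouts are handled too.

```shell
#!/bin/sh
# Added example: flag files whose SELinux type Apache (httpd_t) is not
# expected to serve. Input: `ls -Z` style lines on stdin.
# Output: "<type> <path>" for each mislabeled file.

# Assumption for this sketch: only the content types named in this thread.
ALLOWED_TYPES="httpd_sys_content_t httpd_sys_rw_content_t"

find_mislabeled() {
    awk -v allowed="$ALLOWED_TYPES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        ctx = ""
        # The context is the field shaped user:role:type:level. Its column
        # differs between ls versions, so search for it instead.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
        if (ctx == "") next            # line carries no SELinux context
        split(ctx, part, ":")          # part[3] is the type
        # Limitation: $NF is the last word, so paths with spaces are cut.
        if (!(part[3] in ok)) print part[3], $NF
    }'
}

# Sample input: the first line is the ls -Z output quoted in the comments
# above; the second line is constructed for comparison.
sample_listing() {
cat <<'EOF'
-rwxr-xr-x my-username my-username unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
EOF
}

sample_listing | find_mislabeled
# prints: user_home_t /var/www/html/index.html
```

On a real host the input would come from `ls -Z /var/www/html/* | find_mislabeled`. For static pages that Apache only needs to read, `httpd_sys_content_t` is the narrower label than the read-write type.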