(nginx) Apache Forbidden error (at random): No error logs

Question

I am running an Nginx server, but as of late I am randomly getting "Forbidden" errors by Apache, and it seems to never happen at "first" visit, only after refreshing/browsing for a while.

What is more, is that my "designated" error logs for httpd (/var/etc/httpd/logs/error_log and /var/logs/httpd/....) are empty. I guess they should be empty since I am running NGINX, but the error is shown by Apache, so I figured it should be here at first. However I later learned that httpd is inactive.

My designated Nginx logs work. By accessing my server via www.example.com (virtual.conf), I see access and error logs. The error logs show some random stuff not related to this issue.

By accessing my site via IP (default.conf), I am getting access logs, but error logs are empty.

So I assume this issue is not caused by NGINX, HTTPD is "disabled", but I am getting random "Forbidden" Apache errors on any page after some time of browsing.

Additional info

I raised both my hard/soft ulimit to 166384, restarted my server, etc. Apache is running as root for some reason (which is weird since I mentioned that httpd shows as 'disabled').

Nginx default.conf (config for accessing the server via IP)

    server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    access_log  /var/log/nginx/access2.log  main;
    error_log  /var/log/nginx/error2.log warn;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}

Apache config (hashtag lines removed to reduce size)

ServerRoot "/etc/httpd"


PidFile run/httpd.pid


Timeout 60


KeepAlive Off


MaxKeepAliveRequests 100


KeepAliveTimeout 15


<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>


<IfModule worker.c>
StartServers         4
MaxClients         300
MinSpareThreads     25
MaxSpareThreads     75 
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>


LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so


Include conf.d/*.conf


User apache
Group apache




ServerAdmin root@localhost


#ServerName www.example.com:80


UseCanonicalName Off


DocumentRoot "/var/www/html"

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>


<Directory "/var/www/html">


    Options Indexes FollowSymLinks


    AllowOverride None

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all

</Directory>

<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    UserDir disabled

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disabled" line above, and uncomment
    # the following line instead:
    # 
    #UserDir public_html

</IfModule>



DirectoryIndex index.html index.html.var


AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>


TypesConfig /etc/mime.types

DefaultType text/plain


<IfModule mod_mime_magic.c>
#   MIMEMagicFile /usr/share/magic.mime
    MIMEMagicFile conf/magic
</IfModule>


HostnameLookups Off


ErrorLog logs/error_log


LogLevel warn


LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent


CustomLog logs/access_log combined


ServerSignature On


Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>


ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"


<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8


AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^


DefaultIcon /icons/unknown.gif


ReadmeName README.html
HeaderName HEADER.html


AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw


LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW


ForceLanguagePriority Prefer Fallback


AddDefaultCharset UTF-8

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl


AddHandler type-map var

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml


Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/var/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>


</IfModule>
</IfModule>

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

Nginx virtual.conf (for accessing the website via TLD, shows errors, but none in regards to "forbidden" error)

server {
    listen       80;
    server_name  example.com www.example.como;
    access_log   /var/log/nginx/example.com.access.log;
    error_log    /var/log/nginx/example.com.error.log;
    root  /home/admin/www/html/example.com/public_html;
    client_max_body_size 1536m;
    keepalive_timeout  10000;
    client_header_timeout 10000;
    client_body_timeout 10000;



    error_page   404 500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

    location / {
        index index.php;
        try_files $uri $uri/ /index.php?$args;
    }

    location /favicon.ico {
        auth_basic off;
        allow all;
    }


    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /home/admin/www/html/example.com/public_html$fastcgi_script_name;
    }



}

Update

I am now at least seeing some errors. Here is audit.log. The first line shows a successful page load. The second is what happens when I get a 'forbidden' message.

type=USER_END msg=audit(1431718801.541:128164): user pid=29115 uid=496 auid=496 ses=9205 msg='op=PAM:session_close acct="nginx" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

type=USER_AUTH msg=audit(1431718816.337:128165): user pid=8621 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="?" exe="/usr/sbin/saslauthd" hostname=? addr=? terminal=? res=failed'

Here's another type of error:

type=USER_LOGIN msg=audit(1431722833.290:130074): user pid=10064 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=My ip here terminal=ssh res=failed'

Do you have an index file available for the path that returns `403` ? In case not, this will imply a directory listing wich is generally not allowed...Also posting your Apache config relevant to this problem could help. — krisFR, May 12 '15 at 20:27
Hello thank you. I have updated my question with config code. Also, this error is not produced on specific pages, but rather randomly anywhere after browsing for a while. — pufAmuf, May 12 '15 at 21:07
So is apache (httpd) running or not? What does `ps aux` say about that? Also, can you post the `dig A yourdomain.com` output? Perhaps you have multiple A records, pointing to different servers. — Halfgaar, May 15 '15 at 14:00
`ps aux` definitely confirms that httpd is NOT running. Multiple nginx instances are, however. I'll go check on my domain records, however I don't think I mentioned, that this config has been running fine for 1 year. The only recent change I made, was installing postfix to send mail via gmail. — pufAmuf, May 15 '15 at 14:34
The `answer` section for `dig A` has only one record. The 'Authority' and 'Additional' section have more info: `dns1.registrar-servers.com. 505 IN A 173.245.58.17 dns1.registrar-servers.com. 505 IN A 185.61.155.14 dns1.registrar-servers.com. 505 IN A 162.252.53.61 dns2.registrar-servers.com. 505 IN A 72.20.53.50 dns2.registrar-servers.com. 505 IN A 162.252.53.60 dns2.registrar-servers.com. 505 IN A 173.245.59.16 dns3.registrar-servers.com. 505 IN A 173.245.58.45 dns3.registrar-servers.com. 505 IN A ... ETC` — pufAmuf, May 15 '15 at 14:41
Do you have any cron jobs that may be periodically updating permissions of directories or files? Is SELinux enabled (getenforce) and do you see any denies in audit.log? Is /home/admin/www/ NFS mounted? I see you are using fastcgi, do you see tcp retransmits increasing when this happens? (Watch netstat -s using watch -d -n300 --no-title). What is your local port range? sysctl -a | grep range and did you reserve port 9000? — Aaron, May 15 '15 at 17:07
No cron jobs, SELinux is disabled, but I found something interesting from audit.log. See my update. I will do the rest of the tests you mentioned now. — pufAmuf, May 15 '15 at 19:52
/home/admin/www/ is not NFS mounted, port 9000 os reserved for CSlistener (twice), and my port range is `net.ipv4.ip_local_port_range = 32768 61000 net.ipv4.ping_group_range = 1 0` — pufAmuf, May 15 '15 at 20:46
Your question would be better if you were to post the following: 1) complete nginx configuration 2) URLs that exhibit the 403 3) the screenshot of the error AND the HTTP headers that you see when you get it. 4) your architecture (is it just the single server with client -> nginx -> php vai fastcgi ?) If multiple nginx instances are running, are they using the same config, or are they just threads (please post the output of `pstree`) — Cameron Kerr, May 18 '15 at 23:37
It appears that another client at my serverhousing location could have assigned himself the same IP I have. It would explain the apache "forbidden" error even though I don't run Apache... It would also explain the "lack of" errors in my logs. I am doing tests these past 2 days to see if the error comes up again - so far so good. By the way, the only reason I found out this could be the issue is because of a Putty error, telling me that the `server host key rsa2` changed. — pufAmuf, May 19 '15 at 19:44

score 3 · Accepted Answer · answered May 20 '15 at 23:57

3

This post serves to tell you not to trust your ISP when they repeat "all is ok from their side" for three weeks.

I received this error while using Putty. The server's host key does not match the one PuTTY has cached in the registry.

It turns out that another client at my ISP accidentally set my IP as their own, so there were two machines connected to one IP. It also explains the Apache errors - it was a different server giving them.

answered May 20 '15 at 23:57

pufAmuf

105
1
3
14

1

You could have diagnosed this by failing the access log while testing; you would have noticed that there were logs missing. – Cameron Kerr May 21 '15 at 09:29
1

Just as a FYI: You can install `ipwatchd` to detect IP conflicts. – Halfgaar May 21 '15 at 13:22

(nginx) Apache Forbidden error (at random): No error logs

1 Answers1