1

CentOS 7.1 - Apache 2.4.6

Default configuration contains the following:

....
<Directory />
    AllowOverride none
    Require all denied
</Directory>
...
DocumentRoot "/var/www/html"

If I change the DocumentRoot, I get:

403 - You don't have permission to access / on this server.

After hours of quadruple checking Directory configuration and filesystem permissions, I tried removing the block above... SUCCESS! Everything works.

  • Is this supposed to happen?
  • Am I doing something wrong?
  • What are the security implications?

The entirety of my changes are replacing the default section with:

DocumentRoot "/srv/http"
<Directory "/srv/http">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
beanaroo
  • I don't understand your question, but if you are trying to remove folder browsing you need to set `Options -Indexes`, if you want to set a default page you need `DirectoryIndex index.html` – Froggiz Nov 08 '15 at 12:21
  • `DirectoryIndex` exists and even setting `Options none` makes no difference. My question is: How can I keep the above block explicitly denying root filesystem access? – beanaroo Nov 08 '15 at 12:29
  • / message is relative to web server root, not to system root – Froggiz Nov 08 '15 at 12:50
  • @Froggiz Exactly why I want to keep it restricted. – beanaroo Nov 08 '15 at 13:00

2 Answers

1

Apache 2.2 uses the following configuration to declare access to certain directories:

Order deny,allow
Deny from all

Apache 2.4 uses the following:

Require all denied

More info here. It's rather strange that you manage to get it working with the 1st configuration style because that works only on Apache 2.2. Try running this:

httpd -v

It will output the Apache version you are using and maybe it will help you clear some stuff up in your mind.

Mihai T.
  • Thank you, very much. I had just discovered this and typed my own answer before noticing yours. All that time spent troubleshooting could have been saved by reading the official documentation instead of obviously outdated textbooks. – beanaroo Nov 08 '15 at 12:56
0

It seems that in the Directory configuration for the DocumentRoot path, access needs to be specified as follows in order for it to override the top-level denial:

Require all granted

I guess I have a lot more reading to do... as per Apache Docs:

The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.

beanaroo
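
An added example, not part of either answer and not Apache tooling: a small Python check that scans a configuration for `<Directory>` blocks still using the `Order`/`Allow`/`Deny` directives discussed above and reports whether the block carries any `Require` directive. The function name `audit` and the sample text (constructed from the question's configuration) are assumptions of this example.

```python
import re

# Directives provided by mod_access_compat (Apache 2.2 style).
LEGACY = re.compile(r"^(order|allow|deny)\b", re.I)
REQUIRE = re.compile(r"^require\b", re.I)
OPEN = re.compile(r'^<Directory\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r"^</Directory\s*>", re.I)

def audit(conf_text):
    """Return one finding per <Directory> block that uses 2.2-style
    access control: (path, legacy_directives, has_require)."""
    findings, path, legacy, has_require = [], None, [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            path, legacy, has_require = m.group(1), [], False
        elif CLOSE.match(line) and path is not None:
            if legacy:
                findings.append((path, legacy, has_require))
            path = None
        elif path is not None:
            if LEGACY.match(line):
                legacy.append(line)
            elif REQUIRE.match(line):
                has_require = True
    return findings

# Constructed sample: the question's default block plus its replacement section.
SAMPLE = """\
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/srv/http"
<Directory "/srv/http">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>
"""

if __name__ == "__main__":
    for path, legacy, has_require in audit(SAMPLE):
        note = "has a Require directive" if has_require else "no Require directive in this block"
        print(f"{path}: {legacy} ({note})")
```

Replacing the two flagged lines with `Require all granted` keeps the `<Directory />` denial in place and leaves the check with nothing to report.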