Apache2 tries to access top-level directory when using ScriptAlias

Question

I'm using Munin-cgi as my servers' monitoring system. One moment i realized that i have strange and very annoying notes in my error.log whilst everything kept running well and without errors.

At the moment i commented out everything in my apache config for Munin, and errors are still appearing.

Here is my config:

<VirtualHost *:80>
<Directory />
  Options -MultiViews
</Directory>
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
</VirtualHost>

So if i call the script:

http://<server>/munin-cgi/munin-cgi-graph/DOMAIN/HOST/PICTURE.png?&size_x=800&size_y=400

I get the following error in error.log:

[Thu Oct 20 22:40:32.016850 2016] [authz_core:error] [pid 25196] [client 192.168.235.77:46192] AH01630: client denied by server configuration: /var/www/DOMAIN

That's it. I see nothing suspicious even with maximum trace level turned on. Script is working, and i see its output, but every time a call that script, Apache removes /munin-cgi/munin-cgi-graph/ and tries to access http://<server>//DOMAIN/HOST/PICTURE.png. Even if i create file /var/www/DOMAIN/HOST/PICTURE.png/index.html the cgi script still continues to be called, and obviously, messages in error.log disappear.

Maybe there is an error somewhere outside the file in top-level apache configuration files, but i still cannot find it.

The only way to stop warnings was to write

<Location />
    Require all granted
</Location>

But of course it's not secure

UPD: This is the log for mod_rewrite turned on:

[Thu Oct 20 19:33:38.672038 2016] [rewrite:trace2] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee990a0/initial] init rewrite engine with requested uri /munin-cgi/munin-cgi-graph/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png
[Thu Oct 20 19:33:38.672139 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee990a0/initial] applying pattern '^/munin-cgi/favicon.ico' to uri '/munin-cgi/munin-cgi-graph/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672157 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee990a0/initial] applying pattern '^/munin-cgi/.*static/(.*)' to uri '/munin-cgi/munin-cgi-graph/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672169 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee990a0/initial] applying pattern '^/munin-cgi/(.*\\.html)?$' to uri '/munin-cgi/munin-cgi-graph/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672179 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee990a0/initial] applying pattern '^/munin-cgi/munin-cgi-graph/(.*)' to uri '/munin-cgi/munin-cgi-graph/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672189 2016] [rewrite:trace2] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee990a0/initial] rewrite '/munin-cgi/munin-cgi-graph/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png' -> '/munin-cgi/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672198 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee990a0/initial] applying pattern '^/munin-cgi/(.*.png)$' to uri '/munin-cgi/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672209 2016] [rewrite:trace2] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee990a0/initial] rewrite '/munin-cgi/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png' -> '/munin-cgi/munin-cgi-graph/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672221 2016] [rewrite:trace2] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee990a0/initial] forcing '/munin-cgi/munin-cgi-graph/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png' to get passed through to next API URI-to-filename handler
[Thu Oct 20 19:33:38.672453 2016] [rewrite:trace2] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee910a0/subreq] init rewrite engine with requested uri /<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png
[Thu Oct 20 19:33:38.672464 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee910a0/subreq] applying pattern '^/munin-cgi/favicon.ico' to uri '/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672471 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee910a0/subreq] applying pattern '^/munin-cgi/.*static/(.*)' to uri '/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672477 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee910a0/subreq] applying pattern '^/munin-cgi/(.*\\.html)?$' to uri '/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672494 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee910a0/subreq] applying pattern '^/munin-cgi/munin-cgi-graph/(.*)' to uri '/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672510 2016] [rewrite:trace3] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee910a0/subreq] applying pattern '^/munin-cgi/(.*.png)$' to uri '/<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png'
[Thu Oct 20 19:33:38.672517 2016] [rewrite:trace1] [pid 5132] mod_rewrite.c(477): [client <SKIP>] <CLIENT> - - [<SERVER>/sid#7f5e5ef59470][rid#7f5e5ee910a0/subreq] pass through /<DOMAIN>/<HOST>/bind9-pinpoint=1476918806,1476955256.png

I suspect the issue may live in the parts of the config that appear to be missing. — Daniel Widrick, Oct 21 '16 at 13:50
Would you please tell me how to get fully compiled config for the Virtualhost? — Diver, Oct 21 '16 at 13:57

Unbeliever · Answer 1 · 2016-10-21T14:05:34.327

1

Don't put a <Directory /> block in your vhosts, there should only be one in the global context and you should leave it alone. The argument to the <Directory> directive is a file system path not a URI path.

You need a directory block to allow access to the target of your ScriptAlias. Something like:

<Directory "/usr/lib/munin/cgi/munin-cgi-graph">
   require all granted
</Directory>

Without this, Apache is not allowed to serve anything from that file system directory.

edited Oct 21 '16 at 14:05

answered Oct 21 '16 at 14:03

Unbeliever

2,336
1
10
19

Well, i put a `` only to be sure it's not a MultiViewvs issue. I don't have it in production state. – Diver Oct 21 '16 at 14:05
And i also have `Require all granted`. And i see no difference with an absence of this string – Diver Oct 21 '16 at 14:06
Then the problem lies in configuration we have not seen yet. – Unbeliever Oct 21 '16 at 14:56
2 Unbeliever: The configuration is divided into small files, each of them contains only separate directives. They do not intersect, afaik – Diver Oct 21 '16 at 15:01
When you say `Apache removes`, do you mean the URL changes in the browser? If so then it sounds like a rogue `Redirect` or `RewriteRule`. If the URL doesn't change in the browser it will be `RewriteRule`. I'm afraid this still looks like a case of conflicting configuration to me. – Unbeliever Oct 24 '16 at 06:27
No, URL does not change. The problem persists even when i use wget. And Apache returns 200 OK. When I say 'removes' I try to guess internal Apache logic – Diver Oct 24 '16 at 20:17
The to troubleshoot why your request gets re-written to an image file, you'll need to enable mod_rewrite logging. Details on the 2 major apache versions here: http://wiki.apache.org/httpd/RewriteLog – Unbeliever Oct 25 '16 at 06:03
Okay, I already have logs with mod_rewrite turned on, and now i posted it in my original question. It uses stanard munin's rules. After scanning it starts to scan the same rules already with 'removed' part as a "subreq" process – Diver Oct 26 '16 at 15:29
I think you need to set the rewrite trace level higher, at least `trace5` which I think prints all messages. – Unbeliever Oct 28 '16 at 13:26
It's on level 8 – Diver Oct 28 '16 at 14:31
I thinking it must be the munin rewrite rules then, you may need to talk to someone who know munin – Unbeliever Oct 28 '16 at 16:14
As i already told, the bug persists even if i turn the RewriteEngine off completely. You asked me to turn it on to get the log – Diver Oct 29 '16 at 13:20
@Diver The rewrite engine can be turned on in may ways in many contexts. If it is *still happening* then rewrites are still being applied. I'm afraid this kind of forum is not really ideal for troubleshooting complex issues. – Unbeliever Oct 30 '16 at 07:18
Well, possible. But the problem is present even with very small config without anything, which is in my original post – Diver Oct 30 '16 at 22:40
Then that would also point to the munin rewrite configuration. – Unbeliever Oct 30 '16 at 22:55
But I've completely turned it off by using "RewriteEngine off" – Diver Nov 02 '16 at 17:05

Apache2 tries to access top-level directory when using ScriptAlias

1 Answers1