1

I installed a CGI script on a fresh installation of Apache 2.4 on Ubuntu Server 14.04. Apache keeps replying with 403 Forbidden even though, to me, the configuration file is OK. The CGI is the Monitorix front-end, a system monitoring tool written in Perl.

The configuration file /etc/apache2/conf-enabled/monitorix.conf is:

Alias /monitorix /var/lib/monitorix/www
ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi

<Directory /var/lib/monitorix/www/cgi/>
    DirectoryIndex monitorix.cgi
    Options ExecCGI
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        Allow from all
    </IfModule>
</Directory>

All files in /var/lib/monitorix/www and /var/lib/monitorix/www/cgi have at least read permission for all. Every time I try to access from URL /monitorix, in my Apache log I see lines:

[Mon Sep 01 06:57:52.995680 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58879] AH01630: client denied by server configuration: /var/lib/monitorix/www
[Mon Sep 01 07:00:10.131166 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58903] AH01630: client denied by server configuration: /var/lib/monitorix/www
[Mon Sep 01 07:00:11.102614 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58903] AH01630: client denied by server configuration: /var/lib/monitorix/www
...

Plus, I cannot understand why, when I try to access the URL /monitorix-cgi (I got the idea from the ScriptAlias directive), I get 200 OK and I can see the Perl source of /var/lib/monitorix/www/cgi/monitorix.cgi.

Some time ago I installed this tool on Debian and I had no problems: /monitorix worked as expected and /monitorix-cgi correctly gave me 403 Forbidden instead of showing the Perl source file.

Update: this issue has been reported to Monitorix and probably fixed (#69)

4
  • What is in your logs? Commented Sep 1, 2014 at 8:36
  • @PeterHorvath What logs? I posted the Apache error log. In /var/log/monitorix* there are many files, but no line is added when trying to connect, and I can't see errors. I'm not a Perl developer, I do not know if there are logs somewhere else... Commented Sep 1, 2014 at 9:44
  • Are you using a WAF (Web Application Firewall)? Commented Sep 18, 2014 at 15:23
  • @thanasisk I don't think so, except if something came preinstalled with Ubuntu 14.04 Server or Apache 2.4. I only checked for mod_security and it's not installed. Commented Sep 18, 2014 at 15:26

3 Answers

5
+50

When you access /monitorix in a browser, you are accessing /var/lib/monitorix/www. Your Directory block allows access to /var/lib/monitorix/www/cgi, not /var/lib/monitorix/www. Either change the Alias to:

Alias /monitorix /var/lib/monitorix/www/cgi 

or add an additional Directory block:

<Directory /var/lib/monitorix/www/>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        Allow from all
    </IfModule>
</Directory>

As for seeing the source of the cgi, it's probably mod_cgi's configuration. Either it's not enabled or it's not set to handle *.cgi files. You may need to add:

AddHandler cgi-script .cgi 

to your virtualhost or directory block. If that doesn't work, try this in your shell:

sudo a2enmod cgi 

and follow the instructions to reload apache. If it still doesn't work, add a comment below and possibly update your question. I'll take another look and maybe set up a test system.

4
  • Great! I needed to enable cgi module and add the second Directory block. Changing the Alias as you suggested made the app half-working: I think it uses some files from www/ and scripts from /www/cgi, so... Here is the entire working config file Commented Sep 18, 2014 at 16:04
  • You can keep the alias you had, you just needed to allow it with a directory block. Sounds like you should change the alias back and keep the new directory block. - ok, good, looks like you did that already. Commented Sep 18, 2014 at 16:09
  • If you want to clean it up a bit, you only need the IfModule directives in the /www level directory block. /www/cgi will inherit them. Commented Sep 18, 2014 at 16:11
  • Yep! I will award the bounty ASAP (23h left). Thank you very much Jeff! Commented Sep 18, 2014 at 16:11
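
Added example (not part of the original answers, and not Monitorix or Apache project code): a small Python check for the two faults diagnosed in the answer above, an Alias target that no `<Directory>` block grants and a ScriptAlias with no CGI module enabled. It only understands literal `<Directory>` paths and `Require all granted|denied`, treats `<IfModule>` contents as active, and takes the enabled-module names as a plain list (for example the names under `/etc/apache2/mods-enabled`); the function names and sample config are constructed for illustration.

```python
import re
from pathlib import PurePosixPath as P

# Constructed sample: the question's config (IfModule wrappers dropped) after a
# default-deny root block like the one in Ubuntu's stock apache2.conf (assumed).
SAMPLE_CONF = """<Directory />
    Require all denied
</Directory>
Alias /monitorix /var/lib/monitorix/www
ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi
<Directory /var/lib/monitorix/www/cgi/>
    Options ExecCGI
    Require all granted
</Directory>
"""

def parse(conf):
    """Collect (url, target, is_script) aliases and {directory: granted?} rules."""
    aliases, rules, cur = [], {}, None
    for line in map(str.strip, conf.splitlines()):
        if m := re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I):
            cur = P(m.group(1))  # trailing slash is normalised away
        elif re.match(r"</Directory>", line, re.I):
            cur = None
        elif m := re.match(r'(Script)?Alias\s+(\S+)\s+"?([^"]+)"?$', line, re.I):
            aliases.append((m.group(2), P(m.group(3)), bool(m.group(1))))
        elif cur is not None and (m := re.match(r"Require\s+all\s+(granted|denied)", line, re.I)):
            rules[cur] = m.group(1).lower() == "granted"
    return aliases, rules

def granted(path, rules):
    """The most specific enclosing <Directory> that sets Require decides."""
    for d in (path, *path.parents):
        if d in rules:
            return rules[d]
    return False  # assumption: nothing matched, treat as denied

def audit(conf, enabled_modules):
    """Return findings for alias targets Apache would refuse or serve as source."""
    aliases, rules = parse(conf)
    findings = []
    for url, target, is_script in aliases:
        if not granted(target, rules):
            findings.append(f"{url}: no <Directory> grants {target} (403, AH01630)")
        if is_script and not {"cgi", "cgid"} & set(enabled_modules):
            findings.append(f"{url}: ScriptAlias without mod_cgi/mod_cgid, source may be served")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, ["alias", "authz_core"]):
        print(finding)
```
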
1

I think you need a Require line:

Require all granted 
2
  • It's there, I wrote all my config in my question. Commented Sep 8, 2014 at 14:07
  • Sorry, didn't see it. Commented Sep 8, 2014 at 14:15
0

The following config worked for me (Apache 2.4):

<VirtualHost *:443>
    ServerName your.server.com
    DocumentRoot "/var/lib/monitorix/www"
    AddHandler cgi-script .cgi
    Alias /cgi /var/lib/monitorix/www/cgi

    <Directory "/var/lib/monitorix/www">
        Require all granted
    </Directory>

    <Directory "/var/lib/monitorix/www/cgi">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Require all granted
    </Directory>
</VirtualHost>

The /etc/monitorix/monitorix.conf looks like:

base_url = /
base_cgi = /cgi

And disable the built-in httpd service:

<httpd_builtin>
    enabled = n
