Apache2 on Debian: Getting forbidden when accessing local website

Question

So I want to configure the folder /home/web as my webserver because I have folders there representing all the sites I'm developing. I recently switched from Centos to Debian so I'm reinstalling everything.

My current webpage is fh. The permissions are as follows (This is inside /home/web:

drwxrwxr-x. 6 ariela www-data 4096 May 15 06:33 fh 

I've modified /etc/apache2/apach2.conf so that the default /var/www/html dir looks like this:

<Directory /home/web> Order allow,deny Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory> 

After that I've changed /etc/apache2/sites-available/000-default.conf to read like this:

<VirtualHost *:80> # The ServerName directive sets the request scheme, hostname and port that # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. #ServerName www.example.com ServerAdmin webmaster@localhost DocumentRoot /home/web # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # error, crit, alert, emerg. # It is also possible to configure the loglevel for particular # modules, e.g. #LogLevel info ssl:warn ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined # For most configuration files from conf-available/, which are # enabled or disabled at a global level, it is possible to # include a line for only one particular virtual host. For example the # following line enables the CGI configuration for this host only # after it has been globally disabled with "a2disconf". #Include conf-available/serve-cgi-bin.conf </VirtualHost> 

But after all of that redirecting my browser to localhost/fh I get the Forbidden message and the log shows:

[Wed May 15 07:24:53.129930 2019] [authz_core:error] [pid 8159] [client ::1:56998] AH01630: client denied by server configuration: /home/web/fh [Wed May 15 07:24:53.183159 2019] [authz_core:error] [pid 8159] [client ::1:56998] AH01630: client denied by server configuration: /home/web/favicon.ico, referer: http://localhost/fh 

What am I missing?

Answer 1

The problem is twofold:

• You had a typo in the Directory name (howe vs. home)
• You had added a line Order allow,deny which is the old style of access control, and that expects a corresponding allow from all type of rule, not the new Require all granted

So fix the typo, remove the Order line, and it should work.

Answer 2

First off, you should add your <Directory> block to your <VirtualHost> configuration. It should not be necessary to edit /etc/apache2/apache2.conf.

Apache 2.2

If you're using Apache 2.2, then Require all granted is invalid syntax.

http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html#order

Deny,Allow

First, all Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.

So if we use Order Deny,Allow here and don't specify any Allow or Deny rules, then access is allowed.

<Directory /home/web> Order Deny,Allow Options Indexes FollowSymLinks AllowOverride None </Directory> 

Alternative:

<Directory /home/web> Order Allow,Deny Allow from all Options Indexes FollowSymLinks AllowOverride None </Directory> 

Apache 2.4

If you're using an Apache 2.4, then Order, Allow and Deny are deprecated syntax. Use Require instead:

<Directory /home/web> Require all granted Options Indexes FollowSymLinks AllowOverride None </Directory> 

See: https://httpd.apache.org/docs/2.4/upgrading.html#run-time