Apache 2.4 replies with “403 Forbidden” for a CGI script, the configuration looks ok

apache-2.4cgimod-authperl

I installed a CGI script on a fresh installation of Apache 2.4 on Ubuntu server 14.04. Apache keeps replying with 403 Forbidden also if, to me, the configuration file is ok. The CGI is the Monitorix front-end, a system monitoring tool written in Perl.

The configuration file /etc/apache2/conf-enabled/monitorix.conf is:

Alias /monitorix /var/lib/monitorix/www
ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi

<Directory /var/lib/monitorix/www/cgi/>
        DirectoryIndex monitorix.cgi
        Options ExecCGI
        <IfModule mod_authz_core.c>
                # Apache 2.4
                Require all granted
        </IfModule>
        <IfModule !mod_authz_core.c>
                # Apache 2.2
                Order deny,allow
                Allow from all
        </IfModule>
</Directory>

All files in /var/lib/monitorix/www and /var/lib/monitorix/www/cgi have at least read permission for all. Every time I try to access from URL /monitorix, in my Apache log I see lines:

[Mon Sep 01 06:57:52.995680 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58879] AH01630: client denied by server configuration: /var/lib/monitorix/www
[Mon Sep 01 07:00:10.131166 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58903] AH01630: client denied by server configuration: /var/lib/monitorix/www
[Mon Sep 01 07:00:11.102614 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58903] AH01630: client denied by server configuration: /var/lib/monitorix/www
...

Plus, I cannot get why, when I try to access from URL /monitorix-cgi (I got the idea from the ScriptAlias directive) I get 200 Ok and I can see the Perl source of /var/lib/monitorix/www/cgi/monitorix.cgi.

Time ago I installed this tool on Debian and I had no problems, /monitorix worked as expected and /monitorix-cgi correctly gave me 403 Forbidden instead of showing the Perl source file.

Update: this issue has been reported to Monitorix and probably fixed (#69)

Best Answer

When you access /monitorix in a browser, you are accessing /var/lib/monitorix/www. Your Directory block allows access to /var/lib/monitorix/www/cgi, not /var/lib/monitorix/www. Either change the Alias to:

Alias /monitorix /var/lib/monitorix/www/cgi

or add an additional Directory block:

<Directory /var/lib/monitorix/www/>
    <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order deny,allow
            Allow from all
    </IfModule>
</Directory>

As for seeing the source of the cgi, it's probably mod_cgi's configuration. Either it's not enabled or it's not set to handle *.cgi files. You may need to add:

AddHandler cgi-script .cgi

to your virtualhost or directory block. If that doesn't work, try this in your shell:

sudo a2enmod cgi

and follow the instructions to reload apache. If it still doesn't work, add a comment below and possibly update your question. I'll take another look and maybe set up a test system.

Related Solutions

Not able to run remote scipt from perl CGI script

CGI-scripts are usually run as the same user as the web server is run under - often the username wwwdata, or www. Since your key file is restricted your own username, huzefa, the webserver cannot access it.

If you were to allow the webserver user to use your own ssh key, then it would be possible for someone who found a security hole in your webserver to use your key and then login to any server that you have access to with that key. You probably don't want this.

There are a few ways to get around this without opening a huge security hole. The easiest is to simply set up a separate ssh key for this particular use:

Generate a new ssh key and place it in a directory that the web server user can access
Copy the public part of the key to the authorized_keys file on the server.
Edit the authorized_keys file so that the public key used by the web server can only be used to run that one script. For extra security, limit it to only allow connections from the IP address of your server. It should look something like this:

from="10.1.2.3",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/root/test.sh" ssh-dss AA.....

Apache LIMIT directive does not allow to see localhost project over LAN

I got the solution from this article

change the line

~~allow from 192.168.0.0-255~~ to

allow from 192.168.0.2/255.255.0.0

will lock Apache down to my internal LAN i.e. address range 192.168.0.2 to 192.168.0.255 only with subnet mask of 255.255.0.0

and it works with GET also, here is my final .htaccess

<Limit GET POST PUT DELETE>
 Order deny,allow
 Deny from all
 Allow from 127.0.0.1 ::1
 Allow from 192.168.0.2/255.255.0.0
</Limit>

Best Answer

Related Solutions

Not able to run remote scipt from perl CGI script

Apache LIMIT directive does not allow to see localhost project over LAN

Related Topic