Ubuntu – getting a 403 in attempting to access view-source:https://ccachicago.pragmatometer.com/admin/static/css/base.css

aliasapache-2.2djangoUbuntuvirtualhost

I've been trying by hook or by crook to get /admin/static/ served up in an Apache SSL VirtualHost, preferably by Apache (which is forwarding SSL traffic to a Django Gunicorn instance), or barring Apache, at least Gunicorn serving up static content while I work on a better solution.

I'm getting an Apache-served 403, and all the permissions I've checked suggest that the /usr/lib/python2.7/dist-packages/django/contrib/admin/static/ directory (and parents as needed) are readable and executable by the user running the server.

Can you see anything wrong in the VirtualHost below which would explain why Apache isn't serving up the directory in question as an Aliased directory?

<VirtualHost *:443>
    ServerName ccachicago.pragmatometer.com

    Alias /media/ "/home/jonathan/ccachicago/media/"
    <Directory "/home/jonathan/ccachicago/media/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    Alias /admin/static/ "/usr/lib/python2.7/dist-packages/django/contrib/admin/static/"
    <Directory "/usr/lib/python2.7/dist-packages/django/contrib/admin/static/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    ProxyPass /media/ !
    ProxyPass /admin/static/ !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/ssl.crt
     SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
    ServerAdmin CJSHayward@PObox.com
</VirtualHost>

–UPDATE–

I get the same 403 error page if I comment out the deny/allow lines. The logfile has:

[Mon Jan 27 21:52:34.297099 2014] [authz_core:error] [pid 4818] [client 205.197.161.146:44895] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/django/contrib/admin/static/css

So something in my configuration is apparently not working; I now have:

<VirtualHost *:443>
    ServerName ccachicago.pragmatometer.com

    Alias /media/ "/home/jonathan/ccachicago/media/"
    ErrorLog /var/log/apache2/error.log
    <Directory "/home/jonathan/ccachicago/media/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    Alias /admin/static/ "/usr/lib/python2.7/dist-packages/django/contrib/admin/static/"
    <Directory "/usr/lib/python2.7/dist-packages/django/contrib/admin/static/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        #Order deny,allow
        #Deny from all
        #Allow from 127.0.0.0/255.0.0.0 ::1/128
        #Allow from 0.0.0.0 ::1/128
        #Allow from all
    </Directory>

    ProxyPass /media/ !
    ProxyPass /admin/static/ !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/ssl.crt
     SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
    ServerAdmin CJSHayward@PObox.com
</VirtualHost>

Best Answer

You're only allowing access from 127.0.0.0 and ::1. Are you sure that you are accessing the site via these addresses? I would first disable the access restrictions and see what happens from there.

Your Log snippet shows that you're not accessing the server from 127.0.0.1 or ::1 so the access restrictions you have in place will deny access when they are in force.

Related Solutions

Linux – Apache2 quietly breaking, won’t make apache2.pid

Hmm, I am pretty suspicious of the config file

/etc/apache2/vhosts.d/30_subversion_ssl_vhost.conf

When you remove the '-D SSL' you will cause all parts of the configuration files that are enclosed in ... to be skipped. The default SSL vhost file on my Gentoo box is wrapped in that tag so I wonder if, by removing the '-D SSL', you are preventing the config in 30_subversion_ssl_vhost.conf from being run at all and if that is what is allowing Apache to start.

If you temporarily remove the file 30_subversion_ssl_vhost.conf from /etc/apache2/vhosts.d does Apache run? Are there any other SSL related vhost.conf files in vhosts.d? My reasonably fresh/unused Apache install's vhosts.d directory looks like this:

# pwd && ls
/etc/apache2/vhosts.d
00_default_ssl_vhost.conf  00_default_vhost.conf  default_vhost.include

edit 1:

So much for that theory :) I am now wondering if the problem is with the Apache SSL setup itself. I apologize if I am covering ground you have already checked but I am wondering if you could do the following to help verify your Apache install.

On my Apache install with working SSL the use flags are as follows:

# emerge -av apache

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U ] www-servers/apache-2.2.11-r2 [2.2.11] USE="ssl -debug -doc -ldap (-selinux) -sni -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias -asis -auth_digest -authn_dbd -cern_meta -charset_lite -dbd -dumpio -ident -imagemap -log_forensic -proxy -proxy_ajp -proxy_balancer -proxy_connect -proxy_ftp -proxy_http -substitute -version" APACHE2_MPMS="-event -itk -peruser -prefork -worker" 64 kB

In particular do you have the 'ssl' USE flag set?

Also, could you use equery to verify the integrity of your apache2 install? If you do not have the equery command you can install it by running 'emerge -av gentoolkit'. The following command should verify the integrity of your apache install:

equery check apache

On my server the above command gives the following output:

[ Checking www-servers/apache-2.2.11 ]
!!! /etc/apache2/vhosts.d/00_default_ssl_vhost.conf has wrong mtime (is 1256620928, should be 1246793824)
!!! /etc/apache2/modules.d/00_default_settings.conf has wrong mtime (is 1246796304, should be 1246793824)
!!! /etc/conf.d/apache2 has incorrect md5sum
 * 429 out of 432 files good

edit 2:

Well the install looks good to me, so much for theory 2. I am wondering if we can coax Apache into giving some more information on startup. In /etc/conf.d/apache2 if you change your APACHE2_OPTS line from:

APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"

APACHE2_OPTS="-X -e debug -D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"

and then start Apache (/etc/init.d/apache2 start) the daemon should stay in the foreground (the -X flag) and output debuging messages as it starts (the -e debug option). Maybe this will give a clue as to why it is dying on startup.

Apache2 Permission denied: access to / denied

Remove:

Options FollowSymLinks
AllowOverride None
Order Deny,Allow
Deny from all

Best Answer

Related Solutions

Linux – Apache2 quietly breaking, won’t make apache2.pid

Apache2 Permission denied: access to / denied

Related Topic