"Forbidden" on the server, but not at home


ProgVal

Dec 30, 2010, 9:36:29 AM
to modwsgi
Hi,

I have a problem with mod_wsgi: I have the same config at home and on
the server, but it works at home (Debian), and not on the server
(Gentoo): Apache returns a "Forbidden" error.
the virtualhost: http://paste.pocoo.org/show/JM5fGuX5gh8Ezz30T2q6/
the .htaccess: http://paste.pocoo.org/show/y1ewc2jlzOL3X0OEYK7n/
mod_rewrite and mod_wsgi are both loaded

Thank you in advance,
ProgVal

Jason Garber

Dec 30, 2010, 2:14:39 PM
to mod...@googlegroups.com
Hi ProgVal, I'm pretty sure this list prefers to have configs posted in the email body rather than links.  Please re-post. Also, I suggest you include a bit more information about your situation and other relevant configurations from apache, etc...  Thanks!





Graham Dumpleton

Dec 30, 2010, 4:31:09 PM
to mod...@googlegroups.com
Post the exact error messages you get in the Apache error log file for
the request.

My talk and slides at:

http://code.google.com/p/modwsgi/wiki/WhereToGetHelp?tm=6#Conference_Presentations

cover a couple of the reasons you might get Forbidden.

BTW your configuration has a couple of other things done in a poor
way, but I'll comment on that later when I have time.

Graham

ProgVal

Dec 30, 2010, 4:33:28 PM
to mod...@googlegroups.com

Problem solved on IRC, including bad things in the config.
Thanks for your help and your time.

Graham Dumpleton

Dec 30, 2010, 4:42:43 PM
to mod...@googlegroups.com
Post your current configuration so I can still point out the other
things potentially wrong with it. Unless, that is, you don't want to
know.

Graham

ProgVal

Dec 30, 2010, 4:49:18 PM
to mod...@googlegroups.com

Android handles line endings badly, so I am sending you a direct link to a file containing the config: https://github.com/HardwareWiki/HardwareWiki/raw/master/README
Note that putting the websites in /home/apache is not my decision, but the system admin's.

Graham Dumpleton

Dec 30, 2010, 5:56:26 PM
to mod...@googlegroups.com
On 31 December 2010 08:49, ProgVal <pro...@gmail.com> wrote:
> Android handles line ends bad, so I send you a direct link to a file
> containing the config :
> https://github.com/HardwareWiki/HardwareWiki/raw/master/README
> Note that putting the websites in /home/apache is not my decision, but the
> system admin's one.

The bits I take issue with are:

    <Location '/static'>
        SetHandler None
    </Location>

When using mod_wsgi at least, there is no reason for using SetHandler
to override the handler used back to None. The reason you have to in
your case is because you have used 'SetHandler wsgi-script'. That
shouldn't be done as a general rule. It is preferable to be more
specific and use:

    AddHandler wsgi-script .py

    <Location />
        RewriteEngine on
        RewriteBase /
        RewriteCond %{REQUEST_URI} !^/index.py
        RewriteCond %{REQUEST_URI} !^/static/
        RewriteRule ^(.*)$ index.py/$1 [PT]
        Options Indexes MultiViews FollowSymLinks ExecCGI
        SetHandler wsgi-script
        Order allow,deny
        Allow from all
    </Location>

It is bad security practice to put:

    Order allow,deny
    Allow from all

inside of a Location block, especially for '/'.

Reason being that doing it this way gives permission to Apache to
serve up files from anywhere in the file system. Thus if somehow an
alias got set up to refer to the root of the file system, anything,
including stuff in /etc, could be downloaded.

You should really remove those lines from the Location block and rely
on those in the Directory block for
'/home/apache/http/progval/HardwareWiki'. Restricting it to a
specific directory on the file system is much more secure.

You also have FollowSymLinks option. Unless you really need that you
shouldn't use it.

The SetHandler (now AddHandler), should also be in the directory block.

With a few other changes, would instead suggest something like:

    DocumentRoot /home/apache/http/progval/HardwareWiki

    <Directory "/home/apache/http/progval/HardwareWiki">
        Options Indexes MultiViews FollowSymLinks ExecCGI

        Order allow,deny
        Allow from all

        AddHandler wsgi-script .py

        <Files "index.py">
            Options Includes
            SetOutputFilter INCLUDES
            AcceptPathInfo On
        </Files>
    </Directory>

    <Location />
        RewriteEngine on
        RewriteBase /
        RewriteCond %{REQUEST_URI} !^/index.py
        RewriteCond %{REQUEST_URI} !^/static/
        RewriteRule ^(.*)$ index.py/$1 [PT]
    </Location>

I have left the rewrite rules in the Location block for now, but only
because I can't be bothered working out the equivalent when it is also
pushed into the Directory block.

In short, it is always a bad idea to use a Location block for '/'.

You should also have a read of:

http://code.google.com/p/modwsgi/wiki/ConfigurationGuidelines#The_Apache_Alias_Directive

as I think that section likely gives you what you are needing. The
rewrite rules are simpler and it also documents the fixup for
SCRIPT_NAME forced to be root of site.

Graham
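
A small audit for the pattern criticised in the reply above, as an added example that is not part of the thread: it flags access grants and `SetHandler wsgi-script` placed inside `<Location>` sections, plus any `FollowSymLinks` option. The rule names and the sample config are constructed for illustration, and the check also matches the Apache 2.4 `Require all granted` form, which goes beyond the 2.2 syntax shown in the thread.

```python
import re

# Constructed sample modelled on the directives quoted in the thread.
SAMPLE_CONF = """\
<Directory "/home/apache/http/progval/HardwareWiki">
    Order allow,deny
    Allow from all
</Directory>
<Location />
    Options Indexes MultiViews FollowSymLinks ExecCGI
    SetHandler wsgi-script
    Order allow,deny
    Allow from all
</Location>
<Location '/static'>
    SetHandler None
</Location>
"""

OPEN = re.compile(r"<\s*(\w+)\s+(.*?)\s*>$")
CLOSE = re.compile(r"</\s*\w+\s*>$")
GRANT = re.compile(r"(allow\s+from\s+all|require\s+all\s+granted)$", re.I)
URL_SECTIONS = ("location", "locationmatch")

def audit(conf_text):
    """Return (line_no, rule) findings; rule names are this example's own."""
    findings, stack = [], []  # stack holds (section_name, argument) of open blocks
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip("\"'")))
            continue
        url = next((arg for kind, arg in reversed(stack) if kind in URL_SECTIONS), None)
        if url is not None and GRANT.match(line):
            # Access is granted per URL rather than per file-system directory.
            findings.append((no, "grant-in-location-root" if url == "/" else "grant-in-location"))
        if url is not None and re.match(r"sethandler\s+wsgi-script$", line, re.I):
            findings.append((no, "sethandler-in-location"))
        if re.match(r"options\b.*[\s+]followsymlinks\b", line, re.I):
            findings.append((no, "followsymlinks"))
    return findings
```

Running `audit(SAMPLE_CONF)` reports the three directives in the `<Location />` block and nothing for the `<Directory>` grant.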
