I have configured my Apache by myself and have tried to load phpMyAdmin on a virtual host, but I received:
我自己配置了Apache,并尝试在虚拟主机上加载phpMyAdmin,但我收到了:
403 Forbidden You don't have permission to access / on this server
你没有权限访问这个服务器。
My httpd.conf
我的httpd . conf
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "C:/Program Files (x86)/Apache Software Foundation/Apache2.2" will be interpreted by the
# server as "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/foo.log".
#
# NOTE: Where filenames are specified, you must use forward slashes
# instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
# If a drive letter is omitted, the drive on which httpd.exe is located
# will be used by default. It is recommended that you always supply
# an explicit drive letter in absolute paths to avoid confusion.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2"
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 127.0.0.1:80
Include conf/vhosts.conf
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_alias_module modules/mod_authn_alias.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule dumpio_module modules/mod_dumpio.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule filter_module modules/mod_filter.so
#LoadModule headers_module modules/mod_headers.so
#LoadModule ident_module modules/mod_ident.so
#LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule logio_module modules/mod_logio.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule ssl_module modules/mod_ssl.so
#LoadModule status_module modules/mod_status.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule unique_id_module modules/mod_unique_id.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule version_module modules/mod_version.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule php5_module "c:/Program Files/php/php5apache2_2.dll"
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon
</IfModule>
</IfModule>
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin webmaster@somenet.com
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.somenet.com:80
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error.log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog "logs/access.log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog "logs/access.log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.somenet.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock logs/cgisock
</IfModule>
#
# "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
#
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig conf/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
AddType application/x-httpd-php .php
</IfModule>
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.somenet.com/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
#
#EnableMMAP off
#EnableSendfile off
# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
PHPIniDir "c:/Program Files/php"
and vhosts.conf:
和vhosts.conf:
NameVirtualHost 127.0.0.1:80
<VirtualHost 127.0.0.1:80>
DocumentRoot i:/projects/webserver/__tools/phpmyadmin/
ServerName dbadmin.tools
</VirtualHost>
33 个解决方案
#1
565
Update October 2016
4 years ago, since this answer is used as a reference by many, and while I learned a lot from security perspective during these years, I feel I am responsible to clarify some important notes, and I've update my answer accordingly.
4年前,由于这个答案被很多人用作参考,在这些年里我从安全角度学到了很多东西,我觉得我有责任澄清一些重要的注意事项,我也相应地更新了我的答案。
The original answer is correct but not safe for some production environments, in addition I would like to explain some issues that you might fall into while setting up your environment.
最初的答案是正确的,但对于某些生产环境来说是不安全的,另外,我还想解释一些您在设置环境时可能会遇到的问题。
If you are looking for a quick solution and SECURITY IS NOT A MATTER, i.e development env, skip and read the original answer instead
如果你正在寻找一个快速的解决方案,安全不是问题,我。e开发env,跳过并阅读原来的答案。
Many scenarios can lead to 403 Forbidden:
许多场景可能导致403被禁止:
A. Directory Indexes (from mod_autoindex.c
)
When you access a directory and there is no default file found in this directory AND Apache Options Indexes
is not enabled for this directory.
当您访问一个目录时,在这个目录中没有找到默认的文件,并且这个目录没有启用Apache Options索引。
A.1. DirectoryIndex
option example
DirectoryIndex index.html default.php welcome.php
DirectoryIndex指数。html违约。php welcome.php
A.2. Options Indexes
option
If set, apache will list the directory content if no default file found (from the above ???????? option)
如果设置了,apache将列出目录内容,如果没有找到默认文件(从上面的选项)
If none of the conditions above is satisfied
You will receive a 403 Forbidden
你将收到403的禁止。
Recommendations
- You should not allow directory listing unless REALLY needed.
- 除非确实需要,否则不应该允许目录列表。
- Restrict the default index
DirectoryIndex
to the minimum. - 将默认索引DirectoryIndex限制到最小值。
- If you want to modify, restrict the modification to the needed directory ONLY, for instance, use
.htaccess
files, or put your modification inside the<Directory /my/directory>
directive - 如果您想要修改,只需将修改限制在需要的目录中,例如,使用.htaccess文件,或者将修改放在 <目录 my directory> 指令中。
B. deny,allow
directives (Apache 2.2)
Mentioned by @Radu, @Simon A. Eugster in the comments You request is denied, blacklisted or whitelisted by those directives.
@Radu, @Simon A. Eugster在你请求的评论中提到的,被这些指令拒绝,被列入黑名单或被白名单。
I will not post a full explanation, but I think some examples may help you understand, in short remember this rule:
我不会发表完整的解释,但我认为一些例子可以帮助你理解,简而言之,这条规则:
IF MATCHED BY BOTH, THE LAST IS WILL WIN
如果两者都匹配,最后一个就会赢。
Order allow,deny
Deny will win if matched by both directives (even if an allow
directive is written after the deny
in the conf)
如果两个指令匹配,Deny将获胜(即使在conf中拒绝了允许指令)
Order deny,allow
allow will win if matched by both directives
如果两个指令匹配,允许将获胜。
Example 1
Order allow,deny
Allow from localhost mydomain.com
Only localhost and *.mydomain.com can access this, all other hosts are denied
只有localhost和*.mydomain.com可以访问这个,所有其他主机都被拒绝。
Example 2
Order allow,deny
Deny from evil.com
Allow from safe.evil.com # <-- has no effect since this will be evaluated first
All requests are denied, the last line may trick you, but remember that if matched by both the last win rule (here Deny is the last), same as written:
所有请求都被拒绝,最后一行可能会欺骗您,但请记住,如果最后一个win规则(此处拒绝是最后一个)匹配,则与所写的相同:
Order allow,deny
Allow from safe.evil.com
Deny from evil.com # <-- will override the previous one
Example 4
Order deny,allow
Allow from site.com
Deny from untrusted.site.com # <-- has no effect since this will be matched by the above `Allow` directive
Requests are accepted from all hosts
所有主机都接受请求。
Example 4: typical for public sites (allow unless blacklisted)
Order allow,deny
Allow from all
Deny from hacker1.com
Deny from hacker2.com
Example 5: typical for intranet and secure sites (deny unless whitelisted)
Order deny,allow
Deny from all
Allow from mypc.localdomain
Allow from managment.localdomain
C. Require
directive (Apache 2.4)
Apache 2.4 use a new module called mod_authz_host
Apache 2.4使用一个名为mod_authz_host的新模块。
Require all granted
=> Allow all requests
要求所有的=>允许所有请求。
Require all denied
=> Deny all requests
要求全部拒绝=>拒绝所有请求。
Require host safe.com
=> Only from safe.com are allowed
只允许使用safe.com网站的主机safe.com =>。
D. Files permissions
One thing that most people do it wrong is configuring files permissions,
大多数人做错的一件事是配置文件权限,
The GOLDEN RULE is
黄金法则是
STARTS WITH NO PERMISSION AND ADD AS PER YOUR NEED
从没有权限开始,根据您的需要添加。
In linux:
在linux中:
-
Directories should have the
Execute
permission目录应该具有执行权限。
-
Files should have the
Read
permission文件应该具有读权限。
-
YES, you are right DO NOT ADD
Execute
permission for files是的,您是正确的,不要添加对文件的执行权限。
for instance, I use this script to setup the folders permissions
例如,我使用这个脚本设置文件夹的权限。
# setting permissions for /var/www/mysite.com
# read permission ONLY for the owner
chmod -R /var/www/mysite.com 400
# add execute for folders only
find /var/www/mysite.com -type d -exec chmod -R u+x {} \;
# allow file uploads
chmod -R /var/www/mysite.com/public/uploads u+w
# allow log writing to this folder
chmod -R /var/www/mysite.com/logs/
I posted this code as an example, setup may vary in other situations
我将此代码作为示例发布,在其他情况下设置可能会有所不同。
Original Answer
I faced the same issue, but I solved it by setting the options directive either in the global directory setting in the httpd.conf or in the specific directory block in httpd-vhosts.conf:
我遇到了同样的问题,但是我通过在httpd中的全局目录设置中设置选项指令来解决它。conf或在httpd-vhosts.conf中的特定目录块中:
Options Indexes FollowSymLinks Includes ExecCGI
By default, your global directory settings is (httpd.conf line ~188)
:
默认情况下,全局目录设置是(httpd)。相依~ 188行):
<Directory />
Options FollowSymLinks
AllowOverride All
Order deny,allow
Allow from all
</Directory>
set the options to : Options Indexes FollowSymLinks Includes ExecCGI
将选项设置为:options索引FollowSymLinks包括ExecCGI。
Finally, it should look like:
最后,它应该是:
<Directory />
#Options FollowSymLinks
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order deny,allow
Allow from all
</Directory>
Also try changing Order deny,allow
and Allow from all
lines by Require all granted
.
也试着改变顺序,拒绝,允许和允许从所有的线,要求所有的批准。
Appendix
Directory Indexes source code (some code remove for brevity)
if (allow_opts & OPT_INDEXES) {
return index_directory(r, d);
} else {
const char *index_names = apr_table_get(r->notes, "dir-index-names");
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01276)
"Cannot serve directory %s: No matching DirectoryIndex (%s) found, and "
"server-generated directory index forbidden by "
"Options directive",
r->filename,
index_names ? index_names : "none");
return HTTP_FORBIDDEN;
}
#2
171
I understand this issue is resolved but I happened to solve this same problem on my own.
我知道这个问题已经解决了,但是我自己也解决了这个问题。
The cause of
的原因
Forbidden You don't have permission to access / on this server
禁止您访问/访问此服务器。
is actually the default configuration for an apache directory in httpd.conf
.
实际上是httpd.conf中apache目录的默认配置。
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory "/">
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all # the cause of permission denied
</Directory>
Simply changing Deny from all
to Allow from all
should solve the permission problem.
简单地改变拒绝一切允许从所有应该解决权限问题。
Alternatively, a better approach would be to specify individual directory permissions on virtualhost configuration.
或者,更好的方法是在virtualhost配置上指定单独的目录权限。
<VirtualHost *:80>
....
# Set access permission
<Directory "/path/to/docroot">
Allow from all
</Directory>
....
</VirtualHost>
As of Apache-2.4, however, access control is done using the new module mod_authz_host
(Upgrading to 2.4 from 2.2). Consequently, the new Require
directive should be used.
但是,在Apache-2.4中,访问控制是使用新的模块mod_authz_host完成的(从2.2升级到2.4)。因此,应该使用新的要求指令。
<VirtualHost *:80>
....
# Set access permission
<Directory "/path/to/docroot">
Require all granted
</Directory>
....
</VirtualHost>
#3
114
A common gotcha for directories hosted outside of the default /var/www/ is that the Apache user doesn't just need permissions to the directory and subdirectories where the site is being hosted. Apache requires permissions to all the directories all the way up to the root of the file system where the site is hosted. Apache automatically gets permissions assigned to /var/www/ when it's installed, so if your host directory is directly underneath that then this doesn't apply to you. Edit: Daybreaker has reported that his Apache was installed without correct access permissions to the default directory.
在缺省/var/www/的外部托管的目录的一个常见问题是,Apache用户不仅需要访问站点所在的目录和子目录的权限。Apache需要所有目录的权限,直到站点所在的文件系统的根目录。在安装时,Apache会自动获得分配给/var/www/的权限,因此,如果您的主机目录直接在下面,那么这就不适用于您。编辑:Daybreaker报告说,他的Apache安装没有正确的访问权限到默认目录。
For example, you've got a development machine and your site's directory is:
例如,您有一个开发机器,您的站点的目录是:
/username/home/Dropbox/myamazingsite/
You may think you can get away with:
你可能认为你可以逃避:
chgrp -R www-data /username/home/Dropbox/myamazingsite/
chmod -R 2750 /username/home/Dropbox/myamazingsite/
because this gives Apache permissions to access your site's directory? Well that's correct but it's not sufficient. Apache requires permissions all the way up the directory tree so what you need to do is:
因为这给了Apache访问站点目录的权限?这是正确的,但还不够。Apache需要权限一直到目录树,所以你需要做的是:
chgrp -R www-data /username/
chmod -R 2750 /username/
Obviously I would not recommend giving access to Apache on a production server to a complete directory structure without analysing what's in that directory structure. For production it's best to keep to the default directory or another directory structure that's just for holding web assets.
显然,我不建议在不分析目录结构的情况下,让生产服务器上的Apache访问完整的目录结构。对于生产,最好保存到默认目录或另一个目录结构,这只是用来保存web资产的。
Edit2: as u/chimeraha pointed out, if you're not sure what you're doing with the permissions, it'd be best to move your site's directory out of your home directory to avoid potentially locking yourself out of your home directory.
Edit2:正如u/chimeraha所指出的,如果你不确定你的权限是什么,最好将你的站点的目录从你的主目录中移出,以避免可能把你自己锁在你的主目录下。
#4
53
Some configuration parameters have changed in Apache 2.4. I had a similar issue when I was setting up a Zend Framework 2 application. After some research, here is the solution:
在Apache 2.4中,一些配置参数发生了变化。我在创建Zend Framework 2应用程序时遇到了类似的问题。在一些研究之后,这里有一个解决方案:
Incorrect Configuration
不正确的配置
<VirtualHost *:80>
ServerName zf2-tutorial.localhost
DocumentRoot /path/to/zf2-tutorial/public
SetEnv APPLICATION_ENV "development"
<Directory /path/to/zf2-tutorial/public>
DirectoryIndex index.php
AllowOverride All
Order allow,deny #<-- 2.2 config
Allow from all #<-- 2.2 config
</Directory>
</VirtualHost>
Correct Configuration
正确的配置
<VirtualHost *:80>
ServerName zf2-tutorial.localhost
DocumentRoot /path/to/zf2-tutorial/public
SetEnv APPLICATION_ENV "development"
<Directory /path/to/zf2-tutorial/public>
DirectoryIndex index.php
AllowOverride All
Require all granted #<-- 2.4 New configuration
</Directory>
</VirtualHost>
If you are planning to migrate from Apache 2.2 to 2.4, here is a good reference: http://httpd.apache.org/docs/2.4/upgrading.html
如果您打算从Apache 2.2迁移到2.4,这里有一个很好的参考:http://httpd.apache.org/docs/2.4/upgrad. html。
#5
33
With Apache 2.2
与Apache 2.2
Order Deny,Allow
Allow from all
With Apache 2.4
与Apache 2.4
Require all granted
From http://httpd.apache.org/docs/2.4/en/upgrading.html
从http://httpd.apache.org/docs/2.4/en/upgrading.html
#6
23
If you are using a WAMP server then try this:
如果您使用的是WAMP服务器,请尝试以下方法:
-
Single click on the WAMP server icon at the taskbar
单击任务栏上的WAMP服务器图标。
-
Select the option put online
选择放到网上的选项。
-
Your server will restart automatically
您的服务器将自动重启。
-
Then try to access your localwebsite
然后尝试访问您的本地网站。
#7
22
On Ubuntu 14.04 using Apache 2.4, I did the following:
在使用Apache 2.4的Ubuntu 14.04上,我做了如下工作:
Add the following in the file, apache2.conf (under /etc/apache2
):
在文件中添加以下内容,apache2。conf(/etc/apache2以下):
<Directory /home/rocky/code/documentroot/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
and reload the server:
并重新加载服务器:
sudo service apache2 reload
Edit: This also works on OS X Yosemite with Apache 2.4. The all-important line is
编辑:这也适用于Apache 2.4的OS X Yosemite。最重要的是
Require all granted
要求所有授予
#8
14
I solved my problem by adding my user to httpd.conf
.
我通过将用户添加到httpd.conf解决了我的问题。
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
#User daemon
User my_username
Group daemon
#9
13
This article Creating virtual hosts on Apache 2.2 helps me (point 9) permissions to the top virtual hosts directory.
这篇文章创建了Apache 2.2上的虚拟主机,帮助我(点9)权限到*虚拟主机目录。
I simply add this lines to my vhosts.conf file:
我只是将这条线添加到我的vhosts中。配置文件:
<Directory I:/projects/webserver>
Order Deny,Allow
Allow from all
</Directory>
#10
13
If you are using CentOS with SELinux Try:
如果你正在使用CentOS与SELinux尝试:
sudo restorecon -r /var/www/html
See more: https://www.centos.org/forums/viewtopic.php?t=6834#p31548
看到更多:https://www.centos.org/forums/viewtopic.php?t=6834 # p31548
#11
8
I was getting the same error and couldn't figure out the problem for ages. If you happen to be on a Linux distribution that includes SELinux such as CentOS, you need to make sure SELinux permissions are set correctly for your document root files or you will get this error. This is a completely different set of permissions to the standard file system permissions.
我也犯了同样的错误,很久没能解决这个问题了。如果您碰巧在一个包含SELinux(例如CentOS)的Linux发行版上,您需要确保对您的文档根文件正确设置SELinux权限,否则您将会得到这个错误。这是对标准文件系统权限的完全不同的权限集。
I happened to use the tutorial Apache and SELinux, but there seems to be plenty around once you know what to look for.
我碰巧使用了教程Apache和SELinux,但是一旦您知道要查找什么,似乎就会有很多。
#12
5
If you are using MAMP Pro the way to fix this is by checking the Indexes
checkbox under the Hosts
- Extended
tab.
如果您正在使用MAMP Pro,那么可以通过在主机-扩展选项卡下检查索引复选框来解决这个问题。
In MAMP Pro v3.0.3 this is what that looks like:
在MAMP Pro v3.0.3中是这样的:
#13
4
There is another way to solve this problem. Let us say you want to access directory "subphp" which exist at /var/www/html/subphp
, and you want to access it using 127.0.0.1/subphp
and you receive error like this:
有另一种方法来解决这个问题。假设您希望访问位于/var/www/html/subphp中的目录“subphp”,您希望使用127.0.0.1/subphp访问它,您会收到这样的错误:
You don't have permission to access /subphp/ on this server.
您没有权限访问/subphp/在此服务器上。
Then change the directory permissions from "None" to "access files". A command-line user can use the chmod command to change the permission.
然后将目录权限从“None”改为“access files”。命令行用户可以使用chmod命令更改权限。
#14
3
I use Mac OS X, in my case, I just forget to enable php in apache, all I need to do is to uncomment one line from /etc/apache2/httpd.conf
:
我使用Mac OS X,在我的例子中,我忘记了在apache中启用php,我所需要做的就是将一条行从/etc/apache2/httpd.conf中取消注释:
LoadModule php5_module libexec/apache2/libphp5.so
ref this article for detail.
参考这篇文章的细节。
#15
2
(In Windows and Apache 2.2.x)
(在Windows和Apache 2.2.x中)
The "Forbidden" error is also the result of not having virtual hosts defined.
“禁止”错误也是没有定义虚拟主机的结果。
As noted by Julien, if you intend to use virtual hosts.conf
, then go to the httpd file and uncomment the following line:
正如Julien所指出的,如果您打算使用虚拟主机。然后转到httpd文件并取消注释:
#Include conf/extra/httpd-vhosts.conf
Then add your virtual hosts definitions in conf/extra/httpd-vhosts.conf
and restart Apache.
然后在conf/extra/httpd-vhosts中添加虚拟主机定义。conf并重新启动Apache。
#16
2
I had the same issue, but due to the fact that I changed the path on apache to a folder outside var/www, I started running into problems.
我有同样的问题,但由于我将apache的路径更改为var/www外的文件夹,我开始遇到问题。
I fixed it by creating a symlink in var/www/html > home/dev/project which seemed to do the trick, without having to change any permissions...
我通过在var/www/html > home/dev/project中创建了一个符号链接来解决这个问题,这似乎是一个技巧,而不必改变任何权限……
#17
2
I ran into this problem, and my solution was moreso that www-data didn't own the proper folders, and instead I set it for one of the users to own it. (I was trying to do a bit of fancy, but erroneous trickery to get ftp to play nicely.)
我遇到了这个问题,我的解决方案是moreso, www-data没有拥有正确的文件夹,而我将它设置为一个用户拥有它。(我试着去做一些花哨的,但错误的花招,让ftp玩得很好。)
After running:
在运行:
chown -R www-data:www-data /var/www/html
The machine started serving data again. You can see who currently owns the folder by means of
机器又开始提供数据了。您可以看到谁目前拥有该文件夹的方法。
ls -l /var/www/html
#18
2
This solution doesn't Allow from all
I just want to change my public directory www, and access it from my PC, and mobile connected by Wifi. I've Ubuntu 16.04.
我只是想改变我的公共目录www,并从我的PC*问它,通过Wifi连接移动。我的Ubuntu 16.04。
-
So, first, I modified /etc/apache2/sites-enabled/000-default.conf and I changed the line DocumentRoot /var/www/html for my new public directory DocumentRoot "/media/data/XAMPP/htdocs"
因此,首先,我修改了/etc/apache2/sites-enabled/000-default。conf和我更改了新的公共目录DocumentRoot“/media/data/XAMPP/htdocs”的行DocumentRoot /var/www/html。
-
Then I modified /etc/apache2/apache2.conf, and I put the permissions for localhost, and my mobile, this time I used the IP address, I know it is not completely safe, but it's OK for my purposes.
然后我修改/etc/apache2/apache2.conf,我给localhost和我的手机设置了权限,这次我使用了IP地址,我知道它不是完全安全的,但是我的目的是可以的。
<Directory/> Options FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from localhost 10.42.0.11 </Directory>
#19
0
I had the same issue for a specific controller only - which was really weird. I had a folder in the root of the CI folder that had the same name as the controller I was trying to access... Because of that, CI was directing the request to this directory instead of the controller itself.
我对一个特定的控制器也有同样的问题——这真的很奇怪。我在CI文件夹的根目录中有一个文件夹,它与我试图访问的控制器的名称相同。因此,CI将请求指向该目录而不是控制器本身。
After removing this folder (which was there a bit by mistake), it all worked fine.
删除了这个文件夹之后(这里有一点错误),一切都很正常。
To be more clear, here is what it looked like:
更清楚的是,这就是它的样子:
/ci/controller/register.php
/ci/register/
I had to remove /ci/register/
.
我得把/ci/注册/注册。
#20
0
Check exactly where you are putting your files, don't nest them in the Documents folder.
检查你的文件放在哪里,不要把它们放在文件夹里。
For instance I made the mistake of putting my code in the Documents folder of as mentioned this isn't going to work because Documents is explicitly only available to YOU and not APACHE. Try moving it up one directory and you may not see this issue.
例如,我犯了错误,把我的代码放在前面提到的文档文件夹中,这是行不通的,因为文档只对您开放,而不是APACHE。尝试将它移动到一个目录中,您可能不会看到这个问题。
Move folder from:
移动文件夹:
/Users/YOURUSERNAME/Documents/code
/用户/ YOURUSERNAME /文件/代码
To here: /Users/YOURUSERNAME/code
到这里:/用户/ YOURUSERNAME /代码
#21
0
Just to bring another contribution as I ran to this problem too:
为了给这个问题带来另一个贡献:
I had a VirtualHost configured that I did not want to. I have commented out the line where the include for the vhost occured, and it worked.
我配置了一个我不想要的虚拟主机。我已经注释掉了包含vhost的行,并且它起作用了。
#22
0
You can change youralias.conf
file like this code:
你可以改变youralias。conf文件如下:
Alias /Quiz/ "h:/MyServer/Quiz/"
<Directory "h:/MyServer/Quiz/">
Options Indexes FollowSymLinks
AllowOverride all
<IfDefine APACHE24>
Require local
</IfDefine>
<IfDefine !APACHE24>
Order Deny,Allow
Deny from all
Allow from localhost ::1 127.0.0.1
</IfDefine>
</Directory>
#23
0
Remember that the correct file to be configured in this situation is not the httpd.conf in the phpMyAdmin alias, but in bin/apache/your_version/conf/httpd.conf
.
请记住,在这种情况下配置的正确文件不是httpd。conf在phpMyAdmin别名中,但在bin/apache/your_version/conf/httpd.conf中。
Look for the following line:
寻找以下路线:
DocumentRoot "c:/wamp/www/"
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Allow from all
</Directory>
Make sure it is set to Allow from all
...
确保它被设置为允许所有…
If not, phpMyAdmin might even work, but not your root and other folders under it. Also, remember to restart WAMP and then put online...
如果不是,phpMyAdmin甚至可以工作,但不是根目录下的其他文件夹。另外,记得重新启动WAMP,然后放到网上…
This solved my headache.
这解决了我的头痛。
#24
0
I had this issue when using SSHFS to mount the files in my VirtualBox guest from my local filesystem before running a docker build. In the end, the "fix" was to copy all the files to the VirtualBox instance rather than building from inside the SSHFS mount, and then run the build from there.
在运行docker构建之前,我使用SSHFS在我的VirtualBox客户文件中装入我的VirtualBox客户机中的文件时遇到了这个问题。最后,“修复”是将所有文件复制到VirtualBox实例,而不是从SSHFS挂载中构建,然后从那里运行构建。
#25
0
WORKING Method (unless there is no other problem)
工作方法(除非没有其他问题)
By default, Apache is not restricting access from IPv4 (common external IP address)
默认情况下,Apache不限制使用IPv4(公共外部IP地址)
What are restricted are the commands given in 'httpd.conf
'.
限制的是“httpd.conf”中给出的命令。
Replace all
替换所有
<Directory />
AllowOverride none
Require all denied
</Directory>
with
与
<Directory />
AllowOverride none
# Require all denied
</Directory>
hence removing out all restriction given to Apache.
因此取消了对Apache的所有限制。
Replace Require local
with Require all granted
for the C:/wamp/www/ directory.
替换要求本地要求所有授予的C:/wamp/www/目录。
<Directory "c:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
# Require local
</Directory>
#26
0
Try this and don't add anything Order allow,deny
and others:
试试这个,不要添加任何订单允许,拒绝和其他:
AddHandler cgi-script .cgi .py
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all granted
Allow from all
</Directory>
sudo a2enmod cgi
sudo service apache2 restart
#27
0
After changing the configuration files don't forget to Restart All Services
.
更改配置文件后,不要忘记重新启动所有服务。
I wasted three hours of my time on it.
我浪费了我三个小时的时间。
#28
0
This is pretty ridiculous, but I got the 403 Forbidden when the file I was trying to download wasn't there on the filesystem. The apache error is not very accurate in this case, and the whole thing worked after I simply put the file where it was supposed to be.
这很荒谬,但是我在试图下载的文件没有在文件系统上时被禁止了。在这种情况下,apache的错误并不十分准确,在我简单地把文件放到应该是的地方之后,整个事情就开始了。
#29
0
We had modsec enabled, check the site's error log for an modsec ID then enter a locationmatch for the file in the vhost (or .htaccess I guess):
我们启用了modsec,检查站点的错误日志,然后输入modsec ID,然后在vhost(或.htaccess)中输入文件的locationmatch:
<LocationMatch "/yourlocation/index.php">
<IfModule security2_module>
SecRuleRemoveById XXXXXXX
</IfModule>
</LocationMatch>
#30
0
Just to add another potential gotcha to this growing list, my problem (running CentOS 6.8) was with a particular virtualhost which worked fine on a different server, the issue turned out to be a faulty .htaccess file using mod_rewrite:
为了在这个不断增长的列表中添加另一个潜在的问题,我的问题(运行CentOS 6.8)是在一个特定的虚拟主机上运行的,在另一个服务器上运行良好,这个问题被证明是一个错误的。htaccess文件使用mod_rewrite:
In .htaccess, this caused a 403 error: <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / </IfModule>
在.htaccess中,这导致了403错误:
Adding FollowSymLinks as the first line fixed the issue: <IfModule mod_rewrite.c> Options +FollowSymLinks RewriteEngine On RewriteBase / </IfModule>
添加FollowSymLinks作为第一行修复问题:
#1
565
Update October 2016
4 years ago, since this answer is used as a reference by many, and while I learned a lot from security perspective during these years, I feel I am responsible to clarify some important notes, and I've update my answer accordingly.
4年前,由于这个答案被很多人用作参考,在这些年里我从安全角度学到了很多东西,我觉得我有责任澄清一些重要的注意事项,我也相应地更新了我的答案。
The original answer is correct but not safe for some production environments, in addition I would like to explain some issues that you might fall into while setting up your environment.
最初的答案是正确的,但对于某些生产环境来说是不安全的,另外,我还想解释一些您在设置环境时可能会遇到的问题。
If you are looking for a quick solution and SECURITY IS NOT A MATTER, i.e development env, skip and read the original answer instead
如果你正在寻找一个快速的解决方案,安全不是问题,我。e开发env,跳过并阅读原来的答案。
Many scenarios can lead to 403 Forbidden:
许多场景可能导致403被禁止:
A. Directory Indexes (from mod_autoindex.c
)
When you access a directory and there is no default file found in this directory AND Apache Options Indexes
is not enabled for this directory.
当您访问一个目录时,在这个目录中没有找到默认的文件,并且这个目录没有启用Apache Options索引。
A.1. DirectoryIndex
option example
DirectoryIndex index.html default.php welcome.php
DirectoryIndex指数。html违约。php welcome.php
A.2. Options Indexes
option
If set, apache will list the directory content if no default file found (from the above ???????? option)
如果设置了,apache将列出目录内容,如果没有找到默认文件(从上面的选项)
If none of the conditions above is satisfied
You will receive a 403 Forbidden
你将收到403的禁止。
Recommendations
- You should not allow directory listing unless REALLY needed.
- 除非确实需要,否则不应该允许目录列表。
- Restrict the default index
DirectoryIndex
to the minimum. - 将默认索引DirectoryIndex限制到最小值。
- If you want to modify, restrict the modification to the needed directory ONLY, for instance, use
.htaccess
files, or put your modification inside the<Directory /my/directory>
directive - 如果您想要修改,只需将修改限制在需要的目录中,例如,使用.htaccess文件,或者将修改放在 <目录 my directory> 指令中。
B. deny,allow
directives (Apache 2.2)
Mentioned by @Radu, @Simon A. Eugster in the comments You request is denied, blacklisted or whitelisted by those directives.
@Radu, @Simon A. Eugster在你请求的评论中提到的,被这些指令拒绝,被列入黑名单或被白名单。
I will not post a full explanation, but I think some examples may help you understand, in short remember this rule:
我不会发表完整的解释,但我认为一些例子可以帮助你理解,简而言之,这条规则:
IF MATCHED BY BOTH, THE LAST IS WILL WIN
如果两者都匹配,最后一个就会赢。
Order allow,deny
Deny will win if matched by both directives (even if an allow
directive is written after the deny
in the conf)
如果两个指令匹配,Deny将获胜(即使在conf中拒绝了允许指令)
Order deny,allow
allow will win if matched by both directives
如果两个指令匹配,允许将获胜。
Example 1
Order allow,deny
Allow from localhost mydomain.com
Only localhost and *.mydomain.com can access this, all other hosts are denied
只有localhost和*.mydomain.com可以访问这个,所有其他主机都被拒绝。
Example 2
Order allow,deny
Deny from evil.com
Allow from safe.evil.com # <-- has no effect since this will be evaluated first
All requests are denied, the last line may trick you, but remember that if matched by both the last win rule (here Deny is the last), same as written:
所有请求都被拒绝,最后一行可能会欺骗您,但请记住,如果最后一个win规则(此处拒绝是最后一个)匹配,则与所写的相同:
Order allow,deny
Allow from safe.evil.com
Deny from evil.com # <-- will override the previous one
Example 4
Order deny,allow
Allow from site.com
Deny from untrusted.site.com # <-- has no effect since this will be matched by the above `Allow` directive
Requests are accepted from all hosts
所有主机都接受请求。
Example 4: typical for public sites (allow unless blacklisted)
Order allow,deny
Allow from all
Deny from hacker1.com
Deny from hacker2.com
Example 5: typical for intranet and secure sites (deny unless whitelisted)
Order deny,allow
Deny from all
Allow from mypc.localdomain
Allow from managment.localdomain
C. Require
directive (Apache 2.4)
Apache 2.4 use a new module called mod_authz_host
Apache 2.4使用一个名为mod_authz_host的新模块。
Require all granted
=> Allow all requests
要求所有的=>允许所有请求。
Require all denied
=> Deny all requests
要求全部拒绝=>拒绝所有请求。
Require host safe.com
=> Only from safe.com are allowed
只允许使用safe.com网站的主机safe.com =>。
D. Files permissions
One thing that most people do it wrong is configuring files permissions,
大多数人做错的一件事是配置文件权限,
The GOLDEN RULE is
黄金法则是
STARTS WITH NO PERMISSION AND ADD AS PER YOUR NEED
从没有权限开始,根据您的需要添加。
In linux:
在linux中:
-
Directories should have the
Execute
permission目录应该具有执行权限。
-
Files should have the
Read
permission文件应该具有读权限。
-
YES, you are right DO NOT ADD
Execute
permission for files是的,您是正确的,不要添加对文件的执行权限。
for instance, I use this script to setup the folders permissions
例如,我使用这个脚本设置文件夹的权限。
# setting permissions for /var/www/mysite.com
# read permission ONLY for the owner
chmod -R /var/www/mysite.com 400
# add execute for folders only
find /var/www/mysite.com -type d -exec chmod -R u+x {} \;
# allow file uploads
chmod -R /var/www/mysite.com/public/uploads u+w
# allow log writing to this folder
chmod -R /var/www/mysite.com/logs/
I posted this code as an example, setup may vary in other situations
我将此代码作为示例发布,在其他情况下设置可能会有所不同。
Original Answer
I faced the same issue, but I solved it by setting the options directive either in the global directory setting in the httpd.conf or in the specific directory block in httpd-vhosts.conf:
我遇到了同样的问题,但是我通过在httpd中的全局目录设置中设置选项指令来解决它。conf或在httpd-vhosts.conf中的特定目录块中:
Options Indexes FollowSymLinks Includes ExecCGI
By default, your global directory settings is (httpd.conf line ~188)
:
默认情况下,全局目录设置是(httpd)。相依~ 188行):
<Directory />
Options FollowSymLinks
AllowOverride All
Order deny,allow
Allow from all
</Directory>
set the options to : Options Indexes FollowSymLinks Includes ExecCGI
将选项设置为:options索引FollowSymLinks包括ExecCGI。
Finally, it should look like:
最后,它应该是:
<Directory />
#Options FollowSymLinks
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Order deny,allow
Allow from all
</Directory>
Also try changing Order deny,allow
and Allow from all
lines by Require all granted
.
也试着改变顺序,拒绝,允许和允许从所有的线,要求所有的批准。
Appendix
Directory Indexes source code (some code remove for brevity)
if (allow_opts & OPT_INDEXES) {
return index_directory(r, d);
} else {
const char *index_names = apr_table_get(r->notes, "dir-index-names");
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01276)
"Cannot serve directory %s: No matching DirectoryIndex (%s) found, and "
"server-generated directory index forbidden by "
"Options directive",
r->filename,
index_names ? index_names : "none");
return HTTP_FORBIDDEN;
}
#2
171
I understand this issue is resolved but I happened to solve this same problem on my own.
我知道这个问题已经解决了,但是我自己也解决了这个问题。
The cause of
的原因
Forbidden You don't have permission to access / on this server
禁止您访问/访问此服务器。
is actually the default configuration for an apache directory in httpd.conf
.
实际上是httpd.conf中apache目录的默认配置。
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory "/">
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all # the cause of permission denied
</Directory>
Simply changing Deny from all
to Allow from all
should solve the permission problem.
简单地改变拒绝一切允许从所有应该解决权限问题。
Alternatively, a better approach would be to specify individual directory permissions on virtualhost configuration.
或者,更好的方法是在virtualhost配置上指定单独的目录权限。
<VirtualHost *:80>
....
# Set access permission
<Directory "/path/to/docroot">
Allow from all
</Directory>
....
</VirtualHost>
As of Apache-2.4, however, access control is done using the new module mod_authz_host
(Upgrading to 2.4 from 2.2). Consequently, the new Require
directive should be used.
但是,在Apache-2.4中,访问控制是使用新的模块mod_authz_host完成的(从2.2升级到2.4)。因此,应该使用新的要求指令。
<VirtualHost *:80>
....
# Set access permission
<Directory "/path/to/docroot">
Require all granted
</Directory>
....
</VirtualHost>
#3
114
A common gotcha for directories hosted outside of the default /var/www/ is that the Apache user doesn't just need permissions to the directory and subdirectories where the site is being hosted. Apache requires permissions to all the directories all the way up to the root of the file system where the site is hosted. Apache automatically gets permissions assigned to /var/www/ when it's installed, so if your host directory is directly underneath that then this doesn't apply to you. Edit: Daybreaker has reported that his Apache was installed without correct access permissions to the default directory.
在缺省/var/www/的外部托管的目录的一个常见问题是,Apache用户不仅需要访问站点所在的目录和子目录的权限。Apache需要所有目录的权限,直到站点所在的文件系统的根目录。在安装时,Apache会自动获得分配给/var/www/的权限,因此,如果您的主机目录直接在下面,那么这就不适用于您。编辑:Daybreaker报告说,他的Apache安装没有正确的访问权限到默认目录。
For example, you've got a development machine and your site's directory is:
例如,您有一个开发机器,您的站点的目录是:
/username/home/Dropbox/myamazingsite/
You may think you can get away with:
你可能认为你可以逃避:
chgrp -R www-data /username/home/Dropbox/myamazingsite/
chmod -R 2750 /username/home/Dropbox/myamazingsite/
because this gives Apache permissions to access your site's directory? Well that's correct but it's not sufficient. Apache requires permissions all the way up the directory tree so what you need to do is:
因为这给了Apache访问站点目录的权限?这是正确的,但还不够。Apache需要权限一直到目录树,所以你需要做的是:
chgrp -R www-data /username/
chmod -R 2750 /username/
Obviously I would not recommend giving access to Apache on a production server to a complete directory structure without analysing what's in that directory structure. For production it's best to keep to the default directory or another directory structure that's just for holding web assets.
显然,我不建议在不分析目录结构的情况下,让生产服务器上的Apache访问完整的目录结构。对于生产,最好保存到默认目录或另一个目录结构,这只是用来保存web资产的。
Edit2: as u/chimeraha pointed out, if you're not sure what you're doing with the permissions, it'd be best to move your site's directory out of your home directory to avoid potentially locking yourself out of your home directory.
Edit2:正如u/chimeraha所指出的,如果你不确定你的权限是什么,最好将你的站点的目录从你的主目录中移出,以避免可能把你自己锁在你的主目录下。
#4
53
Some configuration parameters have changed in Apache 2.4. I had a similar issue when I was setting up a Zend Framework 2 application. After some research, here is the solution:
在Apache 2.4中,一些配置参数发生了变化。我在创建Zend Framework 2应用程序时遇到了类似的问题。在一些研究之后,这里有一个解决方案:
Incorrect Configuration
不正确的配置
<VirtualHost *:80>
ServerName zf2-tutorial.localhost
DocumentRoot /path/to/zf2-tutorial/public
SetEnv APPLICATION_ENV "development"
<Directory /path/to/zf2-tutorial/public>
DirectoryIndex index.php
AllowOverride All
Order allow,deny #<-- 2.2 config
Allow from all #<-- 2.2 config
</Directory>
</VirtualHost>
Correct Configuration
正确的配置
<VirtualHost *:80>
ServerName zf2-tutorial.localhost
DocumentRoot /path/to/zf2-tutorial/public
SetEnv APPLICATION_ENV "development"
<Directory /path/to/zf2-tutorial/public>
DirectoryIndex index.php
AllowOverride All
Require all granted #<-- 2.4 New configuration
</Directory>
</VirtualHost>
If you are planning to migrate from Apache 2.2 to 2.4, here is a good reference: http://httpd.apache.org/docs/2.4/upgrading.html
如果您打算从Apache 2.2迁移到2.4,这里有一个很好的参考:http://httpd.apache.org/docs/2.4/upgrad. html。
#5
33
With Apache 2.2
与Apache 2.2
Order Deny,Allow
Allow from all
With Apache 2.4
与Apache 2.4
Require all granted
From http://httpd.apache.org/docs/2.4/en/upgrading.html
从http://httpd.apache.org/docs/2.4/en/upgrading.html
#6
23
If you are using a WAMP server then try this:
如果您使用的是WAMP服务器,请尝试以下方法:
-
Single click on the WAMP server icon at the taskbar
单击任务栏上的WAMP服务器图标。
-
Select the option put online
选择放到网上的选项。
-
Your server will restart automatically
您的服务器将自动重启。
-
Then try to access your localwebsite
然后尝试访问您的本地网站。
#7
22
On Ubuntu 14.04 using Apache 2.4, I did the following:
在使用Apache 2.4的Ubuntu 14.04上,我做了如下工作:
Add the following in the file, apache2.conf (under /etc/apache2
):
在文件中添加以下内容,apache2。conf(/etc/apache2以下):
<Directory /home/rocky/code/documentroot/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
and reload the server:
并重新加载服务器:
sudo service apache2 reload
Edit: This also works on OS X Yosemite with Apache 2.4. The all-important line is
编辑:这也适用于Apache 2.4的OS X Yosemite。最重要的是
Require all granted
要求所有授予
#8
14
I solved my problem by adding my user to httpd.conf
.
我通过将用户添加到httpd.conf解决了我的问题。
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
#User daemon
User my_username
Group daemon
#9
13
This article Creating virtual hosts on Apache 2.2 helps me (point 9) permissions to the top virtual hosts directory.
这篇文章创建了Apache 2.2上的虚拟主机,帮助我(点9)权限到*虚拟主机目录。
I simply add this lines to my vhosts.conf file:
我只是将这条线添加到我的vhosts中。配置文件:
<Directory I:/projects/webserver>
Order Deny,Allow
Allow from all
</Directory>
#10
13
If you are using CentOS with SELinux Try:
如果你正在使用CentOS与SELinux尝试:
sudo restorecon -r /var/www/html
See more: https://www.centos.org/forums/viewtopic.php?t=6834#p31548
看到更多:https://www.centos.org/forums/viewtopic.php?t=6834 # p31548
#11
8
I was getting the same error and couldn't figure out the problem for ages. If you happen to be on a Linux distribution that includes SELinux such as CentOS, you need to make sure SELinux permissions are set correctly for your document root files or you will get this error. This is a completely different set of permissions to the standard file system permissions.
我也犯了同样的错误,很久没能解决这个问题了。如果您碰巧在一个包含SELinux(例如CentOS)的Linux发行版上,您需要确保对您的文档根文件正确设置SELinux权限,否则您将会得到这个错误。这是对标准文件系统权限的完全不同的权限集。
I happened to use the tutorial Apache and SELinux, but there seems to be plenty around once you know what to look for.
我碰巧使用了教程Apache和SELinux,但是一旦您知道要查找什么,似乎就会有很多。
#12
5
If you are using MAMP Pro the way to fix this is by checking the Indexes
checkbox under the Hosts
- Extended
tab.
如果您正在使用MAMP Pro,那么可以通过在主机-扩展选项卡下检查索引复选框来解决这个问题。
In MAMP Pro v3.0.3 this is what that looks like:
在MAMP Pro v3.0.3中是这样的:
#13
4
There is another way to solve this problem. Let us say you want to access directory "subphp" which exist at /var/www/html/subphp
, and you want to access it using 127.0.0.1/subphp
and you receive error like this:
有另一种方法来解决这个问题。假设您希望访问位于/var/www/html/subphp中的目录“subphp”,您希望使用127.0.0.1/subphp访问它,您会收到这样的错误:
You don't have permission to access /subphp/ on this server.
您没有权限访问/subphp/在此服务器上。
Then change the directory permissions from "None" to "access files". A command-line user can use the chmod command to change the permission.
然后将目录权限从“None”改为“access files”。命令行用户可以使用chmod命令更改权限。
#14
3
I use Mac OS X, in my case, I just forget to enable php in apache, all I need to do is to uncomment one line from /etc/apache2/httpd.conf
:
我使用Mac OS X,在我的例子中,我忘记了在apache中启用php,我所需要做的就是将一条行从/etc/apache2/httpd.conf中取消注释:
LoadModule php5_module libexec/apache2/libphp5.so
ref this article for detail.
参考这篇文章的细节。
#15
2
(In Windows and Apache 2.2.x)
(在Windows和Apache 2.2.x中)
The "Forbidden" error is also the result of not having virtual hosts defined.
“禁止”错误也是没有定义虚拟主机的结果。
As noted by Julien, if you intend to use virtual hosts.conf
, then go to the httpd file and uncomment the following line:
正如Julien所指出的,如果您打算使用虚拟主机。然后转到httpd文件并取消注释:
#Include conf/extra/httpd-vhosts.conf
Then add your virtual hosts definitions in conf/extra/httpd-vhosts.conf
and restart Apache.
然后在conf/extra/httpd-vhosts中添加虚拟主机定义。conf并重新启动Apache。
#16
2
I had the same issue, but due to the fact that I changed the path on apache to a folder outside var/www, I started running into problems.
我有同样的问题,但由于我将apache的路径更改为var/www外的文件夹,我开始遇到问题。
I fixed it by creating a symlink in var/www/html > home/dev/project which seemed to do the trick, without having to change any permissions...
我通过在var/www/html > home/dev/project中创建了一个符号链接来解决这个问题,这似乎是一个技巧,而不必改变任何权限……
#17
2
I ran into this problem, and my solution was moreso that www-data didn't own the proper folders, and instead I set it for one of the users to own it. (I was trying to do a bit of fancy, but erroneous trickery to get ftp to play nicely.)
我遇到了这个问题,我的解决方案是moreso, www-data没有拥有正确的文件夹,而我将它设置为一个用户拥有它。(我试着去做一些花哨的,但错误的花招,让ftp玩得很好。)
After running:
在运行:
chown -R www-data:www-data /var/www/html
The machine started serving data again. You can see who currently owns the folder by means of
机器又开始提供数据了。您可以看到谁目前拥有该文件夹的方法。
ls -l /var/www/html
#18
2
This solution doesn't Allow from all
I just want to change my public directory www, and access it from my PC, and mobile connected by Wifi. I've Ubuntu 16.04.
我只是想改变我的公共目录www,并从我的PC*问它,通过Wifi连接移动。我的Ubuntu 16.04。
-
So, first, I modified /etc/apache2/sites-enabled/000-default.conf and I changed the line DocumentRoot /var/www/html for my new public directory DocumentRoot "/media/data/XAMPP/htdocs"
因此,首先,我修改了/etc/apache2/sites-enabled/000-default。conf和我更改了新的公共目录DocumentRoot“/media/data/XAMPP/htdocs”的行DocumentRoot /var/www/html。
-
Then I modified /etc/apache2/apache2.conf, and I put the permissions for localhost, and my mobile, this time I used the IP address, I know it is not completely safe, but it's OK for my purposes.
然后我修改/etc/apache2/apache2.conf,我给localhost和我的手机设置了权限,这次我使用了IP地址,我知道它不是完全安全的,但是我的目的是可以的。
<Directory/> Options FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from localhost 10.42.0.11 </Directory>
#19
0
I had the same issue for a specific controller only - which was really weird. I had a folder in the root of the CI folder that had the same name as the controller I was trying to access... Because of that, CI was directing the request to this directory instead of the controller itself.
我对一个特定的控制器也有同样的问题——这真的很奇怪。我在CI文件夹的根目录中有一个文件夹,它与我试图访问的控制器的名称相同。因此,CI将请求指向该目录而不是控制器本身。
After removing this folder (which was there a bit by mistake), it all worked fine.
删除了这个文件夹之后(这里有一点错误),一切都很正常。
To be more clear, here is what it looked like:
更清楚的是,这就是它的样子:
/ci/controller/register.php
/ci/register/
I had to remove /ci/register/
.
我得把/ci/注册/注册。
#20
0
Check exactly where you are putting your files, don't nest them in the Documents folder.
检查你的文件放在哪里,不要把它们放在文件夹里。
For instance I made the mistake of putting my code in the Documents folder of as mentioned this isn't going to work because Documents is explicitly only available to YOU and not APACHE. Try moving it up one directory and you may not see this issue.
例如,我犯了错误,把我的代码放在前面提到的文档文件夹中,这是行不通的,因为文档只对您开放,而不是APACHE。尝试将它移动到一个目录中,您可能不会看到这个问题。
Move folder from:
移动文件夹:
/Users/YOURUSERNAME/Documents/code
/用户/ YOURUSERNAME /文件/代码
To here: /Users/YOURUSERNAME/code
到这里:/用户/ YOURUSERNAME /代码
#21
0
Just to bring another contribution as I ran to this problem too:
为了给这个问题带来另一个贡献:
I had a VirtualHost configured that I did not want to. I have commented out the line where the include for the vhost occured, and it worked.
我配置了一个我不想要的虚拟主机。我已经注释掉了包含vhost的行,并且它起作用了。
#22
0
You can change youralias.conf
file like this code:
你可以改变youralias。conf文件如下:
Alias /Quiz/ "h:/MyServer/Quiz/"
<Directory "h:/MyServer/Quiz/">
Options Indexes FollowSymLinks
AllowOverride all
<IfDefine APACHE24>
Require local
</IfDefine>
<IfDefine !APACHE24>
Order Deny,Allow
Deny from all
Allow from localhost ::1 127.0.0.1
</IfDefine>
</Directory>
#23
0
Remember that the correct file to be configured in this situation is not the httpd.conf in the phpMyAdmin alias, but in bin/apache/your_version/conf/httpd.conf
.
请记住,在这种情况下配置的正确文件不是httpd。conf在phpMyAdmin别名中,但在bin/apache/your_version/conf/httpd.conf中。
Look for the following line:
寻找以下路线:
DocumentRoot "c:/wamp/www/"
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Allow from all
</Directory>
Make sure it is set to Allow from all
...
确保它被设置为允许所有…
If not, phpMyAdmin might even work, but not your root and other folders under it. Also, remember to restart WAMP and then put online...
如果不是,phpMyAdmin甚至可以工作,但不是根目录下的其他文件夹。另外,记得重新启动WAMP,然后放到网上…
This solved my headache.
这解决了我的头痛。
#24
0
I had this issue when using SSHFS to mount the files in my VirtualBox guest from my local filesystem before running a docker build. In the end, the "fix" was to copy all the files to the VirtualBox instance rather than building from inside the SSHFS mount, and then run the build from there.
在运行docker构建之前,我使用SSHFS在我的VirtualBox客户文件中装入我的VirtualBox客户机中的文件时遇到了这个问题。最后,“修复”是将所有文件复制到VirtualBox实例,而不是从SSHFS挂载中构建,然后从那里运行构建。
#25
0
WORKING Method (unless there is no other problem)
工作方法(除非没有其他问题)
By default, Apache is not restricting access from IPv4 (common external IP address)
默认情况下,Apache不限制使用IPv4(公共外部IP地址)
What are restricted are the commands given in 'httpd.conf
'.
限制的是“httpd.conf”中给出的命令。
Replace all
替换所有
<Directory />
AllowOverride none
Require all denied
</Directory>
with
与
<Directory />
AllowOverride none
# Require all denied
</Directory>
hence removing out all restriction given to Apache.
因此取消了对Apache的所有限制。
Replace Require local
with Require all granted
for the C:/wamp/www/ directory.
替换要求本地要求所有授予的C:/wamp/www/目录。
<Directory "c:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
# Require local
</Directory>
#26
0
Try this and don't add anything Order allow,deny
and others:
试试这个,不要添加任何订单允许,拒绝和其他:
AddHandler cgi-script .cgi .py
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all granted
Allow from all
</Directory>
sudo a2enmod cgi
sudo service apache2 restart
#27
0
After changing the configuration files don't forget to Restart All Services
.
更改配置文件后,不要忘记重新启动所有服务。
I wasted three hours of my time on it.
我浪费了我三个小时的时间。
#28
0
This is pretty ridiculous, but I got the 403 Forbidden when the file I was trying to download wasn't there on the filesystem. The apache error is not very accurate in this case, and the whole thing worked after I simply put the file where it was supposed to be.
这很荒谬,但是我在试图下载的文件没有在文件系统上时被禁止了。在这种情况下,apache的错误并不十分准确,在我简单地把文件放到应该是的地方之后,整个事情就开始了。
#29
0
We had modsec enabled, check the site's error log for an modsec ID then enter a locationmatch for the file in the vhost (or .htaccess I guess):
我们启用了modsec,检查站点的错误日志,然后输入modsec ID,然后在vhost(或.htaccess)中输入文件的locationmatch:
<LocationMatch "/yourlocation/index.php">
<IfModule security2_module>
SecRuleRemoveById XXXXXXX
</IfModule>
</LocationMatch>
#30
0
Just to add another potential gotcha to this growing list, my problem (running CentOS 6.8) was with a particular virtualhost which worked fine on a different server, the issue turned out to be a faulty .htaccess file using mod_rewrite:
为了在这个不断增长的列表中添加另一个潜在的问题,我的问题(运行CentOS 6.8)是在一个特定的虚拟主机上运行的,在另一个服务器上运行良好,这个问题被证明是一个错误的。htaccess文件使用mod_rewrite:
In .htaccess, this caused a 403 error: <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / </IfModule>
在.htaccess中,这导致了403错误:
Adding FollowSymLinks as the first line fixed the issue: <IfModule mod_rewrite.c> Options +FollowSymLinks RewriteEngine On RewriteBase / </IfModule>
添加FollowSymLinks作为第一行修复问题: