解决Apache下403 Forbidden错误

解决Apache下403 Forbidden错误

出现这样的问题一般有两种可能性。

一种可能性是DocumentRoot选项的设置,如果在安装好apache2后修改了该选项,并且忘记了配置该新目录的访问权限就会出现这样的情况。

比如apache2安装好后默认的参数如下:

DocumentRoot /usr/local/www/data
<directory "/usr/local/www/data">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</directory>

我们常常会重新指定web文件存放的目录,比如设定DocumentRoot /var/www这时往往会忽略了对后面的Directory 项的修改,必须将里面的路径同时修改为 /var/www才行,否则将会访问所有目录都出现 403 forbidden错误。

今天在公司电脑上安装Apache,版本2.2.8,装完刚测试可以;配置了下php的php.in文件再次localhost打开发现错误:HTTP 错误 403 - 禁止访问,即403 Forbidden:You don't have permission to access / on this server.权限又不够了?
马上打开apache的配置文件httpd.conf,逐行检查。在大约快一半的地方有以下这段代码:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

发现了吧。

由于配置了php后,这里的“Deny from all”已经拒绝了一切连接。把该行改成“allow from all”,修改后的代码如下,问题解决。

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    allow from all
</Directory>

另外一种可能性出现在我们配置了不同的VirtualHost,并且有某个VirtualHost的DocumentRoot不在全局的DocumentRoot目录下,这时必须在全局种单独增加对该目录的Directory 项进行设置,否则该VirtualHost下的所有访问均会出现403 forbidden错误。

这个问题是因为Apache2对于权限和安全的更高要求,对分布在不同磁盘上的目录文件进行严格管理,我们进行web规划的时候必须注意这一点。
试试下面的步骤:

  • 第一:看看是不是Directory配置错了,好像一般不会是这个原因
  • 第二:看看User Group指定的用户有没有权限访问那个目录,否则用chown修改目录的所有者
  • 第三:看看是不是seLinux搞得鬼,一般没事把selinux停了再重启linux,selinux的配置文件在/etc/selinux/config,改成disable
  • 第四:我把所有的都做了发现还是不行,那么可能是apache是用root安装的,把apache卸了用一个非root用户重新安装。

终极解决办法:如果以上都不行的话!!!

Forbidden You don't have permission to access / ~ web on this server. Additionally, a 403 Forbidden error was encountered while trying to use an Error Document to handle the request.

Apache/2.0.54 (CentOS) Server at 127.0.0.1 Port 80

  一般出现这个问题,直观地会想到的目录的存取权限问题,查了很久,调了很久也没有解决问题。

其间曾想到是否Selinux的问题,进去看了一圈,没有发现什么要改的地方。(后来的事实证明,有时候直觉是很准的,能否找到答案,区别往往是:是否在直觉上走的更深入)。

  问题的解决用Google以Apache 403搜了好一会,终于在一个博客里看到,作者遇到和我完全相同的问题:Apache、目录的配置都没问题,但就是不能显示页面。

而解决方法恰恰就是修改Selinux对public_html的访问控制。

用以下命令修改文件夹安全属性

chcon -R -t httpd_user_content_t public_html/

关联知识的总结:

Fedora Core 5 SELinux FAQ http://fedora.redhat.com/docs/selinux-faq-fc5/#faq-entry-public_html 

Q:  How do I make a user public_html directory work under SELinux?

A: This process presumes that you have enabled user public HTML directories in your Apache configuration file, /etc/httpd/conf/httpd.conf. 

    This process only covers serving static Web content. For more information about Apache HTTP and SELinux, refer to http://fedora.redhat.com/docs/selinux-apache-fc3/.If you do not already have a ~/public_html directory, create it and populate it with the files and folders to be served.cd ~mkdir public_htmlcp /path/to/content ~/public_htmlAt this point, httpd is configured to serve the contents, but you still receive a 403 forbidden error. This is because httpd is not allowed to read the security type for the directory and files as they are created in the user's home directory. Change the security context of the folder and its contents recursively using the -R option:ls -Z -d public_html/drwxrwxr-x  auser    auser    user_u:object_r:user_home_t      public_htmlchcon -R -t httpd_user_content_t public_html/ls -Z -d public_html/drwxrwxr-x  auser    auser    user_u:object_r:httpd_user_content_t public_html/ls -Z public_html/-rw-rw-r--  auser    auser    user_u:object_r:httpd_user_content_t bar.html-rw-rw-r--  auser    auser    user_u:object_r:httpd_user_content_t baz.html-rw-rw-r--  auser    auser    user_u:object_r:httpd_user_content_t foo.htmlYou may notice at a later date that the user field, set here to user_u, is changed to system_u. This does not affect how the targeted policy works. The field that matters is the type field.Your static webpages should now be served correctly. If you continue to have errors, ensure that the Boolean which enables user home directories is enabled. You can set it using system-config-securitylevel. Select the SELinux tab, and then select the Modify SELinux Policy area. Select Allow HTTPD to read home directories. The changes take effect immediately.

    所用命令解析:ls -Z -d public_html/#显示文件/目录的安全语境-Z, --contextDisplay  security context so it fits on most displays.  Displays only mode, user, group, security context and file name.-d, --directorylist directory entries instead of contents, and do not dereference symbolic linkschcon -R -t httpd_user_content_t public_html/#修改文件/目录的安全语境-R, --recursivechange files and directories recursively-t, --typeset type TYPE in the target security context   http://www.webjx.com/server/dns-524.html


» 本文链接:https://blog.java-zone.org/archives/138.html
» 转载请注明来源:Java地带  » 《解决Apache下403 Forbidden错误》

» 本文章为Java地带整理创作,欢迎转载!转载请注明本文地址,谢谢!
» 部分内容收集整理自网络,如有侵权请联系我删除!

» 订阅本站:https://blog.java-zone.org/feed/

标签: Apache

评论已关闭