Apache permission denied

Asked 16/8, 2012 at 17:27 Answered 16/8, 2012 at 18:23

Solved php apache permissions httpd.conf

I've just installed a new Apache 2.4.2 with Php fast cgi build on windows.

Then I modified the httpd.conf adding the following:

LoadModule fcgid_module modules/mod_fcgid.so  
FcgidInitialEnv PHPRC "C:/SITE/PHP"
AddHandler fcgid-script .php
FcgidWrapper "C:/SITE/PHP/php-cgi.exe" .php

DocumentRoot "C:/SITE/localhost/www"
<Directory "C:/SITE/localhost/www">
    Order allow,deny
    Allow from all
</Directory>

However when I try to open my site, it says:

Forbidden You don't have permission to access / on this server.

Any ideas what might be the problem?

Casilde answered 16/8, 2012 at 17:27 Comment(12)

What are the permissions on index.php? – Writing 16/8, 2012 at 17:29

Well, I've got no idea honestly. Weren't the above lines supposed to give Allow for all files? I get the same reply for what ever request to the server: eg http://127.0.0.1/asdasdasd - the same outcome. – Casilde 16/8, 2012 at 17:32

No... allow/deny are directives for whether apache serves the resource to client - but apache still needs access to read the file. Think of apache as a user on your computer... if you dont give it access to the files then it cant serve them. – Valenba 16/8, 2012 at 17:35

Aha, I understand now. I wonder, how could I give enough permissions to apache though? Is it being restricted by some config, or by Windows itself? Is there anyway to find out / trouble shoot this? I would appreciate some advice. – Casilde 16/8, 2012 at 17:38

It is extremely rare that permissions are the problem here, the average user's home Windows installation is much more forgiving (read: insecure) than *nix from that point of view. Crucial point - have you restarted Apache since you modified httpd.conf? – Floydflss 16/8, 2012 at 17:39

sure thing... I did/ though I installed it in a weird way. I just ran httpd.exe -k install from administrator and it did the job. maybe there is something wrong with that part? – Casilde 16/8, 2012 at 17:39

Well one point that immediately springs to mind is that your <Directory> section is missing at least one crucial directive - you will need an Options ExecCGI directive in it. You should also probably add an explicit AllowOverride all (or none) directive. Also Order and Allow are deprecated - you should use the new Require directives provided by mod_authz_host if you are using 2.4.x – Floydflss 16/8, 2012 at 17:44

httpd -k install handles a manual service installation and is not it any way incorrect and won't be causing the problem. Are you running a VC10 build from ApacheLounge? – Floydflss 16/8, 2012 at 17:44

@Casilde OK well first thing to do is add an Options ExecCGI directive to the <Directory> section and restart Apache. If that doesn't work we'll take it from there. – Floydflss 16/8, 2012 at 17:46

@ DaveRandom Options ExecCGI didn't change anything. How could I use the Require directive? – Casilde 16/8, 2012 at 17:50

let us continue this discussion in chat – Floydflss 16/8, 2012 at 17:51

Possible duplicate of #9110679. Possible solution: as of Apache 2.4 the access control directives order, allow, deny and satisfy are deprecated. Make sure you are running a lower version when using these directives, or use Require instead. – Cess 22/11, 2013 at 0:7

This was the correct way to do it: (thanks to DaveRandom)

<Directory "C:/SITE/localhost/www">
    Options ExecCGI
    AllowOverride all
    Require all granted
</Directory>

Dave Random explains further:

After a little experimentation with this, I have discovered the nuance that makes this the correct answer, which is specific to Apache 2.3+. It seems that mod_authz_host directives take precedence over mod_access_compat directives, and this bubbles all the way up the directory tree. What this means is that if you are migrating from Apache 2.2 to Apache 2.4 and you use your 2.2 httpd.conf verbatim, it will work.

If, however, you perform a new install of 2.4 and base your config on the default 2.4 httpd.conf, Allow directives won't work, because the default top level section uses a Require all denied directive instead of Deny from all, and this takes precedence over any subsequent Allow directives higher up the tree. The long of the short of this is that if you are migrating your Order/Allow/Deny directives to their equivalent Requires, then you must chance all of them or you will find you get 403s you weren't expecting.

Casilde answered 16/8, 2012 at 18:23 Comment(9)

After a little experimentation with this, I have discovered the nuance that makes this the correct answer, which is specific to Apache 2.3+. It seems that mod_authz_host directives take precedence over mod_access_compat directives, and this bubbles all the way up the directory tree. What this means is that if you are migrating from Apache 2.2 to Apache 2.4 and you use your 2.2 httpd.conf verbatim, it will work. [continued in next comment] – Floydflss 16/8, 2012 at 23:34

If, however, you perform a new install of 2.4 and base your config on the default 2.4 httpd.conf, Allow directives won't work, because the default top level <Directory /> section uses a Require all denied directive instead of Deny from all, and this takes precedence over any subsequent Allow directives higher up the tree. The long of the short of this is that if you are migrating your Order/Allow/Deny directives to their equivalent Requires, then you must chance all of them or you will find you get 403s you weren't expecting. – Floydflss 16/8, 2012 at 23:36

@ Anonymous It seems, after the playing around that I have done (and, more to the point, re-reading the manual properly) that Options ExecCGI is not required for mod_fcgid, it only has an effect on mod_cgi. AllowOverride all is also not required to make it work - but without it (or at least an AllowOverride directive that permits something) you cannot use .htaccess files. I highly recommend you read and understand the manual for what these directives do and the possible values. – Floydflss 16/8, 2012 at 23:43

Yeah, I also noticed the deny from all from the main dir, when I was reviewing the config. Thanks for clarifying even more and contributing to the investigation and solution on this issue. – Casilde 17/8, 2012 at 10:48

@DaveRandom, thanks for the detailed explanation! I just tried to set up my old site on a new box that has the new mod_authz_host settings, and the Require all denied in my httpd.conf was overriding my old mod_access_compat Allow all in my VirtualHosts. I just updated my VirtualHosts to the equivalent Requires, and all is well! – Ephrayim 15/1, 2013 at 23:28

That's for all the info Dave! You are a gentleman and a scholar. – Ventricose 23/8, 2013 at 18:44

For anyone interested in the 2.2 -> 2.4 changes see here: httpd.apache.org/docs/trunk/upgrading.html – Ventricose 23/8, 2013 at 18:45

I just installed PHP 5.5 VC11 NTS on Apache 2.4 VC11 (from Apache Lounge) on Windows 8.1 (64-bit). For me, the Options ExecCGI was the difference. Without it, Apache would not start any FCGI process, it just returned 403 permission denied. – Lamrert 4/2, 2014 at 22:59

Calling it precedence is wrong. They have a "RequireAll"-relation in Apache jargon. So if "Require all denied" is set, there is no undoing this with whatever "Allow deny " construct you can think of. Likewise, if "Deny from all" is active, there is no "Require" directive to undo that. To confuse even more, using "Satisfy any" gives reversed logic to the above. To confuse a second time, disregarding Deny/Allow/Satisfy, "Require all granted <CR>Require all denied" has an implicit any relation, thus access is granted! – Emotion 25/1, 2016 at 23:37

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags