TNorth Posted January 8, 2005

Hello,

I'll try to summarize the problem.

The setup:
Debian Testing on x86
Apache/2.0.52, PHP/4.3.10-2

The web directory: /var/www/ (contains index.php, which the server executes perfectly)
A projet/ directory inside it. Whatever permissions I set on it and on the index.php it contains, I get a 403 Forbidden.

Then there is a subtlety: this directory contains a symbolic link ('ln -s ...') to /home/projet/
Write permissions on /home/projet/ are given to the group 'projet', which I belong to (as a user). (The goal is for all users of the machine to be able to modify its content.)
And there, still 403 :(

Here is my apache2.conf as well, sorry, it's long. Also, this file seems incomplete to me; I tried adding bits to it, but without success.

```
# Based upon the NCSA server configuration files originally by Rob McCool.
# Changed extensively for the Debian package by Daniel Stone <daniel@sfarc.net>
# and also by Thom May <thom@debian.org>.

# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.

ServerRoot "/etc/apache2"

# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.

LockFile /var/lock/apache2/accept.lock

# PidFile: The file in which the server should record its process
# identification number when it starts.

PidFile /var/run/apache2.pid

# Timeout: The number of seconds before receives and sends time out.

Timeout 300

# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.

KeepAlive On

# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.

MaxKeepAliveRequests 100

# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.

KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers ......... number of server processes to start
# MinSpareServers ...... minimum number of server processes which are kept spare
# MaxSpareServers ...... maximum number of server processes which are kept spare
# MaxClients ........... maximum number of server processes allowed to start
# MaxRequestsPerChild .. maximum number of requests a server process serves
<IfModule prefork.c>
StartServers         5
MinSpareServers      5
MaxSpareServers     10
MaxClients          20
MaxRequestsPerChild  0
</IfModule>

# pthread MPM
# StartServers ......... initial number of server processes to start
# MaxClients ........... maximum number of server processes allowed to start
# MinSpareThreads ...... minimum number of worker threads which are kept spare
# MaxSpareThreads ...... maximum number of worker threads which are kept spare
# ThreadsPerChild ...... constant number of worker threads in each server process
# MaxRequestsPerChild .. maximum number of requests a server process serves
<IfModule worker.c>
StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

# perchild MPM
# NumServers ........... constant number of server processes
# StartThreads ......... initial number of worker threads in each server process
# MinSpareThreads ...... minimum number of worker threads which are kept spare
# MaxSpareThreads ...... maximum number of worker threads which are kept spare
# MaxThreadsPerChild ... maximum number of worker threads in each server process
# MaxRequestsPerChild .. maximum number of connections per server process (then it dies)
<IfModule perchild.c>
NumServers           5
StartThreads         5
MinSpareThreads      5
MaxSpareThreads     10
MaxThreadsPerChild  20
MaxRequestsPerChild  0
AcceptMutex fcntl
</IfModule>

User www-data
Group www-data

# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Global error log.
ErrorLog /var/log/apache2/error.log

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

# Include generic snippets of statements
Include /etc/apache2/conf.d/[^.#]*

#Let's have some Icons, shall we?
Alias /icons/ "/usr/share/apache2/icons/"
<Directory "/usr/share/apache2/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Set up the default error docs.
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# Putting this all together, we can Internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line;
#
# Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /usr/local/apache2/error/include/ files and
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    Alias /error/ "/usr/share/apache2/error/"

    <Directory "/usr/share/apache2/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>

    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
    ErrorDocument 410 /error/HTTP_GONE.html.var
    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
    ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var
    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
</IfModule>
</IfModule>

#Added, TNorth, 01.2005
ServerAdmin tnorth@bluewin.ch
DocumentRoot "/var/www/"
<Directory "/var/www/">
    Options Indexes Includes FollowSymLinks
    # AllowOverride = All to give priority to .htaccess files
    AllowOverride All
    order allow,deny
    # allow from = all to let everyone access the documents
    allow from all
    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
</Directory>
#End of TNorth's additions

# UserDir is now a module
#UserDir public_html
#UserDir disabled root

#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options Indexes SymLinksIfOwnerMatch IncludesNoExec
#</Directory>

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

UseCanonicalName Off

TypesConfig /etc/mime.types
DefaultType text/plain

HostnameLookups Off

IndexOptions FancyIndexing VersionSort

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

# This really should be .jpg.

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

# This is from Matty J's patch. Anyone want to make the icons?
#AddIcon /icons/dirsymlink.jpg ^^SYMDIR^^
#AddIcon /icons/symlink.jpg ^^SYMLINK^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* RCS CVS *,t

AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .et
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage it .it
AddLanguage ja .ja
AddLanguage pl .po
AddLanguage ko .ko
AddLanguage pt .pt
AddLanguage no .no
AddLanguage pt-br .pt-br
AddLanguage ltz .ltz
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cz .cz
AddLanguage ru .ru
AddLanguage tw .tw
AddLanguage zh-tw .tw

LanguagePriority en da nl et fr de el it ja ko no pl pt pt-br ltz ca es sv tw

#AddDefaultCharset ISO-8859-1

AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8

AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

AddType application/x-tar .tgz

# To use CGI scripts outside /cgi-bin/:
#
#AddHandler cgi-script .cgi

# To use server-parsed HTML files
#
<FilesMatch "\.shtml(\..+)?$">
    SetOutputFilter INCLUDES
</FilesMatch>

# If you wish to use server-parsed imagemap files, use
#
#AddHandler imap-file map

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully

# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.
#
#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .your_domain.com
#</Location>

# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".your_domain.com" to match your domain to enable.
#
#<Location /server-info>
#    SetHandler server-info
#    Order deny,allow
#    Deny from all
#    Allow from .your_domain.com
#</Location>

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/[^.#]*
```

(phew!)

Sandeman Posted January 8, 2005

A few leads:

What are the rights of the user running Apache?

```
ps faux | grep apache
```

If that user doesn't have the rights to go into /home/projets, Apache will return a 403.

In what you added, you set up filtering by .htaccess... but did you create a .htaccess file?

What does tail /var/log/apache/access.log say?

TNorth Posted January 8, 2005

```
root      2514  0.0  1.7 11708 4504 ?  Ss  10:25  0:00 /usr/sbin/apache2 -k start -DSSL
www-data  2515  0.0  1.1 10296 2988 ?  S   10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL
www-data  2517  0.0  1.8 11832 4852 ?  S   10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL
www-data  2518  0.0  1.8 11708 4660 ?  S   10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL
www-data  2519  0.0  1.8 11708 4660 ?  S   10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL
www-data  2520  0.0  1.8 11708 4652 ?  S   10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL
www-data  2521  0.0  1.8 11708 4652 ?  S   10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL
www-data  2632  0.0  1.8 11708 4652 ?  S   10:28  0:00  \_ /usr/sbin/apache2 -k start -DSSL
```

And yet I did a chown .projet /usr/sbin/apache2

Otherwise, I have no .htaccess... what should I remove? (I'm getting lost in this config file :( )

tail /var/log/apache2/access.log

```
[...] "Mozilla/5.0 (Windows; U; Win98; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0"
192.168.0.2 - - [08/Jan/2005:10:41:57 +0100] "GET /favicon.ico HTTP/1.1" 404 311 "-" "Mozilla/5.0 (Windows; U; Win98; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0"
192.168.0.2 - - [08/Jan/2005:11:13:23 +0100] "GET /projet/ HTTP/1.1" 403 427 "-" "Mozilla/5.0 (Windows; U; Win98; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0"
192.168.0.2 - - [08/Jan/2005:11:13:23 +0100] "GET /favicon.ico HTTP/1.1" 404 311 "-" "Mozilla/5.0 (Windows; U; Win98; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0"
```

(don't you want error.log instead? :)

```
[sat Jan 08 10:41:57 2005] [error] [client 192.168.0.2] File does not exist: /var/www/favicon.ico
[sat Jan 08 11:13:23 2005] [error] [client 192.168.0.2] (13)Permission denied: access to /projet/ denied
[sat Jan 08 11:13:23 2005] [error] [client 192.168.0.2] File does not exist: /var/www/favicon.ico
```

(edit 2: I'm working over SSH here, the screen of the machine in question is killing my eyes!)

(edit 3: here is the tree and its permissions:)

```
ls -lR
.:
total 8
drwxr-xr-x  2 root projet 4096 Jan  8 11:23 projet
-rw-rwxr--  1 root projet   26 Jan  5 19:33 index.php

./projet:
total 4
lrwxrwxrwx  1 root projet   18 Jan  8 11:23 current -> /home/projet/current/
-rwxrwxrwx  1 root projet   20 Jan  8 10:31 index.php
```

TNorth Posted January 8, 2005

Up

Otherwise, isn't there an Apache-oriented forum where I could ask my questions?

gauret Posted January 8, 2005

You can increase Apache's log level and look in the error_log, if all else fails.

If you want to know whether it's the symbolic link that is the sticking point, remove it temporarily.

theocrite Posted January 9, 2005

> And yet I did a chown .projet /usr/sbin/apache2

I don't see the point. It's perfectly fine as root:root.

So, the apache2.conf looks fine (I have practically the same thing and symbolic links work).

Do a tail -10 instead, because that's a bit thin (and change the log level as Gauret says).

> (edit 2: I'm working over SSH here, the screen of the machine in question is killing my eyes!)

He says he has no knees anymore.

> (edit 3: here is the tree and its permissions:)
> ls -lR
> .:
> total 8
> drwxr-xr-x  2 root projet 4096 Jan  8 11:23 projet
> -rw-rwxr--  1 root projet   26 Jan  5 19:33 index.php
>
> ./projet:
> total 4
> lrwxrwxrwx  1 root projet   18 Jan  8 11:23 current -> /home/projet/current/
> -rwxrwxrwx  1 root projet   20 Jan  8 10:31 index.php

If that's your /home/projet, then you have a recursive link. If that's your /var/www, then the files must all be owned by www-data. Apparently it does execute because it is in the same group as Apache (projet), but that's really dirty.

Don't forget that you have these lines in your apache2.conf:

```
User www-data
Group www-data
```

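Added example (not part of any post in this thread): a small shell check for the two points raised above, that the account Apache runs as must be able to traverse every directory behind the symlink, and that which permission bits apply depends on the `User`/`Group` it runs under. The function names, the 770 mode on `home/projet` and the demo tree are assumptions made for illustration; GNU `stat` and `readlink` are assumed.

```shell
# Mode-bit walk of a path for one account. Assumes GNU stat and readlink;
# ACLs and MAC policies (SELinux, AppArmor) are not considered.

# has_bit FILE USER "GROUPS" MASK  (MASK in owner position: 64 = x, 256 = r)
# Unix applies exactly one class: owner, else group, else other.
has_bit() {
    hb_mode=$((0$(stat -c %a "$1")))          # octal string -> integer
    hb_mask=$4
    if [ "$(stat -c %U "$1")" != "$2" ]; then
        hb_mask=$(($4 >> 6))                  # "other" unless a group matches
        for hb_g in $3; do
            if [ "$hb_g" = "$(stat -c %G "$1")" ]; then hb_mask=$(($4 >> 3)); fi
        done
    fi
    [ $((hb_mode & hb_mask)) -ne 0 ]
}

# first_blocked TARGET USER "GROUPS" [BASE]: resolve symlinks, walk the real
# path from the top, print the first component USER cannot search (directory)
# or read (file) and return 1. Components at or above BASE are skipped.
first_blocked() {
    fb_real=$(readlink -f "$1") && [ -e "$fb_real" ] || return 2
    fb_base=$(readlink -f "${4:-/}")
    fb_rest=${fb_real#/}
    fb_path=
    while [ -n "$fb_rest" ]; do
        fb_path="$fb_path/${fb_rest%%/*}"
        case $fb_rest in */*) fb_rest=${fb_rest#*/} ;; *) fb_rest= ;; esac
        case "$fb_base/" in "$fb_path"/*) continue ;; esac
        fb_need=64; [ -d "$fb_path" ] || fb_need=256
        if ! has_bit "$fb_path" "$2" "$3" "$fb_need"; then
            printf '%s\n' "$fb_path"
            return 1
        fi
    done
    return 0
}

# demo [USER]: constructed tree shaped like the thread's; mode 770 on
# home/projet is an assumption, and the temp dir's group stands in for 'projet'.
demo() {
    u=${1:-www-data}
    d=$(readlink -f "$(mktemp -d)")
    mkdir -p "$d/www/projet" "$d/home/projet/current"
    : > "$d/home/projet/current/index.php"
    ln -s "$d/home/projet/current" "$d/www/projet/current"
    chmod 755 "$d/home" "$d/home/projet/current"
    chmod 644 "$d/home/projet/current/index.php"
    chmod 770 "$d/home/projet"
    g=$(stat -c %G "$d/home/projet")
    t=$d/www/projet/current/index.php
    b=$(first_blocked "$t" "$u" "$u" "$d") || :
    echo "groups '$u': first blocked: ${b#$d}"
    b=$(first_blocked "$t" "$u" "$u $g" "$d") || :
    echo "groups '$u $g': first blocked: ${b:-none}"
    rm -rf "$d"
}
demo
```

On a live host, pass the real group list from `id -Gn www-data`, and run the check on the directory holding the link as well as on the link target.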
TNorth Posted January 13, 2005

Hello!

I'm back late, sorry. So, I changed Apache's group, and it's perfect :)

Now it's MySQL that is acting up: I'd like to have databases outside /var/lib/mysql/, with a link ln -s /home/projet/mysql/ nom_base inside it. Obviously, mysql runs as mysql.mysql and doesn't go through the symbolic link. Besides, phpMyAdmin doesn't see any new databases :(

How do I change MySQL's group? my.cnf contains the user info, but it doesn't like it when you put user=mysql.projet

Is there a not-too-hacky option, or do I set up a cron job that synchronizes the two directories?

TNorth Posted January 13, 2005

Clarification: MySQL doesn't seem to follow symbolic links, even ones belonging to it (mysql.mysql), contrary to what http://dev.mysql.com/doc/mysql/fr/Changing_MySQL_user.html indicates. Read, write and execute permissions are nevertheless granted to it.

theocrite Posted January 13, 2005

Why move the MySQL databases? Instead, put a symbolic link from projet to mysql with the appropriate permissions.

TNorth Posted January 14, 2005

I could, but it's darcs, a project management system, that works in these directories and is unable to follow a symbolic link. It can however follow a hard link, but since you can't make hard links to directories...

This topic is now archived and is closed to further replies.