Related
I try to run a Mezzio application on my server I do the following steps :
- Create a Mezzio project
composer create-project mezzio/mezzio-skeleton symphonie
I choose modular application, fast router, service manager, plates renderer and Whoops
I create my virtual host like this :
<VirtualHost *:80>
Alias /symphonie "/data/symphonie/public"
<Directory "/data/symphonie">
Options Indexes MultiViews FollowSymlinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
But when I enter this url in Google Chrome : https://app.inra.fr/symphonie/ I got a 404 error.
I have no messages in the apache logs. By cons all the links on the page redirects me to https://app.inra.fr/ and not to https://app.inra.fr/symphonie/
Here is the configuration of my server:
Centos 8
Apache 2.4 with rewrite module enabled
PHP 7.3
Do you have any leads to solve my problem?
thanks in advance
Shishi
Mezzio application does not have built-in support for base path.
You would need to handle following aspects:
web server rewrites for subfolder. Looks like you did that part.
middleware will need to be piped early to remove base path from request object before passing it further
base path url helper.
Mezzio provides url helper in mezzio/mezzio-helpers package. Middleware from the previous step could also be used to inject base path into url helper. If some of your middlewares use different ways to handle urls, those will need to be setup as well.
Mezzio documentation have the page covering this use case:
https://docs.mezzio.dev/mezzio/v3/cookbook/using-a-base-path/
It is not too detailed and pull requests to improve it are welcome ;)
When I am trying to hit from my api to authenticate user from keycloak, but its giving me error Invalid parameter: redirect_uri on keycloak page. I have created my own realm apart from master. keycloak is running on http. Please help me.
What worked for me was adding wildchar '*'. Although for production builds, I am going to be more specific with the value of this field. But for dev purposes you can do this.
Setting available under, keycloak admin console -> Realm_Name -> Cients -> Client_Name.
EDIT: DO NOT DO THIS IN PRODUCTION. Doing so creates a large security flaw.
If you are a .Net Devloper Please Check below Configurations
keycloakAuthentication options class set
CallbackPath = RedirectUri,//this Property needs to be set other wise it will show invalid redirecturi error
I faced the same error. In my case, the issue was with Valid Redirect URIs was not correct. So these are the steps I followed.
First login to keycloack as an admin user.
Then Select your realm(maybe you will auto-direct to the realm). Then you will see below screen
Select Clients from left panel.
Then select relevant client which you configured for your app.
By default, you will be Setting tab, if not select it.
My app was running on port 3000, so my correct setting is like below.
let say you have an app runs on localhost:3000, so your setting should be like this
If you're getting this error because of a new realm you created
You can directly change the URL in the URL bar to get past this error. In the URL that you are redirected to (you may have to look in Chrome dev tools for this URL), change the realm from master to the one you just created, and if you are not using https, then make sure the redirect_uri is also using http.
If you're getting this error because you're trying to setup Keycloak on a public facing domain (not localhost)
Step 1)
Follow this documentation to setup a MySql database (link's broken. If you find some good alternative documentation that works for you, feel free to update this link and remove this message). You may also need to refer to this documentation.
Step 2)
Run the command update REALM set ssl_required = 'NONE' where id = 'master';
Note:
At this point, you should technically be able to login, but version 4.0 of Keycloak is using https for the redirect uri even though we just turned off https support. Until Keycloak fixes this, we can get around this with a reverse proxy. A reverse proxy is something we will want to use anyhow to easily create SSL/TLS certificates without having to worry about Java keystores.
Note 2: After writing these instructions, Keycloak come out with their own proxy. They then stopped supporting it and recommended using oauth2 proxy instead. It is lacking some features the Keycloak proxy had, and an unoffical version of that proxy is still being maintained here. I haven't tried using either of these proxies, but at this point, you might want to stop following my directions and use one of those instead.
Step 3) Install Apache. We will use Apache as a reverse proxy (I tried NGINX, but NGINX had some limitations that got in the way). See yum installing Apache (CentOs 7), and apt-get install Apache (Ubuntu 16), or find instructions for your specific distro.
Step 4) Run Apache
Use sudo systemctl start httpd (CentOs) or sudo systemctl start apache2 (Ubuntu)
Use sudo systemctl status httpd (CentOs) or sudo systemctl status apache2
(Ubuntu) to check if Apache is running. If you see in green text the words active (running) or if the last entry reads Started The Apache HTTP Server. then you're good.
Step 5) We will establish a SSL connection with the reverse proxy, and then the reverse proxy will communicate to keyCloak over http. Because this http communication is happening on the same machine, you're still secure. We can use Certbot to setup auto-renewing certificates.
If this type of encryption is not good enough, and your security policy requires end-to-end encryption, you will have to figure out how to setup SSL through WildFly, instead of using a reverse proxy.
Note:
I was never actually able to get https to work properly with the admin portal. Perhaps this may have just been a bug in the beta version of Keycloak 4.0 that I'm using. You're suppose to be able to set the SSL level to only require it for external requests, but this did not seem to work, which is why we set https to none in step #2. From here on we will continue to use http over an SSH tunnel to manage the admin settings.
Step 6)
Whenever you try to visit the site via https, you will trigger an HSTS policy which will auto-force http requests to redirect to https. Follow these instructions to clear the HSTS rule from Chrome, and then for the time being, do not visit the https version of the site again.
Step 7)
Configure Apache. Add the virtual host config in the code block below. If you've never done this, then the first thing you'll need to do is figure out where to add this config file.
On RHEL and some other distros
you'll need to find where your httpd.conf or apache2.conf file is located. That config file should be loading virtual host config files from another folder such as conf.d.
If you are using Ubuntu or Debian,
your config files will be located in /etc/apache2/sites-available/ and you'll have an extra step of needing to enable them by running the command sudo a2ensite name-of-your-conf-file.conf. That'll create a symlink in /etc/apache2/sites-enabled/ which is where Apache looks for config files on Ubuntu/Debian (and remember the config file was placed in sites-available, slightly different).
All distros
Once you've found the config files, change out, or add, the following virtual host entries in your config files. Make sure you don't override the already present SSL options that where generated by certbot. When done, your config file should look something like this.
<VirtualHost *:80>
RewriteEngine on
#change https redirect_uri parameters to http
RewriteCond %{request_uri}\?%{query_string} ^(.*)redirect_uri=https(.*)$
RewriteRule . %1redirect_uri=http%2 [NE,R=302]
#uncomment to force https
#does not currently work
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI}
#forward the requests on to keycloak
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
RewriteEngine on
#Disable HSTS
Header set Strict-Transport-Security "max-age=0; includeSubDomains;" env=HTTPS
#change https redirect_uri parameters to http
RewriteCond %{request_uri}\?%{query_string} ^(.*)redirect_uri=https(.*)$
RewriteRule . %1redirect_uri=http%2 [NE,R=302]
#forward the requests on to keycloak
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
#Leave the items added by certbot alone
#There should be a ServerName option
#And a bunch of options to configure the location of the SSL cert files
#Along with an option to include an additional config file
</VirtualHost>
</IfModule>
Step 8) Restart Apache. Use sudo systemctl restart httpd (CentOs) or sudo systemctl restart apache2 (Ubuntu).
Step 9)
Before you have a chance to try to login to the server, since we told Keycloak to use http, we need to setup another method of connecting securely. This can be done by either installing a VPN service on the keycloak server, or by using SOCKS. I used a SOCKS proxy. In order to do this, you'll first need to setup dynamic port forwarding.
ssh -N -D 9905 user#example.com
Or set it up via Putty.
All traffic sent to port 9905 will now be securely routed through an SSH tunnel to your server. Make sure you whitelist port 9905 on your server's firewall.
Once you have dynamic port forwarding setup, you will need to setup your browser to use a SOCKS proxy on port 9905. Instructions here.
Step 10) You should now be able to login to the Keycloak admin portal. To connect to the website go to http://127.0.0.1, and the SOCKS proxy will take you to the admin console. Make sure you turn off the SOCKS proxy when you're done as it does utilize your server's resources, and will result in a slower internet speed for you if kept on.
Step 11) Don't ask me how long it took me to figure all of this out.
IMPORTANT UPDATE IN KEYCLOAK 18
In the newest keycloak 18, they have deprecated the redirect_uri variable for the openid connect logout -> https://www.keycloak.org/docs/latest/upgrading/index.html#openid-connect-logout
Go to keycloak admin console > SpringBootKeycloak> Cients>login-app page.
Here in valid-redirect uris section add
http://localhost:8080/sso/login
This will help resolve indirect-uri problem
For me, I had a missing trailing slash / in the value for Valid Redirect URIs
[For Keycloak version 18 or Higher]
None of the mentioned solutions should be working if you are using Keycloak 18 or a higher version.
According to the version 18 release note. Keycloak does not support logout with redirect_uri anymore. you need to include post_logout_redirect_uri and id_token_hint as parameters.
Please check the answer of this question for more information.
keycloak: using react user can login but when I try logout I get a message "Invalid parameter: redirect_uri"
Log in the Keycloak admin console website, select the realm and its client, then make sure all URIs of the client are prefixed with the protocol, that is, with http:// for example. An example would be http://localhost:8082/*
Another way to solve the issue, is to view the Keycloak server console output, locate the line stating the request was refused, copy from it the redirect_uri displayed value and paste it in the * Valid Redirect URIs field of the client in the Keycloak admin console website. The requested URI is then one of the acceptables.
If you're seeing this problem after you've made a modification to the Keycloak context path, you'll need to make an additional change to a redirect url setting:
Change <web-context>yourchange/auth</web-context> back to
<web-context>auth</web-context> in standalone.xml
Restart Keycloak and navigate to the login page (/auth/admin)
Log in and select the "Master" realm
Select "Clients" from the side menu
Select the "security-admin-console" client from the list that appears
Change the "Valid Redirect URIs" from /auth/admin/master/console/* to
/yourchange/auth/admin/master/console/*
Save and sign out. You'll again see the "Invalid redirect url" message after signing out.
Now, put in your original change
<web-context>yourchange/auth</web-context> in standalone.xml
Restart Keycloak and navigate to the login page (which is now
/yourchange/auth/admin)
Log in and enjoy
I faced the same issue. I rectified it by going to the particular client under the realm respectively therein redirect URL add * after your complete URL.
I had the same problem with "localhost" in the redirect URL. Change to 127.0.0.1 in the "Valid Redirect URIs" field of clients config (KeyCloak web admin console). It works for me.
It seems that this problem can occur if you put whitespace in your Realm name. I had name set to Debugging Realm and I got this error. When I changed to DebuggingRealm it worked.
You can still have whitespace in the display name. Odd that keycloak doesn't check for this on admin input.
even I faced the same issue. I rectified it by going to the particular client under the realm respectively therein redirect URL add * after your complete URL.
THE PROBLEM WILL BE SOLVED
Example:
redirect URI: http:localhost:3000/myapp/generator/*
Looking at the exact rewrite was key for me. the wellKnownUrl lookup was returning "http://127.0.01:7070/" and I had specified "http://localhost:7070" ;-)
I faced the Invalid parameter: redirect_uri problem problem while following spring boot and keycloak example available at http://www.baeldung.com/spring-boot-keycloak. when adding the client from the keycloak server we have to provide the redirect URI for that client so that keycloak server can perform the redirection.
When I faced the same error multiple times, I followed copying correct URL from keycloak server console and provided in the valid Redirect URIs space and it worked fine!
This error is also thrown when your User does not have the expected Role delegated in User definition(Set role for the Realm in drop down).
Your redirect URI in your code(keycloak.init) should be the same as the redirect URI set on Keycloak server (client -> Valid Uri)
Ran into this problem too. After two days of pulling my hair out I discovered that the URLs in Keycloak are case sensitive. However the browser coverts the URL to lowercase, which means that uppercase URLs in Keycloak will never work.
e.g. my server name is MYSERVER (hostname returns MYSERVER)
Keycloak URLs are https://MYSERVER:8080/*
Browse to https://myserver:8080 -> fails invalid_url
Browse to https://MYSERVER:8080 -> fails invalid_url
Change Keycloak URLs to https://myserver:8080/*
Browse to https://myserver:8080 -> works
Browse to https://MYSERVER:8080 -> works
We also saw this, but only on certain URLs. After seeing this clue, I realized that the Java URI constructor has to be able to decode it,
like so URI uri = URI.create(redirectUri);
We had a { and } in our URLs which normally worked fine, but when going through two layers of URL decode/encode, Java decided the { and } were invalid.
We'll be changing our curly braces to something else to get around the double encode/decode issue.
I know other people provided the same answer, but my reputation was not high enough to upvote them. In the redirect menu, Mine had a redirect of " 0.0.0.0:8080/* ". I added
(actualIP) followed by :8080/* and it worked.
In your client, set the origin of your request. In my case, localhost:3000 (javaScript client)
If you are using the Authorization Code Flow then the response_type query param must be equal to code. See https://www.keycloak.org/docs/3.3/server_admin/topics/sso-protocols/oidc.html
You need to check the keycloak admin console for fronted configuration. It must be wrongly configured for redirect url and web origins.
If you're trying to redirect to the keycloak login page after logout (as I was), that is not allowed by default but also needs to be configured in the "Valid Redirect URIs" setting in the admin console of your client.
Check that the value of the redirect_uri parameter is whitelisted for the client that you are using. You can manage the configuration of the client via the admin console.
The redirect uri should match exactly with one of the whitelisted redirect uri's, or you can use a wildcard at the end of the uri you want to whitelist. See: https://www.keycloak.org/docs/latest/server_admin/#_clients
Note that using wildcards to whitelist redirect uri's is allowed by Keycloak, but is actually a violation of the OpenId Connect specification. See the discussion on this at https://lists.jboss.org/pipermail/keycloak-dev/2018-December/011440.html
My issue was caused by the wrong client_id (OPENID_CLIENT_ID) I had defined in the deployment.yaml. Make sure this field is assigned with the one in Keycloak client id.
The problem seems related to an invalid value in Valid Redirect URIs field. You can try with one of these tips:
set the same value of Client ID (if it's a URL) making it end with /* , or
tryingToLearn 's reponse [https://stackoverflow.com/a/51420355/97799] (but beware of security issues).
I into this due to a malformed redirect url in the keycloak client:
https://http://192.168.1.10/hub/oauth_callback
As soon as I took out https:// the error
I'm using version 20.0.2 and, for me, the solution was to simply add a '+' in the "Valid post logout redirect URIs" field:
As stated in the help balloon, "A value of '+' will use the list of valid redirect uris".
I faced a similar issue because I create a realm with two words and had a space on it. eg Test Realm, this gave me this error. I put an underscore and was good to go eg, Test_Realm.
Is it not possible in Mamp Pro 4 to have both http and https? The application I am working on requires both depending on the page.
I must be missing something as it makes no sense when I enable SSL only https works and http then stops working.
I tried going through the http.conf, but really have no idea whats causing this.
I think it just generates the vhost for https only and then removes http. Doesn't even look like you can manually edit it.
Any suggestion would be great.
Well to update my own post and if anyone else has this problem.
The software is currently not capable of this on the same hostname.
According to Mamp support you have to create two hosts with the same name (e.g. sample.app and sample.app.).
Enable one of the "sample.app" hostnames to use SSL
Enable the second host entry "sample.app" to not use SSL. (Don't forget to hold Alt or Option when clicking on +)
Point both to the same directory.
Mamp will highlight this in red, as its warning that you have two of the same hostnames.
So currently this is the only solution I am aware of for this issue.
Hope they resolve this in future updates as a lot of applications, especially ecommerce rely on the ability to switch between http and https.
You can see this on the Mamp Pro documentation here.
I got a simple solution by edit template:
Open Mamp Pro
File > Edit Template > Apache > httpd-ssl.conf
Add these line after
<VirtualHost *:80>
ServerName MAMP_SSLVirtualHost_ServerName_MAMP
MAMP_SSLVirtualHost_ServerAdmin_MAMP
MAMP_SSLVirtualHost_DirectoryIndex_MAMP
DocumentRoot MAMP_SSLVirtualHost_DocumentRoot_MAMP
</VirtualHost>
Mamp Pro 5 in 2020 Update
To tag onto MrDuy's great response, as the Alt Click on the + doesn't seem to work in V5, editing the httpd-ssl.conf template seems to be the way to go.
However MrDuy's answer assumes you're using port 80 for HTTP inside MAMP, which is not the default 8888. Additionally, and I can't speak for MAMP PRO 4 users, the snippet needs to be placed before the MAMP_SSLVirtualHost_iteration_end_MAMP line at the bottom of the file, as obviously this is the end marker that MAMP uses to conduct its iteration of the hosts in the GUI.
TLDR;
Follow the first two steps in MrDuy's answer:
Open MAMP Pro
File > Edit Template > Apache > httpd-ssl.conf
Then, at the bottom of the file, locate the line with MAMP_SSLVirtualHost_iteration_end_MAMP Before this line, paste the following:
<VirtualHost *:8888>
ServerName MAMP_SSLVirtualHost_ServerName_MAMP
MAMP_SSLVirtualHost_ServerAdmin_MAMP
MAMP_SSLVirtualHost_DirectoryIndex_MAMP
DocumentRoot MAMP_SSLVirtualHost_DocumentRoot_MAMP
</VirtualHost>
It would've been niced to use the placeholder markers MAMP uses in it's non SSL config file (MAMP_VirtualHost_IP_MAMP, MAMP_VirtualHost_Port_MAMP etc) but obviously these aren't passed in the file. Which means that if you decide to change the HTTP port, you must also manually update this file.
#MAMP, can't we make this a default? :`(
Cheers!
I get this error when trying to access localhost via a browser.
AH01630: client denied by server configuration
I checked my site folder permissions using:
sudo chmod 777 -R *
Here is my configuration file:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /home/user-name/www/myproject
<Directory />
Options FollowSymLinks
AllowOverride all
Allow from all
</Directory>
<Location />
Allow from all
Order Deny,Allow
</Location>
<Directory /home/user-name/www/myproject/>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride all
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride all
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
If you are using Apache 2.4
You have to check allow and deny rules
Check out http://httpd.apache.org/docs/2.4/upgrading.html#access
In 2.2, access control based on client hostname, IP address, and other
characteristics of client requests was done using the directives
Order, Allow, Deny, and Satisfy.
In 2.4, such access control is done in the same way as other
authorization checks, using the new module mod_authz_host.
The new directive is Require:
2.2 configuration:
Order allow,deny
Allow from all
2.4 configuration:
Require all granted
Also don't forget to restart the apache server after these changes (# service httpd restart)
For all directories write Require all granted instead of Allow from all
Update
If the above doesn't work then also remove this below mentioned line:
Order allow,deny
Double check that the DocumentRoot path is correct. That can cause this error.
I made the same changes that ravisorg suggested to OSX 10.10 Yosemite that upgrades Apache to version 2.4. Below are the changes that were added to http.conf.
<Directory />
AllowOverride none
Require all denied
</Directory>
<Directory /Volumes/Data/Data/USER/Sites/>
AllowOverride none
Require all granted
</Directory>
The problem is in VirtualHost but probablely is not
Require all granted
Confirm your config is correct,here is correct sample
This drove me absolutely nuts for a day and a half but I found a solution if all other solutions have been tried unsuccessfully.
This is for macOS.
Go to activity Monitor (spotlight search for: activity)
In activity monitor search for httpd which is the Apache service
Select the one that belongs to root and click X on the top left to close it.
At that point I immediately stopped getting 403 errors and everything started working as expected. Weird thing is i didn't even have to restart apache it just worked, i guess it restarted itself when i went to my localhost, I honestly don't know but I guess the problem is Apache not actually restarting when using apachectl restart, or stop or start. Hope this helps someone.
For me, all proposed solutions won't worked. This can help, if you use cgi, fastcig or fpm as proxy you have to add a location in your vhost to avoid this problem. This allows 404 to be passthrough proxy.
<Location />
require all granted
</Location>
in my case,
i'm using macOS Mojave (Apache/2.4.34). There was an issue in virtual host settings at /etc/apache2/extra/httpd-vhosts.conf file. after adding the required directory tag my problem was gone.
Require all granted
Hope the full virtual host setup structure will save you.
<VirtualHost *:80>
DocumentRoot "/Users/vagabond/Sites/MainProjectFolderName/public/"
ServerName project.loc
<Directory /Users/vagabond/Sites/MainProjectFolderName/public/>
Require all granted
</Directory>
ErrorLog "/Users/vagabond/Sites/logs/MainProjectFolderName.loc-error_log"
CustomLog "/Users/vagabond/Sites/logs/MainProjectFolderName.loc-access_log" common
</VirtualHost>
all you've to do replace the MainProjectFolderName with your exact ProjectFolderName.
I got resolved my self after spending couple of hours.
I installed Apache/2.4.7 (Ubuntu) through coookbook in vagrant vm.
/etc/apache2/apache2.conf file does not have <VirtualHost *:80> element by default.
I did two changes to get it done
added <VirtualHost *:80>
added
Options Indexes FollowSymLinks
AllowOverride all
Allow from all
then finally I just booted vm..
Has anyone thought about that wamp server default not include the httpd-vhosts.conf file.
My approach is to remove the note below
conf
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
in httpd.conf file.
That is all.
If you tail the error log and reload the page, you should see some more information as to the exact problem.
Grab the environment variables so ${APACHE_LOG_DIR} will actually work...
source /etc/apache2/envvars
Then tail and watch...
tail -f ${APACHE_LOG_DIR}/error.log
This was driving me crazy. Finally figured out what the problem was:
I was using direct paths for the error log and they were wrong.
Why does Apache give a vague (and wrong) error message? Instead use a correct and useful error message like: Path for ErrorLog directive "/wrong/path/and/filename.log" is invalid.
Anyway, to fix make sure your error log directives look something like this:
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
If you are using Apache 2.4 in WampServer on windows OS.
You need to open https-vhosts.conf file in notepad.
C:\wamp64\bin\apache\apache2.4.37\conf\extra\https-vhosts.conf
If you unable to find above file. check screenshot below
<VirtualHost *:80>
ServerName localhost
DocumentRoot c:/wamp64/www
<Directory "c:/wamp64/www/">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
</VirtualHost>
In above code Replace
Require local
with
Require all granted
And save it. Restart Apache service and try again.
For me, I had actually updated the Allow and Deny rules based on the 2.4 standard.
Require all granted
However, this was still causing me to receive the same AH01630 error. I found another thread and it suggested reinstalling apache2. Somehow this worked! If anyone cares to explain why, that would be helpful.
Credit to: AH01630: client denied by server configuration but require all granted is set (Apache 2.4, CentOs)
...
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
...
If you have https host then don't forget to make Require all granted changes for ssl config too.
Also, sometimes it's useful to check permissions as the apache user:
# ps -eFH | grep http # get the username used by httpd
...
apache 18837 2692 0 119996 9328 9 10:33 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
# su -s/bin/bash apache # switch to that user
bash-4.2$ whoami
apache
bash-4.2$ cd /home
bash-4.2$ ls
bash-4.2$ cd mysite.com
bash-4.2$ ls
bash-4.2$ cat file-which-does-not-work.txt
When using Ubuntu check whether the CGI module is enabled. If not:
sudo a2enmod cgi
Ensure that any user-specific configs are included!
If none of the other answers on this page for you work, here's what I ran into after hours of floundering around.
I used user-specific configurations, with Sites specified as my UserDir in /private/etc/apache2/extra/httpd-userdir.conf. However, I was forbidden access to the endpoint http://localhost/~jwork/.
I could see in /var/log/apache2/error_log that access to /Users/jwork/Sites/ was being blocked. However, I was permitted to access the DocumentRoot, via http://localhost/. This suggested that I didn't have rights to view the ~jwork user. But as far as I could tell by ps aux | egrep '(apache|httpd)' and lsof -i :80, Apache was running for the jwork user, so something was clearly not write with my user configuration.
Given a user named jwork, here was my config file:
/private/etc/apache2/users/jwork.conf
<Directory "/Users/jwork/Sites/">
Require all granted
</Directory>
This config is perfectly valid. However, I found that my user config wasn't being included:
/private/etc/apache2/extra/httpd-userdir.conf
## Note how it's commented out by default.
## Just remove the comment to enable your user conf.
#Include /private/etc/apache2/users/*.conf
Note that this is the default path to the userdir conf file, but as you'll see below, it's configurable in httpd.conf. Ensure that the following lines are enabled:
/private/etc/apache2/httpd.conf
Include /private/etc/apache2/extra/httpd-userdir.conf
# ...
LoadModule userdir_module libexec/apache2/mod_userdir.so
For those who stuck at this error as me and nothing helped from above: check if problem folder from error.log actually exists on your server. Mine was generated automatically by Django in wrong place (was messed with static root, then manage.py collectstatic). Have no idea why one can not name errors correctly.
I actually solved this one by adding the directory access to the :80 entry.
<Directory "c:/whatever-directory-you-use/">
AllowOverride All
Require all granted
</Directory>
Before everyone gets all 'security' on me, under my specific circumstances this is not a security issue.
If you are using a remote resource, I'd recommend instead make sure your CURL request goes via HTTPS / TLS, then this directory entry goes on the 443 port.
I ran into this problem when setting up virtual hosts on a new server, and having the sites hosted outside of the standard /var/www/html path. There are two main things that you need to consider (and for example purposes, let's say you are setting up a site in /opt/my-site)
On a default 2.4 installation, there is an explicit denial of access to the root filesystem, and then it only gives access to /var/www/html. So you'll need to give the web server access to read from the new directory with something like this:
<Directory /opt/mysite>
Require all granted
</Directory>
Once you've done that, then make sure the DocumentRoot for your virtual host is somewhere under that path you've granted access to above.
<VirtualHost *:80>
ServerName neatwebsite.com
DocumentRoot /opt/my-site/html
</VirtualHost>
When I ran into this problem, I had all the VirtualHosts set up fine, but forgot to allow read from the directory structure (so I was missing the directive). You'll need to consider both these directives, and how they work together.
For Wamp 3 (Apache 2.4), besides putting the server online as described in the other answers, in the Virtual Hosts file conf/extra/httpd-vhosts.conf
you might need to replace
Require local
with
Require all granted
This is applicable if in httpd.conf you have
Include conf/extra/httpd-vhosts.conf
Beside missing Order and Allow directives mentioned in other answers be aware that a non-matching regular expression of a DirectoryMatch directive may also cause this error.
If the requested path is /home/user-foo1bar/www/myproject/ the folloing matcher won't match
<DirectoryMatch "/home/user-[a-z]+/www/myproject/">
...
</DirectoryMatch>
thus, even a valid access configuration might cause this error.
Because this thread is the first thing that pops up when searching for the error mentioned I would like to add another possible cause for this error: you may have mod_evasive active and the client seeing this error simply has crossed the limits configured in your mod_evasive.conf
This is especially a cause worth investigating if you are suddenly getting this error for a client that had no problems before and nothing else has changed.
(if mod_evasive is the cause then the error will go away by itself if the client just temporarily stops trying to access the site; however it may be a sign that you have configured too tight limits)
In case you are like me and tried all the answers above and none helped, remember to check if your apache2.conf has a line like IncludeOptional conf-enabled/*.conf and then check each of the .conf files in that folder.
Mine had a security.conf file that included this section (which needed to be removed/modified to not block the .php files I needed to run):
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.md|README\.md|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.sv$
Require all denied
</FilesMatch>
I don't know where that file came from unless at some point I went down a rabbit hole of trying to secure my apache configuration, found this conf, added it, and then totally forgot about it.
One obscure (having just dealt with it), yet possible, cause of this is an internal mod_rewrite rule, in the main config file (not .htaccess) that writes to a path which exists at the root of the server file system. Say you have a /media directory in your site, and you rewrite something like this:
RewriteRule /some_image.png /media/some_other_location.png
If you have a /media directory at the root of your server, the rewrite will be attempted to that (resulting in the access denied error) rather than the one in your site directory, since the file system root is checked first by mod_rewrite, for the existence of the first directory in the path, before your site directory.
The problem may be that directive is not under < Directory>
https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html#requiredirectives
The directive can be referenced within a < Directory>, < Files>, or < Location> section as well as .htaccess files to control access to particular parts of the server. Access can be controlled based on the client hostname or IP address.
I got another one that may be useful to someone.
Was receiving the same error message after upgrading from PHP 5.6 => 7.0. We had changed the PHP upload settings, and forgot to change once copied over.
Even though i wasn't uploading images at the time, Silverstripe (our CMS) was refusing to save and throwing that error. Increased the image upload size and it worked straight away.
In case this helps anyone Googling around like I was, I had this error message trying to access a SVG file on my server, e.g. https://example.com/images/file.svg. Other file types seemed fine, just SVG were failing.
I hunted around /etc/httpd conf files and checked every require all denied type of configuration, and just could not find what config was having this effect.
I turned LogLevel to debug in the VirtualHost config and could see the mod_authz_core logging specifying there was a 'Require all denied' in effect:
[Mon Jun 10 13:09:54.321022 2019] [authz_core:debug] [pid 23459:tid 140576341206784] mod_authz_core.c(817): [client 127.0.0.1:54626] AH01626: authorization result of Require all denied: denied
[Mon Jun 10 13:09:54.321038 2019] [authz_core:debug] [pid 23459:tid 140576341206784] mod_authz_core.c(817): [client 127.0.0.1:54626] AH01626: authorization result of <RequireAny>: denied
[Mon Jun 10 13:09:54.321082 2019] [authz_core:error] [pid 23459:tid 140576341206784] [client 127.0.0.1:54626] AH01630: client denied by server configuration: /home/blah/htdocs/images/file.svg
Through blind testing I moved the file to the root of the web root, and found I could then access it at https://example.com/file.svg .. so it only failed in the 'images' folder. This led me to an .htaccess file in the images folder that I had no idea was there.
Turns out Zen Cart 1.5 comes with an images/.htaccess file that has:
# deny *everything*
<FilesMatch ".*">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
</FilesMatch>
# but now allow just *certain* necessary files:
<FilesMatch "(?i).*\.(jpe?g|gif|webp|png|swf)$" >
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
</IfModule>
</FilesMatch>
This was very annoying and I hope this might remind others to check .htaccess files at every level of the file system leading to the file you're having trouble accessing in case there is this kind of tom foolery going on.
This "bug" is actually the new normal behavior of Apache 2.4. In my case, I had a very specific rule to deny access to any folder or file with name starting with ".", so I had to set an exception for a particular public folder that requires such odd name.
For the record my particular Rewrite rule is:
RewriteRule "(?!\.trusted)(^|/)\." - [F]
This rule [F]obits everything starting with "." but .trusted, thanks to the magic of regex "?!" negation.
can anyone help me with this ?
i'm following a zend framework tutorial http://www.youtube.com/watch?v=BOwSfKXKpZQ quickstart (2) I seem to have everything working ok and have craeted a new project called square and can acceess the index page ok - "http://127.0.0.1:8888/square/".
I have also created a new controller called Test , but when i try and access it - "http://127.0.0.1:8888/square/test" i get a 404 error ?? i've tried to solve this but cant seem to get anywhere ??
looks easy on the tutorial !
im using EasyPHP as my testing server.
thanks in advance
It looks like you've dropped your Zend project in the "square" directory, which will work for the index controller but other routes will not match. The "/square/test" route is most likely looking for SquareController::testAction.
What I didn't see at the beginning of that youtube demo is where he set up the virtual host. I'm not familiar with EasyPHP, so there might be an easier way to do it, but you can give your site a local name, we'll call it "square.local", and then you don't have to include the square prefix in the url.
VirtualHost Config:
<VirtualHost *:8888>
ServerName square.local
DocumentRoot /path/to/www/square
</VirtualHost>
Also add square.local to your windows hosts file (C:\Windows\system32\drivers\etc\hosts):
127.0.0.1 localhost square.local
Now you can go to http://square.local to get to IndexController. http://square.local/test to get to TestController, etc.
To start: in applications/configs/application.ini, set
resources.frontController.params.displayExceptions = 1
so that the 404 page can report what module/controller/action the system thinks is being requested.