1

I installed a CGI script on a fresh installation of Apache 2.4 on Ubuntu Server 14.04. Apache keeps replying with 403 Forbidden even though, to me, the configuration file is OK. The CGI is the Monitorix front-end, a system monitoring tool written in Perl.

The configuration file /etc/apache2/conf-enabled/monitorix.conf is:

Alias /monitorix /var/lib/monitorix/www
ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi

<Directory /var/lib/monitorix/www/cgi/>
        DirectoryIndex monitorix.cgi
        Options ExecCGI
        <IfModule mod_authz_core.c>
                # Apache 2.4
                Require all granted
        </IfModule>
        <IfModule !mod_authz_core.c>
                # Apache 2.2
                Order deny,allow
                Allow from all
        </IfModule>
</Directory>

All files in /var/lib/monitorix/www and /var/lib/monitorix/www/cgi have at least read permission for all. Every time I try to access the URL /monitorix, I see these lines in my Apache log:

[Mon Sep 01 06:57:52.995680 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58879] AH01630: client denied by server configuration: /var/lib/monitorix/www
[Mon Sep 01 07:00:10.131166 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58903] AH01630: client denied by server configuration: /var/lib/monitorix/www
[Mon Sep 01 07:00:11.102614 2014] [authz_core:error] [pid 17145] [client x.x.x.x:58903] AH01630: client denied by server configuration: /var/lib/monitorix/www
...

Also, I cannot understand why, when I access the URL /monitorix-cgi (I got the idea from the ScriptAlias directive), I get 200 OK and can see the Perl source of /var/lib/monitorix/www/cgi/monitorix.cgi.

Some time ago I installed this tool on Debian and had no problems: /monitorix worked as expected and /monitorix-cgi correctly gave me 403 Forbidden instead of showing the Perl source file.

Update: this issue has been reported to Monitorix and probably fixed (#69)

lorenzo-s
  • 357

3 Answers

5

When you access /monitorix in a browser, you are accessing /var/lib/monitorix/www. Your Directory block allows access to /var/lib/monitorix/www/cgi, not /var/lib/monitorix/www. Either change the Alias to:

Alias /monitorix /var/lib/monitorix/www/cgi

or add an additional Directory block:

<Directory /var/lib/monitorix/www/>
    <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order deny,allow
            Allow from all
    </IfModule>
</Directory>

As for seeing the source of the cgi, it's probably mod_cgi's configuration. Either it's not enabled or it's not set to handle *.cgi files. You may need to add:

AddHandler cgi-script .cgi

to your virtualhost or directory block. If that doesn't work, try this in your shell:

sudo a2enmod cgi

and follow the instructions to reload apache. If it still doesn't work, add a comment below and possibly update your question. I'll take another look and maybe set up a test system.

Jeff Snider
  • 3,292
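
The first point of the answer above, turned into a check (an added example, not part of the original answers): it lists every Alias/ScriptAlias target that no `<Directory>` block with `Require all granted` covers. The function names `uncovered_aliases` and `question_conf` are hypothetical, and the check is a simplification that reads one file and only literal `<Directory>` paths.

```shell
#!/bin/sh
# Added example: list Alias/ScriptAlias targets that no <Directory> block
# with "Require all granted" covers. Simplification: only literal <Directory>
# paths in the given file are considered (no includes, regexes or <Location>).

uncovered_aliases() {   # usage: uncovered_aliases CONF_FILE
    awk '
    function norm(p) { gsub(/"/, "", p); sub(/\/+$/, "", p); return p }
    /^[ \t]*#/ { next }                                  # skip comment lines
    $1 == "Alias" || $1 == "ScriptAlias" { url[norm($3)] = $2 }
    $1 == "<Directory" { p = $2; sub(/>$/, "", p); dir = norm(p); next }
    $1 == "</Directory>" { dir = "" }
    dir != "" && /Require[ \t]+all[ \t]+granted/ { granted[dir] = 1 }
    END {
        for (t in url) {
            ok = 0
            # A <Directory> grant applies to that directory and everything below it.
            for (d in granted) if (t == d || index(t, d "/") == 1) ok = 1
            if (!ok) print url[t] " -> " t
        }
    }' "$1"
}

# The configuration from the question, reduced to its Apache 2.4 branch.
question_conf() {
    cat <<'EOF'
Alias /monitorix /var/lib/monitorix/www
ScriptAlias /monitorix-cgi /var/lib/monitorix/www/cgi

<Directory /var/lib/monitorix/www/cgi/>
        DirectoryIndex monitorix.cgi
        Options ExecCGI
        Require all granted
</Directory>
EOF
}

conf=$(mktemp)
question_conf > "$conf"
uncovered_aliases "$conf"     # prints: /monitorix -> /var/lib/monitorix/www
rm -f "$conf"
```

The one line it reports is the path named in the AH01630 log entries; once a `<Directory /var/lib/monitorix/www/>` block with `Require all granted` is added, the output is empty.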
1

I think you need a Require line:

Require all granted
0

The following config worked for me (Apache 2.4):

<VirtualHost *:443>
        ServerName your.server.com
        DocumentRoot "/var/lib/monitorix/www"

        AddHandler cgi-script .cgi

        Alias /cgi /var/lib/monitorix/www/cgi

        <Directory "/var/lib/monitorix/www">
                Require all granted
        </Directory>

        <Directory "/var/lib/monitorix/www/cgi">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Require all granted
        </Directory>
</VirtualHost>

The /etc/monitorix/monitorix.conf looks like:

    base_url = /
    base_cgi = /cgi

And disable the built-in httpd service:

    <httpd_builtin>
            enabled = n
    </httpd_builtin>