10

When I access the Apache web server using localhost from the same web server PC, it shows the Apache2 Ubuntu default page.

But when I access the Apache web server using 192.168.0.2, it gives a 403 Forbidden error (Forbidden You don't have permission to access / on this server).

Web Server details

  • Ubuntu 14.04 LTS
  • Apache version 2.4.7

Ownership Commands

sudo adduser ftpuser www-data
sudo chown -R www-data:ftpuser /var/www
sudo chmod -R g+rwX /var/www

In the /etc/apache2/apache2.conf file

ServerName 192.168.0.2

<Directory />
    AllowOverride All
    Require all granted
</Directory>

In the /etc/apache2/ports.conf file

NameVirtualHost *:80
Listen *:80

Virtual Host for one website

<VirtualHost *:80>
    ServerName mysite
    DocumentRoot /var/www/mysite
    <Directory /var/www/mysite>
        Options None FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>    
</VirtualHost>

What settings do I need to do at which place? Please help...

K Ahir
  • 242
  • I would throw out ServerName 192.168.0.2 line as ServerName directive should have the name like www.server.com and not the IP number. I think this could solve the problem. For ServerName you should enter the name of the server if you have it. ServerName allows name based virtual hosting, which allows to have more web sites on the same IP. – nobody Aug 12 '16 at 10:54
  • @nobody, already removed it from file but still no success. – K Ahir Aug 12 '16 at 11:18

3 Answers

9

1. You should configure your /etc/hosts file like this:

127.0.0.1   localhost
127.0.0.1   test-site
127.0.1.1   my-hostname
# The following lines are desirable for IPv6 capable hosts. etc...

Where test-site is the second "localhost". And my-hostname is the "System hostname" defined in /etc/hostname.


2. You should define and enable a Virtual Host (VH):

There is a default HTTP VH. It's placed in /etc/apache2/sites-available/. The filename is 000-default.conf. You have to edit it (you can rename it, if you want, or make some other .conf files, based on it) and after that you have to enable it.

You can enable it manually by creating a soft (symbolic) link:

sudo ln -s /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-enabled/

Or you can use the Apache2 tool called a2ensite, which does the same:

sudo a2ensite 000-default.conf

Let's assume there are 3 Virtual Hosts, SSL enabled, and a registered private domain (SOS.info, for example):

/etc/apache2/sites-available/http.SOS.info.conf
/etc/apache2/sites-available/https.SOS.info.conf

And one which is created for the purposes of this topic:

/etc/apache2/sites-available/http.test-site.conf

The content of the first 2 VHs is:

$ cat /etc/apache2/sites-available/http.SOS.info.conf

<VirtualHost *:80>    
    ServerName SOS.info
    ServerAlias www.SOS.info
    ServerAdmin admin@SOS.info

    # Redirect Requests to SSL
    Redirect permanent "/" "https://SOS.info/"

    ErrorLog ${APACHE_LOG_DIR}/http.SOS.info.error.log
    CustomLog ${APACHE_LOG_DIR}/http.SOS.info.access.log combined       
</VirtualHost>

This one redirects all HTTP requests to HTTPS.

$ cat /etc/apache2/sites-available/https.SOS.info.conf

<IfModule mod_ssl.c>    
    <VirtualHost _default_:443>    
        ServerName SOS.info
        ServerAlias www.SOS.info
        ServerAdmin admin@SOS.info

        DocumentRoot /var/www/html  

        SSLEngine on    
        SSLCertificateFile /etc/ssl/certs/SOS.info.crt
        SSLCertificateKeyFile /etc/ssl/private/SOS.info.key
        SSLCertificateChainFile /etc/ssl/certs/SOS.info.root-bundle.crt
        #etc..
    </VirtualHost>    
</IfModule>

This is the HTTPS VH.

The content of these two files can be placed in one file, but in this case their management (a2ensite/a2dissite) will be more difficult.


The third Virtual Host is the one created for our purposes:

$ cat /etc/apache2/sites-available/http.test-site.conf

<VirtualHost *:80>
    ServerName test-site
    ServerAlias test-site.SOS.info

    DocumentRoot /var/www/test-site
    DirectoryIndex index.html

    ErrorLog ${APACHE_LOG_DIR}/test-site.error.log
    CustomLog ${APACHE_LOG_DIR}/test-site.access.log combined

    <Directory /var/www/test-site>
        # Allow .htaccess 
        AllowOverride All
        # Apache 2.4 syntax (replaces the 2.2-style "Allow from All")
        Require all granted
    </Directory>    
</VirtualHost>

3. With this configuration you should access:

http://localhost     # pointed to the directory of my domain
https://localhost    # in our case: /var/www/html (SOS.info), but you should get an error, because of the SSL certificate

http://SOS.info      # which redirects to https://SOS.info
https://SOS.info     # you should have valid SSL certificate

http://www.SOS.info  # which is aliased to http://SOS.info and redirects to https://SOS.info
https://www.SOS.info # which is aliased to https://SOS.info

For the main example you should also be able to access:

http://test-site           # pointed to the directory /var/www/test-site
http://test-site.SOS.info  # which is aliased to http://test-site

Try to open the site in the web browser, or just try (in the terminal) the following commands:

$ curl -L http://test-site/index.html
$ curl -L http://test-site.SOS.info/index.html

Of course, you need to have some index.html pages in their DocumentRoot :)



I will leave the following notes for the sake of pedantry :)


4. You need a properly configured /etc/apache2/apache2.conf.

It is a good idea to spend some time improving your server's security. These manuals are about the security configuration: 1st and 2nd. Here you can get a free SSL certificate. These sites will help you to check your progress: 1st and 2nd.

According to the above security manuals, the /etc/apache2/apache2.conf file must look like:

Mutex file:${APACHE_LOCK_DIR} default

PidFile ${APACHE_PID_FILE}

Timeout 60

#KeepAlive Off
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf

<Directory />
    Options None FollowSymLinks 
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/>
    Options None FollowSymLinks 
    AllowOverride None
    Require all granted
</Directory>

AccessFileName .htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

# Hide Server type in the http error-pages 
ServerSignature Off
ServerTokens Prod

# Etag allows remote attackers to obtain sensitive information 
FileETag None

# Disable Trace HTTP Request
TraceEnable off

# Set cookie with HttpOnly and Secure flag.
# a2enmod headers
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Clickjacking Attack
Header always append X-Frame-Options SAMEORIGIN

# X-XSS Protection
Header set X-XSS-Protection "1; mode=block"

# Disable HTTP 1.0 Protocol
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

# Change the server banner @ ModSecurity 
# Send full server signature so ModSecurity can alter it
ServerTokens Full
# Alter the web server signature sent by Apache
<IfModule security2_module>
    SecServerSignature "Apache 1.3.26"
</IfModule>
Header set Server "Apache 1.3.26"
Header unset X-Powered-By

# Hide TCP Timestamp
#   gksu gedit /etc/sysctl.conf
#   >> net.ipv4.tcp_timestamps = 0
# Test: sudo hping3 SOS.info -p 443 -S --tcp-timestamp -c 1

# Disable -SSLv2 -SSLv3 and weak Ciphers
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

5. Set up the Firewall.

To allow/deny external access to your web server you can use UFW (Uncomplicated Firewall):

sudo ufw allow http
sudo ufw allow https

To allow only the TCP protocol use:

sudo ufw allow http/tcp
sudo ufw allow https/tcp

You can also use the port number directly:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Just in case you can reload the "rules table":

sudo ufw reload

You can also use UFW's GUI, called gufw.

sudo apt update
sudo apt install gufw
gufw &

Choose the Office profile. It will set: Status:ON, Incoming:Deny and Outgoing:Allow and add your rules.


6. If you have a router don't forget to forward some ports:

If you have a router and you want your web server to be accessible from Internet, don’t forget to add some port forwarding. Something like this.

pa4080
  • 29,831
  • 000-default.conf file is already there in /etc/apache2/sites-enabled/ folder. So should I still enable it using above command? Please let me know. – K Ahir Aug 12 '16 at 11:31
  • If it is already there you do not need to use them. – pa4080 Aug 12 '16 at 11:36
  • Maybe you will find the reasons of this error in /var/log/apache2/error.log. – pa4080 Aug 12 '16 at 11:36
  • I have updated my comment. – pa4080 Aug 12 '16 at 11:47
  • Getting this error message... [Fri Aug 12 17:18:37.224182 2016] [mpm_prefork:notice] [pid 4335] AH00169: caught SIGTERM, shutting down [Fri Aug 12 17:18:40.679317 2016] [mpm_prefork:notice] [pid 4571] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.19 configured -- resuming normal operations [Fri Aug 12 17:18:40.679382 2016] [core:notice] [pid 4571] AH00094: Command line: '/usr/sbin/apache2' – K Ahir Aug 12 '16 at 11:56
  • I read again your issue. I think you need to open http port in your firewall. I will update my comment again. – pa4080 Aug 12 '16 at 11:59
  • All these commands are already applied for firewall: sudo ufw enable, sudo ufw allow 80, sudo ufw allow from 192.168.0.0/24 to any port 80 – K Ahir Aug 12 '16 at 12:05
  • I know it's stupid, but did you restart the services or the system at all? – pa4080 Aug 12 '16 at 12:13
  • yes, I have done it... also please check ownership commands I am using and I have mentioned them in my original question... – K Ahir Aug 12 '16 at 12:15
  • I don't think this is the problem but... In my system I made a user apache:apache ( $ id apache $ uid=1001(apache) gid=1001(apache) groups=1001(apache) ) similar to yours www-data:ftpuser. This user is owner of entire Apache2 directory: $ sudo chown -R apache:apache /etc/apache2/ – pa4080 Aug 12 '16 at 12:31
  • Another idea. In your case I think ServerName directive is placed in wrong place. It must be in the Virtual Host .conf file not in apache2.conf. – pa4080 Aug 12 '16 at 12:36
  • ok, using settings you suggested, I am able to access web server using ip address as well as localhost. But if I create new virtual host (ex: mywebsite) then again it is giving same forbidden error... any suggestion for it? btw... ty very much for all help... – K Ahir Aug 12 '16 at 13:17
  • Could you show me your Virtual Host .conf files? Later this evening I will try to give you an example with my configuration. – pa4080 Aug 12 '16 at 14:55
  • Here you go my completely remade post. – pa4080 Aug 13 '16 at 00:16
  • Ty for your all hard work... I have added virtualhost code in my original questions. Please have a look at it. – K Ahir Aug 13 '16 at 04:29
  • Did we solve the problem? – pa4080 Aug 13 '16 at 07:20
  • Yes, by referring to your help, I made changes in my virtualhost and it is working now... I have put virtualhost code in my initial question... now I am not able to connect to virtual host from other ubuntu pc using dreamweaver. Can you help with that please? It will be big help for me... – K Ahir Aug 13 '16 at 07:37
  • Hi, finally I resolved the ftp connection issue... ty again for your all help – K Ahir Aug 13 '16 at 14:10
  • /etc/hosts... I have wasted 30 mins for such an obvious reason x-) Thanks ! – leaf Aug 12 '17 at 08:12
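
The hardened apache2.conf in the answer above denies `/` and grants only `/var/www/`, so a virtual host whose DocumentRoot lies elsewhere returns 403 until it gets its own grant. The following is an added example, not code from any poster: it reports which `<Directory>` block decides access for each DocumentRoot, assuming literal `<Directory>` paths and `Require all ...` lines only (Apache's default `AuthMerging Off`). The function names and the `/srv/othersite` host are hypothetical.

```shell
# Simplified model: the longest matching <Directory> path that carries a Require wins.

effective_require() {   # usage: effective_require <config-file> <docroot>
    awk -v root="${2%/}/" '
        /^[ \t]*<Directory[ \t]/ {
            dir = $2
            gsub(/[">]/, "", dir)                 # drop quotes and the closing ">"
            if (dir !~ /\/$/) dir = dir "/"       # compare on whole path components
            next
        }
        /^[ \t]*<\/Directory>/ { dir = ""; next }
        dir != "" && tolower($1) == "require" && tolower($2) == "all" {
            if (index(root, dir) == 1 && length(dir) >= best) {
                best = length(dir); verdict = tolower($3); src = dir
            }
        }
        END {
            if (verdict == "") print "unset"
            else print verdict " (from <Directory " src ">)"
        }
    ' "$1"
}

audit_docroots() {      # usage: audit_docroots <config-file>
    awk 'tolower($1) == "documentroot" { gsub(/"/, "", $2); print $2 }' "$1" |
    while read -r root; do
        printf '%s: %s\n' "$root" "$(effective_require "$1" "$root")"
    done
}

write_sample_conf() {   # constructed sample, modelled on the configs quoted above
    cat > "$1" <<'EOF'
<Directory />
    Require all denied
</Directory>
<Directory /var/www/>
    Require all granted
</Directory>
<VirtualHost *:80>
    DocumentRoot /var/www/mysite
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /srv/othersite
</VirtualHost>
EOF
}

conf=$(mktemp); write_sample_conf "$conf"; audit_docroots "$conf"; rm -f "$conf"
```

On a real server, concatenate apache2.conf and the enabled site files into one file before passing it in; `<DirectoryMatch>`, wildcard paths, `<Location>` sections and `.htaccess` are outside this model.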
4

Please change the ownership of the directory where you're serving your files from using command:

sudo chown -R www-data:www-data <directory_where_you_serve_files_from>
  • Sorry to not mention in my question but I have already assigned ownership to specific group and user for /var/www folder. – K Ahir Aug 12 '16 at 11:19
0

I am supposed to link you to this answer which solved my problem.

First of all, add permissions to the folder:

sudo chmod -R 775 /var/www

Then add this text:

<Directory /var/www/html>
  AllowOverride All
</Directory>

To the end of this file:

/etc/apache2/sites-available/000-default.conf
Amir Fo
  • 61
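
For the ownership and permission answers above, an added example (not code from any poster) that finds the first path component a given uid cannot pass, so the exact directory or file behind a filesystem-level 403 can be identified. It reads the mode bits from `ls -ldn`; the function names, the demo tree and the use of uid/gid 33 for www-data are assumptions.

```shell
# Class of permission bits (owner, group or other) that applies to uid/gids on a path.
perm_class() {          # usage: perm_class <uid> <gids> <path>
    ls -ldn -- "$3" | awk -v uid="$1" -v gids=" $2 " '{
        if ($3 == uid)                        print substr($1, 2, 3)
        else if (index(gids, " " $4 " ") > 0) print substr($1, 5, 3)
        else                                  print substr($1, 8, 3)
    }'
}

# Walk base-dir and then each component of the relative path; directories need
# search (x) permission, the final file needs read (r). Prints the first blocker or "ok".
first_blocked() {       # usage: first_blocked <uid> <gids> <base-dir> <relative/path>
    cur=${3%/}; rest=$4
    while :; do
        bits=$(perm_class "$1" "$2" "${cur:-/}")
        if [ -d "${cur:-/}" ]; then need=x; else need=r; fi
        case "$need$bits" in
            x??[xst] | rr??) ;;                  # s/t: setuid, setgid or sticky with x
            *) echo "${cur:-/}"; return 1 ;;
        esac
        [ -n "$rest" ] || { echo ok; return 0; }
        cur=$cur/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
}

# Constructed demo tree; 33 is the uid/gid assumed here for www-data.
base=$(mktemp -d); chmod 755 "$base"
mkdir "$base/mysite"; echo hello > "$base/mysite/index.html"
chmod 750 "$base/mysite"
first_blocked 33 33 "$base" mysite/index.html || true
rm -rf "$base"
```

Against a live server, call it as `first_blocked "$(id -u www-data)" "$(id -G www-data)" / var/www/mysite/index.html`, run as a user who can read every directory on the path.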