Bug 5235

Summary: Newer Apache gives 403 Forbidden with the current thinlinc.conf directives
Product: ThinLinc
Reporter: Samuel Mannehed <samuel>
Component: Other
Assignee: Peter Åstrand <astrand>
Status: CLOSED FIXED
Severity: Normal
Keywords: ossman_tester, prosaic
Priority: P2
Version: trunk
Target Milestone: 4.5.0
Hardware: PC
OS: Unknown
Acceptance Criteria:
Attachments: suggested patch

Description Samuel Mannehed cendio 2014-08-28 09:36:20 CEST
Created attachment 556
suggested patch

If you run for example Apache 2.4.10 you will get 403 Forbidden when trying to access https://<your-tl-server>/thinlinc/

Apache 2.4.3 (or maybe slightly earlier) added a new security feature that often results in this error. /var/log/httpd/ssl_error_log says:

[Wed Aug 27 16:14:19.120293 2014] [authz_core:error] [pid 29649] [client ::1:38134] AH01630: client denied by server configuration: /opt/thinlinc/share/web_integration/

This new security feature requires a user identity to access a directory. It is turned on by DEFAULT in the httpd.conf that ships with Apache. You can see the enabling of the feature with the directive

> Require all denied

This basically says to deny access to all users. To fix this problem we need to add the following directive to all the directories we want to grant access to:

> Require all granted

Comment 2 Peter Åstrand cendio 2015-10-08 15:48:40 CEST
On SLES12, it's even worse.

After running tl-setup and enabling Web Integration, Apache no longer starts:

# systemctl status apache2.service
apache2.service - The Apache Webserver
   Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled)
   Active: failed (Result: exit-code) since Thu 2015-10-08 15:32:14 CEST; 10s ago
  Process: 29349 ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop (code=exited, status=1/FAILURE)
  Process: 29332 ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k start (code=exited, status=1/FAILURE)
 Main PID: 29332 (code=exited, status=1/FAILURE)

Oct 08 15:32:14 dhcp-254-194 start_apache2[29332]: Module "SSL" is not installed, ignoring.
Oct 08 15:32:14 dhcp-254-194 start_apache2[29332]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
Oct 08 15:32:14 dhcp-254-194 start_apache2[29332]: AH00526: Syntax error on line 7 of /etc/apache2/conf.d/thinlinc.conf:
Oct 08 15:32:14 dhcp-254-194 start_apache2[29332]: Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration
Oct 08 15:32:14 dhcp-254-194 start_apache2[29349]: Module "SSL" is not installed, ignoring.
Oct 08 15:32:14 dhcp-254-194 start_apache2[29349]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
Oct 08 15:32:14 dhcp-254-194 start_apache2[29349]: AH00526: Syntax error on line 7 of /etc/apache2/conf.d/thinlinc.conf:
Oct 08 15:32:14 dhcp-254-194 start_apache2[29349]: Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration

Indeed, on http://httpd.apache.org/docs/trunk/upgrading.html I can read:

Invalid command 'Require', perhaps misspelled or defined by a module not included in the server configuration, or Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration - load module mod_access_compat, or update configuration to 2.4 authorization directives.

Also: https://www.suse.com/documentation/sles-12/book_sle_admin/data/sec_apache2_configuration.html:

"""
NOTE: The Require all granted statement used to be expressed as

Order allow,deny
Allow from all

in previous versions of Apache. This old syntax is still supported by the mod_access_compat module. 
"""

My interpretation of this is that it is impossible to support both old and new Apache with a single configuration file.

Comment 4 Pierre Ossman cendio 2015-10-12 14:19:30 CEST
Works well. Tested on RHEL 6 with Apache 2.2.15 and Fedora 23 with Apache 2.4.16.