Bug 5235 - Newer Apache gives 403 Forbidden with the current thinlinc.conf directives
Summary: Newer Apache gives 403 Forbidden with the current thinlinc.conf directives
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.5.0
Assignee: Peter Åstrand
URL:
Keywords: ossman_tester, prosaic
Depends on:
Blocks:
 
Reported: 2014-08-28 09:36 CEST by Samuel Mannehed
Modified: 2015-10-12 14:19 CEST (History)

See Also:
Acceptance Criteria:


Attachments
suggested patch (366 bytes, patch)
2014-08-28 09:36 CEST, Samuel Mannehed

Description Samuel Mannehed cendio 2014-08-28 09:36:20 CEST
Created attachment 556 [details]
suggested patch

If you run for example Apache 2.4.10 you will get 403 Forbidden when trying to access https://<your-tl-server>/thinlinc/

Apache 2.4.3 (or maybe slightly earlier) added a new security feature that often results in this error. /var/log/httpd/ssl_error_log says:

[Wed Aug 27 16:14:19.120293 2014] [authz_core:error] [pid 29649] [client ::1:38134] AH01630: client denied by server configuration: /opt/thinlinc/share/web_integration/

This new security feature is requiring a user identity to access a directory. It is turned on by DEFAULT in the httpd.conf that ships with Apache. You can see the enabling of the feature with the directive

> Require all denied

This basically says to deny access to all users. To fix this problem we need to add the following directive to all the directories we want to grant access to:

> Require all granted

Comment 2 Peter Åstrand cendio 2015-10-08 15:48:40 CEST
On SLES12, it's even worse.

After running tl-setup and enabling Web Integration, Apache no longer starts:

# systemctl status apache2.service
apache2.service - The Apache Webserver
   Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled)
   Active: failed (Result: exit-code) since Thu 2015-10-08 15:32:14 CEST; 10s ago
  Process: 29349 ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop (code=exited, status=1/FAILURE)
  Process: 29332 ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k start (code=exited, status=1/FAILURE)
 Main PID: 29332 (code=exited, status=1/FAILURE)

Oct 08 15:32:14 dhcp-254-194 start_apache2[29332]: Module "SSL" is not installed, ignoring.
Oct 08 15:32:14 dhcp-254-194 start_apache2[29332]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
Oct 08 15:32:14 dhcp-254-194 start_apache2[29332]: AH00526: Syntax error on line 7 of /etc/apache2/conf.d/thinlinc.conf:
Oct 08 15:32:14 dhcp-254-194 start_apache2[29332]: Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration
Oct 08 15:32:14 dhcp-254-194 start_apache2[29349]: Module "SSL" is not installed, ignoring.
Oct 08 15:32:14 dhcp-254-194 start_apache2[29349]: Check the APACHE_MODULES setting in /etc/sysconfig/apache2.
Oct 08 15:32:14 dhcp-254-194 start_apache2[29349]: AH00526: Syntax error on line 7 of /etc/apache2/conf.d/thinlinc.conf:
Oct 08 15:32:14 dhcp-254-194 start_apache2[29349]: Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration

Indeed, on http://httpd.apache.org/docs/trunk/upgrading.html I can read:

Invalid command 'Require', perhaps misspelled or defined by a module not included in the server configuration, or Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration - load module mod_access_compat, or update configuration to 2.4 authorization directives.

Also: https://www.suse.com/documentation/sles-12/book_sle_admin/data/sec_apache2_configuration.html:

"""
NOTE: The Require all granted statement used to be expressed as

Order allow,deny
Allow from all

in previous versions of Apache. This old syntax is still supported by the mod_access_compat module. 
"""

My interpretation of this is that it is impossible to support both old and new Apache with a single configuration file.
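One way to carry both directive sets in a single thinlinc.conf, added here as an illustration and not the patch attached to this bug: each form is wrapped in an IfModule test on mod_authz_core, which exists only in Apache 2.4, so the 2.4 server sees Require and the 2.2 server sees the legacy Order/Allow pair. The directory path is the one from the error log above; the comments assume nothing else.

```apache
<Directory /opt/thinlinc/share/web_integration/>
    # Apache 2.4: mod_authz_core provides "Require". Access must be granted
    # explicitly because the shipped httpd.conf defaults to "Require all denied".
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>

    # Apache 2.2: mod_authz_core does not exist, so this block is the one that
    # applies. "Order"/"Allow" are the 2.2 directives (mod_authz_host); on 2.4
    # they would only parse if mod_access_compat were loaded.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>
```

Check the result with `apachectl -t` (or `apache2ctl -t` on SLES) before restarting, which reports the same "Invalid command" syntax error shown above without taking the server down.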

Comment 4 Pierre Ossman cendio 2015-10-12 14:19:30 CEST
Works well. Tested on RHEL 6 with Apache 2.2.15 and Fedora 23 with Apache 2.4.16.
