Apache2 On Fedora - Getting Rid Of The 403

If understanding Linux is an important part of your work and you want to know how to properly configure a RedHat-based distro like Fedora or CentOS, then carry on reading.

Tue, 2009-05-05 10:20 By greg

Apache2 on the Fedora core (in my case Fedora 10) can be a fiddly beast. In fact, if you're a total Linux n00b I would say don't bother with the core Apache2 and MySQL - just install XAMPP, which gives you everything right out of the box. It is *not* secure but as long as we're talking about a fire-walled home computer here it is fine.

However if, like me, understanding Linux is an important part of your work and you want to know how to properly configure a RedHat-based distro like Fedora or CentOS, then forget XAMPP and carry on reading.

Before I continue, I am no world expert on this and if I am inaccurate or just plain wrong about anything in this post, please do let me know! (Commenting is off right now due to spam issues, but will be re-enabled soon enough.) The following is what I *think* is true from a lot of Googling and some personal experience.

In Fedora there are two main complications that can affect your Apache2 setup:

1. SELinux (additional Linux security enabled by default)

2. UserDir (Apache module for controlling httpd access to /home)

Bear that in mind as it will become significant, but before we get into that, let's get Apache2 installed and get some level of access (if you haven't already):

su -c "yum -y install httpd"

su -c "/sbin/service httpd start"

Of course, you can also install Apache2 using the package manager in the GUI and start it with the GUI Services manager. That achieved, go to http://127.0.0.1 and you'll get the Fedora Apache test page, as expected. Put some files in /var/www/html and you'll get results.

But I don't want my files there. I want my files in my home directory. In my case, I have all my projects checked out into /home/gharvey/workspace. I also want my various applications within the workspace to have their own local domain name, so I'm going to enable NameVirtualHost (as I always used to with XAMPP on Windows) and create a virtual host entry to one of my projects, using something like su -c "gedit /etc/httpd/conf/httpd.conf" (which will open httpd.conf in the GUI editor as root):

#
# Use name-based virtual hosting.
#
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName drivingforce
    DocumentRoot /home/gharvey/workspace/driving-force/trunk/www
    ServerAdmin "webadmin@drupaler.co.uk"
    # <Directory> path assumed to match the DocumentRoot above.
    <Directory "/home/gharvey/workspace/driving-force/trunk/www">
        Options Includes FollowSymLinks
        Order allow,deny
        AllowOverride All
        Allow from all
    </Directory>
</VirtualHost>

And in my local hosts file, su -c "gedit /etc/hosts", I'll add:

127.0.0.1 driving-force

So now in a web browser I can go to http://driving-force and see what happens. What *should* happen is a big fat 403, Forbidden error message. This is because the directory we wish to access from Apache is in the /home directory and this is locked down by default in Fedora. Resolving this for me took four steps.

Firstly, make sure the Linux permissions are ok (everyone can read and execute):

chmod -R 755 /home/gharvey/workspace

chmod 755 /home/gharvey

Note you *must* apply the same chmod command to any directories in the path to where the documents you intend to serve lie, hence needing to do the root of my home directory as well.

If you don't want to give access to all users, you can add the apache user to the private group for that user - this will require a reboot. In this case group is gharvey so the command is something like this:

usermod -a -G gharvey apache

chmod -R 750 /home/gharvey/workspace

chmod 750 /home/gharvey

(Thanks to sideways at the Fedora Forums for that tip.)

Second, and this is where the SELinux stuff comes in, make sure the "label" applied to your files permits Apache to access them (you can read up more about SELinux elsewhere):

chcon -t httpd_sys_content_t -R $HOME/workspace

Thirdly we look at the second complication I listed at the start, UserDir. I'm not sure why, but it seems the UserDir module needs to be correctly configured as well for this to work? I am not sure I'm correct on this, but I am leaving it alone as things now work. I have this in my httpd.conf,

su -c "gedit /etc/httpd/conf/httpd.conf":

#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disabled
UserDir enabled gharvey

#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
#UserDir public_html
UserDir workspace

Note I *added* a line enabling the gharvey user and added another line saying that workspace is the default permitted user directory. Save then restart Apache, su -c "httpd -k restart".

You should now be able to access your workspace directory like so:

http://127.0.0.1/~gharvey

So to get to my test application I can do this:

http://127.0.0.1/~gharvey/driving-force/trunk/www

If that works, you're nearly there! Finally, reboot the computer. Again, I'm not sure this is a necessary step, but you're better safe than sorry. At one point I didn't think things were working, but they seemed OK after a reboot, so go figure! Could well be a quirk of SELinux or something like that. I have no idea, but my computer *seemed* to need it.

When you come back up, http://driving-force should now work. SELinux is still enabled, for additional security *and* your projects can live in your home directory. Pimms all round! =)
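
The permission and label steps above can be checked before touching chmod or chcon. The script below is an added example, not part of the original post: the function names first_blocked_dir and has_httpd_label are made up for illustration, and it assumes GNU stat as shipped on Fedora and CentOS.

```shell
#!/bin/sh
# Added example (not from the original post): find what blocks httpd on the
# way to a DocumentRoot under /home. Run it as the owner of the files.
# Usage: first_blocked_dir /home/gharvey/workspace/driving-force/trunk/www

# first_blocked_dir DOCROOT [other|group]
#   "other" checks the 755 approach; "group" checks the 750 approach where
#   the apache user has been added to the owner's group.
#   Prints the first directory between / and DOCROOT whose search (x) bit
#   is missing for that class and returns 1; returns 0 if every one passes.
first_blocked_dir() (
    target=$(cd "$1" 2>/dev/null && pwd -P) || exit 2
    case ${2:-other} in
        other) mask=1 ;;   # octal 001: o+x
        group) mask=8 ;;   # octal 010: g+x
        *) exit 2 ;;
    esac
    set -f                 # no globbing while the path is split on "/"
    IFS=/
    set -- ${target#/}
    dir=
    for part in "$@"; do
        dir="$dir/$part"
        mode=$(stat -c %a "$dir") || exit 2
        # A leading 0 makes the shell read the mode as an octal number.
        if [ "$(( 0$mode & mask ))" -eq 0 ]; then
            printf '%s\n' "$dir"
            exit 1
        fi
    done
    exit 0
)

# has_httpd_label PATH
#   Succeeds if the SELinux type on PATH is httpd_sys_content_t, the type
#   set with chcon above. Fails where no SELinux context is available.
has_httpd_label() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || return 1
    [ "$(printf '%s' "$ctx" | cut -d: -f3)" = httpd_sys_content_t ]
}
```

A directory printed by first_blocked_dir is the one that needs the chmod from the first step; a failing has_httpd_label on the document root points at the chcon step instead.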