Develop Reference

Apache2 Ubuntu getting a cgi program to run 403 error from /usr/lib/cgi-bin

Well its 2022 and httpf.conf no longer exists. its seems to be split up into site-available, and conf-available, I can't figure it out and I can't find any instructions on how to get a simple helloworld perl script to run (in runs fine from the command line" "perl hw.pl")
The index.html page works fine in firefox, and by changing the 000-default.conf I was able to at least get the script "localhost/cgi-bin/hw.pl" to change from a 404 error to a 403 error by adding the section as marked:
leslie#jl-vr0sr4:/etc/apache2/sites-available$ pwd
/etc/apache2/sites-available
jleslie#jl-vr0sr4:/etc/apache2/sites-available$ cat 000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
# JL:: 221116 uncomment out the include to allow cgi-bin
# Include conf-available/serve-cgi-bin.conf
#JL:: 221116 did nothing. Lets add the below:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
AddHandler cgi-script .pl
</Directory>
#JL:: 221116 ok, that changed the 404 not found error
# to a 403 forbidden error what gives?
# Forbidden
#
# You don't have permission to access this resource.
# Apache/2.4.52 (Ubuntu) Server at 127.0.0.1 Port 80
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
So how do I now get it to actually run?
Did I do anything make a mistake in my conf file?
I also want to be able to run .exe .cgi and .sh files from /cgi-bin/ how do specify them as well?
Here is the test hello worl perl script I tried to run:
jleslie#jl-vr0sr4:/usr/lib/cgi-bin$ ll
/usr/lib/cgi-bin
total 44
drwxr-xr-x 2 root root 4096 Nov 16 09:17 ./
drwxrwxrwx 115 root root 4096 Nov 14 13:07 ../
-rwxrwxrwx 1 jleslie jleslie 30144 Nov 16 08:51 fh_fe.exe*
-rwxr-xr-x 1 root root 76 Nov 16 09:17 hw.pl*
jleslie#jl-vr0sr4:/usr/lib/cgi-bin$ cat hw.pl
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello, World.";
jleslie#jl-vr0sr4:/usr/lib/cgi-bin$

OK, I finally figured it out. No thanks to the apache folks who keep changing the rules and fail to document properly how do do the most basic:
start an apache server
set up a cgi-bin directory.
They'll gladly spend pages talking about virtual hosts, and double nested hyper-crayon whatevers, but not the most basic setup: a webserver that can run cgi-bin programs. Unbelievable. /end gripe.
Anyway I edited :
/etc/apache2/sites-available/000-default.conf
with this code, to both fix and document what is necessary:
31 # JL:: 221116 uncomment out the include to allow cgi-bin
32
33 # Include conf-available/serve-cgi-bin.conf
34
35 #JL:: 221116 did nothing. Lets add the below:
36
37
38 #ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
39 #<Directory "/usr/lib/cgi-bin">
40 ScriptAlias /cgi-bin/ /var/www/cgi-bin/
41 <Directory "/var/www/cgi-bin">
42 AllowOverride None
43 Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
44 Order allow,deny
45 Allow from all
46 AddHandler cgi-script .pl .exe .cgi .sh
47 </Directory>
48
49 #JL:: 221116 ok, that changed the 404 not found error
50 # to a 403 forbidden error what gives?
51 # Forbidden
52 #
53 # You don't have permission to access this resource.
54 # Apache/2.4.52 (Ubuntu) Server at 127.0.0.1 Port 80
55
56 # here is the fix. run this at the command line:
57
58 ### RUNME ****> cd /etc/apache2/mods-enabled
59 ### RUNME ****> sudo ln -s ../mods-available/cgi.load
60
61
62 </VirtualHost>
63
Here is the complete history (with my mistakes, don't bother with them,) of the session that fixed the issue:
1807 cd /etc/apache2/sites-available/
1808 vi 000-default.conf
1809 sudo systemctl stop apache2
1810 sudo systemctl start apache2
1811 cd ..
1812 cd conf-available/
1813 ll
1814 vi serve-cgi-bin.conf
1815 cd ../sites-available/
1816 ll
1817 vi 000-default.conf
1818 pwd
1819 cd /etc/apache2/mods-enabled
1820 sudo ln -s ../mods-available/cgi.load
1821 ll
1822 sudo systemctl stop apache2
1823 sudo systemctl start apache2
please note in the documentation the double secret "turn on cgi-bin" by making the soft link. It took me over an hour of searching on the internet to find that one. - J

403 Errors on Apache server

I changed home directory of Apache "/var/www/html" into "/gwanwoonam/web"
After that, web server returns 403 Error - Forbidden
You don't have permission to access /info.php on this server.
How Can I fixed that
I googled, and found Solution on permission and SELinux.
I turned off SELinux, So It is disabled.
[gwanwoonam#localhost web]$ getenforce
Disabled
Secondly I tried to edit conf file
sudo vim /etc/httpd/conf/httpd.conf
<Directory />
AllowOverride none
#Require all denied
Require all granted
Allow from all
</Directory>
...
DocumentRoot "/home/gwanwoonam/web"
...
<Directory "/home/gwanwoonam/web">
AllowOverride None
# Allow open access:
Require all granted
Allow from all
</Directory>
...
<Directory "/home/gwanwoonam/web">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
Allow from all
</Directory>
...
And, I put the permission 777 at web directory, sub folder and files of it.
drwxrwxrwx. 2 gwanwoonam gwanwoonam 40 Jul 21 12:19 web
-rwxrwxrwx. 1 gwanwoonam gwanwoonam 106 Jul 21 11:52 index.html
-rwxrwxrwx. 1 gwanwoonam gwanwoonam 66 Jul 21 12:19 info.php
However, I cannot solve this problem..
How Can I find solution?
LOGS
[Sun Jul 21 14:04:57.852935 2019] [core:error] [pid 1918] (13)Permission denied: [client ::1:51512] AH00035: access to /favicon.ico denied (filesystem path '/home/gwanwoonam/web') because search permissions are missing on a component of the path, referer: localhost
[Sun Jul 21 14:05:00.422975 2019] [core:error] [pid 1923] (13)Permission denied: [client 127.0.0.1:42228] AH00035: access to / denied (filesystem path '/home/gwanwoonam/web') because search permissions are missing on a component of the path

In your question you showed this:
drwxrwxrwx. 2 gwanwoonam gwanwoonam 40 Jul 21 12:19 web
-rwxrwxrwx. 1 gwanwoonam gwanwoonam 106 Jul 21 11:52 index.html
-rwxrwxrwx. 1 gwanwoonam gwanwoonam 66 Jul 21 12:19 info.php
Note that index.html and info.php are not under the web directory. Therefore Apache cannot find them since you told it DocumentRoot "/home/gwanwoonam/web".
Move your files into /home/gwanwoonam/web, then Apache will see them.
Then, to ensure you do not have a permissions issue, at the filesystem level, run this:
chmod 755 /home/gwanwoonam/web
find /home/gwanwoonam/web -type d -exec chmod 755 {} \;
find /home/gwanwoonam/web -type f -exec chmod 644 {} \;
This will put permissions
drwxr-xr-x on all directories (including /home/gwanwoonam/web)
and
-rw-r--r-- on files.
This way your Apache should be able to read all files under web, and return them back to you.

Add the line below to your existing code:
restorecon -r /home/gwanwoonam/web

Apache 2.4 executes only some CGI scripts

I'm using Apache 2.4.7 on Ubuntu 14.04.5 in a VirtualBox VM. Things are almost working...
Some of my cgi scripts run/execute, but other scripts only display the source for the script. There are no errors or interesting entries in the access.log or error.log files.
Update: After further troubleshooting, I believe the problem was browser caching (sigh!) After force reloading (Cmd-Shift-R on Mac),
they all execute as desired. (I believe the scripts that executed properly the
first time were those that I tested when I had the configuration
correct; the ones that simply listed their source were the ones I tested first.)
For the record, the settings below are working correctly now.
All scripts end in .cgi, all invoke #!/usr/bin/perl as the first line, all have the same permissions (with +x). I have appended the ls of the "cgi" directory, and the site's config file.
What am I missing that would cause some files to execute, while others list? Many thanks!
CGI directory, with permissions:
wnr#wnr-VirtualBox:/usr/local/webview/www/flow$ ls -al *.cgi
-rwxr-xr-x 1 wnr wnr 89720 Aug 9 2013 adhoc.cgi
-rwxr-xr-x 1 wnr wnr 10535 Apr 2 2013 adhocClick.cgi
-rwxr-xr-x 1 wnr wnr 6155 Mar 19 2012 adhocIf.cgi
-rwxr-xr-x 1 wnr wnr 929 Feb 25 2013 configdump.cgi
-rwxr-xr-x 1 wnr wnr 13325 Apr 8 2013 exporter.cgi
-rwxr-xr-x 1 wnr wnr 6624 Mar 19 2012 flow-collector-stats.cgi
-rwxr-xr-x 1 wnr wnr 2716 May 9 12:28 getFilter.cgi
-rwxr-xr-x 1 wnr wnr 124 May 9 12:48 hirich.cgi
-rwxr-xr-x 1 wnr wnr 88514 May 9 12:27 render.cgi
-rwxr-xr-x 1 wnr wnr 8242 Apr 1 2013 weblog.cgi
Note: weblog.cgi and hirich.cgi both execute as expected, the others simply list the source code...
Here's the site's config file:
wnr#wnr-VirtualBox:/usr/local/webview/www/flow$ cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
Alias "/webview" "/usr/local/webview/www"
<Directory "/usr/local/webview/www" >
# Options Indexes Includes FollowSymLinks ExecCGI
Options Indexes Includes FollowSymLinks ExecCGI
Require all granted
AllowOverride All
SetEnv no-gzip 1
AddHandler cgi-script .cgi
</Directory>
# <Directory "/usr/local/webview/www/flow" >
# Options +FollowSymLinks +ExecCGI
# AddHandler cgi-script .cgi
# </Directory>
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Check if you can execute the scripts directly on the shell, like so:
$ ./script.cgi
Your shebang might contain a trailing \r, a common trick is to replace #!/usr/bin/perl with #!/usr/bin/perl -w

Update: After further troubleshooting, I believe the problem was browser caching (sigh!) After force reloading (Cmd-Shift-R on Mac), they all execute as desired.
This explains why some of the scripts executed, and some didn't, even though they all had the same permissions and were in the same directory.
I believe the scripts that executed properly the first time were those that I tested when I had the configuration correct; the ones that simply listed their source were the ones I tested first.
For the record, the settings above are working correctly now.
And always remember: if your browser isn't showing what you expect, Force Reload.

Unable to view an image on apache web server

I'm having issue where an image from my index.htm file is not being able to displayed. The contents of index.htm file are as below:
[root#docker1:/etc/httpd/conf]:cat /var/www/html/index.htm
<!DOCTYPE html>
<html>
<head>
<title>httpd server</title>
</head>
<body>
<h1>
First H1 Tag
</h1>
<p> My First para</p>
<h1> Second H1 tag .</h1>
<p>My Second Para</p>
Google
<img src="http://192.168.1.6/lord_shiva_on_bull.jpg" alt="Shiva" width="200" height="200">
</body>
</html>
[root#docker1:/etc/httpd/conf]:
Some extract from configuration:
ServerRoot "/etc/httpd"
[root#docker1:/etc/httpd/conf]:ls -larth /var/www/html/lord_shiva_on_bull.jpg
-rwxrwxrwx. 1 jim jim 165K Aug 13 11:54 /var/www/html/lord_shiva_on_bull.jpg
[root#docker1:/etc/httpd/conf]:ls -larth /var/www/html/
total 172K
-rwxrwxrwx. 1 jim jim 165K Aug 13 11:54 lord_shiva_on_bull.jpg
drwxrwxrwx. 2 root root 6 Aug 13 12:21 src
drwxr-xr-x. 4 root root 31 Aug 13 13:04 ..
-rwxrwxrwx. 1 root root 323 Aug 13 13:08 index.htm
drwxr-xr-x. 3 root root 61 Aug 13 13:08 .
[root#docker1:/etc/httpd/conf]:ls -ld /var/www/html/
drwxr-xr-x. 3 root root 61 Aug 13 13:08 /var/www/html/
[root#docker1:/etc/httpd/conf]:id apache
uid=48(apache) gid=48(apache) groups=48(apache)
[root#docker1:/etc/httpd/conf]:grep "apache" httpd.conf
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
User apache
Group apache
# http://httpd.apache.org/docs/2.4/mod/core.html#options
[root#docker1:/etc/httpd/conf]:
I'm totally confused as to what is the issue? Would greatly appreciate input from learned Guru's

The dots at the end of the permissions such as
drwxr-xr-x.
indicates those paths are under the jurisdiction of SELinux.
If you have made sure Apache HTTPD process has search (for directories) and read for files permissions for all the path until reaching the image files and you still get Permission Denied, you must review your Operative System logs relating the denial of access by SELinux.

See if you have selinux policy enabled.If yes,then for testing try by disabling it and test the same.
You can use cmd : 'getenforce' to get the status of selinux in linux and use 'setenforce 0' to disable it.

nginx, php-fpm and tilde user directories

I'm using nginx and php5-fpm on a Debian system.
I want my server to serve like so;
ip/index.html serves the static html page (or files) at the nginx web root
and likewise, ip/somefile.php (or index.php) serves PHP through php-fpm
ip/~user/index.html serves the static html page (or files) in /home/user/public_html
and likewise, ip/~user/somefile.php (or index.php) serves PHP through php-fpm
(where ip is either an IPv4 or IPv6 address).
Here is my configuration for nginx:
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
server_name _;
root /usr/share/nginx/www;
index index.php index.html index.htm;
# Deny access to all dotfiles
location ~ /\. {
deny all;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
try_files $uri = 404; # Prevents exploit
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
}
# Serve user directories
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/public_html$2;
autoindex on;
}
}
And for php-fpm:
; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses on a
; specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /var/run/php5-fpm.sock
; Set listen(2) backlog.
; Default Value: 128 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 128
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0666
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0666
; List of ipv4 addresses of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; ... and more that doesn't matter, just defaults
Both static files and PHP work in nginx web root (ip/blah.html or ip/blah.php), static files also work in user directories (ip/~user/blah.html) however PHP is giving 404 in user directories.
Can someone help me fix my config?
Edit: some ls -las incase it's a permission issue.
kvanb#pegasus:~$ ls -la
total 32
drwxr-xr-x 3 kvanb sudo 4096 Jan 4 04:04 .
drwxr-xr-x 6 root root 4096 Jan 4 01:36 ..
-rw------- 1 kvanb kvanb 570 Jan 4 02:54 .bash_history
-rw-r--r-- 1 kvanb sudo 220 Jan 4 01:36 .bash_logout
-rw-r--r-- 1 kvanb sudo 3392 Jan 4 01:36 .bashrc
-rw-r--r-- 1 kvanb sudo 675 Jan 4 01:36 .profile
drwxr-xr-x 2 kvanb sudo 4096 Jan 4 03:41 public_html
-rw------- 1 kvanb sudo 3303 Jan 4 04:04 .viminfo
kvanb#pegasus:~/public_html$ ls -la
total 20
drwxr-xr-x 2 kvanb sudo 4096 Jan 4 03:41 .
drwxr-xr-x 3 kvanb sudo 4096 Jan 4 04:04 ..
-rwxr-xr-x 1 kvanb sudo 21 Jan 4 03:40 index.php
-rwxr-xr-x 1 kvanb sudo 20 Jan 4 03:09 info.php
-rw-r--r-- 1 kvanb sudo 4 Jan 4 03:41 test.html
kvanb#pegasus:/usr/share/nginx/www$ ls -la
total 20
drwxr-xr-x 2 root root 4096 Jan 4 03:28 .
drwxr-xr-x 3 root root 4096 Jan 4 01:34 ..
-rw-r--r-- 1 root root 383 Jul 7 2006 50x.html
-rw-r--r-- 1 root root 151 Oct 4 2004 index.html
-rw-r--r-- 1 root root 20 Jan 4 03:28 info.php

You'll need to add this rule before the initial php one:
# Serve user directories php files
location ~ ^/~(.+?)(/.*\.php)$ {
alias /home/$1/public_html;
autoindex on;
include /etc/nginx/fastcgi_params;
try_files $2 = 404; # Prevents exploit
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
}
This one matches all php files in the user directory, directing them through php-fpm. The php rule you have matches all these php files, but tries to find them in the wrong directory.

I came across this whilst trying to solve a similar problem. So I'll add the solution I found when I got to it. This was on Arch, but it is systemd related.
This solution is for my development machine, and for good reasons, you shouldn't run a public site from your /home folder.
I configured php-fpm and nginx to run as my user. Edit the following file, and remove the ProtectHome=true line
sudo vi /etc/systemd/system/multi-user.target.wants/php-fpm.service
Reload, and restart everything;
systemctl daemon-reload
systemctl restart nginx.service
systemctl restart php-fpm.service