Apache 2.4.6 on Ubuntu Server: Client denied by server configuration (PHP FPM) [While loading PHP file]

Question

Today I was updated Ubuntu server 13.04 (Raring Ringtail) → 13.10 (Saucy Salamander).

And my Apache 2 installation is broken.

Here my configuration:

File `error.log`

[Fri Oct 18 10:48:07.237170 2013] [:notice] [pid 8292:tid 139804677900160] FastCGI: process manager initialized (pid 8292)
[Fri Oct 18 10:48:07.241185 2013] [mpm_event:notice] [pid 8289:tid 139804677900160] AH00489: Apache/2.4.6 (Ubuntu) mod_fastcgi/mod_fastcgi-SNAP-0910052141 configured -- resuming normal operations
[Fri Oct 18 10:48:07.241652 2013] [core:notice] [pid 8289:tid 139804677900160] AH00094: Command line: '/usr/sbin/apache2'
[Fri Oct 18 10:48:28.313923 2013] [authz_core:error] [pid 8294:tid 139804573181696]   [client 81.219.59.75:3536] AH01630: client denied by server configuration: /usr/lib/cgi-bin/php5-fcgi

File `default.conf`

#EU
<VirtualHost *:80>
    #ServerName
    DocumentRoot /var/www/dev_stable

    DirectoryIndex index.php index.html index.htm

    <Directory /var/www/dev_stable>
          Options Indexes FollowSymLinks MultiViews

          AllowOverride all
          Require all granted
    </Directory>
</VirtualHost>

File `mods-enabled/fastcgi.conf`

#<IfModule mod_fastcgi.c>
#  AddHandler fastcgi-script .fcgi
# FastCgiWrapper /usr/lib/apache2/suexec
#  FastCgiIpcDir /var/lib/apache2/fastcgi
#</IfModule>


<IfModule mod_fastcgi.c>
    AddHandler php5-fcgi .php
    Action php5-fcgi /php5-fcgi
    Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
    FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
</Ifmodule>

When I trying to load the file via the browser I got:

site_name/TEST/

Forbidden

You don't have permission to access /php5-fcgi/TEST/index.php on this server.

What should I to fix it?

Maybe you miss a `Allow from all`? http://stackoverflow.com/questions/10351167/apache-client-denied-by-server-configuration — Qben, Oct 18 '13 at 09:13
http://httpd.apache.org/docs/2.4/upgrading.html#run-time - # apache 2.4 change `Allow from all` and `Order` to `Require` — Jan Czarny, Oct 18 '13 at 09:15
Also it would be good to see the configuration that map `site_name/TEST/` to `/php5-fcgi/TEST`. — Qben, Oct 18 '13 at 09:15

score 115 · Accepted Answer · edited Dec 27 '16 at 19:01

115

I have exactly the same issue. I ran a couple of virtual hosts on my local machine for developing.

First, I changed /etc/apache2/conf-available/php5-fpm.conf. I replaced every

Order Deny,Allow
Deny from all

to

Require all granted

The configuration has to be enabled by a2enconf php5-fpm. I did the same with my virtual hosts configurations and made the replacements.

I think this is not advised for security reasons, but as long as I use my server for local purposes only I can live with it.

edited Dec 27 '16 at 19:01

Peter Mortensen

30,738
21
105
131

answered Oct 18 '13 at 14:18

user1259341

1,166
1
8
2

22

in apache2.conf -> replace or delete ` AllowOverride none Require all denied ` – Jan Czarny Oct 31 '13 at 12:50

score 40 · Answer 2 · edited Dec 27 '16 at 20:49

40

I ran into this exact issue upon a new install of Apache 2.4. After a few hours of googling and testing I finally found out that I also had to allow access to the directory that contains the (non-existent) target of the Alias directive. That is, this worked for me:

# File: /etc/apache2/conf-available/php5-fpm.conf
<IfModule mod_fastcgi.c>
    AddHandler php5-fcgi .php
    Action php5-fcgi /php5-fcgi
    Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
    FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization

    # NOTE: using '/usr/lib/cgi-bin/php5-cgi' here does not work,
    #   it doesn't exist in the filesystem!
    <Directory /usr/lib/cgi-bin>
        Require all granted
    </Directory>
</Ifmodule>

edited Dec 27 '16 at 20:49

Peter Mortensen

30,738
21
105
131

answered Apr 10 '14 at 23:34

whyscream

669
6
11

Worth noting that I switched my entire php5-fpm.conf to the one above to get mine to work rather than just adding in the directory part. – Fabor Jun 03 '14 at 11:04
1

Adding `` tag for cgi-bin solved my problem! – Geremia Mar 09 '16 at 03:14
Thanks @whyscream, this solved my problem. Actually, this Directory grant is defined in **serve-cgi-bin.conf**, but is loaded only if you enable cgi.load! I would improve the solution by adding the definition from serve-cgi-bin.conf: ` AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Require all granted ` – scavenger Jan 28 '18 at 06:06

score 22 · Answer 3 · edited Dec 27 '16 at 19:04

22

I ran into a similar problem today (but with mod_wsgi). It might be an Apache 2.2-to-2.4 problem. A comprehensive list of changes can be found here.

For me, it helped to add an additional <Directory>-entry for every path the error-log was complaining about and filling the section with Require all granted.

So in your case you could try

<Directory /usr/lib/cgi-bin/php5-fcgi>
    Require all granted
    Options FollowSymLinks
</Directory>

and I had to move my configuration file from folder conf.d to folder sites-enabled.

All in all, that did the trick for me, but I don't guarantee it works in your case as well.

edited Dec 27 '16 at 19:04

Peter Mortensen

30,738
21
105
131

answered Oct 18 '13 at 22:36

OBu

4,977
3
29
45

3

+1 for the link to the Apache 2.2->2.4 change list. This should be required reading for everybody about to upgrade. – Zilk Nov 26 '13 at 11:27
What file does that go into? `/etc/apache2/apache2.conf`? Some file in `/etc/apache2/mods-enabled/`? Somewhere else? – Peter Mortensen Dec 27 '16 at 19:07

Luke · Answer 4 · 2013-11-25T18:58:37.593

20

I recently ran into the same problem. I had to change my virtual hosts from:

<VirtualHost *:80>
  ServerName local.example.com

  DocumentRoot /home/example/public

  <Directory />
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

To:

<VirtualHost *:80>
  ServerName local.example.com

  DocumentRoot /home/example/public

  <Directory />
    Options All
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

edited Nov 25 '13 at 18:58

answered Nov 24 '13 at 23:59

Luke

20,878
35
119
178

Beautiful, transfer a bunch of domains from a 2.2 server to a 2.4 server and kept the vhost.conf file to save time.. changed all to this and it fixed everything. Thanks so much – unc0nnected Jun 10 '15 at 10:52
thanks a lot. This helps me on windows 10 with xampp 5.6 – kolodi Apr 28 '16 at 07:41

score 9 · Answer 5 · edited Dec 27 '16 at 20:50

9

In apache2.conf, replace or delete <Directory /> AllowOverride None Require all denied </Directory>, like suggested Jan Czarny.

For example:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    #Require all denied
    Require all granted
</Directory>

This worked in Ubuntu 14.04 (Trusty Tahr).

edited Dec 27 '16 at 20:50

Peter Mortensen

30,738
21
105
131

answered Jul 03 '14 at 12:41

user3801675

91
1
1

That hit me exactly after upgrading to Ubunto 14.04...Thanks. – khmarbaise Apr 13 '19 at 21:30
Does this affect safety? – Skora May 05 '19 at 16:25

score 8 · Answer 6 · answered Dec 22 '13 at 12:45

Your virtualhost filename should be mysite.com.conf and should contain this info

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName mysite.com
    ServerAlias www.mysite.com

    ServerAdmin info@mysite.com
    DocumentRoot /var/www/mysite

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory "/var/www/mysite">
Options All
AllowOverride All
Require all granted
</Directory>


    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

score 3 · Answer 7 · edited Feb 08 '15 at 18:43

I don't think that replacing "Require all denied" with "Require all granted" in this directive:

<Directory>

    Options FollowSymLinks
    AllowOverride None
    #Require all denied
    Require all granted
</Directory>

as suggested by Jan Czarny and seonded by user3801675 is the most secure way of solving this problem.

According to the Apache configuration files, that line denies access to the entirety of your server's filesystem. Replacing it might indeed allow access to your virtual host folders but at the price of allowing access to your entire computer as well!

Gev Balyan's approach seems to be the most secure approach here. It was the answer to the "access denied problems" plaguing me after setting up my new Apache server this morning.

This is not an answer but a comment. – DrCord Sep 23 '16 at 18:17 — DrCord, Sep 23 '16 at 18:17

score 1 · Answer 8 · edited Jul 21 '15 at 21:38

1

And I simply got this error because I used a totally different DocumentRoot directory.

My main DocumentRoot was the default /var/www/html and on the VirtualHost I used /sites/example.com

I have created a link on /var/www/html/example.com (to /sites/example.com). DocumentRoot was set to /var/www/html/example.com

It worked like a charm.

edited Jul 21 '15 at 21:38

BuZZ-dEE

6,075
12
66
96

answered Jul 21 '15 at 20:42

user5140921

11
1

score 0 · Answer 9 · answered Apr 07 '19 at 20:53

I had the same issue after upgrading my system. In my case, the problem was caused by the order of loading configuration files. In the /etc/httpd/httpd.confinitally it was defined as follows:

IncludeOptional conf.d/*.conf
IncludeOptional sites-enabled/*.conf

After some hours of attempts, I tried the following order:

IncludeOptional sites-enabled/*.conf
IncludeOptional conf.d/*.conf

And it works fine now.

score 0 · Answer 10 · answered May 17 '19 at 10:07

I had the following configuration in my httpd.conf that denied executing the wpadmin/setup-config.php file from wordpress. Removing the |-config part solved the problem. I think this httpd.conf is from plesk but it could be some default suggested config from wordpress, i don't know. Anyway, I could safely add it back after the setup finished.

<LocationMatch "(?i:(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html)))">
                        Require all denied
                </LocationMatch>

score -3 · Answer 11 · answered Dec 03 '13 at 06:10

-3

For those of you on AWS (Amazon Web Services), remember to add a rule for your SSL port (in my case 443) to your security groups. I was getting this error because I forgot to open the port.

3 hours of tearing my hair out later...

answered Dec 03 '13 at 06:10

user2766838

13
1
5

This answer is completely unrelated to this error message. – Berend de Boer Apr 04 '14 at 19:33

Apache 2.4.6 on Ubuntu Server: Client denied by server configuration (PHP FPM) [While loading PHP file]

File `error.log`

File `default.conf`

File `mods-enabled/fastcgi.conf`

11 Answers11

Linked

Apache 2.4.6 on Ubuntu Server: Client denied by server configuration (PHP FPM) [While loading PHP file]

File error.log

File default.conf

File mods-enabled/fastcgi.conf

11 Answers11

Linked

File `error.log`

File `default.conf`

File `mods-enabled/fastcgi.conf`