Apache HTTP Server Config - Forbidden Error After Configuring httpd.conf

I've seen many posts on many forums and newsgroups where people have run into problems getting Forbidden 403 errors after setting up Apache and modifying the httpd.conf file to their liking on their server.

Most have replied that the cause of the problem is that the directory in question doesn't have the right options set on it and they go into detail explaining that they need to add things like:
Options +FollowSymLinks
to their httpd.conf for that directory.

They're accurate, but their description isn't full enough to solve the problem. What I've found is that there are two things that need to be configured first off in httpd.conf to ensure success with your specific "DocumentRoot".

In the default httpd.conf file are two lines (with comments) that go hand-in-hand:
(using a default installation of Apache on Windows XP as an example.)
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"

... and the other section (contents excluded) as follows ...
# This should be changed to whatever you set DocumentRoot to.


In-between these two sections is a section that sets ALL directories to a "default" set of VERY restrictive features.

Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all

The problem I've found (and I've made this mistake several times myself; so I'm documenting it here to hopefully help someone else fix the same mistake that causes the Forbidden message...) is that people change the DocumentRoot setting to where they want the default folder for serving up documents to be... but don't change the second section that matches the original DocumentRoot's path.

The reason the forbidden error happens is because that section inbetween restricts ALL directories, and the section after (that originally has the old DocumentRoot path) lifts the restrictions... but since it's still pointing to the old DocumentRoot and not the one you've changed to... it's lifted the restrictions on the wrong path; leaving your REAL DocumentRoot restricted and therefore causing the Forbidden message.

I hope this helps someone save hours of frustration trying to find out where to add the Overide +FollowSymLinks, etc... when it's already done for you in the original httpd.conf, you just need match the paths in that Directory section with your DocumentRoot setting.

NOTE: I'm not the ultimate guru on httpd.conf... there may be more secure ways to handle this and I'd love for someone to leave comments here on better ways. I just know this way works to get you up and running fast to solve the Forbidden problem.

Apache rocks. Happy HTTPing!

1 comment:

That One Guy said...

So the real solution here is to make sure there is a <Directory> section related to the directory a given site Apache is hosting.

I ended up adding a site whose files were in a completely different directory than I'd set up my DocumentRoot to be.

I had to add an extra <Directory> section for that exact filepath in my httpd.conf with the appropriate security settings so Apache wouldn't give me the Forbidden message.

Hope this helps someone else!