On Feb 21, 7:09 am, "Schindler, Nathan"
<[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
>
> > > -----Original Message-----
> > > From: [email protected]
> > [mailto:[email protected]]
> > > On Behalf Of Nate
> > > Sent: Thursday, February 19, 2009 12:30 PM
> > > To: Trac Users
> > > Subject: [Trac] "client denied by server configuration" in Apache
> > > error log
>
> > > We have Apache (2.2.3 on RHEL5) slightly hardened - in httpd.conf,
> > > "Deny from all" is specified within <Directory
> > "/var/www/html">. This
> > > is overridden in the Apache config file for Trac with
> > "Allow from all"
> > > within <Location /projects>, where all of our Trac projects reside.
>
> > > When a user hits the site, a line similar to the following
> > is logged:
>
> > > [<date>] [error] [client <client IP>] client denied by server
> > > configuration: /var/www/html/<project>, referer:
> > > https://<server>/projects/<project>/
>
> > > Nothing in the project config or Apache config point to
> > /var/www/html
> > > or have a path relative to the web root that doesn't include /
> > > projects/. The rendered page source also doesn't include
> > any apparent
> > > incorrect links.
>
> > > This seems related tohttp://lists.edgewall.com/archive/trac/2005-
> > > June/003277.html
>
> > > Anyone have any idea what's causing these log entries?
>
> > > Thanks in advance,
> > > Nate
>
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Noah Kantrowitz
> > Sent: Friday, February 20, 2009 11:41 AM
> > To: [email protected]
> > Subject: [Trac] Re: "client denied by server configuration"
> > in Apache error log
>
> > Apache still does a directory ACL check on $DOC_ROOT +
> > $REQ_PATH as if the request was going to go the filesystem,
> > even if it ends up being captured later on by another
> > handler. Just point docroot at an empty folder somewhere (not
> > the trac env!) and then make a Directory block that grants
> > Allow to all.
>
> > --Noah
>
> Thanks, but I'm still a little unclear. If that's the case, why don't I see
> similar log entries from requests to Subversion? It's configured essentially
> the same way as Trac, with <Location> directives pointing to /repos/<repo
> name> (relative to the Apache docroot).
> Since Apache errors aren't logged when hitting Subversion with the same
> <Location> "Allow" restrictions in place as Trac, I suspected Trac
> javascripts or possibly mod_python.
It is the way that mod_python is inserted into Apache processing. Use
mod_wsgi and you will not have this problem as it works by using an
actual file as entry point, where as mod_python tries to do it with
Location directives which doesn't circumvent normal URL matching rules
properly.
Graham
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac
Users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---
