On Feb 20, 2009, at 8:38 PM, Graham Dumpleton wrote:
> > > > On Feb 21, 7:09 am, "Schindler, Nathan" > <[email protected]> wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> >> >>>> -----Original Message----- >>>> From: [email protected] >>> [mailto:[email protected]] >>>> On Behalf Of Nate >>>> Sent: Thursday, February 19, 2009 12:30 PM >>>> To: Trac Users >>>> Subject: [Trac] "client denied by server configuration" in Apache >>>> error log >> >>>> We have Apache (2.2.3 on RHEL5) slightly hardened - in httpd.conf, >>>> "Deny from all" is specified within <Directory >>> "/var/www/html">. This >>>> is overridden in the Apache config file for Trac with >>> "Allow from all" >>>> within <Location /projects>, where all of our Trac projects reside. >> >>>> When a user hits the site, a line similar to the following >>> is logged: >> >>>> [<date>] [error] [client <client IP>] client denied by server >>>> configuration: /var/www/html/<project>, referer: >>>> https://<server>/projects/<project>/ >> >>>> Nothing in the project config or Apache config point to >>> /var/www/html >>>> or have a path relative to the web root that doesn't include / >>>> projects/. The rendered page source also doesn't include >>> any apparent >>>> incorrect links. >> >>>> This seems related tohttp://lists.edgewall.com/archive/trac/2005- >>>> June/003277.html >> >>>> Anyone have any idea what's causing these log entries? >> >>>> Thanks in advance, >>>> Nate >> >>> -----Original Message----- >>> From: [email protected] >>> [mailto:[email protected]] On Behalf Of Noah Kantrowitz >>> Sent: Friday, February 20, 2009 11:41 AM >>> To: [email protected] >>> Subject: [Trac] Re: "client denied by server configuration" >>> in Apache error log >> >>> Apache still does a directory ACL check on $DOC_ROOT + >>> $REQ_PATH as if the request was going to go the filesystem, >>> even if it ends up being captured later on by another >>> handler. Just point docroot at an empty folder somewhere (not >>> the trac env!) and then make a Directory block that grants >>> Allow to all. >> >>> --Noah >> >> Thanks, but I'm still a little unclear. If that's the case, why >> don't I see similar log entries from requests to Subversion? It's >> configured essentially the same way as Trac, with <Location> >> directives pointing to /repos/<repo name> (relative to the Apache >> docroot). >> Since Apache errors aren't logged when hitting Subversion with the >> same <Location> "Allow" restrictions in place as Trac, I suspected >> Trac javascripts or possibly mod_python. > > It is the way that mod_python is inserted into Apache processing. Use > mod_wsgi and you will not have this problem as it works by using an > actual file as entry point, where as mod_python tries to do it with > Location directives which doesn't circumvent normal URL matching rules > properly. Ditto on DAV SVN changing the path resolution and thus that ACL check. --Noah --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Trac Users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/trac-users?hl=en -~----------~----~----~----~------~----~------~--~---
