This question about Installation of Foswiki, Configuration, Using an extension: Answered

YouDontHavePermissionToAccessOnThisServer

I'm using 1.1.9 Debian package installation under Linux Mint Debian (Betsy) Edition. It is pretty much like the real Debian package.

After some additional downloadings and a patching (that prevented configure to save modifications) I got configure script running/saving with no errors.

Simliked generated /etc/foswiki/apache.conf to /etc/apache2/conf-enabled, and restarted apache2 (2.4.10) server. rewrite.load module was also anabled to avoid apache from not restarting.

All relevant foswiki files are www-data user/group assigned,

Still "You don't have permission to access /foswiki/bin/view/Main/ on this server". displays upon trying to access foswiki.

Did not used apache config generator because it says not to use for debian package

Below is foswiki.conf I simlinked to /etc/apache2/conf-enalbed from /etc/foswiki/apache.conf

# Autogenerated httpd.conf file for Foswiki.
# Generated at http://foswiki.org/Support/ApacheConfigGenerator

# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important. It prevents Foswiki from
# including its own topics as URLs and also prevents other Foswikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a foswiki
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
# BrowserMatchNoCase ^$ blockAccess

#support the cgi-bin url's
RedirectMatch ^/cgi-bin/foswiki/(.*)$ /foswiki/bin/$1

RedirectMatch ^/foswiki/?$ /foswiki/bin/view$1
RedirectMatch ^/foswiki(/([A-Z].*)?)?$ /foswiki/bin/view$1

#see /etc/foswiki/ShorterUrl.conf to activate ShorterUrls

# The ScriptAlias defines the bin directory as a directory where CGI
# scripts are allowed.
# The first parameter will be part of the URL to your installation e.g.
# http://my.co.uk/foswiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /foswiki/bin "/var/lib/foswiki/bin"

# The Alias defines a url that points to the root of the foswiki installation.
# It is used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
Alias /foswiki/pub "/var/lib/foswiki/pub"

# Block access to typical spam related attachments
# Except the System directory which is read only and does have attached html files.
SetEnvIf Request_URI "foswiki/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
SetEnvIf Request_URI "foswiki/pub/System/.*\.[hH][tT][mM][lL]?$" !blockAccess

# This specifies the options on the Foswiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
<Directory "/var/lib/foswiki/bin">
    AllowOverride all
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    Options ExecCGI FollowSymLinks
    SetHandler cgi-script

    # Password file for Foswiki users
    AuthUserFile /var/lib/foswiki/data/.htpasswd
    AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    AuthType Basic

    # File to return on access control error (e.g. wrong password)
    ErrorDocument 401 /foswiki/bin/view/System/UserRegistration

# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
    SetHandler cgi-script
    Require user admin
</FilesMatch>

# When using Apache type login the following defines the Foswiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view are not authenticated.
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
#   require valid-user
#</FilesMatch>

</Directory>

# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are *not* protected by Foswiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/var/lib/foswiki/pub">
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    # This line will redefine the mime type for the most common types of scripts
    AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi

    #for TWikiCompatibility - or even to make 'attachment not found's more user friendly
    ErrorDocument 404 /foswiki/bin/viewfile

#
#add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
# reducing the load on the server significantly
#IF you can, you should enable this - it _will_ improve your foswiki experience, even if you set it to under one day.
# you may need to enable expires_module in your main apache config
#LoadModule expires_module libexec/httpd/mod_expires.so
#AddModule mod_expires.c
#<ifmodule mod_expires.c>
#  <filesmatch "\.(jpg|gif|png|css|js)$">
#       ExpiresActive on
#       ExpiresDefault "access plus 11 days"
#   </filesmatch>
#</ifmodule>
#

</Directory>

# Spammers are known to attach their stuff and then move it to trash where it remains unnoticed.
# We prevent viewing any attachments directly from pub
<Directory "/var/lib/foswiki/pub/Trash">
   deny from all
</Directory>

# Security note: All other directories should be set so
# that they are *not* visible as URLs, so we set them as =deny from all=.
<Directory "/var/lib/foswiki/data">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/templates">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/lib">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/locale">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/tools">
    deny from all
</Directory>

<Directory "/var/lib/foswiki/working">
    deny from all

-- AntonioVega - 20 May 2015

Which version of apache is installed on your Linux system? The configuration included with the debian packages have not been updated to support apache 2.4.

Could you confirm that you have mod_access_compat activated. That will improve backwards compatibility for the configuration

Unfortunately the developer who supported the debian packages is not currently participating, so the packages are becoming a bit stale.

Please attach a snippet of your apache logs showing the exact failure that occurs when accessing a bin script.

-- GeorgeClark - 21 May 2015

George: apache version is 2.14.10-10 , mod_access_compat is activated, config is running but I failed to follow "installation guide part 2" link, which would signify that foswiki is runing correctly. The following is a snippet of apache logs showing entries on that transition.

From access.log

127.0.0.1 - admin [21/May/2015:10:19:37 -0500] "GET /foswiki/bin/configure?action=resource;resource=favicon.ico HTTP/1.1" 200 1364 "-" "Mozilla/5.0 (X11; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0"

127.0.0.1 - - [21/May/2015:10:20:13 -0500] "GET /foswiki/bin/view/System/InstallationGuidePart2 HTTP/1.1" 403 547 "http://localhost/foswiki/bin/configure" "Mozilla/5.0 (X11; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0" 127.0.0.1 - - [21/May/2015:10:20:13 -0500] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0"

From errors.log

[Thu May 21 10:19:37.751322 2015] [cgi:error] [pid 6282:tid 2987391808] [client 127.0.0.1:49685] AH01215: Name "CGI::LIST_CONTEXT_WARN" used only once: possible typo at /var/lib/foswiki/bin/configure line 277.

[Thu May 21 10:20:13.155270 2015] [authz_core:error] [pid 6310:tid 3037723456] [client 127.0.0.1:49689] AH01630: client denied by server configuration: /var/lib/foswiki/bin/view, referer: http://localhost/foswiki/bin/configure

-- AntonioVega - 21 May 2015

This is apache config related. maybe mod_access_compat is not quite as compatible as would be hoped. You might try editing the apache configuration and using the Apache 2.4 style syntax. For example for the bin directory:

    <RequireAll>
        Require all granted
        Require not env blockAccess
    </RequireAll>

The issue with the ApacheConfigGenerator, is that it doesn't have all the correct paths for a debian install. But the access rules will be fine, so consider using the output of ApacheConfigGenerator for more guidance.

-- GeorgeClark - 21 May 2015

George: following your suggestion and despite the ApacheConfigGenerator topic does tell you NOT to use it for Debian package , the resulted foswiki.conf file worked for me.

-- AntonioVega - 21 May 2015
 

QuestionForm edit

Subject Installation of Foswiki, Configuration, Using an extension
Extension DebianPackage
Version Foswiki 1.1.9
Status Answered
Related Topics
Topic revision: r5 - 21 May 2015, AntonioVega
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy