Apache 403 Forbidden Error

I am using an Ubuntu server to deploy a Django app.

The exact error that I got is:

Forbidden
You don't have permission to access this resource.

In /etc/apache2/sites-enabled/portfolio.conf, I copied 000-default.conf and added the following lines:

    Alias /static /home/kailicen/portfolio/static

    <Directory /home/kailicen/portfolio/static>
            Require all granted
    </Directory>

    <Directory /home/kailicen/portfolio/portfolio>
            <Files wsgi.py>
                    Require all granted
            </Files>
    </Directory>

    WSGIScriptAlias / /home/kailicen/portfolio/portfolio/wsgi.py
    WSGIDaemonProcess django_app python-path=/home/kailicen/portfolio python-home=/home/kailicen/portfolio/venv
    WSGIProcessGroup django_app

I also set the permissions on my project directory:

    drwxrwxr-x 7 kailicen www-data 4096 Aug 10 06:48 portfolio

I don't know what is going wrong. I hope you can help me out. Thanks in advance.

3 Replies

    <Directory /home/kailicen/portfolio/

Apache on Ubuntu runs under www-data, which wouldn’t typically have access to your user’s home directory.

Apache files usually live under /var/www (on my servers, it’s /srv/www) both of which are not under another user’s home folder, and can be set to be “owned by” www-data.

    WSGIDaemonProcess django_app python-path=/home/portfolio/portfolio

I think you’ve missed out “kailicen” from this path - /home/kailicen/portfolio/portfolio

@andysh

Thanks for spotting the mistake! I fixed that to '/home/kailicen/portfolio/portfolio', but I still get the same error :/

For www-data, I did change the owner to it:

    sudo chown :www-data portfolio/

Btw, I am following coreyms's Django deployment tutorial.

@andysh writes:

Apache files usually live under /var/www (on my servers, it’s /srv/www) both of which are not under another user’s home folder, and can be set to be “owned by” www-data.

Files served by Apache can live anywhere as long as Apache is configured correctly to serve them. Those files do not have to be "owned-by" Apache (www-data) but typically must be world-readable (-r--r--r--). If the files are owned by Apache, they must be at least user-readable (-r--------).

If Apache writes to files/directories, they must be owned in part by Apache…at least by group www-data and at least group-writable. Typically, I set up these files/directories with ownership stevewi:www-data and permissions of -rw-rw-r-- for files and -rwxrwxr-x for directories.

That being said, I think @kailicen has a permissions problem. I don't know anything about Django or Python but this config:

    WSGIDaemonProcess django_app python-path=/home/kailicen/portfolio python-home=/home/kailicen/portfolio/venv
    WSGIProcessGroup django_app

looks to me like the Django app is running as a different process (doh!) as a different user/group. There must be a socket allowing Apache to communicate with it. Make sure the ownership/permissions of the socket file (typically in /var/run) are correct. The socket must be readable/writable by www-data. Adjust accordingly if not.

Note to the OP… Local-domain sockets (née Unix-domain sockets), by definition, are local-only. Info read/written using them does not cross system boundaries. There is no security issue with using them and being lax about permissions (unless some bad actor has invaded from the outside world and hijacks them for its own nefarious purposes…in which case you have much bigger problems than the lax permissions on a local-domain socket).

-- sw
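
Apache's worker user (www-data on Ubuntu) needs search (x) permission on every directory from / down to the file it serves, so a parent such as the home directory can cause a 403 even when the project directory itself is group-accessible. The script below is an added example, not code from this thread: it walks a path and reports the first component that denies a given user. It assumes plain owner/group/other mode bits (no ACLs, SELinux or AppArmor); the function names are made up for this illustration.

```python
#!/usr/bin/env python3
"""Added example: find the first path component that blocks a given user.

Assumes classic owner/group/other mode bits only (no ACLs, no SELinux or
AppArmor), a non-root target user, and that you can stat every component.
"""
import os
import pwd
import stat
import sys
from pathlib import Path

R, X = 4, 1  # read and execute (search) bits within one permission class


def allowed(st, uid, gids, want):
    """Apply the kernel's rule: owner class, else group class, else other."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want


def first_blocker(target, uid, gids, root="/"):
    """Return (path, mode) of the first component from root down to target
    that denies uid, or None if the whole chain is usable."""
    target, root = Path(target).resolve(), Path(root).resolve()
    chain = [p for p in reversed(target.parents)
             if p == root or root in p.parents] + [target]
    for p in chain:
        st = p.stat()
        # Directories must be searchable (x); a regular file must be readable.
        want = X if stat.S_ISDIR(st.st_mode) else R
        if not allowed(st, uid, gids, want):
            return str(p), stat.filemode(st.st_mode)
    return None


if __name__ == "__main__":
    # Usage: check.py PATH [USER]; USER defaults to Ubuntu's www-data.
    user = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "www-data")
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    print(first_blocker(sys.argv[1], user.pw_uid, gids) or "no blocker found")
```

Run it against a file Apache should serve, for example a file under the `/static` alias target. If it reports a parent directory, granting only search permission on that directory is narrower than opening the whole tree.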
