Apache 403 Forbidden after hardening - moving out of /var/www

I wanted to harden my Raspberry and therefore I copied my /var/www/nextcloud folder to /opt.
So for this case I have 2 folders and I want to test my Apache 2.4 config with the new directory.
Permissions for www-data are fine. It can edit and list all content inside:
drwxr-x--- 14 www-data www-data 4.0K Sep 29 15:33 nextcloud

I use this config:


Alias / "/opt/nextcloud/"

<IfModule mod_ssl.c>

    <VirtualHost *:80>
        RewriteEngine On
        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    </VirtualHost>

    <VirtualHost _default_:443>

     ServerAdmin admin@example.com
     ServerName ncloud.example.com
     DocumentRoot /opt/nextcloud/

     <Directory /opt/nextcloud/>
       Require all granted
#       Options +FollowSymlinks
       AllowOverride All
       Options FollowSymlinks MultiViews
#       Require all denied
#       Order allow,deny
#       allow from all
     <IfModule mod_dav.c>
        Dav off
      </IfModule>

       SetEnv HOME /opt/nextcloud
       SetEnv HTTP_HOME /opt/nextcloud
     </Directory>
     <IfModule http2_module>
       ProtocolsHonorOrder On
       Protocols h2 h2c http/1.1
       H2Direct on
     </IfModule>
 
     <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; preload"
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options nosniff
        Header set X-Robots-Tag none
        Header set X-Frame-Options SAMEORIGIN
        Header set Referrer-Policy no-referrer
     </IfModule>

     SSLEngine on
     SSLCertificateFile /etc/ssl/certs/ncloud.crt
     SSLCertificateKeyFile /etc/ssl/private/ncloud.key

   </VirtualHost>
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

</IfModule>

When I change the Alias / to Alias / /var/www/nextcloud/ it works fine, but then it uses the old directory. Only when I try Alias / /opt/nextcloud/ I get 403…
As you can see, I commented out some of the Directory options… I tried several but none of them works. I don’t have SELinux so this is not an issue.

Hi @g4njawizard

Did it actually copy all the files and subfolders including the . files?

If not, try using…

cp -r /var/www/nextcloud/. /opt/nextcloud

or

rsync -av /var/www/nextcloud/ /opt/nextcloud

Hi, yes I did that. cp on a directory does not work without -r, so yes, cp -r was done. Permissions and owner are the same as before.
To make sure www-data was working properly I also reran:
chown -R www-data:www-data /opt/nextcloud

/etc/apache2# sudo -u www-data ls -lisa /opt/nextcloud/
total 168
267424  4 drwxr-x--- 14 www-data www-data  4096 Sep 29 15:33 .
 32002  4 drwxr-xr-x  6 root     root      4096 Sep 29 15:30 ..
274143  4 drwxr-xr-x 43 www-data www-data  4096 Sep 29 15:30 3rdparty
275407  4 drwxr-x--- 83 www-data www-data  4096 Sep 29 15:33 apps
267442 20 -rw-r--r--  1 www-data www-data 19327 Sep 29 15:30 AUTHORS
658056  4 drwxr-x---  2 www-data www-data  4096 Sep 29 15:33 config
274128  4 -rw-r--r--  1 www-data www-data  3924 Sep 29 15:30 console.php
275380 36 -rw-r--r--  1 www-data www-data 34520 Sep 29 15:30 COPYING
267443  4 drwxr-xr-x 22 www-data www-data  4096 Sep 29 15:30 core
274129  8 -rw-r--r--  1 www-data www-data  5163 Sep 29 15:30 cron.php
658062  4 drwxr-x---  4 www-data www-data  4096 Sep 29 15:33 data
275382  4 -rw-r--r--  1 www-data www-data  3868 Sep 29 19:39 .htaccess
267425  4 -rw-r--r--  1 www-data www-data   156 Sep 29 15:30 index.html
275383  4 -rw-r--r--  1 www-data www-data  3454 Sep 29 15:30 index.php
384937  4 drwxr-xr-x  6 www-data www-data  4096 Sep 29 15:30 lib
267438  4 -rw-r--r--  1 www-data www-data   283 Sep 29 15:30 occ
393361  4 drwxr-xr-x  2 www-data www-data  4096 Sep 29 15:30 ocm-provider
267426  4 drwxr-xr-x  2 www-data www-data  4096 Sep 29 15:30 ocs
267439  4 drwxr-xr-x  2 www-data www-data  4096 Sep 29 15:30 ocs-provider
279868  4 -rw-r--r--  1 www-data www-data  3139 Sep 29 15:33 public.php
275387  8 -rw-r--r--  1 www-data www-data  5340 Sep 29 15:30 remote.php
274130  4 drwxr-xr-x  4 www-data www-data  4096 Sep 29 15:30 resources
267441  4 -rw-r--r--  1 www-data www-data    26 Sep 29 15:30 robots.txt
275406  4 -rw-r--r--  1 www-data www-data  2452 Sep 29 15:30 status.php
275388  4 drwxr-x---  3 www-data www-data  4096 Sep 29 15:30 themes
275384  4 drwxr-x---  2 www-data www-data  4096 Sep 29 15:30 updater
275379  4 -rw-r--r--  1 www-data www-data   101 Sep 29 15:30 .user.ini
275381  4 -rw-r--r--  1 www-data www-data   402 Sep 29 15:30 version.php

Hmm, I’m not sure what else could cause the issue. But I have to say that I’m not very familiar with nginx… But maybe you could still try the rsync command with the -a option, just to make sure that there is no issue with permissions.

The -a stands for archive mode. It copies files recursively and keeps the timestamps, user/group ownership, file permissions and symbolic links.
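
Added example, not part of the thread: one way to confirm that a copy really is 1:1, covering both the dotfile question and the archive-mode behaviour described above. It uses `cp -a` in place of `rsync -a` so that it needs only GNU coreutils and findutils; the sample tree and the names `tree_meta`, `tree_meta_diff` and `make_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Needs GNU find (-printf), cp and diff.

# List "path type mode owner:group" for everything below directory $1.
tree_meta() {
    (cd "$1" && find . -mindepth 1 -printf '%P %y %m %u:%g\n' | LC_ALL=C sort)
}

# Print metadata differences between two trees; return 0 only if there are none.
tree_meta_diff() {
    a=$(mktemp); b=$(mktemp)
    tree_meta "$1" >"$a"; tree_meta "$2" >"$b"
    diff "$a" "$b" && rc=0 || rc=1
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample tree: a dotfile plus a directory and file with tight modes.
make_sample() {
    mkdir -p "$1/config"
    echo 'placeholder' >"$1/.htaccess"
    echo 'placeholder' >"$1/config/config.php"
    chmod 770 "$1/config"; chmod 660 "$1/config/config.php"
}

work=$(mktemp -d)
make_sample "$work/src"
mkdir "$work/glob" "$work/archive"

# Copy 1: the shell glob skips dotfiles, and plain -r lets the umask alter modes.
(umask 077; cd "$work/src" && cp -r * "$work/glob")
# Copy 2: "src/." includes dotfiles, and -a preserves mode, owner and timestamps.
cp -a "$work/src/." "$work/archive"

echo "--- glob copy vs source:"
tree_meta_diff "$work/src" "$work/glob" || echo "(differences found)"
echo "--- archive copy vs source:"
tree_meta_diff "$work/src" "$work/archive" && echo "(identical)"
```

Run as root against the real trees, `tree_meta_diff /var/www/nextcloud /opt/nextcloud` prints nothing when names, types, modes and owners all match.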

It’s Apache, not nginx :smiley:

You got me. If only I had looked again before I answered :smiley:

Still, I can’t think of anything else. If everything was copied 1:1 and the path was adjusted everywhere, it should work imho

I tested it on my test instance with rsync -av and it worked right away. The only relevant difference in your config compared to mine is the Alias directive at the beginning, which I don’t have.