Question

TWiki is running fine but my Apache error log is getting bigger and bigger. There are lots of entries like '[Sun Oct 10 14:14:32 2004] [error] [client 10.0.16.250] client denied by server configuration: /my/path/to/twiki/MYWEB'. The DocumentRoot is /my/path/to/twiki/.

Clients are not authorized to view the DocumentRoot. Instead they are redirected to /my/path/to/twiki/bin/view. But why does TWiki generate links like the one above, which do not exist (/my/path/to/twiki/pub/MYWEB and /my/path/to/twiki/data/MYWEB exist)? The testenv script does not report any error.

$pubDir  = "/my/path/to/twiki/pub";
$dataDir = "/my/path/to/twiki/data";

Thanks for your help.

Environment

TWiki version: TWikiRelease01Sep2004
TWiki plugins:  
Server OS: Linux
Web server: Apache/2.0.50
Perl version:  
Client OS:  
Web Browser:  

-- MatthiasKay - 11 Oct 2004

I'm seeing this too, with TWikiRelease02Sep2004 (which is all but identical), and it's driving me insane.

-- AdamSpiers - 22 Apr 2005

Answer

Why do you deny access to the document root? If it's just to autoload twiki instead of the default installation page, use the redirect mechanism in RedirectIndexToTWiki.

-- MattWilkie - 14 Oct 2004

I deny access because a) it's a potential security risk not to, and b) there's nothing immediately under the DocumentRoot which the client needs - it only needs stuff under bin/ and pub/. Furthermore, I already have a redirect mechanism set up like the one you refer to. Please realise that I am seeing these errors even though they don't correspond to any HTTP request made. In other words, a request to http://mytwiki/bin/view/Main/WebHome is causing a spurious Client denied by server configuration error for /my/document/root/Main, which is a non-existent and nonsensical path, even though there was a valid HTTP response returning the rendered WebHome topic correctly.

I can be sure that there is no corresponding request to http://mytwiki/Main because:

  • there is no corresponding entry in the access.log
  • a tcpdump of network traffic shows no such HTTP request

Therefore there is something causing these spurious errors internally within the web server, and I'm fairly sure it's in the TWiki code. I've already ruled out mod_perl.

[later ...] I'm making progress with my investigations. I'm pretty sure it's related to the unconventional way in which TWiki shuns the conventional way of delimiting the beginning of the QUERYSTRING segment of the URL with a question mark, instead starting it with a forward slash. I suspect that this interacts badly with the locking down of the filesystem path DocumentRoot points to, for some reason.

[even later ...] Ahah! It's an Apache "feature" related to TWiki's use of PATH_INFO in TwikiUrls: http://archive.apache.org/gnats/2260. Hrm, how very annoying.

-- AdamSpiers - 22 Apr 2005
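
The cross-check described in the answer above (an error-log entry with no matching access.log request), as an added example that is not part of the original thread: it labels each "client denied" entry by whether the same client requested that URL directly or requested a /bin/ script whose PATH_INFO maps onto the denied path. The log lines are constructed, and the DocumentRoot value, the two-second window and the log formats are assumptions.

```python
import re
from datetime import datetime, timedelta

DOCROOT = "/my/document/root"  # assumption: DocumentRoot as written in the post
ERR_RE = re.compile(r"^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] client denied by "
                    r"server configuration: " + re.escape(DOCROOT) + r"(/\S+)")
ACC_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
SCRIPT_RE = re.compile(r"^/bin/[^/]+(/.*)?$")  # /bin/<script><PATH_INFO>

# Constructed sample logs (not taken from the thread).
ERROR_LOG = """\
[Fri Apr 22 10:15:02 2005] [error] [client 10.0.16.250] client denied by server configuration: /my/document/root/Main
[Fri Apr 22 10:16:40 2005] [error] [client 10.0.16.251] client denied by server configuration: /my/document/root/data
[Fri Apr 22 10:20:00 2005] [error] [client 10.0.16.252] client denied by server configuration: /my/document/root/lib
"""
ACCESS_LOG = """\
10.0.16.250 - - [22/Apr/2005:10:15:02 +0100] "GET /bin/view/Main/WebHome HTTP/1.1" 200 5120
10.0.16.251 - - [22/Apr/2005:10:16:40 +0100] "GET /data/ HTTP/1.1" 403 210
"""

def parse_access(text):
    reqs = []
    for m in filter(None, map(ACC_RE.match, text.splitlines())):
        # Drop the UTC offset: the error log records local wall-clock time only.
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        reqs.append((m.group(1), ts.replace(tzinfo=None), m.group(3).split("?")[0]))
    return reqs

def classify(error_text, access_text, window=timedelta(seconds=2)):
    """Explain each 'client denied' entry from the same client's requests."""
    reqs, out = parse_access(access_text), []
    for m in filter(None, map(ERR_RE.match, error_text.splitlines())):
        stamp, who, rel = m.groups()  # rel: denied path relative to DOCROOT
        ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        verdict = "unexplained"
        for client, when, path in reqs:
            if client != who or abs(when - ts) > window:
                continue
            if path.rstrip("/") == rel:  # the client really asked for this URL
                verdict = "direct request"
                break
            s = SCRIPT_RE.match(path)
            info = (s.group(1) or "") if s else ""
            if info == rel or info.startswith(rel + "/"):
                verdict = "PATH_INFO of " + path
        out.append((rel, verdict))
    return out

if __name__ == "__main__":
    print(*classify(ERROR_LOG, ACCESS_LOG), sep="\n")
```

Entries labelled "PATH_INFO of ..." are the spurious kind described in this thread; "direct request" and "unexplained" entries are the ones worth a closer look.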

Topic revision: r5 - 2005-04-22 - AdamSpiers
Copyright © 1999-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.