
Question

Hi, I'm trying to install TWiki on Fedora 6. I followed the instructions one by one, but still have a problem opening Configure in the browser. I receive '403 Forbidden' all the time. Looks like an Apache error. Can someone help?

Thanks, Eran

Environment

TWiki version: TWikiRelease04x01x02
TWiki plugins: DefaultPlugin,
Server OS: Fedora 6
Web server: Apache
Perl version:  
Client OS:  
Web Browser: firefox
Categories: Htaccess, Permissions, Security

-- EranKaufman - 05 Jun 2007

Answer


Can you post

  • The exact error message - also from the Apache error log
  • The twiki part of the Apache configuration.

Did you follow the TWikiOnRedHat?

-- KennethLavrsen - 06 Jun 2007

Here's the Apache log:

[root@localhost httpd]# more access_log 
::1 - - [04/Jun/2007:00:21:41 +0300] "GET / HTTP/1.1" 403 3956 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/200610
11 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [04/Jun/2007:00:21:41 +0300] "GET /icons/powered_by_fedora.png HTTP/1.1" 200 3034 "http://localhost/" "Mozilla/5.0 (X11; U; 
Linux i686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [04/Jun/2007:00:21:41 +0300] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://localhost/" "Mozilla/5.0 (X11; U; Linux i
686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [04/Jun/2007:00:21:41 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
10.0.0.5 - - [04/Jun/2007:00:22:22 +0300] "GET / HTTP/1.1" 403 3956 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4)
 Gecko/20070515 Firefox/2.0.0.4"
10.0.0.5 - - [04/Jun/2007:00:22:22 +0300] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://10.0.0.2/" "Mozilla/5.0 (Windows; U;
 Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
10.0.0.5 - - [04/Jun/2007:00:22:22 +0300] "GET /icons/powered_by_fedora.png HTTP/1.1" 200 3034 "http://10.0.0.2/" "Mozilla/5.0 (Wind
ows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
10.0.0.5 - - [04/Jun/2007:00:22:22 +0300] "GET /favicon.ico HTTP/1.1" 404 282 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; r
v:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
::1 - - [04/Jun/2007:00:24:19 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
10.0.0.5 - - [04/Jun/2007:00:36:56 +0300] "GET / HTTP/1.1" 403 3956 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4)
 Gecko/20070515 Firefox/2.0.0.4"
10.0.0.5 - - [04/Jun/2007:00:36:56 +0300] "GET /icons/apache_pb2.gif HTTP/1.1" 304 - "http://10.0.0.2/" "Mozilla/5.0 (Windows; U; Wi
ndows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
10.0.0.5 - - [04/Jun/2007:00:36:56 +0300] "GET /icons/powered_by_fedora.png HTTP/1.1" 304 - "http://10.0.0.2/" "Mozilla/5.0 (Windows
; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
::1 - - [05/Jun/2007:14:40:53 +0300] "GET / HTTP/1.1" 403 3956 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/200610
11 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:14:41:01 +0300] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://localhost/" "Mozilla/5.0 (X11; U; Linux i
686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:14:41:02 +0300] "GET /icons/powered_by_fedora.png HTTP/1.1" 200 3034 "http://localhost/" "Mozilla/5.0 (X11; U; 
Linux i686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:14:41:03 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
10.135.10.89 - - [05/Jun/2007:14:42:01 +0300] "GET / HTTP/1.1" 403 3956 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET
 CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)"
10.135.10.89 - - [05/Jun/2007:14:42:02 +0300] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://10.135.10.75/" "Mozilla/4.0 (com
patible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)"
10.135.10.89 - - [05/Jun/2007:14:42:02 +0300] "GET /icons/powered_by_fedora.png HTTP/1.1" 200 3034 "http://10.135.10.75/" "Mozilla/4
.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)"
::1 - - [05/Jun/2007:15:31:05 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:15:32:17 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:16:04:12 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:16:12:05 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:16:14:28 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:16:15:30 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:16:16:44 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:16:20:03 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:17:07:56 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:17:12:06 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:17:41:06 +0300] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Ge
cko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:17:41:09 +0300] "GET /icons/powered_by_fedora.png HTTP/1.1" 304 - "http://localhost/" "Mozilla/5.0 (X11; U; Lin
ux i686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:17:41:09 +0300] "GET / HTTP/1.1" 403 3956 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/200610
11 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:17:41:12 +0300] "GET /icons/apache_pb2.gif HTTP/1.1" 304 - "http://localhost/" "Mozilla/5.0 (X11; U; Linux i686
; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:17:41:23 +0300] "GET /twiki/bin/configure HTTP/1.1" 403 295 "http://twiki.org/cgi-bin/view/Codev/TWikiOnRedHat"
 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:17:58:36 +0300] "GET /twiki/bin/configure HTTP/1.1" 403 295 "http://twiki.org/cgi-bin/view/Codev/TWikiOnRedHat"
 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:18:10:53 +0300] "GET /icons/apache_pb2.gif HTTP/1.1" 304 - "http://localhost/" "Mozilla/5.0 (X11; U; Linux i686
; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:18:10:52 +0300] "GET / HTTP/1.1" 403 3956 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/200610
11 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:18:10:55 +0300] "GET /icons/powered_by_fedora.png HTTP/1.1" 304 - "http://localhost/" "Mozilla/5.0 (X11; U; Lin
ux i686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:18:11:13 +0300] "GET /twiki/bin/configure HTTP/1.1" 403 295 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8
.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:18:11:45 +0300] "GET /twiki/bin/configure HTTP/1.1" 403 295 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8
.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:18:12:41 +0300] "GET /twiki/bin/configure HTTP/1.1" 403 295 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8
.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:18:15:44 +0300] "GET /twiki/bin/configure HTTP/1.1" 403 295 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8
.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"
::1 - - [05/Jun/2007:18:41:03 +0300] "GET /twiki/bin/configure HTTP/1.1" 403 295 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8
.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7"

Here's the TWiki Apache configuration:
[root@localhost conf.d]# cat twiki.conf 
# Autogenerated httpd.conf file for TWiki.
# Generated at http://twiki.org/cgi-bin/view/TWiki/ApacheConfigGenerator

# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important. It prevents TWiki from
# including its own topics as URLs and also prevents other TWikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a twiki
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
# BrowserMatchNoCase ^$ blockAccess

BrowserMatchNoCase ^Accoona blockAccess
BrowserMatchNoCase ^ActiveAgent blockAccess
BrowserMatchNoCase ^Attache blockAccess
BrowserMatchNoCase BecomeBot blockAccess
BrowserMatchNoCase ^bot blockAccess
BrowserMatchNoCase Charlotte/ blockAccess
BrowserMatchNoCase ^ConveraCrawler blockAccess
BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
BrowserMatchNoCase ^EmailCollector blockAccess
BrowserMatchNoCase ^EmailSiphon blockAccess
BrowserMatchNoCase ^e-SocietyRobot blockAccess
BrowserMatchNoCase ^Exabot blockAccess
BrowserMatchNoCase ^FAST blockAccess
BrowserMatchNoCase ^FDM blockAccess
BrowserMatchNoCase ^GetRight/6.0a blockAccess
BrowserMatchNoCase ^GetWebPics blockAccess
BrowserMatchNoCase ^Gigabot blockAccess
BrowserMatchNoCase ^gonzo1 blockAccess
BrowserMatchNoCase ^Google\sSpider blockAccess
BrowserMatchNoCase ^ichiro blockAccess
BrowserMatchNoCase ^ie_crawler blockAccess
BrowserMatchNoCase ^iGetter blockAccess
BrowserMatchNoCase ^IRLbot blockAccess
BrowserMatchNoCase Jakarta blockAccess
BrowserMatchNoCase ^Java blockAccess
BrowserMatchNoCase ^KrakSpider blockAccess
BrowserMatchNoCase ^larbin blockAccess
BrowserMatchNoCase ^LeechGet blockAccess
BrowserMatchNoCase ^LinkWalker blockAccess
BrowserMatchNoCase ^Lsearch blockAccess
BrowserMatchNoCase ^Microsoft blockAccess
BrowserMatchNoCase ^MJ12bot blockAccess
BrowserMatchNoCase MSIECrawler blockAccess
BrowserMatchNoCase ^MSRBOT blockAccess
BrowserMatchNoCase ^noxtrumbot blockAccess
BrowserMatchNoCase ^NutchCVS blockAccess
BrowserMatchNoCase ^RealDownload blockAccess
BrowserMatchNoCase ^Rome blockAccess
BrowserMatchNoCase ^Roverbot blockAccess
BrowserMatchNoCase ^schibstedsokbot blockAccess
BrowserMatchNoCase ^Seekbot blockAccess
BrowserMatchNoCase ^SiteSnagger blockAccess
BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^Snapbot blockAccess
BrowserMatchNoCase ^sogou blockAccess
BrowserMatchNoCase ^SpiderKU blockAccess
BrowserMatchNoCase ^SpiderMan blockAccess
BrowserMatchNoCase ^Squid blockAccess
BrowserMatchNoCase ^Teleport blockAccess
BrowserMatchNoCase ^User-Agent\: blockAccess
BrowserMatchNoCase VoilaBot blockAccess
BrowserMatchNoCase ^voyager blockAccess
BrowserMatchNoCase ^W3C blockAccess
BrowserMatchNoCase ^w3search blockAccess
BrowserMatchNoCase ^Web\sDownloader blockAccess
BrowserMatchNoCase ^WebCopier blockAccess
BrowserMatchNoCase ^WebDevil blockAccess
BrowserMatchNoCase ^WebSec blockAccess
BrowserMatchNoCase ^WebVac blockAccess
BrowserMatchNoCase ^Webwhacker blockAccess
BrowserMatchNoCase ^Webzip blockAccess
BrowserMatchNoCase ^Wells blockAccess
BrowserMatchNoCase ^WhoWhere blockAccess
BrowserMatchNoCase www\.netforex\.org blockAccess
BrowserMatchNoCase ^WX_mail blockAccess
BrowserMatchNoCase ^yacybot blockAccess
BrowserMatchNoCase ^ZIBB blockAccess
BrowserMatchNoCase ^$ blockAccess


# The ScriptAlias defines the bin directory as a directory where CGI
# scripts are allowed.
# The first parameter will be part of the URL to your installation e.g.
# http://my.co.uk/twiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /twiki/bin "/var/www/twiki/bin"

# The Alias defines a url that points to the root of the twiki installation.
# It is used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
Alias /twiki "/var/www/twiki"

# This specifies the options on the TWiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
<Directory "/var/www/twiki/bin">
    AllowOverride All
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    Options ExecCGI FollowSymLinks
    SetHandler cgi-script

    # Password file for TWiki users
    AuthUserFile /var/www/twiki/data/.htpasswd
    AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    AuthType Basic
    
    # File to return on access control error (e.g. wrong password)
    # By convention this is the TWikiRegistration page, that allows users
    # to register with the TWiki. Apache requires this to be a *local* path.
    ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration

# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
    SetHandler cgi-script
    Order Deny,Allow
    Deny from all

    Require user EranKaufman

</FilesMatch>

</Directory>

# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are *not* protected by TWiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/var/www/twiki/pub">
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    # Disable execusion of PHP scripts
    php_admin_flag engine off

    # This line will redefine the mime type for the most common types of scripts
    # It will also deliver HTML files as if they are text files
    AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Directory>

# Security note: All other directories should be set so
# that they are *not* visible as URLs, so we set them as =deny from all=.
<Directory "/var/www/twiki/data">
    deny from all
</Directory>

<Directory "/var/www/twiki/templates">
    deny from all
</Directory>

<Directory "/var/www/twiki/lib">
    deny from all
</Directory>

<Directory "/var/www/twiki/locale">
    deny from all
</Directory>

<Directory "/var/www/twiki/tools">
    deny from all
</Directory>


[root@localhost conf.d]# 
-- EranKaufman - 06 Jun 2007

Sorry for the output... I didn't manage to put it in a nicer way....

-- EranKaufman - 07 Jun 2007

Using RequireUser that way doesn't work unless you have some other Apache modules installed (I forget which).

I usually restrict configure so it's only accessible from a specific IP address (mine).

-- CrawfordCurrie - 09 Jun 2007
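
An added example (not part of CrawfordCurrie's post or of the generated twiki.conf) of the IP-based restriction on configure described above, written in the Apache 2.2 access-control syntax the posted file already uses. The allowed addresses are assumptions; substitute the administrator's own.

```apache
# Goes inside <Directory "/var/www/twiki/bin">, in place of the posted
# <FilesMatch "^(configure)$"> block.
#
# As posted, that block has "Deny from all" with no "Allow from" line.
# Apache's default is "Satisfy All": the host check AND the Require check
# must both pass, so every request for configure is answered with 403.

<FilesMatch "^(configure)$">
    SetHandler cgi-script

    # Deny,Allow: Deny rules are evaluated first, then Allow rules
    # override them for matching clients. Everyone else stays blocked.
    Order Deny,Allow
    Deny from all

    # Assumed admin addresses: the server itself over IPv4 and IPv6.
    # Add the admin workstation's address here if configure is opened
    # from another machine.
    Allow from 127.0.0.1 ::1

    # Optional alternative to widening the address list: also admit one
    # authenticated user from any address. "Satisfy Any" makes the host
    # check OR the Require check sufficient. This needs the basic-auth
    # modules loaded (on Apache 2.2: mod_auth_basic, mod_authn_file,
    # mod_authz_user) and an entry for the user in the AuthUserFile
    # set in the enclosing <Directory> block.
    # Require user EranKaufman
    # Satisfy Any
</FilesMatch>
```

After editing, `apachectl configtest` checks the syntax before the server is reloaded.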

Topic revision: r5 - 2007-06-09 - CrawfordCurrie
 