Uploaded image for project: 'OpenAM Agents'
  1. OpenAM Agents
  2. AMAGENTS-382

Apache 's Error Document does not work on any directories except for document root

    XMLWordPrintable

    Details

      Description

      Setup Error document using

      ErrorDocument 403 /error/HTTP_FORBIDDEN.html
      

      or another directory eg

      ErrorDocument 403 /abc/HTTP_FORBIDDEN.html
      

      The following error will be encountered as agent tries to display the forbidden page in the XXXX directory

      You don't have permission to access /XXXX/ on this server.
      
      Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request. 
      

      This is what is showing in the strace

      Notice the handle_exit() is error

      15501 16:23:42 [00007fa9ee8d65c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13424, st_size=6866609, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:23:42, st_ctime=2017/03/23-16:23:42}) = 0 <0.000221>
      15501 16:23:42 [00007fa9eedc143d] write(17, "2017-03-23 16:23:42.146 +0800   DEBUG [0x7fa9f01a5740:15507][source/process.c:303] setup_request_data(): original request url: http://eave.internal.example.com:8000/cannotaccess.html", 182) = 182 <0.000223>
      15501 16:23:42 [00007fa9eedc143d] write(17, "\n", 1) = 1 <0.000237>
      15501 16:23:42 [00007fa9eedc1abd] fsync(17) = 0 <0.003287>
      15501 16:23:42 [00007fa9ee8d65c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13424, st_size=6866792, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:23:42, st_ctime=2017/03/23-16:23:42}) = 0 <0.000223>
      15501 16:23:42 [00007fa9eedc143d] write(17, "2017-03-23 16:23:42.146 +0800   DEBUG [0x7fa9f01a5740:15507][source/process.c:320] setup_request_data(): no token in query parameters", 133) = 133 <0.000232>
      15501 16:23:42 [00007fa9eedc143d] write(17, "\n", 1) = 1 <0.000232>
      15501 16:23:42 [00007fa9eedc1abd] fsync(17) = 0 <0.003300>
      15501 16:23:42 [00007fa9ee8d65c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13424, st_size=6866926, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:23:42, st_ctime=2017/03/23-16:23:42}) = 0 <0.000222>
      15501 16:23:42 [00007fa9eedc143d] write(17, "2017-03-23 16:23:42.146 +0800   ERROR [0x7fa9f01a5740:15507] setup_request_data(): path_info /HTTP_FORBIDDEN.html is not part of the normalized request url http://eave.internal.example.com:8000/cannotaccess.html", 211) = 211 <0.000246>     <============================
      15501 16:23:42 [00007fa9eedc143d] write(17, "\n", 1) = 1 <0.000238>
      15501 16:23:42 [00007fa9eedc1abd] fsync(17) = 0 <0.003245>
      15501 16:23:42 [00007fa9ee8d65c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13424, st_size=6867138, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:23:42, st_ctime=2017/03/23-16:23:42}) = 0 <0.000238>
      15501 16:23:42 [00007fa9eedc143d] write(17, "2017-03-23 16:23:42.146 +0800   DEBUG [0x7fa9f01a5740:15507][source/process.c:2130] handle_exit(): (entry status: error)", 120) = 120 <0.000238>
      15501 16:23:42 [00007fa9eedc143d] write(17, "\n", 1) = 1 <0.000245>
      15501 16:23:42 [00007fa9eedc1abd] fsync(17) = 0 <0.003311>
      15501 16:23:42 [00007fa9ee8d65c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13424, st_size=6867259, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:23:42, st_ctime=2017/03/23-16:23:42}) = 0 <0.000221>
      15501 16:23:42 [00007fa9eedc143d] write(17, "2017-03-23 16:23:42.146 +0800   ERROR [0x7fa9f01a5740:15507] handle_exit(): status: error", 89) = 89 <0.000219>
      15501 16:23:42 [00007fa9eedc143d] write(17, "\n", 1) = 1 <0.000221>
      15501 16:23:42 [00007fa9eedc1abd] fsync(17) = 0 <0.003305>
      15501 16:23:42 [00007fa9ee8d65c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13424, st_size=6867349, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:23:42, st_ctime=2017/03/23-16:23:42}) = 0 <0.000223>
      15501 16:23:42 [00007fa9eedc143d] write(17, "2017-03-23 16:23:42.146 +0800   DEBUG [0x7fa9f01a5740:15507][source/apache/agent22.c:898] amagent_auth_handler(): exit status: error (5)", 136) = 136 <0.000219>
      15501 16:23:42 [00007fa9eedc143d] write(17, "\n", 1) = 1 <0.000221>
      15501 16:23:42 [00007fa9eedc1abd] fsync(17) = 0 <0.003321>
      15501 16:23:42 [00007fa9eedc09b1] futex(0x7fa9ec6a3050, FUTEX_WAIT, 0, {0, 999999355} <unfinished ...>
      15502 16:23:43 [00007fa9ef20acd7] <... rt_sigtimedwait resumed> {si_signo=SIGRTMIN, si_code=SI_TIMER, si_pid=2, si_uid=0, si_value=15121520}, NULL, 8) = 32 <0.996643>
      15502 16:23:43 [00007fa9ee8e5701] clone( <unfinished ...>
      15761 16:23:43 [00007fa9eedbad64] set_robust_list(0x7fa9e14159e0, 24 <unfinished ...>
      15502 16:23:43 [00007fa9ee8e5701] <... clone resumed> child_stack=0x7fa9e1414fb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7fa9e14159d0, tls=0x7fa9e1415700, child_tidptr=0x7fa9e14159d0) = 15761 <0.001279>
      15761 16:23:43 [00007fa9eedbad64] <... set_robust_list resumed> ) = 0 <0.000818>
      15502 16:23:43 [00007fa9ef20acd7] rt_sigtimedwait([RTMIN],  <unfinished ...>
      15761 16:23:43 [00007fa9ef20adda] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 <0.000406>
      15761 16:23:43 [00007fa9ee8dfee7] madvise(0x7fa9e0c15000, 8368128, MADV_DONTNEED) = 0 <0.000412>
      15761 16:23:43 [00007fa9eedbae54] _exit(0) = ?
      15761 16:23:43 [????????????????] +++ exited with 0 +++
      

      In contrast to a working strace

      Notice the handle_exit() is "entry status: access denied"

      16144 16:29:11 [00007f31abe485c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13440, st_size=6877055, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:29:11, st_ctime=2017/03/23-16:29:11}) = 0 <0.000234>
      16144 16:29:11 [00007f31ac33343d] write(17, "2017-03-23 16:29:11.337 +0800   DEBUG [0x7f31ad717740:16149][source/process.c:1396] validate_policy(): cached entry: http://eave.internal.example.com:8000/cannotaccess.html, resource: http://eave.internal.example.com:8000/cannotaccess.html, status: exact match", 260) = 260 <0.000228>
      16144 16:29:11 [00007f31ac33343d] write(17, "\n", 1) = 1 <0.000228>
      16144 16:29:11 [00007f31ac333abd] fsync(17) = 0 <0.003337>
      16144 16:29:11 [00007f31abe485c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13448, st_size=6877316, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:29:11, st_ctime=2017/03/23-16:29:11}) = 0 <0.000231>
      16144 16:29:11 [00007f31ac33343d] write(17, "2017-03-23 16:29:11.337 +0800 WARNING [0x7f31ad717740:16149] validate_policy(): decision: deny, reason: no action decisions found", 129) = 129 <0.000230>
      16144 16:29:11 [00007f31ac33343d] write(17, "\n", 1) = 1 <0.000231>
      16144 16:29:11 [00007f31ac333abd] fsync(17) = 0 <0.003334>
      16144 16:29:11 [00007f31abe485c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13448, st_size=6877446, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:29:11, st_ctime=2017/03/23-16:29:11}) = 0 <0.000219>
      16144 16:29:11 [00007f31ac33343d] write(17, "2017-03-23 16:29:11.337 +0800   DEBUG [0x7f31ad717740:16149][source/process.c:1545] validate_policy(): method: GET, decision: deny, reason: empty or no matching policy found", 173) = 173 <0.000216>
      16144 16:29:11 [00007f31ac33343d] write(17, "\n", 1) = 1 <0.000223>
      16144 16:29:11 [00007f31ac333abd] fsync(17) = 0 <0.003088>
      16144 16:29:11 [00007f31abe485c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13448, st_size=6877620, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:29:11, st_ctime=2017/03/23-16:29:11}) = 0 <0.000259>
      16144 16:29:11 [00007f31ac33343d] write(17, "2017-03-23 16:29:11.337 +0800   DEBUG [0x7f31ad717740:16149][source/process.c:2130] handle_exit(): (entry status: access denied)", 128) = 128 <0.000263>     <=============================
      16144 16:29:11 [00007f31ac33343d] write(17, "\n", 1) = 1 <0.000261>
      16144 16:29:11 [00007f31ac333abd] fsync(17) = 0 <0.003479>
      16144 16:29:11 [00007f31abe485c4] fstat(17, {st_dev=makedev(8, 17), st_ino=15741232, st_mode=S_IFREG|0640, st_nlink=1, st_uid=1002, st_gid=1002, st_blksize=4096, st_blocks=13448, st_size=6877749, st_atime=2017/03/23-14:41:06, st_mtime=2017/03/23-16:29:11, st_ctime=2017/03/23-16:29:11}) = 0 <0.000258>
      16144 16:29:11 [00007f31ac33343d] write(17, "2017-03-23 16:29:11.337 +0800   DEBUG [0x7f31ad717740:16149][source/apache/agent22.c:898] amagent_auth_handler(): exit status: forbidden (3)", 140) = 140 <0.000300>
      16144 16:29:11 [00007f31ac33343d] write(17, "\n", 1) = 1 <0.000265>
      16144 16:29:11 [00007f31ac333abd] fsync(17) = 0 <0.003208>
      

      Workaround

      Move the 403 page into the root directory
      
      ErrorDocument 403 /HTTP_FORBIDDEN.html
      

        Attachments

          Issue Links

            Activity

              People

              mareks Mareks Malnacs
              sam.phua Sam Phua
              Votes:
              2 Vote for this issue
              Watchers:
              8 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: