AH01630:客户端被服务器配置拒绝,从一个虚拟主机重定向到另一个
AH01630: client denied by server configuration, redirected from one virtualhost to another
总结
我已经通读了一大堆 Google 结果和 Whosebug 问题,但还是想不通。核心问题似乎是:
- 基本设置是
Apache/2.4.10、libapache2-mod-wsgi-py3 4.3.0-1 和烧瓶 1.0.2
- 在我使用 certbot
设置 HTTPS 之前,它工作正常
- 使用虚拟主机在单独的
.conf 文件中设置了两个子域。除了目录和项目 names/URLs 之外,.conf 文件是相同的
- Apache 日志表明请求以某种方式从
project_2 URL 重定向到 project_1 WSGI 脚本,我不明白为什么
- 如果有人能给我指出正确的方向,我将永远感激
Apache 日志:
[ssl:debug] ssl_engine_kernel.c(243): AH02034: Initial (No.1) HTTPS request received for child 67 (server project_2.domain.com:443)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all denied: denied
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: denied
[authz_core:error] AH01630: client denied by server configuration: /home/username/projects/project_1/app/run_site.wsgi
[ssl:debug] ssl_engine_kernel.c(243): AH02034: Subsequent (No.2) HTTPS request received for child 68 (server project_2.domain.com:443), ref$
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all denied: denied, referer: https://www.project_2.domain.com/
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: denied, referer: https://www.project_2.domain.com/
authz_core:error] AH01630: client denied by server configuration: /home/username/projects/project_1/app/run_site.wsgi, referer: https://www.project_2.domain.com/
Apache .conf 文件
/etc/apache2/sites-available/project_2.conf
WSGIDaemonProcess project_2 user=username group=username threads=5
WSGIScriptAlias / "/home/username/projects/project_2/run_site.wsgi"
<VirtualHost *:80>
ServerName project_2.domain.com
ServerAlias www.project_2.domain.com
<Directory "/home/username/projects/project_2/">
WSGIProcessGroup project_2
WSGIApplicationGroup %{GLOBAL}
WSGIScriptReloading On
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/notifier_error.log
CustomLog ${APACHE_LOG_DIR}/notifier_access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.project_2.domain.com [OR]
RewriteCond %{SERVER_NAME} =project_2.domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
/etc/apache2/sites-available/project_2-乐-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName project_2.domain.com
ServerAlias www.project_2.domain.com
<Directory "/home/username/projects/project_2/">
WSGIProcessGroup project_2
WSGIApplicationGroup %{GLOBAL}
WSGIScriptReloading On
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/project_2_error.log
CustomLog ${APACHE_LOG_DIR}/project_2_access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.project_2.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.project_2.domain.com/privkey.pem
</VirtualHost>
</IfModule>
sudo apachectl -S:
VirtualHost configuration:
*:443 is a NameVirtualHost
default server project_1.domain.com (/etc/apache2/sites-enabled/project_1-le-ssl.conf:2)
port 443 namevhost project_1.domain.com (/etc/apache2/sites-enabled/project_1-le-ssl.conf:2)
alias www.project_1.domain.com
port 443 namevhost project_2.domain.com (/etc/apache2/sites-enabled/project_2-le-ssl.conf:2)
alias www.project_2.domain.com
*:80 is a NameVirtualHost
default server project_1.domain.com (/etc/apache2/sites-enabled/project_1.conf:4)
port 80 namevhost project_1.domain.com (/etc/apache2/sites-enabled/project_1.conf:4)
alias www.project_1.domain.com
port 80 namevhost project_2.domain.com (/etc/apache2/sites-enabled/project_2.conf:4)
alias www.project_2.domain.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
好的,我发现了我的错误。当我设置 certbot 时,我将这两行都移到了虚拟主机之外:
WSGIDaemonProcess project_2 user=username group=username threads=5
WSGIScriptAlias / "/home/username/projects/project_2/run_site.wsgi"
这导致我的两个 .conf 文件中有两行 WSGIScriptAlias 行,其中一行覆盖了另一行。解决此问题的方法是在脚本 project_1.conf 和 project_2.conf 中将 WSGIScriptAlias 引入虚拟主机,并手动将其添加回 project_1-le-ssl.conf 和 project_2-le-ssl.conf
生成 .conf 示例:
WSGIDaemonProcess project_2 user=username group=username threads=5
<VirtualHost *:80>
ServerName project_2.domain.com
ServerAlias www.project_2.domain.com
WSGIScriptAlias / "/home/username/projects/project_2/run_site.wsgi"
<Directory "/home/username/projects/project_2/">
WSGIProcessGroup project_2
WSGIApplicationGroup %{GLOBAL}
WSGIScriptReloading On
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/notifier_error.log
CustomLog ${APACHE_LOG_DIR}/notifier_access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.project_2.domain.com [OR]
RewriteCond %{SERVER_NAME} =project_2.domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
总结
我已经通读了一大堆 Google 结果和 Whosebug 问题,但还是想不通。核心问题似乎是:
- 基本设置是
Apache/2.4.10、libapache2-mod-wsgi-py3 4.3.0-1和烧瓶1.0.2 - 在我使用 certbot 设置 HTTPS 之前,它工作正常
- 使用虚拟主机在单独的
.conf文件中设置了两个子域。除了目录和项目 names/URLs 之外,.conf 文件是相同的
- Apache 日志表明请求以某种方式从
project_2URL 重定向到project_1WSGI 脚本,我不明白为什么 - 如果有人能给我指出正确的方向,我将永远感激
Apache 日志:
[ssl:debug] ssl_engine_kernel.c(243): AH02034: Initial (No.1) HTTPS request received for child 67 (server project_2.domain.com:443)
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all denied: denied
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: denied
[authz_core:error] AH01630: client denied by server configuration: /home/username/projects/project_1/app/run_site.wsgi
[ssl:debug] ssl_engine_kernel.c(243): AH02034: Subsequent (No.2) HTTPS request received for child 68 (server project_2.domain.com:443), ref$
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of Require all denied: denied, referer: https://www.project_2.domain.com/
[authz_core:debug] mod_authz_core.c(809): AH01626: authorization result of <RequireAny>: denied, referer: https://www.project_2.domain.com/
authz_core:error] AH01630: client denied by server configuration: /home/username/projects/project_1/app/run_site.wsgi, referer: https://www.project_2.domain.com/
Apache .conf 文件
/etc/apache2/sites-available/project_2.conf
WSGIDaemonProcess project_2 user=username group=username threads=5
WSGIScriptAlias / "/home/username/projects/project_2/run_site.wsgi"
<VirtualHost *:80>
ServerName project_2.domain.com
ServerAlias www.project_2.domain.com
<Directory "/home/username/projects/project_2/">
WSGIProcessGroup project_2
WSGIApplicationGroup %{GLOBAL}
WSGIScriptReloading On
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/notifier_error.log
CustomLog ${APACHE_LOG_DIR}/notifier_access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.project_2.domain.com [OR]
RewriteCond %{SERVER_NAME} =project_2.domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
/etc/apache2/sites-available/project_2-乐-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName project_2.domain.com
ServerAlias www.project_2.domain.com
<Directory "/home/username/projects/project_2/">
WSGIProcessGroup project_2
WSGIApplicationGroup %{GLOBAL}
WSGIScriptReloading On
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/project_2_error.log
CustomLog ${APACHE_LOG_DIR}/project_2_access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.project_2.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.project_2.domain.com/privkey.pem
</VirtualHost>
</IfModule>
sudo apachectl -S:
VirtualHost configuration:
*:443 is a NameVirtualHost
default server project_1.domain.com (/etc/apache2/sites-enabled/project_1-le-ssl.conf:2)
port 443 namevhost project_1.domain.com (/etc/apache2/sites-enabled/project_1-le-ssl.conf:2)
alias www.project_1.domain.com
port 443 namevhost project_2.domain.com (/etc/apache2/sites-enabled/project_2-le-ssl.conf:2)
alias www.project_2.domain.com
*:80 is a NameVirtualHost
default server project_1.domain.com (/etc/apache2/sites-enabled/project_1.conf:4)
port 80 namevhost project_1.domain.com (/etc/apache2/sites-enabled/project_1.conf:4)
alias www.project_1.domain.com
port 80 namevhost project_2.domain.com (/etc/apache2/sites-enabled/project_2.conf:4)
alias www.project_2.domain.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
好的,我发现了我的错误。当我设置 certbot 时,我将这两行都移到了虚拟主机之外:
WSGIDaemonProcess project_2 user=username group=username threads=5
WSGIScriptAlias / "/home/username/projects/project_2/run_site.wsgi"
这导致我的两个 .conf 文件中有两行 WSGIScriptAlias 行,其中一行覆盖了另一行。解决此问题的方法是在脚本 project_1.conf 和 project_2.conf 中将 WSGIScriptAlias 引入虚拟主机,并手动将其添加回 project_1-le-ssl.conf 和 project_2-le-ssl.conf
生成 .conf 示例:
WSGIDaemonProcess project_2 user=username group=username threads=5
<VirtualHost *:80>
ServerName project_2.domain.com
ServerAlias www.project_2.domain.com
WSGIScriptAlias / "/home/username/projects/project_2/run_site.wsgi"
<Directory "/home/username/projects/project_2/">
WSGIProcessGroup project_2
WSGIApplicationGroup %{GLOBAL}
WSGIScriptReloading On
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/notifier_error.log
CustomLog ${APACHE_LOG_DIR}/notifier_access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.project_2.domain.com [OR]
RewriteCond %{SERVER_NAME} =project_2.domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>