具有别名的 Apache 反向代理,权限被拒绝

具有别名的 Apache 反向代理,权限被拒绝

我正在尝试使用 apache 2.2 反向代理我的 tomcat 服务器并在路径 /tomcat-logs 上提供 tomcat 日志。这是在基于 ubuntu 12.04 的 Docker 映像中,但这不应该成为问题。

000-默认.conf:

<VirtualHost *:80>
  Alias /tomcat-logs /var/log/tomcat7
  ProxyPreserveHost on
  ProxyPass /tomcat-logs !
  ProxyPass / http://localhost:8080/
  ProxyPassReverse / http://localhost:8080/
</VirtualHost>

httpd.conf:

<Directory />
  Order deny,allow
  Deny from all
</Directory>

<Directory /var/log/tomcat7>
  Order allow,deny
  Allow from all
  AllowOverride None
  Options +Indexes
</Directory>

反向代理按预期工作,但当我尝试访问 tomcat-logs/catalina.out 时,出现 403 Forbidden。来自 apache 日志的错误是:

(13)Permission denied: access to /tomcat-logs/catalina.out denied

我检查了日志文件和指向日志位置的目录的文件权限,它们都是 644 或 755。

我觉得奇怪的是,访问被拒绝消息显示的是“/tomcat-logs/catalina.out”而不是“/var/log/tomcat7/catalina.out”。

有人有什么想法吗?

更新

如果我进入http://localhost/tomcat-logs/我的网络浏览器,我的日志中会出现以下错误:

(13)Permission denied: access to /tomcat-logs/index.html denied
... Others similar to index.html

因此该Options +Indexes指令未被使用。因此我认为Directory /var/log/tomcat7被忽略了。这是什么原因造成的?

更新

如果我放弃反向代理并使用 DocumentRoot 而不是 Alias,我会收到同样的错误。

<VirtualHost *:80>
  DocumentRoot /var/log/tomcat7
</VirtualHost>

错误是:

(13)Permission denied: access to /catalina.out denied

通过调试日志记录,完整日志是:

[Fri Jan 09 14:26:40 2015] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations
[Fri Jan 09 14:26:40 2015] [info] Server built: Jul 22 2014 14:35:32
[Fri Jan 09 14:26:40 2015] [debug] worker.c(1757): AcceptMutex: sysvsem (default: sysvsem)
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 428 for worker proxy:reverse
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1914): proxy: initialized worker 0 in child 428 for (*) min=0 max=25 smax=25
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 429 for worker proxy:reverse
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1914): proxy: initialized worker 0 in child 429 for (*) min=0 max=25 smax=25
[Fri Jan 09 14:27:07 2015] [error] [client 172.17.42.1] (13)Permission denied: access to /catalina.out denied
[Fri Jan 09 14:27:07 2015] [debug] mod_deflate.c(700): [client 172.17.42.1] Zlib: Compressed 289 to 219 : URL /catalina.out

sudo aa-status在主机上运行得到:

apparmor module is loaded.
18 profiles are loaded.
18 profiles are in enforce mode.
  /sbin/dhclient
  /usr/lib/NetworkManager/nm-dhcp-client.action
  /usr/lib/connman/scripts/dhclient-script
  /usr/lib/cups/backend/cups-pdf
  /usr/lib/lightdm/lightdm-guest-session
  /usr/lib/lightdm/lightdm-guest-session//chromium
  /usr/lib/telepathy/mission-control-5
  /usr/lib/telepathy/telepathy-*
  /usr/lib/telepathy/telepathy-*//pxgsettings
  /usr/lib/telepathy/telepathy-*//sanitized_helper
  /usr/lib/telepathy/telepathy-ofono
  /usr/sbin/cups-browsed
  /usr/sbin/cupsd
  /usr/sbin/cupsd//third_party
  /usr/sbin/mysqld-akonadi
  /usr/sbin/mysqld-akonadi///usr/sbin/mysqld
  /usr/sbin/tcpdump
  docker-default
0 profiles are in complain mode.
10 processes have profiles defined.
10 processes are in enforce mode.
  /sbin/dhclient (9937) 
  /usr/lib/telepathy/mission-control-5 (3463) 
  /usr/sbin/cups-browsed (1405) 
  /usr/sbin/cupsd (3849) 
  /usr/sbin/mysqld-akonadi///usr/sbin/mysqld (3481) 
  docker-default (14568) 
  docker-default (15403) 
  docker-default (15406) 
  docker-default (15408) 
  docker-default (15409) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

运行后aa-complain /etc/apparmor.d/docker仍然出现 403 错误。

答案1

我找到了一种解决方法,即使用 将 www-data 用户添加到 adm 组usermod -a -G adm www-data。有人能解释一下为什么这样做有效,但授予其他人读取和执行权限却/var/log/tomcat7不行吗?将此目录的组更改为 www-data 也不起作用。

相关内容