I am trying to use apache 2.2 to reverse proxy my tomcat server and serve the tomcat logs at the path /tomcat-logs. This is in a Docker image based on ubuntu 12.04, but that shouldn't be an issue.
000-default.conf:
<VirtualHost *:80>
Alias /tomcat-logs /var/log/tomcat7
ProxyPreserveHost on
ProxyPass /tomcat-logs !
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
httpd.conf:
<Directory />
Order deny,allow
Deny from all
</Directory>
<Directory /var/log/tomcat7>
Order allow,deny
Allow from all
AllowOverride None
Options +Indexes
</Directory>
The reverse proxy works as expected, but when I try to access tomcat-logs/catalina.out I get a 403 Forbidden. The error from the apache log is:
(13)Permission denied: access to /tomcat-logs/catalina.out denied
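I have checked the file permissions on the log file and on the directories leading to the log location, and they are all 644 or 755.
What I find odd is that the access denied message shows "/tomcat-logs/catalina.out" rather than "/var/log/tomcat7/catalina.out".
Does anyone have any ideas?
Update
If I go to http://localhost/tomcat-logs/ in my web browser, I get the following errors in my log: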
(13)Permission denied: access to /tomcat-logs/index.html denied
... Others similar to index.html
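So the Options +Indexes directive is not being used. I therefore think that Directory /var/log/tomcat7 is being ignored. What could be causing this?
Update
If I drop the reverse proxy and use DocumentRoot instead of Alias, I get the same error.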
<VirtualHost *:80>
DocumentRoot /var/log/tomcat7
</VirtualHost>
The error is:
(13)Permission denied: access to /catalina.out denied
With debug logging, the full log is:
[Fri Jan 09 14:26:40 2015] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations
[Fri Jan 09 14:26:40 2015] [info] Server built: Jul 22 2014 14:35:32
[Fri Jan 09 14:26:40 2015] [debug] worker.c(1757): AcceptMutex: sysvsem (default: sysvsem)
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 428 for worker proxy:reverse
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1914): proxy: initialized worker 0 in child 428 for (*) min=0 max=25 smax=25
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 429 for worker proxy:reverse
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Fri Jan 09 14:26:40 2015] [debug] proxy_util.c(1914): proxy: initialized worker 0 in child 429 for (*) min=0 max=25 smax=25
[Fri Jan 09 14:27:07 2015] [error] [client 172.17.42.1] (13)Permission denied: access to /catalina.out denied
[Fri Jan 09 14:27:07 2015] [debug] mod_deflate.c(700): [client 172.17.42.1] Zlib: Compressed 289 to 219 : URL /catalina.out
Running sudo aa-status on the host gives:
apparmor module is loaded.
18 profiles are loaded.
18 profiles are in enforce mode.
/sbin/dhclient
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/lightdm/lightdm-guest-session
/usr/lib/lightdm/lightdm-guest-session//chromium
/usr/lib/telepathy/mission-control-5
/usr/lib/telepathy/telepathy-*
/usr/lib/telepathy/telepathy-*//pxgsettings
/usr/lib/telepathy/telepathy-*//sanitized_helper
/usr/lib/telepathy/telepathy-ofono
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/mysqld-akonadi
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld
/usr/sbin/tcpdump
docker-default
0 profiles are in complain mode.
10 processes have profiles defined.
10 processes are in enforce mode.
/sbin/dhclient (9937)
/usr/lib/telepathy/mission-control-5 (3463)
/usr/sbin/cups-browsed (1405)
/usr/sbin/cupsd (3849)
/usr/sbin/mysqld-akonadi///usr/sbin/mysqld (3481)
docker-default (14568)
docker-default (15403)
docker-default (15406)
docker-default (15408)
docker-default (15409)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
After running aa-complain /etc/apparmor.d/docker I still get the 403 error.
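Answer 1
I found a workaround, which is to add the www-data user to the adm group using usermod -a -G adm www-data. Can anyone explain why this works, but granting others read and execute permissions on /var/log/tomcat7 does not? Changing the group of this directory to www-data doesn't work either.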
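Added example, not part of the original question or answer: "(13)Permission denied" is errno 13 (EACCES) returned by the operating system, so one way to investigate is to walk every component of the path and find the first one whose mode bits deny the Apache user. The uid/gid numbers and the modes in SAMPLE are constructed assumptions, not values from the question, and the check covers mode bits only (ACLs and AppArmor/SELinux are decided separately).

```python
import os
import stat

def allowed(mode, owner, group, uid, gids, want):
    """Mode-bit check: exactly one triad (owner, group or other) applies."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7  # group triad wins even if "other" is more permissive
    else:
        bits = mode & 7
    return (bits & want) == want

def first_denied(entries, uid, gids):
    """entries: (path, mode, owner_uid, group_gid) from "/" down to the file.
    Directories need search (x), the final file needs read (r)."""
    for path, mode, owner, group in entries:
        want = 1 if stat.S_ISDIR(mode) else 4
        if not allowed(mode, owner, group, uid, gids, want):
            return path
    return None

def stat_chain(path):
    """Stat every component of a real path; run as a user who can stat them all."""
    chain = [os.path.realpath(path)]
    while chain[-1] != "/":
        chain.append(os.path.dirname(chain[-1]))
    out = []
    for p in reversed(chain):
        st = os.stat(p)
        out.append((p, st.st_mode, st.st_uid, st.st_gid))
    return out

# Constructed sample, NOT taken from the question: ids and modes are assumptions.
WWW_DATA, ADM, TOMCAT7 = 33, 4, 106
SAMPLE = [
    ("/", stat.S_IFDIR | 0o755, 0, 0),
    ("/var", stat.S_IFDIR | 0o755, 0, 0),
    ("/var/log", stat.S_IFDIR | 0o755, 0, 0),
    ("/var/log/tomcat7", stat.S_IFDIR | 0o750, TOMCAT7, ADM),
    ("/var/log/tomcat7/catalina.out", stat.S_IFREG | 0o644, TOMCAT7, ADM),
]

if __name__ == "__main__":
    print(first_denied(SAMPLE, WWW_DATA, {33}))       # www-data not in adm
    print(first_denied(SAMPLE, WWW_DATA, {33, ADM}))  # after usermod -a -G adm
```

On a real system, pass `stat_chain("/var/log/tomcat7/catalina.out")` (collected as root) together with the numeric ids reported by `id www-data` to `first_denied`.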