Man I love you (well, sort of anyway😇).
Thanks a lot, the location thing was it. Now everything works.
Have a great day ---markus---
Do you have a „Location“ based access grant in your config? In my (CentOS) Apache config I have this statement:
# Specific to Apache 2.4
<Location /cgi-bin/WebObjects/>
<Limit GET POST OPTIONS >
Require all granted
</Limit>
Require all denied
</Location>
I have also commented out all ScriptAlias* directives in all apache config files.

Logging can be enabled by setting a WebObjectsLog directive:
# To change the logging options, read the following comments:
# The option name is "WebObjectsLog" and the first value indicates the path of the log file.
# The second value indicates the log level. There are five, in decreasing informational order:
# "Debug", "Info", "Warn", "Error", "User"
#
# Note: To enable logging, touch '/tmp/logWebObjects' as the administrator user (usually root).
# After apache starts, you'll have to change the owner permissions to 'www'.
# Type: sudo chown www /Library/WebObjects/Logs/WebObjects.log
# See <rdar://problem/5296267> /tmp/logWebObjects insecure tempfile in WebObjects
#
# The following line is the default:
# WebObjectsLog /tmp/WebObjects.log Debug
For simple applications you could also completely discard the WOAdaptor and use the standard proxy mechanism. Single instance deployments don’t even need a balancer setup:
# in the site config:
ProxyPass /cgi-bin/WebObjects/App.woa http://localhost:2001/cgi-bin/WebObjects/App.woa
ProxyPassReverse /cgi-bin/WebObjects/App.woa http://localhost:2001/cgi-bin/WebObjects/App.woa
<Proxy http://localhost:2001/cgi-bin/WebObjects/App.woa/>
Require all granted
Options none
RequestHeader append x-webobjects-adaptor-version "mod_proxy"
</Proxy>
Ralf

On 18 Jun 2021, at 12:48, Markus Ruggiero (rucotec) wrote:

Thanks Jesse, yeah, I tried all. All files are w:r including /Library/WebObjects/Configuration/* where SiteConfig.xml lives. JavaMonitor is writing the SiteConfig.xml, wotaskd uses it and it is readable for anything Apache.
Apache running under _www or, as I just now tried running it under my own uid, makes no difference. The error_log shows this line:
I tried with cgi-bin as well as apps.
For me this indicates something in WOAdaptor not being right. When I google this error everyone is pointing to Apache config where in some places Require all allowed is needed. That is there and Apache can serve static filesystem based resources. As the error points to /apps as the resource that is not accessible this again points to WOAdaptor. /apps is NOT a file system path (no <Directory> block in http.conf) but is part of the adaptor URL (set in JavaMonitor as http://woapps/apps/WebObjects). Seems that WOAdaptor does not properly take over and then of course Apache would try to access this non-existing path.
This brings me to the next question: how do I debug WOAdaptor? Or am I going nuts?
Something else: I compared all the LoadModule directives in httpd.conf with those on the customer deployment and made sure there weren’t modules excluded. Nothing helped. Next is probably to virtualise the client deployment machine, strip it down to the bare minimum and run it as a test deployment server inside VMWare. Maybe last resort....
---markus---
Well, gosh, it just has to be apache and the OS — run down the list of suspects
"client denied by server configuration" is reported so that’s basically the OS saying you can’t read — I think?
I can’t read your rules, but since apache doesn’t seem to barf did you check user and OS level stuff carefully?
- the user that is running apache?
- the actual folder and parent folder settings?
- read those folders as that user from the command line?
Other random tests regarding OS level file permissions?
I’m no expert here, but I’m pretty sure those files gotta be 755 and it seems like the apache log is reporting a filesystem level permission error…?
This is a new setup. Up to now I have had a dedicated deployment machine that works. As this is for a customer I do not want to touch it.
We have a weird problem that only shows when more than one instance of the same app is running. To be able to debug and analyze this I thought I’d configure my dev machine so that I can deploy to it easily without disturbing anything productive.
Yes, of course mod_webobjects is loaded. This is the full wo_apache.config:
LoadModule WebObjects_module /Users/Shared/Developer/Libraries/Wonder/ApacheWOAdaptor/Apache2.4/macOS/mod_WebObjects.so
WebObjectsAlias /apps/WebObjects
all the other nice stuff in there is commented and not active.
If on a command line I type apachectl -F
I get a whole list of known directives and there are many WO related ones. Where else would Apache get those if not through mod_webobjects? This indicates that the module is properly loaded.
Sounds like apache, are you sure things like mod_webobjects are loaded and those base things?
I can’t read apache rules…sorry! They are all just random characters to me…I guess the question is what’s changed or is this a new setup giving you a hard time?
Probably missing something so basic that I simply do not see it. Must be too hot outside (33 Celsius) and no aircon in the office (31 Celsius). Hope someone can point me in the right direction.
Deployment setup on my dev machine (MBpro, macOS Catalina, JRE 15). Apache installed via homebrew (Apache/2.4.46 (Unix)), Apple's Apache not in use
Apache configured with various virtual hosts, resolved through /etc/hosts. This all works, Apache serves static resources from these hosts.
JavaMonitor runs, wotaskd runs, Apache loads WOAdaptor by including wo_apache.conf
apachectl -F knows about WOAdaptor, so I assume it is properly loaded
wo_apache.conf has this line: WebObjectsAlias /apps/WebObjects
The Apache config file http.conf has this line
# ScriptAliasMatch ^/cgi-bin/((?!(?i:webobjects)).*$) "/usr/local/var/www/CGI-Executables/$1"
ScriptAliasMatch ^/apps/((?!(?i:webobjects)).*$) "/usr/local/var/www/CGI-Executables/$1"
(tried both variants, with cgi-bin and the one with apps)
In WOMonitor this is the URL to the adaptor: (woapps being one of my virtual hosts)
When I try to access an installed app the browser reports an error "You don't have permission to access this resource"
and Apache puts a message into the error log file:
[Thu Jun 17 13:43:57.329921 2021] [authz_core:error] [pid 42093] [client 127.0.0.1:64420] AH01630: client denied by server configuration: /apps
/apps is not a directory but the first part of the WO URL and thus should go to the WOAdaptor. Has the ScriptAliasMatch (see above) anything to do with this?
Thanks for any help ---markus---
Markus Ruggiero
4051 Basel / Switzerland mobile +41 79 508 4701
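
A diagnostic for the situation resolved in this thread, as an added example that is not code from any of the posters: it scans Apache config text for the WebObjectsAlias prefix, reports when no <Location> block containing "Require all granted" covers it, and lists active ScriptAlias* directives for review. The two sample configs are constructed from the directives quoted above; the function names and the single-file, line-based matching (no Include, <LocationMatch> or <Directory> handling) are assumptions of this example.

```python
import re

# Constructed configs modelled on the directives quoted in the thread.
BROKEN = """\
WebObjectsAlias /apps/WebObjects
ScriptAliasMatch ^/apps/((?!(?i:webobjects)).*$) "/usr/local/var/www/CGI-Executables/$1"
"""
FIXED = """\
WebObjectsAlias /apps/WebObjects
# ScriptAliasMatch ^/apps/((?!(?i:webobjects)).*$) "/usr/local/var/www/CGI-Executables/$1"
<Location /apps/WebObjects/>
    <Limit GET POST OPTIONS>
        Require all granted
    </Limit>
    Require all denied
</Location>
"""

def covers(location, path):
    """True if a <Location> URL prefix applies to URLs under `path`."""
    loc, path = location.rstrip("/"), path.rstrip("/")
    return path == loc or path.startswith(loc + "/")

def audit(config_text):
    """Return findings about access to the WebObjectsAlias URL prefix."""
    alias, granted, script_aliases, location = None, [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        low = " ".join(line.lower().split())  # directives are case-insensitive
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive
        if low.startswith("webobjectsalias "):
            alias = line.split()[1]
        elif low.startswith("scriptalias"):
            script_aliases.append(line.split()[0])
        elif m := re.match(r"<Location\s+([^>\s]+)\s*>", line, re.I):
            location = m.group(1)
        elif low.startswith("</location"):
            location = None
        elif location and low == "require all granted":
            granted.append(location)
    findings = []
    if alias is None:
        findings.append("no active WebObjectsAlias directive")
    elif not any(covers(loc, alias) for loc in granted):
        findings.append(f"no <Location> with 'Require all granted' covers {alias}")
    findings += [f"active {d}: review overlap with the adaptor URL" for d in script_aliases]
    return findings
```

Calling audit(BROKEN) returns both findings, while audit(FIXED) returns an empty list.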