Apache error AH01630: client denied by server configuration
Description
Environment
CentOS 7
Attachments
- 26 May 2017, 03:27 PM
Activity
Takeshi Nishimura April 26, 2019 at 3:38 AM
Confirmed with shibboleth-embedded-ds-1.2.2-3.1.noarch on CentOS 7. Thanks!
Scott Cantor April 24, 2019 at 2:15 PM
Release with this patch is done, packages will be forthcoming.
Unidentified Legacy Account April 23, 2019 at 1:26 PM (Edited)
The config works for me as per the below for httpd 2.4+:
<Location /shibboleth-ds>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
    <IfVersion < 2.4>
        Allow from all
    </IfVersion>
    <IfModule mod_shib.c>
        AuthType shibboleth
        ShibRequestSetting requireSession false
        require shibboleth
    </IfModule>
</Location>
As it stands, the shibboleth-embedded-ds-1.2.1-3.1.noarch RPM is currently broken out the box due to the above.
Rod Widdowson April 1, 2019 at 2:58 PM
I'm going to ask Scott to look at this since I'm the least Apache-knowledgeable person on the team.
The config (post patch) reads:
<Location /shibboleth-ds>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
    <IfVersion < 2.4>
        Allow from all
    </IfVersion>
    <IfModule mod_shib.c>
        AuthType shibboleth
        ShibRequestSetting requireSession false
        require shibboleth
    </IfModule>
</Location>
Which seems to say "Make sure that shibboleth knows about it", but also "We do not need a session to proceed" and finally (in version specific speak) "Free access to all".
@Takeshi Nishimura's comment is that for /Shibboleth.sso we say, for 2.4:
<Location /Shibboleth.sso>
    AuthType None
    Require all granted
</Location>
and for 2.2:
<Location /Shibboleth.sso>
    Satisfy Any
    Allow from all
</Location>
So for the DS we care about the difference in the first line. I haven't a clue.
Rod Widdowson March 3, 2019 at 1:09 PM
Good spot. I applied this on autopilot...
The default installation of shibboleth-embedded-ds via RPM results in authorization errors in the Apache error_log:
    [Fri May 26 09:07:19.809687 2017] [authz_core:error] [pid 2941] [client IP_ADDRESS:51710] AH01630: client denied by server configuration: /etc/shibboleth-ds/idpselect_config.js
Apache 2.4 uses a new syntax for authorization, so "Allow from all" (< 2.4 syntax) needs to be "Require all granted".
A conditionalized version of shibboleth-ds.conf that works on both CentOS 6 and CentOS 7 is attached.
I could make this change available for git pull if you don't mind your code going up on GitHub.
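The 2.2-to-2.4 authorization change described in this issue, turned into a check. This is an added example for this page, not code from the shibboleth-embedded-ds RPM or the Shibboleth project: it scans an httpd config fragment for 2.2-only access-control directives (Order, Allow, Deny, Satisfy) that sit outside an <IfVersion < 2.4> guard, flags containers that leave no Require in effect on 2.4 (so that a Require inherited from an enclosing <Directory>, typically "Require all denied" on /, still applies), and pulls the denied paths out of AH01630 error_log lines. The broken config, the log excerpt and the function names check_config and denied_paths are constructed for the example; the fixed config is the post-patch one quoted above. It is a line-oriented scanner, not a full httpd config parser, so only the common <IfVersion> comparison forms are classified.

```python
"""Scan an httpd config fragment for the Apache 2.2 -> 2.4 authorization
pitfall behind AH01630: "Allow from all" is mod_access_compat (2.2) syntax
and does not grant access under mod_authz_core (2.4).

Added example for this issue page; not part of shibboleth-embedded-ds.
"""
import re
from typing import List

# Directives that only mod_access_compat (Apache 2.2 style) understands.
LEGACY_DIRECTIVES = {"order", "allow", "deny", "satisfy"}
# Containers whose access control we track.
CONTAINERS = {"location", "locationmatch", "directory", "directorymatch",
              "files", "filesmatch"}

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
IFVERSION_RE = re.compile(r"^(>=|<=|<|>|=|==|!=)?\s*([\d.]+)$")
AH01630_RE = re.compile(r"AH01630: client denied by server configuration: (\S+)")


def _version_branch(args: str) -> str:
    """Classify an <IfVersion> argument: 'old' (2.2-only branch), 'new'
    (2.4+ branch) or 'unknown' (regex forms like "~ ^2\\.4" are not handled)."""
    m = IFVERSION_RE.match(args.strip())
    if not m:
        return "unknown"
    op, ver = m.group(1) or "=", m.group(2)
    v = tuple(int(x) for x in ver.split(".")[:2])
    if (op == "<" and v <= (2, 4)) or (op == "<=" and v < (2, 4)):
        return "old"
    if op in (">=", ">") and v >= (2, 4):
        return "new"
    return "unknown"


def check_config(text: str) -> List[str]:
    """Return human-readable findings for the config fragment `text`."""
    findings: List[str] = []
    version_stack: List[str] = []   # branch class of each open <IfVersion>
    container_stack: List[list] = []  # [kind, args, has_require_on_2_4]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE_RE.match(line)
        if m:
            kind = m.group(1).lower()
            if kind == "ifversion" and version_stack:
                version_stack.pop()
            elif kind in CONTAINERS and container_stack:
                k, a, has_require = container_stack.pop()
                if not has_require:
                    findings.append(
                        f"line {lineno}: <{k} {a}> sets no Require that applies on httpd 2.4; "
                        "a Require inherited from an enclosing section stays in force")
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, args = m.group(1).lower(), m.group(2)
            if kind == "ifversion":
                version_stack.append(_version_branch(args))
            elif kind in CONTAINERS:
                container_stack.append([m.group(1), args, False])
            continue  # <IfModule> and other sections are treated as transparent
        directive = line.split()[0].lower()
        in_old_branch = "old" in version_stack        # only reached on httpd < 2.4
        applies_on_2_4 = not in_old_branch
        if directive in LEGACY_DIRECTIVES and not in_old_branch:
            findings.append(
                f"line {lineno}: '{line}' is 2.2 (mod_access_compat) syntax "
                "outside an <IfVersion < 2.4> block")
        if directive == "require" and applies_on_2_4 and container_stack:
            container_stack[-1][2] = True
    return findings


def denied_paths(error_log: str) -> List[str]:
    """Extract the paths behind AH01630 entries in an error_log excerpt."""
    return [m.group(1) for m in AH01630_RE.finditer(error_log)]


# Constructed for this example: a 2.2-style section with no Require for 2.4.
BROKEN_CONF = """\
# constructed example, not the shipped shibboleth-ds.conf
Alias /shibboleth-ds /etc/shibboleth-ds
<Location /shibboleth-ds>
    Allow from all
</Location>
"""

# The post-patch section quoted in this issue.
FIXED_CONF = """\
<Location /shibboleth-ds>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
    <IfVersion < 2.4>
        Allow from all
    </IfVersion>
    <IfModule mod_shib.c>
        AuthType shibboleth
        ShibRequestSetting requireSession false
        require shibboleth
    </IfModule>
</Location>
"""

# Constructed log excerpt in the shape of the line reported in this issue.
SAMPLE_LOG = ("[Fri May 26 09:07:19.809687 2017] [authz_core:error] [pid 2941] "
              "[client IP_ADDRESS:51710] AH01630: client denied by server "
              "configuration: /etc/shibboleth-ds/idpselect_config.js\n")

if __name__ == "__main__":
    print("denied:", denied_paths(SAMPLE_LOG))
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_config(conf) or "OK")
```

Running it reports two findings for the broken fragment (the unguarded "Allow from all", and the Location with no Require on 2.4) and none for the post-patch section; pair the denied paths from the log with the Alias that maps them to decide which container to fix.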