AH00035: access to / denied 403 Forbidden Django mod-wsgi
I am trying to configure Apache with Django using mod-wsgi, but I am getting the following error:
AH00035: access to / denied (filesystem path '/home/ec2-user/ezvoice') because search permissions are missing on a component of the path
URL is showing 403 forbidden
Here is the conf file
LoadModule wsgi_module "/home/ec2-user/venv/lib/python3.7/site-packages/mod_wsgi/server/mod_wsgi-py37.cpython-37m-x86_64-linux-gnu.so"
<VirtualHost *:80>
    DocumentRoot /home/ec2-user/
    Alias /static /home/ec2-user/ezvoice/sub_app/static
    <Directory /home/ec2-user/ezvoice/sub_app/static>
        Options FollowSymLinks
        Order allow,deny
        Require all granted
    </Directory>
    WSGIDaemonProcess ezvoice python-path=/home/ec2-user/ezvoice:/home/ec2-user/venv/lib/python3.7/site-packages
    WSGIProcessGroup ezvoice
    WSGIScriptAlias / /home/ec2-user/ezvoice/main_app/wsgi.py
    ErrorLog /home/ec2-user/ezvoice/log-error.log
    CustomLog /home/ec2-user/ezvoice/custom-error.log combined
    <Directory /home/ec2-user/ezvoice/main_app>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
The directory structure is as follows:
home
-ec2-user
--ezvoice
---main_app
----asgi.py
----settings.py
---sub_app
----views.py
--venv
---bin
---include
---lib
I have tried to set permissions as follows:
sudo chown ec2-user ezvoice
sudo chown -R ec2-user /usr/local/lib/python3.7
sudo chown ec2-user /usr/local/bin
sudo chown ec2-user /usr/local/lib
"Search permissions are missing" means that the Apache user (probably apache, or www-data) doesn't have permission to traverse the directory tree all the way down to /home/ec2-user/ezvoice. You can debug this with namei -l, which will show you a long listing of all of the directory paths down to a file or directory, starting from /. For example:
$ namei -l /home/testuser
f: /home/testuser
dr-xr-xr-x root root /
drwxr-xr-x root root home
drwx------ testuser users testuser
When you do this for /home/ec2-user/ezvoice, you'll probably see that one of the directories along the path - maybe /, judging from the error message - is missing the x permission for group or other, which allows users to traverse the directory tree through that directory.
A simple solution is to give all users the traverse permission on all of those directories:
chmod go+x / /home /home/ec2-user /home/ec2-user/ezvoice
Then compare the output of namei -l again to see what changed. If you don't want to grant such broad permissions, you could do it more carefully for just the Apache user, with a file ACL:
setfacl -m u:apache:x / /home /home/ec2-user /home/ec2-user/ezvoice
Note, changing the ownership of Python isn't a good idea. You should be able to fix the permissions of the files that Python and Apache read, rather than the programs themselves.
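The namei -l check described in the answer above can be scripted so that it prints only the directories that block traversal. This is an added example, not part of the original answer; the function name blocked_components is hypothetical. It assumes GNU stat and that the Apache user is neither the owner nor in the group of these directories, so only the "other" mode bits are inspected and a grant made with setfacl will not show up.

```shell
#!/bin/sh
# blocked_components PATH
# Walks PATH from / downward and prints every directory whose mode lacks
# the execute (search) bit for "other". Exit status: 0 if none were
# found, 1 if at least one was printed, 2 if stat failed.
# The body runs in a subshell so the IFS and noglob changes stay local.
blocked_components() (
    target=$1
    case $target in
        /*) ;;
        *) target="$PWD/$target" ;;      # make relative paths absolute
    esac
    found=0
    current=
    IFS=/
    set -f                               # no globbing while splitting
    for part in $target; do
        if [ -n "$part" ]; then
            current="$current/$part"
        elif [ -n "$current" ]; then
            continue                     # empty field from a doubled slash
        fi
        dir=${current:-/}                # leading empty field is the root
        [ -d "$dir" ] || continue        # only directories need the x bit
        mode=$(stat -L -c '%a' "$dir") || exit 2
        case $mode in
            *[1357]) ;;                  # odd last digit: other has x
            *) printf '%s\n' "$dir"; found=1 ;;
        esac
    done
    exit "$found"
)

# When run as a script, check the path given as the first argument, e.g.
#   sh check_path.sh /home/ec2-user/ezvoice/main_app/wsgi.py
[ "$#" -eq 0 ] || blocked_components "$1"
```

Run it before and after the chmod or setfacl change; with chmod go+x the listed directories should disappear from the output.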