Apache Directory Index forbidden by rule on CentOS

On an old CentOS 4 system, I had problems getting a simple directory indexing working. The log files were showing only the message:

[Fri Mar 14 16:15:09 2014] [error] [client 192.168.x.y] Directory index forbidden by rule: /data/www/www.yourwebsite.com/

After a bit of fiddling around, it was clear my configuration was fine, and something else was going on. I turned to the Wisdom Of The Internet for a hint, and found this thread on linuxforums.com: apparently, if there’s no index file in the docroot, the directory indexing is forbidden by default. Indeed, testing with a subdirectory, the listing was working.

So, if you need to list your docroot too, edit /etc/httpd/conf.d/welcome.conf and comment out the whole locationmatch section:

#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/nolisting.html

Apache limits on Debian

If you happen to use Debian systems on your webservers, you may have noticed that Apache won’t use the limits specified in /etc/security/limits.conf:

# grep www-data /etc/security/limits.conf 
www-data - nofile 65535
www-data - nproc 65535
# for i in $(pidof apache2); do cat /proc/$i/limits; done | grep files | sort | uniq -c
     34 Max open files            8192                 8192                 files 

The “Debian Way”, as documented on the website, is to specify the limits for Apache in /etc/apache2/envvars:

## If you need a higher file descriptor limit, uncomment and adjust the
## following line (default is 8192):
APACHE_ULIMIT_MAX_FILES='ulimit -n 65536'

This requires a full restart, a reload won’t do:

# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .
# for i in $(pidof apache2); do cat /proc/$i/limits; done | grep files | sort | uniq -c
     24 Max open files            65536                65536                files

Annoying, isn’t it? :)

OpenVPN –crl-verify fails with ‘keys/crl.pem’: No such file or directory

Today I had to generate a new Certification Authority (CA) and all certificates for an OpenVPN server. After restarting it, I found this error in the log files:

Options error: --crl-verify fails with 'keys/crl.pem': No such file or directory
Options error: Please correct these errors.
Use --help for more information.

it turns out, easy-rsa had a script to generate a crl (Certificate Revocation List), but it wasn’t present in my (CentOS based) install.

I just had to go to my easy-rsa directory (yours may be different), include the easy-rsa config and run that command:

# cd /etc/openvpn/easy-rsa
# source vars
# openssl ca -gencrl -out ${KEY_DIR}/crl.pem -config $KEY_CONFIG

After restarting OpenVPN, everything worked fine.

Note, this will also solve problems that show errors similar to:

Thu Mar  6 18:42:09 2014 TLS: Initial packet from [AF_INET], sid=2494fce7 cfff3a67
Thu Mar  6 18:42:09 2014 CRL: cannot read CRL from file keys/crl.pem
Thu Mar  6 18:42:09 2014 Exiting due to fatal error

when a client tries to contact the server.