我有一个简单的VHost设置,如下所示:
<VirtualHost *:443>
ServerName my.server.com
# SSL setup
DocumentRoot /srv/www/htdocs/
HostnameLookups Off
UseCanonicalName Off
ServerSignature Off
<Directory "/srv/www/htdocs">
Options +Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
我的/srv/www/htdocs包含几个符号链接,例如release.FollowSymLinks已启用,但 Apache 仍然抱怨
[Sat Sep 21 17:16:26.988517 2019] [core:error] [pid 28117] [client x.x.x.x:39412] AH00037: Symbolic link not allowed or link target not accessible: /srv/www/htdocs/releases
这是输出namei -om /srv/www/htdocs/releases:
f: /srv/www/htdocs/releases
drwxr-xr-x root root /
drwxr-xr-x root root srv
drwxr-xr-x root root www
drwxr-xr-x jenkins root htdocs
lrwxrwxrwx root root releases -> /relstore
drwxr-xr-x root root /
drwxrwxrwx root root relstore
因此,可以清楚地看到可以解析符号链接,并且所有目录都具有世界R-X权限。可以排除 SELinux,因为它是禁用的(通过getenforce检查(。
怎么了?
Apache 2.4.x 似乎默认验证符号链接的所有者,然后该所有者必须与符号链接目标的所有者匹配。要禁用此行为,请将-SymLinksIfOwnerMatch指定为附加Options指令,即
<Directory "/srv/www/htdocs">
Options +Indexes +FollowSymLinks -SymLinksIfOwnerMatch
...
</Directory>