DaveH
Posts: 17
Joined: Thu Oct 24, 2013 9:43 pm

lighttpd 403 forbidden when omitting filename

Sun Apr 11, 2021 8:22 am

I have raspbian buster running, with lighttpd serving a very basic web interface for a project, written as a single perl file.

Whenever I omit the filename from the url, I get a 403 forbidden error. The script is called wildcam.pl and I have tried a few combinations. Currently the config is:

Code: Select all

server.modules = (
	"mod_indexfile",
	"mod_access",
	"mod_alias",
 	"mod_redirect",
)

#server.document-root        = "/var/www/html"
server.document-root        = "/home/pi/wildbin/webfiles"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 80

# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
#  if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)

index-file.names            = ( "wildcam.pl", "index.pl", "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"

#server.compat-module-load   = "disable"
server.modules += (
	"mod_compress",
	"mod_dirlisting",
	"mod_staticfile",
)

cgi.assign      = (
	".pl"  => "/usr/bin/perl",
	".py"  => "/usr/bin/python",
	".sh"  => "/bin/bash",
)

In the directory root I have:

Code: Select all

-rw-r--r-- 1 www-data www-data 1056 Apr 11 08:26 styles.css
-rwxr-xr-x 1 www-data www-data 9813 Apr 11 08:27 wildcam.pl

If I add wildcam.pl to the end of the URL, then it runs fine, so it is not a problem executing the perl. For some reason it is not finding or executing the default index file. There is nothing written to the logs.

The various things I have tried are:
  • Using /var/www/html as the document root and symlinking the files
  • Using /var/www/html as the document root and copying the files
  • The files were originally owned by pi:pi, I changed to www-data:www-data
  • Linking wildcam.pl to index.pl and removing wildcam.pl from the index-files.names list
  • Copying wildcam.pl to index.pl
All options give the 403 forbidden error.

If I create an index.html with a link to wildcam.pl, that is fine but is not as clean, so it looks like it just misses index.pl or wildcam.pl off the list.

I have enabled the access log but that doesn't shed much light:

Code: Select all

192.168.40.21 birdbox.local - [11/Apr/2021:09:17:49 +0100] "GET / HTTP/1.1" 403 341 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"

Any suggestions? I suppose I could do a rewrite as a workaround, but it would be nice if it worked by default.

DougieLawson
Posts: 41185
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: lighttpd 403 forbidden when omitting filename

Sun Apr 11, 2021 11:32 am

Depending on whether you've got an index file directive or mod_dirlisting active

Code: Select all

index-file.names   = ( "index.php", "index.html",
                                  "index.htm", "default.htm" )

Code: Select all

dir-listing.activate = "enable"

what you're seeing with the http 403 is normal (and desirable) behaviour.

Any language using left-hand whitespace for syntax is ridiculous

Any DMs sent on Twitter will be answered next month.
Fake doctors - are all on my foes list.

Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

DaveH
Posts: 17
Joined: Thu Oct 24, 2013 9:43 pm

Re: lighttpd 403 forbidden when omitting filename

Sun Apr 11, 2021 5:22 pm

Is there a way to fix it? I'm finding it quite undesirable as I want it to execute an index.pl file when the URL ends in just /.

I don't want to list the directory, I just want it to default to index.pl, rather than index.html.

DougieLawson
Posts: 41185
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: lighttpd 403 forbidden when omitting filename

Sun Apr 11, 2021 9:26 pm

Add this directive to your lighty config.

Code: Select all

index-file.names   = ( "index.pl", "index.php", "index.html", "index.htm", "default.htm" )

cleverca22
Posts: 3564
Joined: Sat Aug 18, 2012 2:33 pm

Re: lighttpd 403 forbidden when omitting filename

Mon Apr 12, 2021 12:31 am

DougieLawson wrote:
Sun Apr 11, 2021 9:26 pm
Add this directive to your lighty config.

Code: Select all

index-file.names   = ( "index.pl", "index.php", "index.html", "index.htm", "default.htm" )

DaveH wrote:
Sun Apr 11, 2021 8:22 am

Code: Select all

index-file.names            = ( "wildcam.pl", "index.pl", "index.php", "index.html" )

that line is already present, and should be causing it to load wildcam.pl if no name has been specified
i would expect it to work as shown in the original post

try adding this, and then look at the logs it generates:

Code: Select all

debug.log-request-handling = "enable"

DaveH
Posts: 17
Joined: Thu Oct 24, 2013 9:43 pm

Re: lighttpd 403 forbidden when omitting filename

Tue Apr 13, 2021 9:02 pm

Thanks for the suggestion.

That showed it was not correctly matching the index file name. As it was clearly there it looked like either a bug or as if it were being overridden by something.

In the conf-enable directory I found a default config sitting there, 99-unconfigured.conf with the line

Code: Select all

index-file.names := ( "index.php", "index.html", "index.lighttpd.html" )

Removing that makes it work. An annoying thing to find, but I'm glad I found it. I appreciate your help.
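
The override found in the last post can be located mechanically. The following is an added example, not code from any poster or from the lighttpd project: it reads a main config, follows `include` lines in sorted glob order, and reports every global-scope `:=` that replaces an earlier assignment. It assumes relative include paths resolve against the including file and that values contain no `#` or unbalanced brackets, it does not run `include_shell`, and the files built in `demo()` are constructed from the two `index-file.names` lines quoted in the thread.

```python
import glob
import os
import re
import tempfile

# directive name, then "=", "+=" or ":=" (but not the "==" / "=~" of a conditional)
ASSIGN = re.compile(r'^\s*([A-Za-z][\w.-]*)\s*(:=|\+=|=)(?![=~])')
INCLUDE = re.compile(r'^\s*include\s+"([^"]+)"')

def assignments(path):
    """Yield (directive, operator, file, line) for global-scope assignments, in read order."""
    depth = 0  # > 0 inside a multi-line ( ... ) value or a { ... } conditional
    with open(path) as fh:
        for number, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0]  # assumption: no "#" inside quoted values
            inc, hit = INCLUDE.match(line), ASSIGN.match(line)
            if depth == 0 and inc:
                # Assumption: relative include paths resolve against the including file.
                pattern = os.path.join(os.path.dirname(path), inc.group(1))
                for included in sorted(glob.glob(pattern)):
                    yield from assignments(included)
            elif depth == 0 and hit:
                yield hit.group(1), hit.group(2), path, number
            depth += line.count("(") + line.count("{") - line.count(")") - line.count("}")

def silent_overrides(main_conf):
    """Return (directive, winning file:line, [replaced file:line]) for each later ':='."""
    seen, findings = {}, []
    for name, op, path, number in assignments(main_conf):
        here = f"{os.path.basename(path)}:{number}"
        if op == ":=" and name in seen:
            findings.append((name, here, seen[name]))
        seen[name] = seen.get(name, []) + [here] if op == "+=" else [here]
    return findings

def demo():
    """Constructed sample: the two index-file.names lines quoted in this thread."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "conf-enabled"))
    main = os.path.join(root, "lighttpd.conf")
    with open(main, "w") as fh:
        fh.write('index-file.names = ( "wildcam.pl", "index.pl", "index.php", "index.html" )\n'
                 'include "conf-enabled/*.conf"\n')
    with open(os.path.join(root, "conf-enabled", "99-unconfigured.conf"), "w") as fh:
        fh.write('index-file.names := ( "index.php", "index.html", "index.lighttpd.html" )\n')
    return silent_overrides(main)

if __name__ == "__main__":
    print(demo())
```

Pointing `silent_overrides()` at the real main config reports every replaced directive, not only `index-file.names`. A replaced `url.access-deny` or `static-file.exclude-extensions` deserves the same attention, since those lines decide which files the server refuses to hand out as static content.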
