Serving webpages using symlinks

[josefilipe]

I have a small collection of pictures that I want to share with some friends. I've modified httpd.conf so that apache doesn't use the '~username' part and only serves webpages from '/Library/WebServer/Documents'.

The pictures amount to 300MB and I don't want to make a copy to the root directory of the webserver, so that I can grow my collection while maximizing the available disk space.

The pictures folder is located at ~/Documents/pictures/ and I want my url to become http://url.com/pictures

What do I need to do in the httpd.conf file so that I can use symlinks to point to the pictures folder? Do I need to mess with permissions?

 

[iMeowbot]

Yes, you do need to make sure that the pictures are readable by others, and you'll want FollowSymLinks on the Options line of your <Directory> entry.

 

[josefilipe]

This is my <Directory> entry:

<Directory "/path/to/original/pictures">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

The folder pictures and everything inside it is 'Others: read only'. I've created an alias inside '/Library/WebServer/Documents' to the picture folder using ALT+CMD keys and it appears when I go to the root of the server. Still, I get this error when I click the pictures link: 'The requested URL /babes/ was not found on this server.'

 

[iMeowbot]

Hmph. Do you also have FollowSymLinks enabled on your DocumentRoot directory?

 

[josefilipe]

These are the defaults that came with httpd.conf:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/Library/WebServer/Documents">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

 

[iMeowbot]

Okay, it just dawned on me that this is the problem:

I've created an alias inside '/Library/WebServer/Documents' to the picture folder using ALT+CMD keys

That doesn't create a symlink, it creates an alias file. Just to add to the confusion, if you create a symlink in Terminal, it looks just like an alias in the Finder.

Trash that alias, and instead create it from Terminal:

cd  /Library/WebServer/Documents
ln -s /path/to/the/real/mypics mypics

 

[josefilipe]

The symlink works, but now I get a different error:

'You don't have permission to access /pictures/ on this server.'

 

[iMeowbot]

That's good, it means we are getting closer.

The next thing to do is start up Console in your Utilities folder, and drill down in the drawer to the /var/log section, then httpd, and look at error_log.

Scroll down to the bottom and check out the messages. See if there is an error like:

[error] [client 127.0.0.1] (13)Permission denied: access to /blah/ failed because search permissions are missing on a component of the path

If that is the message, that means that one of the directories in the path to your (real) pictures folder needs read+execute permissions for "others" added (I think Apache may be happy with just execute).

----

On a related note, that <Directory> entry that you added -- the path is that of the symlink you created, right?

 

[josefilipe]

That's the error that appears in error_log:

Permission denied: access to /pictures failed because search permissions are missing on a component of the path

How do I set the necessary permissions to the entire folder, subfolders and pictures?

 

[iMeowbot]

Okay, let's say for example that your pictures are located at /Users/imeowbot/stuff/Pictures

In Terminal, cd /Users/imeowbot/stuff and then ls -ld Pictures

You may see something like:

drwx------   imeowbot imeowbot 72   2448 Aug 30 06:21 Pictures

That --- and the end of the left column will interfere with Apache, fix it with chmod o+x Pictures so that the ls command returns:

drwx-----x   imeowbot imeowbot 72   2448 Aug 30 06:21 Pictures

Then step up the tree with cd .. and use the same ls command on the stuff directory, checking again for that x, and again using chmod to open it up if needed.

You can try reloading the page in your browser at each step to see if the error is cleared.

As you can guess, this will let any other users on your Mac see the contents of those folders. Apache is one of those other users who needs to see.

 

[josefilipe]

After changing the permissions everything is now working perfectly.

Thank you for the very thorough help and troubleshooting.

 

[josefilipe]

BTW, do you know any tips on securing Apache on Mac OS X 10.4.7?

 

[iMeowbot]

The Apache that comes with OS X client is really pretty secure out of the box, the add-on modules that usually get exploited (PHP and so on) aren't enabled unless you go in and add them by hand.

Just in case, it's a good idea to assume that the whole world can look your whole filesystem. Make sure that any files and directories you don't want the whole world to see are not world readable (and especially not writable by the world or the www user). Really, Apache does a good job of restricting access, this is only to defend against undiscovered bugs.

As we saw here, it usually takes some effort to let Apache serve files outside its own folder.

 

[josefilipe]

Besides the <Document> root entry, do I need to add an entry to the pictures folder? Something like this:

<Directory "/path/to/original/pictures">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

 

[iMeowbot]

It's up to you. The options will be inherited unless you want different ones for that particular directory.

 

[josefilipe]

Once again thank you for all the help.