Forbidden 403 error on Foreman 1.4.x with Apache/Passenger

Hello,

I've got the following problem both on a Foreman installation that I
upgraded to 1.4.0 from 1.3.2 and on a clean Foreman 1.4.1 installation:

I'm trying to access Foreman through Passenger/Apache, and I get a "You
don't have permission to access /puppet/ on this server" 403 error.
I've attached my foreman.conf file as used in Apache. I've looked through a
lot of the suggestions out there for this problem, and I don't think it's
either a sym-link problem, or an obvious permissions problem.
It's particularly odd in that this has come up on a previously-working
Foreman installation, although I did also upgrade Ruby and Passenger at
this point. If I make mistakes in foreman.conf, Apache2 picks these up, so
it's reading foreman.conf.

The upgraded installation is on Ubuntu 12.04 with Ruby 1.9.3p0, Rails
4.1.0beta1, Passenger 4.0.37, Foreman 1.4.1
The clean installation is on Ubuntu 13.10 with Ruby 1.9.3p194, Rails
3.2.17, Passenger 4.0.37, Foreman 1.4.1

There is a sym-link: /var/www/puppet -> /usr/share/foreman but I'm not sure
this is important, although it probably is relevant that I am deploying to
a SubURI rather than just /

According to foreman_passenger.log: All Phusion Passenger agents started!
According to /var/log/apache2/error.log: Cannot serve directory
/var/www/puppet/public/: No matching DirectoryIndex
(index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and
server-generated directory index forbidden by Options directive
(but this presumably just means that Passenger hasn't been launched
correctly for this directory).

Any suggestions would be helpful. I feel as though it's a very simple
permissions problem or a missing line in my apache conf file, but I really
can't see it.

Thanks,

Philip

foreman.conf (1.31 KB)

Hello again,

Alternatively, if anyone has a Foreman installation working with the
previously mentioned versions, could they post their foreman.conf for
Apache?
Incidentally, I did manage to get a basic Ruby-on-Rails site working with
an essentially identical .conf file so, unless there's something subtle,
I'm wondering whether there's an incompatibility between Foreman and the
listed versions of Rails/Passenger?
I can get Foreman running on a stand-alone Rails server at port 3000, so
it's almost certainly a problem with the Apache/Passenger set-up.

Thanks,

Philip

How are you setting this system up? The deb packages for Foreman do
not create a link to /var/www/puppet/public and the Foreman Installer
doesn't deploy a config file that looks anything like the one you have
there. For packages, the main Foreman codebase will be in
/usr/share/foreman with some symlinks out to /var and /etc for logs
and config files, and Apache should serve Foreman from there.

While it's not using a SubURL, the default passenger.conf from the
installer looks something like this:

<VirtualHost 192.168.122.2:443>
  ServerName foreman.example.com
  ServerAlias foreman

  DocumentRoot /usr/share/foreman/public
  PassengerAppRoot /usr/share/foreman/

  AddDefaultCharset UTF-8

  [some assets stuff here which isn't relevant to the discussion]

  # Use puppet certificates for SSL

  SSLEngine On
  SSLCertificateFile /var/lib/puppet/ssl/certs/foreman.example.com.pem
  SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/foreman.example.com.pem
  SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
  SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
  SSLVerifyClient optional
  SSLOptions +StdEnvVars
  SSLVerifyDepth 3

</VirtualHost>

There's a similar definition for Port 80 as well, of course.

Hello Greg,

> While it's not using a SubURL, the default passenger.conf from the
> installer looks something like this:
>
> <VirtualHost 192.168.122.2:443>
> ServerName foreman.example.com
> ServerAlias foreman
>
> DocumentRoot /usr/share/foreman/public
> PassengerAppRoot /usr/share/foreman/
>
> </VirtualHost>
>

It turns out it was a very simple mistake on my part; I only had
PassengerAppRoot within the Location and Directory directives, and not at
global scope.
Putting that line in makes it work correctly, even in the SubURL.

I can't remember where I got the original for this from; I probably put it
together from snippets/hints in the Foreman manual, and I was editing for
my own authentication and SubURL purposes anyway.

Thanks for the pointer in the right direction.

Philip
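
An added example, not part of the thread and not Foreman or Passenger code: a small Python check that reports the section each PassengerAppRoot sits in and flags the layout Philip reports as the cause, where the directive appears only inside Location/Directory sections. The sample config, its paths and the function names are constructed for illustration.

```python
import re

# Constructed sample: a sub-URI vhost where PassengerAppRoot appears only
# inside <Location>/<Directory>, the layout the thread reports as failing.
SAMPLE_BROKEN = """\
<VirtualHost *:80>
    DocumentRoot /var/www
    <Location /puppet>
        PassengerAppRoot /usr/share/foreman
    </Location>
    <Directory /var/www/puppet/public>
        PassengerAppRoot /usr/share/foreman
    </Directory>
</VirtualHost>
"""
# Same sample with the directive also set at VirtualHost level (constructed).
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "    DocumentRoot /var/www\n",
    "    DocumentRoot /var/www\n    PassengerAppRoot /usr/share/foreman\n")

OPEN = re.compile(r"<\s*(\w+)\b[^>]*>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")
NARROW = {"location", "locationmatch", "directory", "directorymatch", "files", "filesmatch"}

def directive_scopes(conf, name="PassengerAppRoot"):
    """Return [(line_no, value, enclosing_sections)] for each use of `name`."""
    stack, found = [], []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.fullmatch(line)
        if m:  # closing tag: leave the innermost section if it matches
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.fullmatch(line)
        if m:  # opening tag: enter a new section
            stack.append(m.group(1).lower())
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == name.lower():
            found.append((no, parts[1].strip() if len(parts) > 1 else "", tuple(stack)))
    return found

def only_in_narrow_scope(conf, name="PassengerAppRoot"):
    """True when `name` is set, but never outside Location/Directory/Files sections."""
    hits = directive_scopes(conf, name)
    return bool(hits) and all(NARROW & set(scope) for _, _, scope in hits)
```

Running only_in_narrow_scope() over the text of a site's foreman.conf gives a quick first check before digging into file permissions or symlinks.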