------------ Original Message ------------
Date: Friday, August 28, 2015 07:40:43 +0200
From: Luigi Rosa lists@luigirosa.com
Tim Dunphy wrote on 28/08/2015 00:18:
And made sure that the document root setup in the vhost for the site I'm serving has permissions for the apache user. Yet some of the files are throwing a 404 error in a browser even though they are clearly present and accounted for on the file system.
Put
CheckSpelling on
CheckCaseOnly on
in vhost or Apache configuration
You have to enable mod_speling in /etc/httpd/conf.modules.d/00-base.conf
Please show relevant httpd error_log entries. What is displayed to the client is never as useful as the real thing.
Separately, your documentroot directory and file ownerships are a security risk:
-rw-r--r--. 1 daemon daemon 222568 Jul 16 13:56 /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg
And all those files have the correct ownership for apache:
[root@aozwsls00019la apache2]# egrep -i "user|group" conf/httpd.conf
User daemon
Group daemon
Directories and files under the documentroot need to be accessible to the httpd process, but should never be owned or writable by it.
If they are owned/writable by the httpd process and someone breaks through (either a bug in httpd (apache) or more likely code/scripts you are running) then the attacker can do as they wish with the documentroot contents - including (but not limited to) defacing your site.
Also, "daemon" is an odd user to be running your httpd as. The default is generally "apache". On my centos-5 and -6 servers (what centos release are you running here?) "daemon" is a member of the group "bin", which escalates potential security issues.
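
A read-only audit for the ownership rule stated in the message above, as an added example that is not part of the original thread. The helper name audit_docroot is hypothetical; the path and account in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list everything under a DocumentRoot
# that the httpd account owns or is able to write to.
# audit_docroot is a hypothetical helper name; it only reads file metadata.
#
# Usage: audit_docroot /var/www/mycomanystore daemon

audit_docroot() {
    docroot=$1
    httpd_user=$2

    # Numeric IDs of every group the account is in (primary + supplementary).
    gids=$(id -G "$httpd_user") || return 2

    # Build the find expression:
    #   owned by the account, OR world-writable,
    #   OR group-writable by one of the account's groups.
    set -- \( -user "$httpd_user" -o -perm -0002
    for gid in $gids; do
        set -- "$@" -o \( -group "$gid" -perm -0020 \)
    done
    set -- "$@" \)

    # Symlinks are skipped: their own mode bits say nothing about the target.
    find "$docroot" ! -type l "$@" -print
}

# Run directly: sh audit_docroot.sh DOCROOT HTTPD_USER
if [ "$#" -ge 2 ]; then
    audit_docroot "$1" "$2"
fi
```

An empty result means no path under the docroot is owned or writable by that account according to the mode bits; POSIX ACLs are not examined.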