[CentOS] apache mysterious 404 error

Fri Aug 28 08:57:54 UTC 2015
Richard <lists-centos at listmail.innovate.net>


------------ Original Message ------------
> Date: Friday, August 28, 2015 07:40:43 +0200
> From: Luigi Rosa <lists at luigirosa.com>
>
> Tim Dunphy wrote on 28/08/2015 00:18:
> 
>>   And made sure that the document root setup in the vhost for the
>>   site I'm serving has permissions for the apache user. Yet some
>> of the files are throwing a 404 error in a browser even tho they
>> are clearly present and accounted for on the file system.
> 
> Put
> 
> CheckSpelling on
> CheckCaseOnly on
> 
> in vhost or Apache configuration
> 
> You have to enable mod_speling in
> /etc/httpd/conf.modules.d/00-base.conf

Please show relevant httpd error_log entries. What is displayed to
the client is never as useful as the real thing.

Separately, your documentroot directory and file ownerships are a
security risk:

   > -rw-r--r--. 1 daemon daemon 222568 Jul 16 13:56
      /var/www/mycomanystore/images/Jimmy_792x802_R2.jpg
 
   > And all those files have the correct ownership for apache:
 
   > [root at aozwsls00019la apache2]# egrep -i "user|group" 
       conf/httpd.conf 

   > User daemon
   > Group daemon

Directories and files under the documentroot need to be accessible
to the httpd process, but should never be owned or writable by it. 

If they are owned/writable by the httpd process and someone breaks
through (either a bug in httpd (apache) or more likely code/scripts
you are running) then the attacker can do as they wish with the
documentroot contents - including (but not limited to) defacing your
site. 

Also, "daemon" is an odd user to be running your httpd as. The
default is generally "apache". On my centos-5 and -6 servers (what
centos release are you running here?) "daemon" is a member of the
group "bin", which escalates potential security issues.