Forum Moderators: phranque


where do deny from go to?

         

roshaoar

7:27 pm on Apr 6, 2014 (gmt 0)

10+ Year Member



Hello,

Just wanted to check something. I have:


Order Deny,Allow
deny from 14.219.214.0/24

<Files /403.php>
allow from all
</Files>
<Files /401.php>
allow from all
</Files>

ErrorDocument 400 /400.php
ErrorDocument 401 /401.php
ErrorDocument 403 /403.php


Am I right that denied folk should end up at 403.php?

If I didn't have those last two blocks, where would they be sent on the server? Is that something set at server level or a default?

Reason I ask is that this on a live site is producing endless "File does not exist: /var/www/error" - but when I ban my own IP (only way I can test) it does as expected, ie I end up at 403



Thank you

aristotle

7:37 pm on Apr 6, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



ErrorDocument 403 /403.php

I think 403 is "Forbidden", not "error". If you don't have a page to display, I think it would show a system message "access denied". If /403.php exists, then it should show that.

roshaoar

7:44 pm on Apr 6, 2014 (gmt 0)

10+ Year Member



Apologies, yes 403 is of course forbidden. It shows that when I ban myself and go to it. But when the chinabots (ie that span) arrive they give a "File does not exist: /var/www/error" - odd

aristotle

8:01 pm on Apr 6, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



this on a live site is producing endless "File does not exist: /var/www/error"

Can you show an example of this from your logs?

lucy24

8:17 pm on Apr 6, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



<Files /403.php>
allow from all
</Files>

The error is not in the site, it's in the htaccess :( <Files> and <FilesMatch> envelopes look only at the filename, not at any part of its path.

You can collapse them into one envelope by going to a Regular Expression:
<FilesMatch "40[31]\.php$">
Order Deny,Allow
Allow from all
</FilesMatch>

Never use an Allow or Deny directive without a preceding "Order" statement. In fact you can say "Order Deny,Allow" without anything else and it will be as if you said "Allow from all", but this looks a bit unnerving.

You should always have an exclusion for your error document, because otherwise the server goes into a tizzy trying to serve up the 403 page --even if the visitor is a robot who will never bother to look at it. You may not care what the visitor sees. But your server cares; it will keep making the request/lockout loop 10 or more times. That's a lot more work than simply offering up the document in the first place.

Code a separate exemption for any module that issues 403s, because they don't override each other. For most people that means something like

RewriteRule ^40[31]\.php - [L]


before all other RewriteRules. That's in addition to, not instead of, the <Files> or <FilesMatch> envelope for mod_authzzzz.

roshaoar

8:21 pm on Apr 6, 2014 (gmt 0)

10+ Year Member



access file--
27.150.236.59 - - [06/Apr/2014:12:01:48 +0100] "GET / HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727 ; .NET CLR 4.0.30319)"

error file-
[Sun Apr 06 12:01:48 2014] [error] [client 27.150.236.59] client denied by server configuration: /home/plat-linnas01/e/[domainremovedforthispost]/user/htdocs/
[Sun Apr 06 12:01:48 2014] [error] [client 27.150.236.59] File does not exist: /var/www/error

roshaoar

8:33 pm on Apr 6, 2014 (gmt 0)

10+ Year Member



okies - thank you - I've done all that now Lucy!

I swear htaccess combines all the fun in life. Regex and complicated rules that can bring down your website in a heartbeat. What's not to love :)

roshaoar

8:40 pm on Apr 6, 2014 (gmt 0)

10+ Year Member



Lucy, question about this. You say:

RewriteRule ^40[31]\.php - [L]
before all other RewriteRules. That's in addition to, not instead of, the <Files> or <FilesMatch> envelope for mod_authzzzz.

I'm not really getting this bit - if my 403 file is at /bonkerslocation/403.php would it be:

RewriteRule ^bonkerslocation/403\.php - [L]

aristotle

8:46 pm on Apr 6, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



ErrorDocument 400 /400.php
ErrorDocument 401 /401.php
ErrorDocument 403 /403.php

Don't you have a custom error document for 404 responses as well? For example:
ErrorDocument 404 /404.php

roshaoar

8:49 pm on Apr 6, 2014 (gmt 0)

10+ Year Member



yes - but didn't list them here in this post :)

aristotle

9:01 pm on Apr 6, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



access file--
27.150.236.59 - - [06/Apr/2014:12:01:48 +0100] "GET / HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727 ; .NET CLR 4.0.30319)"

The reason I asked is because this looks like a 404 response.

roshaoar

9:10 pm on Apr 6, 2014 (gmt 0)

10+ Year Member



*scratching head*

still getting it

[Sun Apr 06 21:52:29 2014] [error] [client 120.43.23.186] client denied by server configuration: /home/plat-linnas01/e/[siteurlremoved]/user/htdocs/
[Sun Apr 06 21:52:29 2014] [error] [client 120.43.23.186] File does not exist: /var/www/error

&

120.43.23.186 - - [06/Apr/2014:21:52:29 +0100] "GET / HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )"

roshaoar

9:15 pm on Apr 6, 2014 (gmt 0)

10+ Year Member



Well this is the weird thing.

So anyone who goes to "/error" on my site doesn't get the specified 404 page but the white standard one. Any other url they go to that doesn't exist and they get the custom one.

Really weird, I've raised it with the hosting company (maybe "/error" is reserved or defaulted on the server or something, I dunno!)

lucy24

10:59 pm on Apr 6, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



if my 403 file is at /bonkerslocation/403.php would it be:

RewriteRule ^bonkerslocation/403\.php - [L]

Yes. You can also simply leave off the opening anchor and give only the filename. But it's always good to give the full path, when possible, because then the server can get out of there all the sooner. This line goes before all other RewriteRules-- contrary to the ordinary rule ordering-- because the point is to intercept internal requests for the error document. Otherwise they'd be locked out along with everything else.

client denied by server configuration

Unfortunately that's all error logs ever say. "They got a 403 because you told them they're not allowed." If you have RewriteLogs-- on shared hosting, you don't-- you'll get more information if-and-only-if the 403 was issued by mod_rewrite. Otherwise it's up to you to squint at the ErrorLog entry and see if you can figure out which aspect of the request triggered a rule.

maybe "/error" is reserved or defaulted on the server or something

On shared hosting, there's generally a default name for error documents, such as "missing.html" and "forbidden.html". At the server level, this means two things: there's a server-wide set of directives that say things like

ErrorDocument 403 forbidden.html


AND there's a corresponding <Files> envelope that says

<Files "forbidden.html">
Order Deny,Allow
Allow from all
</Files>

All the site owner sees is that their "forbidden.html" magically works. If you haven't got this page, and someone gets locked out, the error log will say two things. First it will record the "client denied by server configuration" line, and then it will record that it couldn't find the specified error page.

There may be a supplementary line in the config file that says something like

:: making this up off the top of my head ::

RewriteCond %{THE_REQUEST} error\.html
RewriteRule ^error\.html - [G]

This prevents the server from showing the "error.html" page to people who ask for it by name. But I doubt the rule is really expressed this way, because it would only work if the destination site doesn't have RewriteRules of its own.

Matter of fact: Around the middle of last year, the bingbot started asking for one directory-specific error document by name. I've never found out how it learned of its existence; I didn't even know it was happening until many months later when I moved sites. Ordinarily, you deal with this kind of thing by serving up a 410. Here I couldn't-- because it was the 410 document itself that was involved! So now I've got a line that says

RewriteCond %{THE_REQUEST} ebooks/gone\.html
RewriteRule ^ebooks/gone\.html - [R=404,L]

Normally of course you don't need to code an explicit 404. Here I had to, because the file actually does exist-- I just don't want search engines to know about it. Yes, it's really "R=404". This is a quirk shared by mod_rewrite and mod_alias. You can attach any number after the "R=" or "Redirect"; it doesn't have to be in the 3xx range.


Edit: Heh, this is funny. My mousing hand must have slipped while composing this post, because there's now a search-engine tab open containing the words 'maybe "/error" is reserved or defaulted on the server or something, I' (was that a single line in your post?). And there are 78 million replies (really) so clearly you are not the first person to wonder.
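Added example, not part of any post in this thread: a small Python check for the two-line ErrorLog pattern described above, where a "client denied by server configuration" entry is followed by a "File does not exist" entry for the same client in the same second, meaning the 403 error document itself could not be served. The log lines are constructed (documentation IP ranges and a made-up document root), and the function name is hypothetical.

```python
import re
from collections import Counter

# Apache 2.2-style ErrorLog line, the format quoted in this thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
DENIED = "client denied by server configuration: "
MISSING = "File does not exist: "

# Constructed sample log: documentation IP ranges, made-up document root.
SAMPLE_LOG = """\
[Sun Apr 06 12:01:48 2014] [error] [client 192.0.2.10] client denied by server configuration: /home/user/example.com/htdocs/
[Sun Apr 06 12:01:48 2014] [error] [client 192.0.2.10] File does not exist: /var/www/error
[Sun Apr 06 12:03:11 2014] [error] [client 198.51.100.7] File does not exist: /home/user/example.com/htdocs/favicon.ico
[Sun Apr 06 12:05:02 2014] [error] [client 203.0.113.5] client denied by server configuration: /home/user/example.com/htdocs/
[Sun Apr 06 12:09:30 2014] [error] [client 192.0.2.10] client denied by server configuration: /home/user/example.com/htdocs/
[Sun Apr 06 12:09:30 2014] [error] [client 192.0.2.10] File does not exist: /var/www/error
"""


def find_broken_error_documents(log_text):
    """Count missing-file paths logged right after a denial for the same client."""
    missing = Counter()
    last_denial = {}  # client IP -> timestamp string of its latest denial
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, msg = m.group("ts", "ip", "msg")
        if msg.startswith(DENIED):
            last_denial[ip] = ts
        elif msg.startswith(MISSING):
            # A miss in the same second as this client's denial is read as the
            # error document lookup failing; any other miss is a plain 404.
            if last_denial.pop(ip, None) == ts:
                missing[msg[len(MISSING):]] += 1
    return missing


if __name__ == "__main__":
    for path, n in find_broken_error_documents(SAMPLE_LOG).items():
        print(f"{n} denials could not serve their error document: {path}")
```

A path reported here that lies outside the site's document root suggests the ErrorDocument being looked up is one set at server level rather than in the site's own htaccess.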

phranque

9:36 am on Apr 7, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



client denied by server configuration: /home/plat-linnas01/e/[domainremovedforthispost]/user/htdocs/

make sure you are checking the Apache directives in the directory specified here.

File does not exist: /var/www/error

i am assuming this is not in your document root directory and therefore this error doesn't look like it was caused by the request from the user agent.
i would guess your root directory index.php script is trying to open this file.

that would explain the different error results.

lucy24

3:42 pm on Apr 7, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



i am assuming this is not in your document root directory and therefore this error doesn't look like it was caused by the request from the user agent.

My error logs look like that too. Regular access logs show URLs, but error logs show the physical filepath, regardless of whether it was an internal or external request. php action probably wouldn't show up in error logs at all, but in the entirely separate "php logs" file (which you may not even have access to in shared hosting, if in fact it exists at all).

phranque

8:20 pm on Apr 7, 2014 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



File does not exist: /var/www/error

but error logs show the physical filepath

the only directory path a browser can request would be relative to the document root directory.
that doesn't look like a filepath in the document root directory so it can't be a browser request.

it's an internal rewrite or some other internal request and the server process does not have sufficient ownership/permissions to read that internally requested file.

lucy24

9:18 pm on Apr 7, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



My point was that error logs on my shared-hosting setup-- which can't possibly be different from all other shared-hosting setups in the world-- always show the physical filepath, no matter where the request came from. If it started as an external request, then the ordinary access logs will also record the 403/404/whatever, using the requested form. But you can't tell from the error log alone whether the request was internal or external.

:: detour to random error log from test site ::

[Sun Apr 06 14:52:57 2014] [error] [client 37.139.52.23] client denied by server configuration: /home/myusername/example.com/, referer: http://www.spammy-referer.ru/
[Sun Apr 06 20:04:49 2014] [error] [client 134.249.48.26] client denied by server configuration: /home/myusername/example.com/, referer: http://www.other-spammy-referer.ru/

This tells me that the OP and I do not use the same host ;) Since it's my test site, I know that these particular requests were blocked by IP. Only my real sites have RewriteRules that would also block the fake .ru referer (global lockout unless it's a major search engine). Every few months I take a closer look and update IP lists as needed. Belt and suspenders.