0

My dev machine with Ubuntu 24.04 runs apache2 as www-data and the server root is /var/www/html. Here is the Apache config:

DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /usr/share>
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

ServerName 127.0.0.1

And this is the site configuration:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

The default content of /var/www/html is:

/var/www/html$ ls -l
-rw-r--r-- 1 root     root     10671 giu  8 10:07 index.html
-rw-r--r-- 1 root     root        20 giu  8 10:18 phpinfo.php
lrwxrwxrwx 1 root     root        21 giu  8 10:31 phpmyadmin -> /usr/share/phpmyadmin

If I browse to http://127.0.0.1/index.html or http://127.0.0.1/phpinfo.php I can see the pages. So far so good.

Now I want to write some PHP code, but I want to store it inside my home directory, say:

$ cd ~/myproject
$ tree -pu .
[drwxrwxr-x mark]  .
└── [drwxrwxr-x mark]  www
    └── [-rw-rw-r-- mark]  index.php

Then I made a symlink to this www directory:

$ cd /var/www/html
$ sudo ln -s ~/myproject/www myproject

I was expecting to be able to browse with http://127.0.0.1/myproject/index.php, but instead I got a 403 error.

It seems odd to me since I enabled the symlink options as suggested here, and the permissions seem correct. I also tried to chown to www-data with no success.

What am I missing?


Update: After following the hint of @Giacomo1968 I searched for the entries Require all denied:

$ cd /etc/apache2
$ grep -nrw . -e "Require all denied"
./apache2.conf:162:#    Require all denied
./apache2.conf:196: Require all denied
./mods-available/php8.3.conf:11:    Require all denied
./mods-available/php8.3.conf:15:    Require all denied
./mods-available/proxy.conf:14:#   Require all denied
./conf-available/php8.3-cgi.conf:16:    Require all denied
./conf-available/php8.3-cgi.conf:20:    Require all denied

The first result is the one I've already commented out; the second one is:

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>

And I guess it's safe to keep as is.

The other results are not related to Apache user configuration.

Giacomo1968
  • 58,727
Mark
  • 656

2 Answers

0

Look at this Directory directive in your Apache config:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

Try commenting out that Require all denied directive, restart Apache and see what happens.

In fact I think that whole <Directory /> block isn’t needed. I bet that is the issue since a 403 indicates a permissions issue on the Apache side of things. Read more here:

The HTTP 403 Forbidden client error response status code indicates that the server understood the request but refused to process it. This status is similar to 401, except that for 403 Forbidden responses, authenticating or re-authenticating makes no difference. The request failure is tied to application logic, such as insufficient permissions to a resource or action.

A 403 error is not a case of file system permissions, but web server issues stemming from Apache itself.

Giacomo1968
  • 58,727
0

Look at this similar question and answer thread about Nginx.

Are the permissions to your home directory (~/) 700?

Try changing the permissions to 755 (chmod 755 ~/) and see what happens.

Giacomo1968
  • 58,727
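
One way to test the home-directory suggestion above before changing any permissions, as an added example that is not part of the original thread: walk the resolved symlink target up to / and report the directory that denies traversal to "other" users. The function name `first_blocked_dir` and its optional BASE argument are hypothetical; it assumes GNU coreutils and that www-data is neither owner nor group member of the directories involved.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes GNU coreutils
# (realpath -e, stat -c) and that Apache's user (www-data on the page) is
# neither owner nor group member of the directories, so only the "other"
# permission bits apply to it.

# first_blocked_dir PATH [BASE]
# Prints the directory closest to BASE (default /) on the resolved PATH that
# lacks the search (x) bit for "other"; returns 1 if one is found, 0 if none,
# 2 if PATH cannot be resolved by the user running the check.
first_blocked_dir() {
    local target base dir mode blocked
    blocked=""
    # Resolve symlinks first: Apache follows the link, so the permissions
    # that matter are on the real path, not on the link in /var/www/html.
    target=$(realpath -e -- "$1") || return 2
    base=$(realpath -e -- "${2:-/}") || return 2
    if [ -d "$target" ]; then dir=$target; else dir=$(dirname -- "$target"); fi
    while :; do
        mode=$(stat -c '%A' -- "$dir")        # e.g. drwxr-x---
        case $mode in
            ?????????[xt]*) ;;                # others may traverse
            *) blocked=$dir ;;                # remember it, keep walking up
        esac
        if [ "$dir" = "$base" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    [ -z "$blocked" ] && return 0
    printf '%s\n' "$blocked"
    return 1
}

# Usage (path taken from the question), run as the owner of the files:
#   first_blocked_dir /var/www/html/myproject/index.php
```

Traversal needs only the search bit, so `chmod o+x` on the reported directory is a narrower change than 755 and does not let other users list its contents.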