Read-only first

Apache 403 forbidden

Check Apache syntax, enabled sites, document root, Directory rules, path permissions, and error logs before chmod or ownership changes.

Safest first command

sudo apachectl configtest

Before you run this

Expected output: Apache prints Syntax OK or names a config file and line number.

When not to use it: Do not treat Syntax OK as proof that filesystem permissions or Directory rules allow access.

Expected output example

Syntax OK

How to read the result

A syntax pass only proves Apache can parse config. A 403 usually needs Directory rules, document root, and path permissions checked next.

What to check next

Syntax error

Means: Fix config syntax before chasing permissions.

Next step: Read the named file and line.

Test Apache Config Without Reloading

Syntax OK but 403 remains

Means: Access rules or path permissions are the likely cause.

Next step: Find DocumentRoot and Directory rules.

Find Apache DocumentRoot and Directory Rules

Error log names "client denied by server configuration"

Means: Directory or Require rules are blocking access.

Next step: Read recent Apache errors.

Read Recent Apache Error Log Lines

Apache 403 decision tree

Prove config syntax, then prove whether the active virtual host, Directory rule, filesystem path, or permissions explain the 403.

  1. sudo apachectl configtest
  2. find /etc/apache2/sites-enabled -maxdepth 1 -type l -printf '%f -> %l\n' 2>/dev/null | sort
  3. grep -RInE 'DocumentRoot|<Directory|Require all|Options|AllowOverride' /etc/apache2/sites-enabled /etc/apache2/conf-enabled /etc/httpd/conf.d 2>/dev/null
  4. namei -l /var/www/html/index.html
  5. sudo tail -80 /var/log/apache2/error.log 2>/dev/null || sudo tail -80 /var/log/httpd/error_log
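Step 4 prints every component of the path; the check it supports can also be scripted. The following is an added example, not part of the original page: a read-only function (the name first_blocked_component is hypothetical) that walks one path and reports the first component that "other" users cannot pass. It assumes the Apache worker user is neither owner nor group member of the path and that GNU stat is available; ACLs and SELinux are not evaluated.

```shell
#!/bin/sh
# Added example: read-only walk of one path. Changes nothing on disk.
# Assumption: the Apache worker user falls under the "other" permission bits.

# first_blocked_component TARGET [ROOT]
# Prints "<path> <octal-mode> <reason>" for the first blocking component
# below ROOT (default /) and returns 1; prints nothing and returns 0 if clear.
first_blocked_component() {
    target=$1
    current=${2:-/}
    current=${current%/}            # "/" becomes "", "/srv/" becomes "/srv"
    rest=${target#"$current"/}      # components still to walk
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue  # skip empty parts produced by "//"
        current=$current/$part
        if [ ! -e "$current" ]; then
            echo "$current - missing"
            return 1
        fi
        mode=$(stat -c '%a' "$current")    # GNU stat, e.g. 750
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ -d "$current" ]; then
            # A directory needs o+x (search) to be traversed.
            case $other in
                1|3|5|7) ;;
                *) echo "$current $mode no-search-bit"; return 1 ;;
            esac
        else
            # The file itself needs o+r to be served.
            case $other in
                4|5|6|7) ;;
                *) echo "$current $mode no-read-bit"; return 1 ;;
            esac
        fi
    done
    return 0
}

# Stand-alone use: sh script.sh /var/www/html/index.html
[ $# -eq 0 ] || first_blocked_component "$@"
```

A single reported component is the narrow thing to review against the virtual host's DocumentRoot, which is why a recursive change to the whole web root is unnecessary.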

Bad fixes to avoid

Do not chmod -R the web root, disable all access rules, or reload Apache before checking the exact virtual host and Directory block.

Common causes

  • Directory block denies access.
  • DocumentRoot points somewhere unexpected.
  • Parent directory lacks execute permission.
  • Wrong virtual host is enabled.

What not to change yet

  • Do not make the whole tree world-readable.
  • Do not disable access controls to make one URL work.
  • Do not restart Apache until config syntax passes.

Stop and escalate if

  • The next step could interrupt users, remove data, or lock out access.
  • The output includes secrets, customer data, or private infrastructure details.
  • You cannot explain the blast radius of the repair command.

Guides and drills

  • Nginx 403 hub: use the same path-permission reasoning for Nginx.