problem hub
Read-only firstApache 403 forbidden
Check Apache syntax, enabled sites, document root, Directory rules, path permissions, and error logs before chmod or ownership changes.
Safest first command
sudo apachectl configtest
Before you run this
Expected output: Apache prints Syntax OK or names a config file and line number.
When not to use it: Do not treat Syntax OK as proof that filesystem permissions or Directory rules allow access.
Expected output example
Syntax OK
How to read the result
A syntax pass only proves Apache can parse config. A 403 usually needs Directory rules, document root, and path permissions checked next.
What to check next
Syntax error
Means: Fix config syntax before chasing permissions.
Next step: Read the named file and line.
Syntax OK but 403 remains
Means: Access rules or path permissions are likely.
Next step: Find DocumentRoot and Directory rules.
Error log names client denied by server configuration
Means: Directory or Require rules are blocking access.
Next step: Read recent Apache errors.
Apache 403 decision tree
Prove config syntax, then prove whether the active virtual host, Directory rule, filesystem path, or permissions explain the 403.
sudo apachectl configtestfind /etc/apache2/sites-enabled -maxdepth 1 -type l -printf '%f -> %l\n' 2>/dev/null | sortgrep -RInE 'DocumentRoot|<Directory|Require all|Options|AllowOverride' /etc/apache2/sites-enabled /etc/apache2/conf-enabled /etc/httpd/conf.d 2>/dev/nullnamei -l /var/www/html/index.htmlsudo tail -80 /var/log/apache2/error.log 2>/dev/null || sudo tail -80 /var/log/httpd/error_log
Bad fixes to avoid
Do not chmod -R the web root, disable all access rules, or reload Apache before checking the exact virtual host and Directory block.
Common causes
- Directory block denies access.
- DocumentRoot points somewhere unexpected.
- Parent directory lacks execute permission.
- Wrong virtual host is enabled.
What not to change yet
- Do not make the whole tree world-readable.
- Do not disable access controls to make one URL work.
- Do not restart Apache until config syntax passes.
Stop and escalate if
- The next step could interrupt users, remove data, or lock out access.
- The output includes secrets, customer data, or private infrastructure details.
- You cannot explain the blast radius of the repair command.
supporting commands
Command path
Guides and drills
- Nginx 403 hub Use the same path-permission reasoning for Nginx.