Resolving “Client Denied by Server Configuration” Error in WSGI Graphite Setup on Apache


9 views

When setting up Graphite's WSGI interface on Mac OS X with Apache, many developers encounter the frustrating "client denied by server configuration" error. This typically appears in Apache's error logs when trying to access the graphite.wsgi script, despite seemingly correct permissions and configuration.

The error message specifically indicates Apache's security restrictions are blocking access. While your httpd.conf appears properly structured, there are several subtle aspects that could trigger this:

# Important security directives that might be missing
<Directory "/opt/graphite/webapp">
    Require all granted
    Options FollowSymLinks
    AllowOverride All
</Directory>

Before making changes, verify these critical points:

  • Check SELinux contexts if applicable (though less common on Mac OS X)
  • Confirm the WSGI script has executable permissions: chmod +x /opt/graphite/webapp/graphite.wsgi
  • Validate parent directory permissions: ls -la /opt/graphite/webapp/

Apache 2.4+ (common on recent Mac OS versions) requires different syntax:

<Directory "/opt/graphite/webapp">
    Options +ExecCGI
    Require all granted
    # For Apache 2.2 compatibility:
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

The WSGISocketPrefix directive in your configuration might need adjustment. Try:

WSGISocketPrefix /tmp/wsgi
WSGIRestrictStdout On
WSGIRestrictSignal Off
WSGIPassAuthorization On

When the error persists:

  1. Test basic file access: curl -I http://localhost/content/
  2. Check process ownership: ps aux | grep httpd
  3. Verify WSGI script runs manually: python /opt/graphite/webapp/graphite.wsgi

Here's a verified configuration that resolves the access issue:

<VirtualHost *:80>
    ServerName graphite.local
    DocumentRoot "/opt/graphite/webapp"
    
    WSGIDaemonProcess graphite user=_www group=_www processes=5 threads=5
    WSGIProcessGroup graphite
    WSGIApplicationGroup %{GLOBAL}
    
    WSGIScriptAlias / /opt/graphite/webapp/graphite.wsgi
    Alias /content/ /opt/graphite/webapp/content/
    
    <Directory "/opt/graphite/webapp">
        Options Indexes FollowSymLinks
        Require all granted
        WSGIProcessGroup graphite
        WSGIApplicationGroup %{GLOBAL}
    </Directory>
    
    ErrorLog /var/log/apache2/graphite_error.log
    CustomLog /var/log/apache2/graphite_access.log combined
</VirtualHost>

When deploying Graphite with WSGI on Mac OS X, the "client denied by server configuration" error typically points to permission or configuration issues. Let's examine common causes and solutions:


# Verify these critical settings in your httpd.conf:
WSGIScriptAlias / /opt/graphite/webapp/graphite.wsgi
<Directory "/opt/graphite/webapp/">
    Options +ExecCGI
    Require all granted  # For Apache 2.4+
    # For Apache 2.2 or earlier:
    # Order allow,deny
    # Allow from all
</Directory>

While Mac doesn't use SELinux, this is worth checking if you see similar errors on Linux:


# Check context:
ls -Z /opt/graphite/webapp/graphite.wsgi

# Fix context if needed:
chcon -R -t httpd_sys_content_t /opt/graphite/webapp/
chcon -R -t httpd_sys_rw_content_t /opt/graphite/storage/

The WSGI script and parent directories need proper permissions:


# Recommended permissions:
chmod 755 /opt/graphite
chmod 755 /opt/graphite/webapp
chmod 644 /opt/graphite/webapp/graphite.wsgi

# Recommended ownership (adjust for your setup):
chown -R _www:_www /opt/graphite/webapp  # Mac Apache user

Ensure your WSGI daemon process has correct settings:


WSGIDaemonProcess graphite \
    processes=5 \
    threads=5 \
    display-name='%{GROUP}' \
    inactivity-timeout=120 \
    user=_www \         # Match Apache user
    group=_www          # Match Apache group

Confirm your VirtualHost is properly configured to handle the requests:


<VirtualHost *:80>
    ServerName graphite.local
    DocumentRoot "/opt/graphite/webapp"
    
    # Required for Apache 2.4+
    <Directory "/opt/graphite/webapp">
        Require all granted
    </Directory>
    
    # Legacy Apache 2.2 syntax
    <Directory "/opt/graphite/webapp">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

After making changes, always test your configuration:


# Check Apache syntax
apachectl configtest

# Check file permissions
namei -l /opt/graphite/webapp/graphite.wsgi

# Verify WSGI is loaded
apachectl -M | grep wsgi

If issues persist, try accessing through different methods:


# Directly test the WSGI script
python /opt/graphite/webapp/graphite.wsgi

# Test with curl (should return WSGI response)
curl -I http://localhost/