Symfony on Heroku: 403 Forbidden You do not have permission / access on this server

I have successfully deployed my Symfony 2 application to Heroku, but now when I try to access it, I get the following 403 error:

Forbidden

You do not have permission to access this server.

This is the magazine from Heroku:

2015-07-29T14:31:41.827491+00:00 heroku[router]: at=info method=GET path="/" host=my-app.herokuapp.com request_id=557a70f4-ea11-4519-b8df-301b714f6ffa fwd="151.77.103.253" dyno=web.1 connect=0ms service=1ms status=403 bytes=387 2015-07-29T14:31:41.828428+00:00 app[web.1]: [Wed Jul 29 14:31:41.827438 2015] [autoindex:error] [pid 104:tid 140466989270784] [client 10.100.0.139:16096] AH01276: Cannot serve directory /app/: No matching DirectoryIndex (index.php,index.html,index.htm) found, and server-generated directory index forbidden by Options directive 2015-07-29T14:31:41.829009+00:00 app[web.1]: 10.100.0.139 - - [29/Jul/2015:14:31:41 +0000] "GET / HTTP/1.1" 403 209 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36 

It seems that Symfony (or Heroku?) Is trying to serve the /app/ directory, but I think this is wrong, as from the logs:

2015-07-29T14: 31: 41.828428 + 00: 00 application [web.1]: [Wed Jul 29 14: 31: 41.827438 2015] [autoindex: error] [pid 104: tid 140466989270784] [client 10.100.0.139:16096 ] AH01276: Unable to specify directory / application / : No DirectoryIndex matching (index.php, index.html, index.htm) and the index generated by the server is prohibited by the Options directive

Following the symfony documentation tutorial on how to deploy to Heroku , I created my .procfile and into it

 web: bin/heroku-php-apache2 web/ 

I also uninstalled the DemoBundle , and now my root URL is configured in the DefaultController as follows:

 <?php // \AppBundle\Controller\DefaultController.php namespace AppBundle\Controller; use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route; use Symfony\Bundle\FrameworkBundle\Controller\Controller; class DefaultController extends Controller { /** * @Route("/", name="Homepage") */ public function indexAction() { return $this->render('default/index.html.twig'); } } 

I think, in the end, there are some problems with my .htaccess , that is, the one that comes with Symfony Standard Edition:

 # Use the front controller as index file. It serves as a fallback solution when # every other rewrite/redirect fails (eg in an aliased environment without # mod_rewrite). Additionally, this reduces the matching process for the # start page (path "/") because otherwise Apache will apply the rewriting rules # to each configured DirectoryIndex file (eg index.php, index.html, index.pl). DirectoryIndex app.php <IfModule mod_rewrite.c> RewriteEngine On # Determine the RewriteBase automatically and set it as environment variable. # If you are using Apache aliases to do mass virtual hosting or installed the # project in a subdirectory, the base path will be prepended to allow proper # resolution of the app.php file and to redirect to the correct URI. It will # work in environments without path prefix as well, providing a safe, one-size # fits all solution. But as you do not need it in this case, you can comment # the following 2 lines to eliminate the overhead. RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$ RewriteRule ^(.*) - [E=BASE:%1] # Sets the HTTP_AUTHORIZATION header removed by apache RewriteCond %{HTTP:Authorization} . RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] # Redirect to URI without front controller to prevent duplicate content # (with and without `/app.php`). Only do this redirect on the initial # rewrite by Apache and not on subsequent cycles. Otherwise we would get an # endless redirect loop (request -> rewrite to front controller -> # redirect -> request -> ...). # So in case you get a "too many redirects" error or you always get redirected # to the start page because your Apache does not expose the REDIRECT_STATUS # environment variable, you have 2 choices: # - disable this feature by commenting the following 2 lines or # - use Apache >= 2.3.9 and replace all L flags by END flags and remove the # following RewriteCond (best solution) RewriteCond %{ENV:REDIRECT_STATUS} ^$ RewriteRule ^app\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L] # If the requested filename exists, simply serve it. # We only want to let Apache serve files and not directories. RewriteCond %{REQUEST_FILENAME} -f RewriteRule .? - [L] # Rewrite all other queries to the front controller. RewriteRule .? %{ENV:BASE}/app.php [L] </IfModule> <IfModule !mod_rewrite.c> <IfModule mod_alias.c> # When mod_rewrite is not available, we instruct a temporary redirect of # the start page to the front controller explicitly so that the website # and the generated links can still be used. RedirectMatch 302 ^/$ /app.php/ # RedirectTemp cannot be used instead </IfModule> </IfModule> 

Another part of my application may be causing this problem: security.yml , which is currently like this:

 # you can read more about security in the related section of the documentation # http://symfony.com/doc/current/book/security.html security: # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password encoders: FOS\UserBundle\Model\UserInterface: sha512 # http://symfony.com/doc/current/cookbook/security/acl.html#bootstrapping acl: connection: default # http://symfony.com/doc/current/book/security.html#hierarchical-roles role_hierarchy: ROLE_ADMIN: ROLE_USER # ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH] ROLE_SUPER_ADMIN: ROLE_ADMIN # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers providers: fos_userbundle: id: fos_user.user_provider.username_email # the main part of the security, where you can set up firewalls # for specific sections of your app firewalls: main: pattern: ^/ form_login: provider: fos_userbundle csrf_provider: security.csrf.token_manager logout: true anonymous: true # disables authentication for assets and the profiler, adapt it according to your needs dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false # with these settings you can restrict or allow access for different parts # of your application based on roles, ip, host or methods # http://symfony.com/doc/current/cookbook/security/access_control.html access_control: #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https } - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } 

But referring to http:// my-app.herokuapp.com/login (which seems to be "open to the world"), I get a nice 404 error anyway:

Not found

The requested URL / login was not found on this server.

So what could be the problem? What setting is stopping me from accessing my Symfony application on Heroku?