PDA

View Full Version : Error "403 Forbidden" after updating to 3.0.5.1 - ¿possible bug?


mablanco
4th March 2013, 10:23
Hi all. I've just updated one of my ISPConfig installations from 3.0.4.6 to 3.0.5.1. The process went smooth, but when I tried to access the control panel all I got was the error "403 Forbidden - You don’t have permission to access / on this server".

The /var/log/apache2/error.log showed the message "[error] client denied by server configuration: /etc/apache2/htdocs", so I went to review the control panel files and found in /etc/apache2/sites-enabled/ispconfig.vhost that the <IfModule mod_php5.c> block was commented out. I am using libmodphp5, so I needed that configuration. I uncommented the block, restarted Apache2 and then I got a blank page.

The /var/log/apache2/error.log showed another message: "[error] PHP Fatal error: require_once(): Failed opening required '../lib/config.inc.php' (include_path='.:/usr/share/php:/usr/share/pear') in /usr/local/ispconfig/interface/web/index.php on line 31". When I looked at that file, I found that the permissions were 700, while those of a backup file were 750. The new file and the backup were identical expect for the version number. I corrected the permissions and then I was able to access the control panel again.

Hope this info helps. Best regards.

till
4th March 2013, 11:27
The /var/log/apache2/error.log showed the message "[error] client denied by server configuration: /etc/apache2/htdocs", so I went to review the control panel files and found in /etc/apache2/sites-enabled/ispconfig.vhost that the <IfModule mod_php5.c> block was commented out. I am using libmodphp5, so I needed that configuration. I uncommented the block, restarted Apache2 and then I got a blank page.

mod_php is not supported anymore for the ispconfig vhost for security reasons, please install mod_fcgi and a php fcgi binary.

The /var/log/apache2/error.log showed another message: "[error] PHP Fatal error: require_once(): Failed opening required '../lib/config.inc.php' (include_path='.:/usr/share/php:/usr/share/pear') in /usr/local/ispconfig/interface/web/index.php on line 31". When I looked at that file, I found that the permissions were 700, while those of a backup file were 750. The new file and the backup were identical expect for the version number. I corrected the permissions and then I was able to access the control panel again.

You should undo that permission change and install php-fcgi like I explained above.

mablanco
4th March 2013, 11:41
mod_php is not supported anymore for the ispconfig vhost for security reasons, please install mod_fcgi and a php fcgi binary.

Could you please let me know more about those secutiry reasons (or at least point me to the info)?. We are used to mod_php5 and would like to know more before we change to FCGI. What's more, the last important php bug was related to FCGI, not mod_php5. And we think that FCGI has worse performance than mod_php5 and causes more technical troubles, outweighing its advantages.

Anyway, it would be great if the updater warned about the change, as I could not access the control panel to move the webs from mod_php5 to mod_fcgi.

Thanks in advance.

till
4th March 2013, 11:55
Could you please let me know more about those secutiry reasons (or at least point me to the info)?. We are used to mod_php5 and would like to know more before we change to FCGI. What's more, the last important php bug was related to FCGI, not mod_php5. And we think that FCGI has worse performance than mod_php5 and causes more technical troubles, outweighing its advantages.

ISPConfig uses stricter security settings now which require that all scripts of the ispconfig interface are running with the priveliges of the user "ispconfig"as you noticed you have to give less stricter permissions to the file which contains the mysql login details on your server when you use mod_php. When you use mod_php, then scripts were run as user apache.

What's more, the last important php bug was related to FCGI, not mod_php5. And we think that FCGI has worse performance than mod_php5 and causes more technical troubles, outweighing its advantages.

The performance of php-fcgi and mod_php are comparable. I've never heard a complaint yet that the ispconfig interface is too slow, so you must run a really big setup with tens of thousands of customers. How many thousand clients access the ispconfig interface on your server simultaniously and how many ram and cpu's does your server has?

Anyway, it would be great if the updater warned about the change, as I could not access the control panel to move the webs from mod_php5 to mod_fcgi.

The system requirements for ispconfig are defined in the perfect setup guides that we publish regularily for all Linux distributions and php fcgi is part of these system requirements.

mablanco
4th March 2013, 12:25
ISPConfig uses stricter security settings now which require that all scripts of the ispconfig interface are running with the priveliges of the user "ispconfig"as you noticed you have to give less stricter permissions to the file which contains the mysql login details on your server when you use mod_php. When you use mod_php, then scripts were run as user apache.

I understand your point, but as Apache belongs to group "ispconfig", I don't see much extra security.

The performance of php-fcgi and mod_php are comparable. I've never heard a complaint yet that the ispconfig interface is too slow, so you must run a really big setup with tens of thousands of customers. How many thousand clients access the ispconfig interface on your server simultaniously and how many ram and cpu's does your server has?

No, they are not comparable and will never be. How can an external program be faster than a linkable module? And BTW, you don't need a big setup to notice the performance difference. On the contrary, you need to squeeze any bit of speed you can when relying on few resoturces.

The system requirements for ispconfig are defined in the perfect setup guides that we publish regularily for all Linux distributions and php fcgi is part of these system requirements.

I don't doubt that that system requirements are published in the perfect guides, but when you're running an existing installation you're not suppossed to read the guides again. I was just asking for a user-friendly feature that would save time and troubles for sysadmins running ISPConfig.

Best regards.

till
4th March 2013, 12:50
I understand your point, but as Apache belongs to group "ispconfig", I don't see much extra security.

Did you notice that we removed the group reading policy from the file? So apache can't read it even if the apache user belongs to the group ispconfig. Thats why you got a permission error when using mod_php.

No, they are not comparable and will never be. How can an external program be faster than a linkable module? And BTW, you don't need a big setup to notice the performance difference. On the contrary, you need to squeeze any bit of speed you can when relying on few resoturces.

I said comparable and not faster. But as security does not seem to matter for you, feel free to use mod_php in future. We wont make the default ispconfig install less secure just because you dont like fastcgi.

I don't doubt that that system requirements are published in the perfect guides, but when you're running an existing installation you're not suppossed to read the guides again. I was just asking for a user-friendly feature that would save time and troubles for sysadmins running ISPConfig.

You wont have to read them again, if you followed the during your initial install, then all required modules were there. ISPConfig is notifying you for missing modules that were not required for the beginning like php5-curls when you use the new aps installer.

mablanco
4th March 2013, 13:36
Did you notice that we removed the group reading policy from the file? So apache can't read it even if the apache user belongs to the group ispconfig. Thats why you got a permission error when using mod_php.

Your removed the group permissions only from the config file, but not from the rest of the files that belong to ISPConfig.

I said comparable and not faster. But as security does not seem to matter for you, feel free to use mod_php in future. We wont make the default ispconfig install less secure just because you dont like fastcgi.

Yes, I understood you, but you prefer being rethorical. Whatever...

I don't know how you figured out that secutiry is not important for me, moreover when you know nothing of me. You're quite audacious.

You wont have to read them again, if you followed the during your initial install, then all required modules were there. ISPConfig is notifying you for missing modules that were not required for the beginning like php5-curls when you use the new aps installer.

Again, I've asked just for a little warning in the updater script that would let us know about important changes in ISPConfig that would affect my installation even if I followed the setup guides in the beginning.

Anyway, this thread started just as a possible bug report with a solution. Instead of being grateful, you're quarreling with me. How dissappointing... I'd rather stop here this thread.

till
4th March 2013, 13:42
Your removed the group permissions only from the config file, but not from the rest of the files that belong to ISPConfig.

Sure, because the rest does not contain sensitive information and other files like images or css files have to be accessed by apache.

I dont comment on your other responses...