Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 4th March 2013, 11:23
mablanco mablanco is offline
Junior Member
 
Join Date: Mar 2013
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default Error "403 Forbidden" after updating to 3.0.5.1 - ¿possible bug?

Hi all. I've just updated one of my ISPConfig installations from 3.0.4.6 to 3.0.5.1. The process went smooth, but when I tried to access the control panel all I got was the error "403 Forbidden - You don’t have permission to access / on this server".

The /var/log/apache2/error.log showed the message "[error] client denied by server configuration: /etc/apache2/htdocs", so I went to review the control panel files and found in /etc/apache2/sites-enabled/ispconfig.vhost that the <IfModule mod_php5.c> block was commented out. I am using libmodphp5, so I needed that configuration. I uncommented the block, restarted Apache2 and then I got a blank page.

The /var/log/apache2/error.log showed another message: "[error] PHP Fatal error: require_once(): Failed opening required '../lib/config.inc.php' (include_path='.:/usr/share/php:/usr/share/pear') in /usr/local/ispconfig/interface/web/index.php on line 31". When I looked at that file, I found that the permissions were 700, while those of a backup file were 750. The new file and the backup were identical expect for the version number. I corrected the permissions and then I was able to access the control panel again.

Hope this info helps. Best regards.
Reply With Quote
Sponsored Links
  #2  
Old 4th March 2013, 12:27
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,421
Thanks: 834
Thanked 5,501 Times in 4,330 Posts
Default

Quote:
The /var/log/apache2/error.log showed the message "[error] client denied by server configuration: /etc/apache2/htdocs", so I went to review the control panel files and found in /etc/apache2/sites-enabled/ispconfig.vhost that the <IfModule mod_php5.c> block was commented out. I am using libmodphp5, so I needed that configuration. I uncommented the block, restarted Apache2 and then I got a blank page.
mod_php is not supported anymore for the ispconfig vhost for security reasons, please install mod_fcgi and a php fcgi binary.

Quote:
The /var/log/apache2/error.log showed another message: "[error] PHP Fatal error: require_once(): Failed opening required '../lib/config.inc.php' (include_path='.:/usr/share/php:/usr/share/pear') in /usr/local/ispconfig/interface/web/index.php on line 31". When I looked at that file, I found that the permissions were 700, while those of a backup file were 750. The new file and the backup were identical expect for the version number. I corrected the permissions and then I was able to access the control panel again.
You should undo that permission change and install php-fcgi like I explained above.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 4th March 2013, 12:41
mablanco mablanco is offline
Junior Member
 
Join Date: Mar 2013
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till View Post
mod_php is not supported anymore for the ispconfig vhost for security reasons, please install mod_fcgi and a php fcgi binary.
Could you please let me know more about those secutiry reasons (or at least point me to the info)?. We are used to mod_php5 and would like to know more before we change to FCGI. What's more, the last important php bug was related to FCGI, not mod_php5. And we think that FCGI has worse performance than mod_php5 and causes more technical troubles, outweighing its advantages.

Anyway, it would be great if the updater warned about the change, as I could not access the control panel to move the webs from mod_php5 to mod_fcgi.

Thanks in advance.
Reply With Quote
  #4  
Old 4th March 2013, 12:55
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,421
Thanks: 834
Thanked 5,501 Times in 4,330 Posts
Default

Quote:
Could you please let me know more about those secutiry reasons (or at least point me to the info)?. We are used to mod_php5 and would like to know more before we change to FCGI. What's more, the last important php bug was related to FCGI, not mod_php5. And we think that FCGI has worse performance than mod_php5 and causes more technical troubles, outweighing its advantages.
ISPConfig uses stricter security settings now which require that all scripts of the ispconfig interface are running with the priveliges of the user "ispconfig"as you noticed you have to give less stricter permissions to the file which contains the mysql login details on your server when you use mod_php. When you use mod_php, then scripts were run as user apache.

Quote:
What's more, the last important php bug was related to FCGI, not mod_php5. And we think that FCGI has worse performance than mod_php5 and causes more technical troubles, outweighing its advantages.
The performance of php-fcgi and mod_php are comparable. I've never heard a complaint yet that the ispconfig interface is too slow, so you must run a really big setup with tens of thousands of customers. How many thousand clients access the ispconfig interface on your server simultaniously and how many ram and cpu's does your server has?

Quote:
Anyway, it would be great if the updater warned about the change, as I could not access the control panel to move the webs from mod_php5 to mod_fcgi.
The system requirements for ispconfig are defined in the perfect setup guides that we publish regularily for all Linux distributions and php fcgi is part of these system requirements.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 4th March 2013, 13:25
mablanco mablanco is offline
Junior Member
 
Join Date: Mar 2013
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till View Post
ISPConfig uses stricter security settings now which require that all scripts of the ispconfig interface are running with the priveliges of the user "ispconfig"as you noticed you have to give less stricter permissions to the file which contains the mysql login details on your server when you use mod_php. When you use mod_php, then scripts were run as user apache.
I understand your point, but as Apache belongs to group "ispconfig", I don't see much extra security.

Quote:
Originally Posted by till View Post
The performance of php-fcgi and mod_php are comparable. I've never heard a complaint yet that the ispconfig interface is too slow, so you must run a really big setup with tens of thousands of customers. How many thousand clients access the ispconfig interface on your server simultaniously and how many ram and cpu's does your server has?
No, they are not comparable and will never be. How can an external program be faster than a linkable module? And BTW, you don't need a big setup to notice the performance difference. On the contrary, you need to squeeze any bit of speed you can when relying on few resoturces.

Quote:
Originally Posted by till View Post
The system requirements for ispconfig are defined in the perfect setup guides that we publish regularily for all Linux distributions and php fcgi is part of these system requirements.
I don't doubt that that system requirements are published in the perfect guides, but when you're running an existing installation you're not suppossed to read the guides again. I was just asking for a user-friendly feature that would save time and troubles for sysadmins running ISPConfig.

Best regards.
Reply With Quote
  #6  
Old 4th March 2013, 13:50
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,421
Thanks: 834
Thanked 5,501 Times in 4,330 Posts
Default

Quote:
I understand your point, but as Apache belongs to group "ispconfig", I don't see much extra security.
Did you notice that we removed the group reading policy from the file? So apache can't read it even if the apache user belongs to the group ispconfig. Thats why you got a permission error when using mod_php.

Quote:
No, they are not comparable and will never be. How can an external program be faster than a linkable module? And BTW, you don't need a big setup to notice the performance difference. On the contrary, you need to squeeze any bit of speed you can when relying on few resoturces.
I said comparable and not faster. But as security does not seem to matter for you, feel free to use mod_php in future. We wont make the default ispconfig install less secure just because you dont like fastcgi.

Quote:
I don't doubt that that system requirements are published in the perfect guides, but when you're running an existing installation you're not suppossed to read the guides again. I was just asking for a user-friendly feature that would save time and troubles for sysadmins running ISPConfig.
You wont have to read them again, if you followed the during your initial install, then all required modules were there. ISPConfig is notifying you for missing modules that were not required for the beginning like php5-curls when you use the new aps installer.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #7  
Old 4th March 2013, 14:36
mablanco mablanco is offline
Junior Member
 
Join Date: Mar 2013
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till View Post
Did you notice that we removed the group reading policy from the file? So apache can't read it even if the apache user belongs to the group ispconfig. Thats why you got a permission error when using mod_php.
Your removed the group permissions only from the config file, but not from the rest of the files that belong to ISPConfig.

Quote:
Originally Posted by till View Post
I said comparable and not faster. But as security does not seem to matter for you, feel free to use mod_php in future. We wont make the default ispconfig install less secure just because you dont like fastcgi.
Yes, I understood you, but you prefer being rethorical. Whatever...

I don't know how you figured out that secutiry is not important for me, moreover when you know nothing of me. You're quite audacious.

Quote:
Originally Posted by till View Post
You wont have to read them again, if you followed the during your initial install, then all required modules were there. ISPConfig is notifying you for missing modules that were not required for the beginning like php5-curls when you use the new aps installer.
Again, I've asked just for a little warning in the updater script that would let us know about important changes in ISPConfig that would affect my installation even if I followed the setup guides in the beginning.

Anyway, this thread started just as a possible bug report with a solution. Instead of being grateful, you're quarreling with me. How dissappointing... I'd rather stop here this thread.
Reply With Quote
  #8  
Old 4th March 2013, 14:42
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,421
Thanks: 834
Thanked 5,501 Times in 4,330 Posts
 
Default

Quote:
Your removed the group permissions only from the config file, but not from the rest of the files that belong to ISPConfig.
Sure, because the rest does not contain sensitive information and other files like images or css files have to be accessed by apache.

I dont comment on your other responses...
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Permission issue after updating to 3.0.5.1 Seidr General 12 21st October 2013 04:21
Bug when updating ftp accounts from reseller ddelbia General 1 1st July 2010 14:02
The system is currently updating the configuration files. warlock General 8 21st February 2009 19:15
possible bug? /etc/postfix/local-host-names not updating correctly woleium Installation/Configuration 3 1st February 2007 14:58


All times are GMT +2. The time now is 05:05.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.