#1
17th October 2010, 22:47
baskin
Access forbidden on new site (after upgrading to 3.0.3)

I tried today to create a new site on my ISPConfig 3 server. It is the first site that I have created after upgrading to 3.0.3.

I'm getting Access Forbidden on the default page.

In error_log I have this:

Code:
[Sun Oct 17 23:31:27 2010] [crit] [client 66.249.71.181] (13)Permission denied: /srv/www/kernelit.gr/web/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

The only .htaccess file that exists is the one that ISPConfig made, and it is empty. The web folder is this:

Code:
aragorn:/srv/www/kernelit.gr/web # ls -l
total 16
-rwxr-xr-- 1 web15 client1 1406 2010-10-17 23:26 favicon.ico
-rwxr-xr-- 1 web15 client1    0 2010-10-17 23:26 .htaccess
-rwxr-xr-- 1 web15 client1 1861 2010-10-17 23:26 index.html
-rwxr-xr-- 1 web15 client1   34 2010-10-17 23:26 robots.txt
drwxr-xr-x 2 root  root    4096 2010-10-17 23:26 stats

What is wrong? I haven't changed anything in my configuration.

My vhost file for the domain is (haven't touched anything):

Code:
<Directory /srv/www/kernelit.gr>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

<VirtualHost *:80>
      DocumentRoot /srv/www/kernelit.gr/web
  
    ServerName kernelit.gr
    ServerAlias *.kernelit.gr
    ServerAdmin webmaster@kernelit.gr

    ErrorLog /var/log/ispconfig/httpd/kernelit.gr/error.log


    <Directory /srv/www/kernelit.gr/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        
        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options +Includes
    </Directory>
    <Directory /srv/www/clients/client1/web15/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        
        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options +Includes
    </Directory>

    <IfModule mod_ruby.c>
      <Directory /srv/www/clients/client1/web15/web>
        Options +ExecCGI
      </Directory>
      RubyRequire apache/ruby-run
      #RubySafeLevel 0
      <Files *.rb>
        SetHandler ruby-object
        RubyHandler Apache::RubyRun.instance
      </Files>
      <Files *.rbx>
        SetHandler ruby-object
        RubyHandler Apache::RubyRun.instance
      </Files>
    </IfModule>

    # cgi enabled
        <Directory /srv/www/clients/client1/web15/cgi-bin>
      Order allow,deny
      Allow from all
    </Directory>
    ScriptAlias  /cgi-bin/ /srv/www/clients/client1/web15/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    # suexec enabled
    SuexecUserGroup web15 client1
    # Clear PHP settings of this website
    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
    </FilesMatch>
    # php as fast-cgi enabled
    <IfModule mod_fcgid.c>
      # SocketPath /tmp/fcgid_sock/
      IdleTimeout 3600
      ProcessLifeTime 7200
      # MaxProcessCount 1000
      DefaultMinClassProcessCount 3
      DefaultMaxClassProcessCount 100
      IPCConnectTimeout 8
      IPCCommTimeout 360
      BusyTimeout 300
    </IfModule>
    <Directory /srv/www/kernelit.gr/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
        <Directory /srv/www/clients/client1/web15/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId web15 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
      # DO NOT REMOVE THE COMMENTS!
      # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
      # WEBDAV END
    </IfModule>


</VirtualHost>



<IfModule mod_ssl.c>
###########################################################
# SSL Vhost
###########################################################

<VirtualHost *:443>
      DocumentRoot /srv/www/kernelit.gr/web
  
    ServerName kernelit.gr
    ServerAlias *.kernelit.gr
    ServerAdmin webmaster@kernelit.gr
    
    ErrorLog /var/log/ispconfig/httpd/kernelit.gr/error.log

    SSLEngine on
    SSLCertificateFile /srv/www/clients/client1/web15/ssl/kernelit.gr.crt
    SSLCertificateKeyFile /srv/www/clients/client1/web15/ssl/kernelit.gr.key
    
        <Directory /srv/www/kernelit.gr/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        
        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options +Includes
    </Directory>
    <Directory /srv/www/clients/client1/web15/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        
        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options +Includes
    </Directory>

    # cgi enabled
        <Directory /srv/www/clients/client1/web15/cgi-bin>
      Order allow,deny
      Allow from all
    </Directory>
    ScriptAlias  /cgi-bin/ /srv/www/clients/client1/web15/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    # suexec enabled
    SuexecUserGroup web15 client1
# Clear PHP settings of this website
    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
    </FilesMatch>
    # php as fast-cgi enabled
    <IfModule mod_fcgid.c>
      # SocketPath /tmp/fcgid_sock/
      IdleTimeout 3600
      ProcessLifeTime 7200
      # MaxProcessCount 1000
      DefaultMinClassProcessCount 3
      DefaultMaxClassProcessCount 100
      IPCConnectTimeout 8
      IPCCommTimeout 360
      BusyTimeout 300
    </IfModule>
    <Directory /srv/www/kernelit.gr/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
        <Directory /srv/www/clients/client1/web15/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
      AssignUserId web15 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
      # DO NOT REMOVE THE COMMENTS!
      # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
      # WEBDAV END
    </IfModule>


</VirtualHost>
</IfModule>
Thank you.

#2
17th October 2010, 23:27
baskin

It seems that the newly created site has wrong permissions on web root:

Code:
ls -l
total 16
drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 cgi-bin
lrwxrwxrwx 1 kernelitshell client1   36 2010-10-17 23:26 log -> /var/log/ispconfig/httpd/kernelit.gr
drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 ssl
drwxrwxrwx 2 kernelitshell client1 4096 2010-10-17 23:26 tmp
drwx--x--- 3 kernelitshell client1 4096 2010-10-17 23:26 web
I have changed the permissions manually to this:

Code:
ls -l
total 16
drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 cgi-bin
lrwxrwxrwx 1 kernelitshell client1   36 2010-10-17 23:26 log -> /var/log/ispconfig/httpd/kernelit.gr
drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 ssl
drwxrwxrwx 2 kernelitshell client1 4096 2010-10-17 23:26 tmp
drwxr-xr-x 3 kernelitshell client1 4096 2010-10-17 23:26 web

and now I can see the default index.html page.

But why did this happen? Should I check something? I haven't tried to create another site to see what happens.

#3
18th October 2010, 10:09
till

1) Which web security level do you use (high or medium)? You find this under system > server config > web.
2) Which PHP method have you selected in the website settings?
3) Which Linux distribution do you use?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#4
18th October 2010, 10:11
baskin

Quote:
Originally Posted by till
1) Which web security level do you use (high or medium)? You find this under system > server config > web.
2) Which PHP method have you selected in the website settings?
3) Which Linux distribution do you use?

Till, thanks for the answer.

1. High (should I change to medium?)
2. Fast-cgi
3. openSUSE 11.1

Thanks again.

#5
18th October 2010, 10:19
till

1) No. High is correct and recommended.
2+3) Ok.

I just checked that on my system, the folder permissions of working websites are:

Code:
drwxr-x--x  6 web10 client12     4096 Dec 17  2009 .
drwxr-xr-x  3 root  root         4096 Oct 14  2009 ..
drwxr-x--x  2 web10 client12     4096 Oct 14  2009 cgi-bin
lrwxrwxrwx  1 web10 client12       43 Oct 14  2009 log -> /var/log/ispconfig/httpd/domain.tld
drwxr-x--x  2 web10 client12     4096 Oct 14  2009 ssl
drwxrwxrwx  2 web10 client12   135168 Oct 18 03:03 tmp
drwx--x--- 16 web10 client12     4096 Jun  8 12:30 web

Maybe there is a problem with the user and group. Please compare the user and group records in /etc/passwd and /etc/group of a working website with those of a non-working site.

Additionally, please compare the folder permissions on one of your working websites with the permissions of this non-working site.

#6
18th October 2010, 10:22
baskin

I have deleted the site and I'm going to recreate it (and compare after that).

Should SuEXEC be enabled with the above options or not?

#7
18th October 2010, 10:36
till

You should always enable suexec when FCGI or CGI is used, as this allows the scripts to run separately for every website.

#8
18th October 2010, 11:03
baskin

I have recreated the site. It seems that something is wrong with the users and groups, as I'm getting "403 Forbidden" again.

The site's permissions are identical to yours:

Code:
drwxr-x--x 2 web16 client1 4096 2010-10-18 11:42 cgi-bin
lrwxrwxrwx 1 web16 client1   36 2010-10-18 11:42 log -> /var/log/ispconfig/httpd/kernelit.gr
drwxr-x--x 2 web16 client1 4096 2010-10-18 11:42 ssl
drwxrwxrwx 2 web16 client1 4096 2010-10-18 11:42 tmp
drwx--x--- 3 web16 client1 4096 2010-10-18 11:42 web

I have also created a shell user. This site belongs to client1. In /etc/passwd and /etc/group I have these:

For /etc/passwd

Code:
web16:x:5009:5002::/srv/www/clients/client1/web16:/bin/false
kernelitshell:x:5009:5002::/srv/www/clients/client1/web16:/bin/bash
That seems identical to the working sites.

For /etc/group

Code:
client1:!:5002:www-data
client2:!:5003:
client3:!:5004:
client4:!:5007:
ispapps:!:5006:
ispconfig:!:5001:wwwrun
sshusers:!:5005:web12,web13,web16

Client1 is the owner of the site, but it was created a long time ago.

It seems that something is not right with this client from the beginning.

Also, as soon as I created the shell user, the site's ownership changed to this:

Code:
-rwxr-xr-x 1 kernelitshell client1    0 2010-10-18 11:45 .bash_history
drwxr-x--x 2 kernelitshell client1 4096 2010-10-18 11:42 cgi-bin
-rwxr-xr-x 1 root          root      40 2010-10-18 11:43 .htpasswd_stats
lrwxrwxrwx 1 kernelitshell client1   36 2010-10-18 11:42 log -> /var/log/ispconfig/httpd/kernelit.gr
drwxr-x--x 2 kernelitshell client1 4096 2010-10-18 11:43 ssl
drwxrwxrwx 2 kernelitshell client1 4096 2010-10-18 11:42 tmp
drwx--x--- 3 kernelitshell client1 4096 2010-10-18 11:42 web
Is this normal?

#9
18th October 2010, 11:21
till

I guess the problem is that the apache user is not a member of the client groups. What is the username of the apache user on SUSE? wwwrun or www-data? Please check then that the correct username and groupname for the apache user and group are set in ISPConfig under system > server config > web.

Then edit the group file and add the correct user to the clientX groups, e.g.:

client2:!:5003:wwwrun

if the user is named wwwrun on your server, and then restart apache. I guess that a wrong user is set in ISPConfig so that the user could not be added to the client group, which now resulted in the access errors.


Quote:
Is this normal?
Yes, that's OK. The owner has not been changed; it just gets a new owner displayed, as all shell users of a website share the same numeric uid and gid.
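
Added example, not part of till's post and not ISPConfig code: a simplified Python model (no ACLs, no root bypass) of the owner/group/other check that decides whether the Apache user may enter the `web` directory listed in the thread, evaluated against /etc/group before and after the suggested edit. The group lines, the web16 uid/gid and the directory mode are taken from the posts above; the wwwrun uid and primary gid are assumed values.

```python
import stat

# Constructed sample input. The /etc/group lines, the uid/gid of web16 and the
# mode of the web directory come from the posts above; the wwwrun uid and
# primary gid are assumed values.
GROUP_BEFORE = "client1:!:5002:www-data\nclient2:!:5003:\nispconfig:!:5001:wwwrun"
GROUP_AFTER = "client1:!:5002:wwwrun\nclient2:!:5003:wwwrun\nispconfig:!:5001:wwwrun"
APACHE = {"name": "wwwrun", "uid": 30, "gid": 8}
WEB_DIR = {"mode": "drwx--x---", "uid": 5009, "gid": 5002}  # web16:client1


def parse_mode(ls_mode):
    """Convert an ls -l mode string such as 'drwx--x---' to permission bits."""
    bits = 0
    for i, ch in enumerate(ls_mode[1:10]):
        if ch not in "-ST":  # S/T mean setuid/setgid/sticky without execute
            bits |= 1 << (8 - i)
    return bits


def supplementary_gids(group_text, user):
    """Return the gid of every /etc/group line that lists user as a member."""
    gids = set()
    for line in group_text.splitlines():
        _name, _pw, gid, members = line.split(":")
        if user in members.split(","):
            gids.add(int(gid))
    return gids


def can_traverse(entry, uid, gids):
    """Owner, then group, then other: only the first matching class counts."""
    mode = parse_mode(entry["mode"])
    if uid == entry["uid"]:
        return bool(mode & stat.S_IXUSR)
    if entry["gid"] in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def apache_can_enter(group_text):
    """Can the Apache user search the web directory with this group file?"""
    gids = {APACHE["gid"]} | supplementary_gids(group_text, APACHE["name"])
    return can_traverse(WEB_DIR, APACHE["uid"], gids)


if __name__ == "__main__":
    print("www-data in client1:", apache_can_enter(GROUP_BEFORE))
    print("wwwrun in client1:  ", apache_can_enter(GROUP_AFTER))
```

A running process only picks up new group memberships when it starts, which is why the edit to /etc/group is followed by an Apache restart.
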
  #10  
18th October 2010, 11:45
baskin

It seems that we are getting something. Thank you very much for your time.

I have checked, and Apache on openSUSE 11.1 runs under user wwwrun and group www.

So to be sure I will change it in ISPConfig > server config > web and I will make /etc/group like this:

Code:
client1:!:5002:wwwrun
client2:!:5003:wwwrun
client3:!:5004:wwwrun
client4:!:5007:wwwrun

Is this OK? I'm asking because I don't want to have problems with the working sites (their permissions, as you can see, seem to be wrong, but they are working).

Also, I have noticed in ISPConfig > server config > web the following:

Quote:
Apache php.ini path : /etc/php5/apache2/php.ini
CGI php.ini path : /etc/php5/apache2/php.ini

In /etc/php5 I have a fastcgi folder with a php.ini inside. Should I change the CGI path in server config also?