403 Forbidden after disabling/reenablig client

Discussion in 'ISPConfig 3 Priority Support' started by Davide, Jan 21, 2018.

  1. Davide

    Davide Member HowtoForge Supporter

    I have disabled a client for a couple of weeks, and after enabling it again I'm getting this error on his web:
    upload_2018-1-21_5-2-34.png

    I've checked permissions, vhost configuration is apparently correct, but I cannot make it work.
    All other sites are working as usual.

    Could you help me with this one?

    THank you!
     
  2. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    This does not exactly answers your question but you can test it by placing simple image file inside /web folder and trying to access it from outside ie. hisdomain.com/image.jpg
    Looks like files are not there and you are trying to access them.
     
  3. Davide

    Davide Member HowtoForge Supporter

    This is a file I know:

    upload_2018-1-21_13-45-27.png
    Permissions are OK, but when I try to acces it, it fails:

    upload_2018-1-21_13-47-49.png

    The same if I try with a jpg...
     
  4. Taleman

    Taleman Active Member HowtoForge Supporter

    What are the settings for that website in ISPConfig panel? Redirect tab for example.
    Also, is the name service working now? If it was disabled for weeks, there may be 24 hours before the hostname resolves correctly. So check the URL really goes to your server and that website. See apache log if access happens when you load that website.
     
  5. Davide

    Davide Member HowtoForge Supporter

    Hi

    DNS is resolving OK. In fact, client is using mail with no problem.
    I can see 403 entries on apache log when I try to access site:
    213.x.y.z - - [31/Jan/2018:21:43:54 +0100] "GET /index.html HTTP/1.1" 403 641 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    And in error.log:
    [Wed Jan 31 21:43:54.760040 2018] [access_compat:error] [pid 30398] [client 213.x.y.z:51048] AH01797: client denied by server configuration: /var/www/DOMAIN.com/web/error/403.html
     
  6. Davide

    Davide Member HowtoForge Supporter

    If I explicitly put
    <Directory /var/www/DOMAIN.com/web>
    Order allow,deny
    Allow from all
    Require all granted
    </Directory>
    On "apache options" in this site, it works. But this is not necessary in all the other sites!

    I've compared .vhost file for this site and a fake new site I've just created on the same client with the same options, and it's exactly the same (except for paths containing domain, of course).
    New fake site works, old site doesn't.
    I've emptied web directory on problematic site, letting only index.html, with no success

    I hafe no clue on what is happening to this site!
    Is there any other place to look at?
    Any kind of permission on database?
    Although error message clearly says it's an "access_compat" problem

    I'm at my very end. Any idea?
     
  7. Davide

    Davide Member HowtoForge Supporter

    I forgot to say, there is not redirection at all...
     
  8. Davide

    Davide Member HowtoForge Supporter

    If I manually add:
    Order allow,deny
    Allow from all

    to existing

    <Directory /var/www/DOMAIN.com/web>
    # Clear PHP settings of this website

    on DOMAIN.com.vhost file, it works.

    Not if I do the same into
    <Directory /var/www/clients/client192/web601/web>
    </Directory>

    It seems this site is forced to use old auth method. New method (Require) is not having effect.

    Any clue?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Maybe you have a mix of old and new syntax on your server. When the server is an apache version that uses the new syntax, then remove all old syntax. for ispconfig vhosts, you can do that with tools > resyncm for other apache files you might have to do that manually.

    The reason for this is that you can't mix old and new syntax. E.g. when you deny access globally for /var/www in old syntax, then you can not give access to a subdirectory of /var/www in new syntax. Apache simply ignores the new syntax then. ISPConfig will choose new syntax when the apache version of that server uses new syntax.
     

Share This Page