Access forbidden on new site (after upgrading to 3.0.3)

Discussion in 'Installation/Configuration' started by baskin, Oct 17, 2010.

  1. baskin

    baskin Member

    I have tried today to create a new site on my ISPConfig 3 server. It is the first site that I have created after upgrading to 3.0.3.

    I'm getting Access Forbidden on the default page.

    In error_log I have this:

    Code:
    [Sun Oct 17 23:31:27 2010] [crit] [client 66.249.71.181] (13)Permission denied: /srv/www/kernelit.gr/web/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    The only .htaccess file that exists is the one that ISPConfig made and it is empty. The web folder is this:

    Code:
    aragorn:/srv/www/kernelit.gr/web # ls -l
    total 16
    -rwxr-xr-- 1 web15 client1 1406 2010-10-17 23:26 favicon.ico
    -rwxr-xr-- 1 web15 client1    0 2010-10-17 23:26 .htaccess
    -rwxr-xr-- 1 web15 client1 1861 2010-10-17 23:26 index.html
    -rwxr-xr-- 1 web15 client1   34 2010-10-17 23:26 robots.txt
    drwxr-xr-x 2 root  root    4096 2010-10-17 23:26 stats
    
    What is wrong? I haven't changed anything in my configuration.

    My vhost file for the domain is (haven't touched anything):

    Code:
    <Directory /srv/www/kernelit.gr>
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    
    <VirtualHost *:80>
          DocumentRoot /srv/www/kernelit.gr/web
      
        ServerName kernelit.gr
        ServerAlias *.kernelit.gr
        ServerAdmin webmaster@kernelit.gr
    
        ErrorLog /var/log/ispconfig/httpd/kernelit.gr/error.log
    
    
        <Directory /srv/www/kernelit.gr/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
            
            # ssi enabled
            AddType text/html .shtml
            AddOutputFilter INCLUDES .shtml
            Options +Includes
        </Directory>
        <Directory /srv/www/clients/client1/web15/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
            
            # ssi enabled
            AddType text/html .shtml
            AddOutputFilter INCLUDES .shtml
            Options +Includes
        </Directory>
    
        <IfModule mod_ruby.c>
          <Directory /srv/www/clients/client1/web15/web>
            Options +ExecCGI
          </Directory>
          RubyRequire apache/ruby-run
          #RubySafeLevel 0
          <Files *.rb>
            SetHandler ruby-object
            RubyHandler Apache::RubyRun.instance
          </Files>
          <Files *.rbx>
            SetHandler ruby-object
            RubyHandler Apache::RubyRun.instance
          </Files>
        </IfModule>
    
        # cgi enabled
            <Directory /srv/www/clients/client1/web15/cgi-bin>
          Order allow,deny
          Allow from all
        </Directory>
        ScriptAlias  /cgi-bin/ /srv/www/clients/client1/web15/cgi-bin/
        AddHandler cgi-script .cgi
        AddHandler cgi-script .pl
        # suexec enabled
        SuexecUserGroup web15 client1
        # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
            SetHandler None
        </FilesMatch>
        # php as fast-cgi enabled
        <IfModule mod_fcgid.c>
          # SocketPath /tmp/fcgid_sock/
          IdleTimeout 3600
          ProcessLifeTime 7200
          # MaxProcessCount 1000
          DefaultMinClassProcessCount 3
          DefaultMaxClassProcessCount 100
          IPCConnectTimeout 8
          IPCCommTimeout 360
          BusyTimeout 300
        </IfModule>
        <Directory /srv/www/kernelit.gr/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
            <Directory /srv/www/clients/client1/web15/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web15 client1
        </IfModule>
    
        <IfModule mod_dav_fs.c>
          # DO NOT REMOVE THE COMMENTS!
          # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
          # WEBDAV END
        </IfModule>
    
    
    </VirtualHost>
    
    
    
    <IfModule mod_ssl.c>
    ###########################################################
    # SSL Vhost
    ###########################################################
    
    <VirtualHost *:443>
          DocumentRoot /srv/www/kernelit.gr/web
      
        ServerName kernelit.gr
        ServerAlias *.kernelit.gr
        ServerAdmin webmaster@kernelit.gr
        
        ErrorLog /var/log/ispconfig/httpd/kernelit.gr/error.log
    
        SSLEngine on
        SSLCertificateFile /srv/www/clients/client1/web15/ssl/kernelit.gr.crt
        SSLCertificateKeyFile /srv/www/clients/client1/web15/ssl/kernelit.gr.key
        
            <Directory /srv/www/kernelit.gr/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
            
            # ssi enabled
            AddType text/html .shtml
            AddOutputFilter INCLUDES .shtml
            Options +Includes
        </Directory>
        <Directory /srv/www/clients/client1/web15/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
            
            # ssi enabled
            AddType text/html .shtml
            AddOutputFilter INCLUDES .shtml
            Options +Includes
        </Directory>
    
        # cgi enabled
            <Directory /srv/www/clients/client1/web15/cgi-bin>
          Order allow,deny
          Allow from all
        </Directory>
        ScriptAlias  /cgi-bin/ /srv/www/clients/client1/web15/cgi-bin/
        AddHandler cgi-script .cgi
        AddHandler cgi-script .pl
        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        # suexec enabled
        SuexecUserGroup web15 client1
    # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
            SetHandler None
        </FilesMatch>
        # php as fast-cgi enabled
        <IfModule mod_fcgid.c>
          # SocketPath /tmp/fcgid_sock/
          IdleTimeout 3600
          ProcessLifeTime 7200
          # MaxProcessCount 1000
          DefaultMinClassProcessCount 3
          DefaultMaxClassProcessCount 100
          IPCConnectTimeout 8
          IPCCommTimeout 360
          BusyTimeout 300
        </IfModule>
        <Directory /srv/www/kernelit.gr/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
            <Directory /srv/www/clients/client1/web15/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    
        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
          AssignUserId web15 client1
        </IfModule>
    
        <IfModule mod_dav_fs.c>
          # DO NOT REMOVE THE COMMENTS!
          # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
          # WEBDAV END
        </IfModule>
    
    
    </VirtualHost>
    </IfModule>
    Thank you.
     
  2. baskin

    baskin Member

    It seems that the newly created site has wrong permissions on web root:

    Code:
    ls -l
    total 16
    drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 cgi-bin
    lrwxrwxrwx 1 kernelitshell client1   36 2010-10-17 23:26 log -> /var/log/ispconfig/httpd/kernelit.gr
    drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 ssl
    drwxrwxrwx 2 kernelitshell client1 4096 2010-10-17 23:26 tmp
    drwx--x--- 3 kernelitshell client1 4096 2010-10-17 23:26 web
    I have changed the permissions manually to this:

    Code:
    ls -l
    total 16
    drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 cgi-bin
    lrwxrwxrwx 1 kernelitshell client1   36 2010-10-17 23:26 log -> /var/log/ispconfig/httpd/kernelit.gr
    drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 ssl
    drwxrwxrwx 2 kernelitshell client1 4096 2010-10-17 23:26 tmp
    drwxr-xr-x 3 kernelitshell client1 4096 2010-10-17 23:26 web
    and now I can see the default index.html page.

    But why did this happen? Should I check something? I haven't tried to create another site to see what happens.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Which web security level do you use (high or medium)? You can find this under system > server config > web.
    2) Which PHP method have you selected in the website settings?
    3) Which Linux distribution do you use?
     
  4. baskin

    baskin Member

    Till thanks for the answer.

    1. High (should I change to medium?)
    2. Fast-cgi
    3. openSUSE 11.1

    Thanks again.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    1) No. High is correct and recommended.
    2+3) Ok.

    I just checked that on my system, the folder permissions of working websites are:

    Code:
    drwxr-x--x  6 web10 client12     4096 Dec 17  2009 .
    drwxr-xr-x  3 root  root         4096 Oct 14  2009 ..
    drwxr-x--x  2 web10 client12     4096 Oct 14  2009 cgi-bin
    lrwxrwxrwx  1 web10 client12       43 Oct 14  2009 log -> /var/log/ispconfig/httpd/domain.tld
    drwxr-x--x  2 web10 client12     4096 Oct 14  2009 ssl
    drwxrwxrwx  2 web10 client12   135168 Oct 18 03:03 tmp
    drwx--x--- 16 web10 client12     4096 Jun  8 12:30 web
    Maybe there is a problem with the user and group. Please compare the user and group records in /etc/passwd and /etc/group of a working website with a not working site.

    Additionally, please compare the folder permissions on one of your working websites with the permissions of this not working site.
     
  6. baskin

    baskin Member

    I have deleted the site and I'm going to recreate it (and compare after that).

    SuEXEC should be enabled with the above options or not?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You should enable suexec always when FCGI or cgi is used as this allows the scripts to run separated for every website.
     
  8. baskin

    baskin Member

    I have recreated the site. It seems that something is wrong with the users and groups as I'm getting "403 Forbidden" again.

    The site's permissions are identical to yours:

    Code:
    drwxr-x--x 2 web16 client1 4096 2010-10-18 11:42 cgi-bin
    lrwxrwxrwx 1 web16 client1   36 2010-10-18 11:42 log -> /var/log/ispconfig/httpd/kernelit.gr
    drwxr-x--x 2 web16 client1 4096 2010-10-18 11:42 ssl
    drwxrwxrwx 2 web16 client1 4096 2010-10-18 11:42 tmp
    drwx--x--- 3 web16 client1 4096 2010-10-18 11:42 web
    I have also created a shell user. This site belongs to client1. In /etc/passwd and /etc/group I have these:

    For /etc/passwd

    Code:
    web16:x:5009:5002::/srv/www/clients/client1/web16:/bin/false
    kernelitshell:x:5009:5002::/srv/www/clients/client1/web16:/bin/bash
    That seems identical to the working sites.

    For /etc/group

    Code:
    client1:!:5002:www-data
    client2:!:5003:
    client3:!:5004:
    client4:!:5007:
    ispapps:!:5006:
    ispconfig:!:5001:wwwrun
    sshusers:!:5005:web12,web13,web16
    Client1 is the owner of the site but it was created a long time ago.

    It seems that something is not right with this client from the beginning.

    Also, as soon as I created the shell user, the site's ownership changed to this:

    Code:
    -rwxr-xr-x 1 kernelitshell client1    0 2010-10-18 11:45 .bash_history
    drwxr-x--x 2 kernelitshell client1 4096 2010-10-18 11:42 cgi-bin
    -rwxr-xr-x 1 root          root      40 2010-10-18 11:43 .htpasswd_stats
    lrwxrwxrwx 1 kernelitshell client1   36 2010-10-18 11:42 log -> /var/log/ispconfig/httpd/kernelit.gr
    drwxr-x--x 2 kernelitshell client1 4096 2010-10-18 11:43 ssl
    drwxrwxrwx 2 kernelitshell client1 4096 2010-10-18 11:42 tmp
    drwx--x--- 3 kernelitshell client1 4096 2010-10-18 11:42 web
    Is this normal?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess the problem is that the apache user is not a member of the client groups. What is the username of the apache user on SUSE? wwwrun or www-data? Please check then that the correct username and groupname for the apache user and group are set in ISPConfig under system > server config > web.

    Then edit the group file and add the correct user to the clientX groups, e.g.:

    client2:!:5003:wwwrun

    if the user is named wwwrun on your server, and then restart apache. I guess that a wrong user is set in ISPConfig so that the user could not be added to the client group, which resulted now in the access errors.


    Yes, that's OK. The owner has not been changed, it just gets a new owner displayed as all shell users of a website share the same numeric uid and gid.
     
  10. baskin

    baskin Member

    It seems that we are getting something. Thank you very much for your time.

    I have checked and apache on openSUSE 11.1 runs under user wwwrun and group www.

    So to be sure I will change it in ISPConfig > server config > web and I will make /etc/group like this:

    Code:
    client1:!:5002:wwwrun
    client2:!:5003:wwwrun
    client3:!:5004:wwwrun
    client4:!:5007:wwwrun
    
    Is this OK? I'm asking because I don't want to have problems with the working sites (their permissions, as you can see, seem to be wrong but they are working).

    Also I have noticed on ISPConfig > server config > web the following:

    In /etc/php5 I have a fastcgi folder with a php.ini inside. Should I change the CGI path in server config also?
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. Looks fine.

    As the php settings seem to work now for the existing sites, I would leave it as it is.
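
The diagnosis reached in this thread (a `drwx--x---` web root is reachable by Apache only through membership of the client group) can be checked mechanically. The script below is an added example, not part of the thread or of ISPConfig; it evaluates the `/etc/group` lines quoted above before and after the fix, and the two parent-directory rows in `WEB16_PATH` are assumed.

```shell
#!/bin/sh
# Constructed sample data: group lines as quoted in the thread, before and
# after the fix. Rows for the two parent directories are assumed to match
# the working layout shown in the thread.
GROUP_BEFORE='client1:!:5002:www-data
ispconfig:!:5001:wwwrun'
GROUP_AFTER='client1:!:5002:wwwrun
ispconfig:!:5001:wwwrun'
WEB16_PATH='drwxr-xr-x root root /srv/www/clients/client1
drwxr-x--x web16 client1 /srv/www/clients/client1/web16
drwx--x--- web16 client1 /srv/www/clients/client1/web16/web'

# in_group USER GROUP GROUPTEXT: succeeds if USER is in the member list
# (4th field) of GROUP. Primary groups from /etc/passwd are not modelled.
in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

# can_traverse USER MODE OWNER GROUP GROUPTEXT: only one permission class is
# consulted (owner, else group, else other); its x bit decides traversal.
can_traverse() {
    if [ "$1" = "$3" ]; then col=4
    elif in_group "$1" "$4" "$5"; then col=7
    else col=10
    fi
    case $(printf '%s' "$2" | cut -c"$col") in
        x|s|t) return 0 ;;
        *) return 1 ;;
    esac
}

# first_blocked USER LISTING GROUPTEXT: LISTING holds "MODE OWNER GROUP PATH"
# rows, top down. Prints the first directory USER cannot enter, if any.
first_blocked() {
    printf '%s\n' "$2" | while read -r mode owner group path; do
        can_traverse "$1" "$mode" "$owner" "$group" "$3" && continue
        printf '%s\n' "$path"
        break
    done
}

echo "before: $(first_blocked wwwrun "$WEB16_PATH" "$GROUP_BEFORE")"
echo "after:  $(first_blocked wwwrun "$WEB16_PATH" "$GROUP_AFTER")"
```

The manual change to `drwxr-xr-x` from earlier in the thread also passes this check, but through the "other" class, so every local account can enter and list the web root, whereas the group fix keeps the `drwx--x---` isolation. Supplementary groups are read when a process starts, so Apache has to be restarted after `/etc/group` is edited.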
     
  12. baskin

    baskin Member

    Thank you very much!!!!! It is working now!!!!

    I had to make a reboot on the server (not just apache) for it to work but it seems ok now.

    If I have any problem I will report here. (I have one but it is for another thread).

    Thanks again Till and keep up the great work!!!!
     
  13. baskin

    baskin Member

    One more relatively small problem exists.

    I cannot access the stats folder on this site. I'm getting "403 Forbidden" and no login screen. Inside the stats folder there is only a .htaccess file and nothing else.

    Do I have to wait for the files to appear?

    Thanks again.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. Stats are created nightly.
     
  15. baskin

    baskin Member

    I thought so, but I asked to be sure.

    Thanks again.
     
  16. awd.pt

    awd.pt Member

    Hi,

    I'm having the same problem.

    I'm running latest ISPConfig3 release on CentOS 5.5.

    All the sites are running with Fast-CGI and suExec.

    Each time I make any modification I have to manually change the perms to 711 on the web folder.

    On /etc/group I have this:
    The output of groups apache shows:
    The perm on a site when I create are:
    And I always get a Permission denied until I change them to:
    Other workaround is to change the group owner of the web directory to apache.

    I need help on sorting this out.

    I followed the multiserver installation as detailed on the ISPConfig Manual I bought.

    I have a dedicated mysql server, that is my multiserver setup.

    Thank you in advance,
    Sergio Rosa
     
