Apache 2.4, new site, forbidden?

Discussion in 'Installation/Configuration' started by SparkyRih, May 5, 2014.

  1. SparkyRih

    SparkyRih New Member

    I'm running Ubuntu 13.10 with the latest ISPConfig update...

    So I just created a new website, but I cant'access it via the web browser due to a 403 error...

    I've walked through the vhost config file and changed the "Required all denied" to "Required all granted"... But nothong...

    All my other sties are still working great...

    Could someone please advise me, this is very frustrating :S
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not change any settings in the vhost file manually, the same file (template) works on ten thousands of servers, so it need not to be changed. Check the error.log of the website to find the reason for the error.
     
  3. SparkyRih

    SparkyRih New Member

    That's the frustrating part :p the erro log just says "access denied by server config" XD

    [Mon May 05 13:36:11.528377 2014] [access_compat:error] [pid 11978] [client 84.28.55.219:29273] AH01797: client denied by server configuration: /var/www/smartwatchmarket.eu/web/error/403.html
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Is there a index.php or index.html file in /var/www/smartwatchmarket.eu/web/ ? if yes, is it owned by the correct user and group?
     
  5. SparkyRih

    SparkyRih New Member

    The index.php and all the other files are 644 (folders 755), so those permissions should fine...
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    and the owner is the web user and client group of this website?
     
  7. Hirbod

    Hirbod New Member

    The chmod is important - sure, but what about the group? Did you upload the files via root ssh or user-FTP/ssh?

    If you did upload as root, this might be the problem. Create an hello world index.html, clear cache and open the site again - and do not change anything in the vhost file (.html comes before .php)

    Edit:
    Whoops, till was faster - as usual
     
  8. SparkyRih

    SparkyRih New Member

    File: âindex.phpâ
    Size: 1068 Blocks: 8 IO Block: 4096 regular file
    Device: fc00h/64512d Inode: 17695869 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 5015/ web38) Gid: ( 5005/ client1)
    Access: 2014-05-05 12:54:03.506078055 +0200
    Modify: 2014-05-05 12:54:03.522078057 +0200
    Change: 2014-05-05 12:54:03.522078057 +0200
    Birth: -

    web38 is correct...

    Edit: I always upload via the client FTP...
     
  9. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    The error comes from access_compat, so it is from "deny from all" somewhere in the apache config, I think.
    Try
    Code:
    grep -i -r -l 'deny from all' /etc/apache2/*
    Then check the reported files if there are such directives left that should have been rewritten to new syntax.
     
  10. SparkyRih

    SparkyRih New Member

    /etc/apache2/apache2.conf
    /etc/apache2/conf-available/security.conf
    /etc/apache2/conf-available/security.conf.dpkg-new
    /etc/apache2/conf-available/php5-cgi.conf
    /etc/apache2/mods-available/php5.conf
    /etc/apache2/sites-available/ispconfig.conf
    /etc/apache2/sites-available/ispconfig.vhost
    And in all sites-available EXCEPT for the one that has hte issue...

    But I'm not sure where it should be and were it shouldn't be?


    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
    </Files>

    This one in the apache2.conf?

    Edit: Is this of any use in this case?


    * Restarting web server apache2 AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:73
    [ OK ]

    I've renamed the apache2.conf.dpkg-dist to apache2.conf, and removed the *.conf from the last line (sites-enabled)... still nothing :S

    I'm already spending a couple of wasted hours on this issue :S
     
    Last edited: May 5, 2014
  11. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Have you done "reconfigure services" = yes when you updated ISPConfig?
    Have you any files in /usr/local/ispconfig/server/conf-custom/

    I would assume the problem comes from a not-updated file during update.
     
  12. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Check the contents of ispconfig.conf and .vhost.
     
  13. SparkyRih

    SparkyRih New Member

    But I don't know what's odd and what not...

    And I removed all custom modules because they were not used anymore, so it's pretty much a clean apache server...
     
    Last edited: May 5, 2014
  14. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Then simply post the content of those files ;)
     
  15. SparkyRih

    SparkyRih New Member

    your help is greatly appreciated :)

    I did add the lines "Require all denied/granted" myself as an attempt to solve something, but it doesn't make any difference, all sites keep working except for the new one...

    ispconfig.conf
    [email protected]:/etc/apache2/sites-available# vi ispconfig.conf
    </Directory>

    <Directory /var/lib/mailman/archives/>
    Options +FollowSymLinks
    Order allow,deny
    Allow from all
    Require all granted
    </Directory>

    # allow path to awstats and alias for awstats icons
    <Directory /usr/share/awstats>
    Order allow,deny
    Allow from all
    Require all granted
    </Directory>

    Alias /awstats-icon "/usr/share/awstats/icon"

    NameVirtualHost *:80
    NameVirtualHost *:443
    NameVirtualHost 77.72.148.50:80
    NameVirtualHost 77.72.148.50:443
     
    Last edited: May 5, 2014
  16. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    That's definitly not the full content of the ispconfig.conf and the ispconfig.vhost is missing, too.
    Most important are the sections of those files that have "deny from all" in it.
     
  17. SparkyRih

    SparkyRih New Member

    I'm sorry... You know those days when nothing, and really nothing works? I'm having that day now, because it's not only this issue that I'm working on atm :S

    [email protected]:/etc/apache2/sites-available# vi ispconfig.conf
    LogFormat "%v %h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig
    CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m%d-access.log\" /var/log/ispconfig/httpd" combined_ispconfig

    <Directory /var/www/clients>
    AllowOverride None
    Order Deny,Allow
    Deny from all
    Require all denied
    </Directory>

    # Do not allow access to the root file system of the server for security reasons
    <Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
    Require all denied
    </Directory>

    <Directory /var/www/conf>
    AllowOverride None
    Order Deny,Allow
    Deny from all
    Require all denied
    </Directory>

    # Except of the following directories that contain website scripts
    <Directory /usr/share/phpmyadmin>
    Order allow,deny
    Allow from all
    Require all granted

    From here on everything is Allow fro mall...

    I'll add the ispconfig.vhost in a minute...

    Edit:
    [email protected]:/etc/apache2/sites-available# vi ispconfig.vhost
    Listen 8080
    NameVirtualHost *:8080

    <VirtualHost _default_:8080>
    ServerAdmin [email protected]

    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>

    <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
    Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
    AllowOverride AuthConfig Indexes Limit Options FileInfo
    <FilesMatch "\.php$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
    Order allow,deny
    Allow from all
    Require all granted
    </Directory>
    IPCCommTimeout 7200
    MaxRequestLen 15728640
    </IfModule>

    <IfModule mpm_itk_module>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AssignUserId ispconfig ispconfig
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
    # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
    Options +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
    php_value magic_quotes_gpc 0
    </Directory>
    </IfModule>

    # ErrorLog /var/log/apache2/error.log
    # CustomLog /var/log/apache2/access.log combined
    ServerSignature Off

    <IfModule mod_security2.c>
    SecRuleEngine Off
    </IfModule>
    SecRuleEngine Off
    </IfModule>

    # SSL Configuration
    SSLEngine On
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

    </VirtualHost>

    <Directory /var/www/php-cgi-scripts>
    AllowOverride None
    Order Deny,Allow
    Deny from all
    Require all denied
    </Directory>

    <Directory /var/www/php-fcgi-scripts>
    AllowOverride None
    Order Deny,Allow
    Deny from all
    Require all denied
    </Directory>
     
    Last edited: May 5, 2014
  18. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Please remove
    Code:
                    Order Deny,Allow
            Deny from all
    
    From all those things.
    It has precedence above the require all option and prevents your new web (or all updated webs) from working.

    "Require all denied" stays there, of course.
     
  19. SparkyRih

    SparkyRih New Member

    I'll try It today, I really hope that's going to do the trick...

    I'll get back with the result...

    Edit: You're the hero of the day! :D
    The site is finally reachable, now I can finally move on :)

    But should I also do this with all existing vhosts? and for the Allow for all as well?
     
    Last edited: May 5, 2014

Share This Page