New website : ERR 403 Forbidden! unresolvable

Discussion in 'Installation/Configuration' started by Keoz, Jun 17, 2020.

  1. Keoz

    Keoz Member

    Hi,

    *** MY CONFIGURATION ***
    Ubuntu 18.04 LTS
    PHP v7.2.24
    ISPConfig 3 (last version)

    Since yesterday evening I am facing an “ERR 403 Forbidden“ issue when attempting to connect a new webapp installation wizard from URL : https://subdomain.mywebsite.net/install.php

    These following are listed points, so that one can better track what may causse the error :
    • When whole of the webapp folders and files are removed from the location, and default “index.html“ file is re-uploaded, the URL for SSL connection correctly points to the default welcome page : https://subdomain.mywebsite.net/index.html
    • But when the webapp folders and files are loaded, although the “install.php“ file has full permissions, the connection ends up with browser delivering the message “ERROR 403 - Forbidden!“. The same message is delivered whatever the computer, or the browser in use.
    • Based on informations found over the web, among the tracks that may be investigated when such this issue occures, the most relevant seems to be about the “.htaccess“ file to be re-created and replaced… !
    I hope that one can help me to go further on solving this issue.

    Regards
     
  2. nhybgtvfr

    nhybgtvfr Active Member

    are you using the right url?
    you say https://subdomain.mywebsite.net/index.html works, but https://subdomain.mywebsite.net/install.php doesn't, when the webapp folders are uploaded, but wouldn't the correct url be https://subdomain.mywebsite.net/webapp/install.php ?
    is there any more information in the sites error log?
    what's in the .htaccess file?

    this subdomain.mywebsite.net, is it a full website using that as the domain? or is it a subdomain that uses a subfolder of the main domain? or is it a vhostsubdomain?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    And post the lines that get added to website access.log and error.log when you try to access the site.
     
  4. Keoz

    Keoz Member

    Web root is the location where I uploaded the webapp “someapp.zip“ file, or complete folders and files (both cases in errors stings below), and subdomain.mywebsite.net is a full website.

    *** ERR 1 - unzip ***
    [Wed Jun 17 01:38:00.881579 2020] [authz_core:error] [pid 5937] [client 82.253.67.224:64748] AH01630: client denied by server configuration: /var/www/subdomain.mywebsite.net/web/unzipper.php

    *** ERR 2 - installation wizard ***
    [Wed Jun 17 02:59:38.986840 2020] [authz_core:error] [pid 1574] [client 82.253.67.224:50574] AH01630: client denied by server configuration: /var/www/subdomain.mywebsite.net/web/install.php

    What would you say about this ?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    post the result of this command, run as root user:

    ls -la /var/www/subdomain.mywebsite.net/web/
     
  6. Keoz

    Keoz Member

    This is the output (also with some highlits in the attached screen capture)!

    drwxrwxrwx 22 web4 client1 4096 juin 17 02:55 .
    drwxr-xr-x 10 root root 4096 juin 17 00:57 ..
    drwxr-xr-x 2 root root 4096 juin 17 02:42 assets
    drwxr-xr-x 2 root root 4096 juin 17 02:42 bundles
    -rwxrwxrwx 1 root root 34184 juin 17 02:42 CHANGELOG.md
    drwxr-xr-x 2 root root 4096 juin 17 02:43 commands
    drwxr-xr-x 17 root root 4096 juin 17 02:43 components
    -rwxrwxrwx 1 root root 3274 juin 17 02:43 composer.json
    -rwxrwxrwx 1 root root 146637 juin 17 02:43 composer.lock
    drwxr-xr-x 2 root root 4096 juin 17 02:43 config
    drwxr-xr-x 3 root root 4096 juin 17 02:43 controllers
    drwxr-xr-x 2 root root 4096 juin 17 02:43 custom
    -rwxrwxrwx 1 root root 3307988 juin 17 02:43 easy_forms.sql
    drwxr-xr-x 2 web4 client1 4096 juin 17 00:57 error
    drwxr-xr-x 3 root root 4096 juin 17 02:43 events
    -rwxrwxrwx 1 root root 1331 juin 17 02:43 favicon_144.png
    -rwxrwxrwx 1 root root 397 juin 17 02:43 favicon_32.png
    -rwxrwxrwx 1 root root 504 juin 17 02:43 favicon_48.png
    -rwxrwxrwx 1 root root 944 juin 17 02:43 favicon_96.png
    -rwxrwxrwx 1 web4 client1 1150 juin 17 02:43 favicon.ico
    -rwxrwxrwx 1 root root 483 juin 17 02:42 .gitignore
    drwxr-xr-x 2 root root 4096 juin 17 02:43 helpers
    -rwxrwxrwx 1 root root 4344 juin 17 02:42 .htaccess
    -rwxrwxrwx 1 root root 365 juin 17 02:44 index.php
    -rwxrwxrwx 1 root root 368 juin 17 02:44 install.php
    drwxr-xr-x 3 root root 4096 juin 17 02:44 mail
    drwxr-xr-x 14 root root 4096 juin 17 02:44 messages
    drwxr-xr-x 2 root root 4096 juin 17 02:44 migrations
    drwxr-xr-x 4 root root 4096 juin 17 02:44 models
    drwxr-xr-x 5 root root 4096 juin 17 02:44 modules
    -rwxrwxrwx 1 web4 client1 23 juin 17 02:44 robots.txt
    drwxr-xr-x 5 root root 4096 juin 17 02:44 runtime
    drwxr-xr-x 9 root root 4096 juin 17 02:45 static_files
    drwxr-xr-x 2 web4 client1 4096 juin 17 01:02 stats
    drwxr-xr-x 37 root root 4096 juin 17 02:53 vendor
    drwxr-xr-x 11 root root 4096 juin 17 02:55 views
    -rwxrwxrwx 1 root root 3435 juin 17 02:55 web.config
    -rwxrwxrwx 1 root root 776 juin 17 02:55 yii
    -rwxrwxrwx 1 root root 535 juin 17 02:55 yii.bat
     

    Attached Files:

  7. nhybgtvfr

    nhybgtvfr Active Member

    all those files are owned by root, they need to be owned by the website owner/group.
    in //var/www/subdomain.mywebsite.net/web/ run:

    chown -R web4:client1 *

    you probably don't want all those permissions for php or bat file either,

    I would also, in that directory, run:

    find . --type f -exec chmod 644 {} \;

    there may be a couple of files that want more/less restrictive permissions. eg .htaccess
    others i'd suggest check the webapp requirements/manual about.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    IMPORTANT, the commands that @nhybgtvfr posted must be executed inside the web folder. Do not run them when you are in a different folder. Do a:

    cd /var/www/subdomain.mywebsite.net/web/

    first
     
    Th0m likes this.
  9. nhybgtvfr

    nhybgtvfr Active Member

    to be fair, I did say to do them in that folder.

    probably should have included a warning about it breaking lots of things if they're run elsewhere though.. ;)
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I know, and I did not mean this as a critic on your post, my post was just a safety measure. Just wanted to prevent the worst so we don't get the next thread on 'I changed permissions for all files in /var/www' :)
     
    Th0m likes this.
  11. nhybgtvfr

    nhybgtvfr Active Member

    that's fine. if they do that, just tell them to sudo to root and fix it with:
    :p:p:p

    * just kidding kids, do not really run this. it will break everything... :eek:
    ** i take no liability for loss or damage caused by people who do not read, or choose to ignore the warning in the line above. :rolleyes:
     
  12. Keoz

    Keoz Member

    I will give your solution a try tomorrow, but I want first to share some further info that portray a context that relates to my new question here below.

    In my above posts I did not mentioned the “similar issue“ that I faced with another webapp, although its installation wizard was started : the installation failed because of the wizard that returned a message saying that “config.php“ does not exist, although it does…, and on the browser side, connection ended up with a “Not Found“ blank page.
    Please consider that I used to install so much webapps the exact same way, without ever faced such this issue or the ERROR 403 issue.

    However, I foresee that the solution you propose to solve these has to apply all future application installations cases.

    Do I have to prepare for this eventuality, or is your solution deemed to be an exceptional measure ?
    (I’m running a project and I’d rather anticipate than be caught off guard)
     
  13. Keoz

    Keoz Member

    I also think that whatever the solution options one may propose to test, it will make sens to me if one can also explain why I can connect to default welcome page, and why such issues explained above occure when the webapp folders and files are loaded to the same root directory location.

    Shouldn’t the “.htaccess“ file track be the first to be investigated ?
     
  14. Keoz

    Keoz Member

    This solution did not work at all, and the situation remains the same as described on my second-to-last post, even after the browser cache was emptied.

    This means that when I try to launch the webapp installation wizard from its “install.php“ file, I am still returned the “ERROR 403 -Forbidden“ message. More over, I have been attempting the same installation on another server without success. It then seems that I am facing a MAJOR BUG because whatever the server, the browser in use, or the webapp to be installed (I tried with different apps) the result remains the same. So I think that the solution is not either on the “.htaccess“ file, but I may be wrong….

    *** WHAT I PROPOSE ***
    Except if someone have further solution to be tested, I wish implement a test environment and to give credentials and full access rights to an ISPConfig representative, so that he/she may test to install and run my webapps.

    Can you please provide me with the e-mail address of who could handle this ?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig Business support is available from Florian Schaal, you can contact him here if you need help by remote login:

    https://www.ispconfig.org/get-support/?type=ispconfig
     
  16. nhybgtvfr

    nhybgtvfr Active Member


    the default welcome page is plain html, and already has the correct ownership credentials.

    for the webapp, you are trying to extract and run files that do not have the correct ownership credentials, and the owner the php process uses to access and run the php code does not have access permissions to those files and subfolders.

    also, yes, something in .htaccess may also be causing problems, I did ask about what was in that file, but since you haven't told us, there's very little we can tell you about what problems may or may not exist in that file.
    what we can see, and do know, is that the file/directory ownership details you provided were wrong, and will ALWAYS cause problems, so the first step is to correct that problem. that gives us a chance to find out what other underlying issues may remain.

    troubleshooting, especially remotely like this, is a process, not a 1 stop, 1 step solution.

    you say you've never add problems installing these webapps before, I assume that was on a standalone server, where every website is owned and run by root or www-data, so extracting/installing everything as that one user is not a problem. at least, not if you don't care that any single vulnerability in one site leaves every other site on that server, and in fact your entire server OS vulnerable.
     
  17. Keoz

    Keoz Member

    Issue solved !

    I removed and recreated the website and place the “webapp.zip“ file in root directory again.
    I then relaunch my unzipper script, just like I attempted do yesterday (reminder here above), and it worked this time !
    I am unable to comprehend why it first did not work yesterday (ERR 403), and why it did to day !

    Anyway, thanks for your attention
     

Share This Page