Random "forbidden" error with websites

Discussion in 'Installation/Configuration' started by kokez, Dec 23, 2005.

  1. kokez

    kokez New Member HowtoForge Supporter

    Successful installation on a ppc platform (an Apple iMac 400 with 128Mb ram) following the 'ISP-Server Setup - Ubuntu 5.10 "Breezy Badger"'.

    Only have a little problem at every boot with quota:
    quotaon: using //quota.group on /dev/hda3 [/]: Function not implemented
    quotaon: using //quota.user on /dev/hda3 [/]: Function not implemented
    If it is a minor problem i can live with it.

    A real problem is when i get web pages on browser. I receive a random "forbidden" error, that states that i cannot access the page. Restart Apache2 and for some time the result is as expected, no errors at all, after which the problem appear again, at the beginning after an inconsistent number of pages (or images) and then always more frequently until i am forced to restart Apache2.

    The problem is NOT with the apache of ISPconfig, but only with apache2 for websites.

    What can i do?

    LC
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Either your Kernel has not quota enabled or you have not modified the /etc/fstab correctly to enable quota on /dev/hda3

    Strannge, never heard of that problem. Please compare the permissions of files that can be viewed in browser with files where you get an permission error. Do they have the same rights? Please check your apache log for errors.
     
  3. kokez

    kokez New Member HowtoForge Supporter

    This is the exact error:
    ----------
    Forbidden

    You don't have permission to access / on this server.

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
    ----------

    I have o lot of lines like this in /var/www/web1/log/error.log
    ----------
    [Fri Dec 23 16:37:39 2005] [crit] [client 151.8.12.133] (24)Too many open files: /.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://mta.philstudium.com/
    ----------
    but it is there not ".htaccess" in /var/www/web1/

    And an extract from an ssh session:
    ----------
    root@mta:/var/www# ls -l
    total 20
    drwxr-xr-x 2 root root 4096 2005-12-10 16:46 apache2-default
    lrwxrwxrwx 1 root root 13 2005-12-14 17:12 mta.philstudium.com -> /var/www/web1
    lrwxrwxrwx 1 root root 13 2005-12-10 18:37 phil.dw.lan -> /var/www/web1
    drwxr-xr-x 2 root root 4096 2005-12-10 18:12 sharedip
    drwxr-xr-x 10 web1_monica web1 4096 2005-12-14 21:20 web1
    drwxr-xr-x 8 web3_claudio web3 4096 2005-12-15 04:00 web3
    drwxr-xr-x 2 root root 4096 2005-12-10 17:12 webalizer
    lrwxrwxrwx 1 www-data web2 13 2005-12-10 21:06 webmail.phil.dw.lan -> /var/www/web2
    lrwxrwxrwx 1 www-data web3 13 2005-12-14 18:01 www.ittc.mta.philstudium.com -> /var/www/web3
    lrwxrwxrwx 1 www-data web1 13 2005-12-10 18:33 www.phil.dw.lan -> /var/www/web1
    root@mta:/var/www# cd web1
    root@mta:/var/www/web1# ls -l
    total 28
    drwxr-xr-x 2 web1_monica web1 4096 2005-12-11 15:15 cgi-bin
    drwxrwxr-x 3 web1_monica web1 4096 2005-12-10 18:33 ftp
    drwxr-xr-x 2 web1_monica web1 4096 2005-12-10 18:33 log
    lrwxrwxrwx 1 root root 38 2005-12-14 21:20 Maildir -> /var/www/web1/user/web1_monica/Maildir
    drwxrwxrwx 2 web1_monica web1 4096 2005-12-10 18:33 phptmp
    drwxr-xr-x 2 web1_monica web1 4096 2005-12-10 18:33 ssl
    drwxr-xr-x 4 web1_monica web1 4096 2005-12-12 16:45 user
    drwxrwxr-x 13 web1_monica web1 4096 2005-12-14 20:18 web
    root@mta:/var/www/web1# cd web
    root@mta:/var/www/web1/web# ls -l
    total 48
    drwxr-xr-x 3 web1_monica web1 4096 2005-12-10 18:41 2lang
    drwxr-xr-x 3 web1_monica web1 4096 2005-12-11 13:12 cmsimple
    drwxrwxrwx 2 web1_monica web1 4096 2005-12-14 21:17 content
    drwxrwxrwx 2 web1_monica web1 4096 2005-12-10 20:08 downloads
    drwxrwxr-x 2 web1_monica web1 4096 2005-12-10 18:33 error
    drwxr-xr-x 3 web1_monica web1 4096 2005-12-10 18:41 images
    -rw-r--r-- 1 web1_monica web1 39 2005-12-10 18:41 index.php
    drwxr-xr-x 8 web1_monica web1 4096 2005-12-12 21:19 mail
    drwxr-xr-x 2 web1_monica web1 4096 2005-12-10 18:41 plugins
    drwxr-xr-x 2 web1_monica web1 4096 2005-12-12 04:00 stats
    drwxr-xr-x 6 web1_monica web1 4096 2005-12-10 18:50 templates
    drwxr-xr-x 2 web1_monica web1 4096 2005-12-12 21:05 wiz
    ----------

    discovered 100+ MB of these after a "tail -f /var/log/apache2/error.log"
    ----------
    [Fri Dec 23 17:01:10 2005] [notice] child pid 18276 exit signal Segmentation fault (11)
    piped log program '/root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_%d' failed unexpectedly
    ----------
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Is there an .htaccess file in /var/www/web1/web/ ?
    The webroot of the apache vhost is /var/www/web1/web/ and not /var/www/web1/

    Is your server under heavy load or have you any services running that need so much file descriptors that all file descriptors are in use?
     
  5. kokez

    kokez New Member HowtoForge Supporter

    was my typo, no ".htaccess" in /var/www/web1/web/


    no, for sure the server is not under heavy load. Services are all on, except for bind. "ps -A" show this:

    PID TTY TIME CMD
    1 ? 00:00:02 init
    2 ? 00:00:00 ksoftirqd/0
    3 ? 00:00:02 events/0
    4 ? 00:00:00 khelper
    5 ? 00:00:00 kthread
    21 ? 00:00:00 kblockd/0
    54 ? 00:00:00 pdflush
    55 ? 00:00:00 pdflush
    57 ? 00:00:00 aio/0
    56 ? 00:00:00 kswapd0
    627 ? 00:00:00 khubd
    1165 ? 00:00:02 kjournald
    1328 ? 00:00:00 udevd
    1820 ? 00:00:00 khpsbpkt
    2454 ? 00:00:00 knodemgrd_0
    3407 ? 00:00:00 dd
    3409 ? 00:00:00 klogd
    3421 ? 00:00:00 courierlogger
    3422 ? 00:00:00 authdaemond.pla
    3425 ? 00:00:00 authdaemond.pla
    3426 ? 00:00:00 authdaemond.pla
    3427 ? 00:00:00 authdaemond.pla
    3428 ? 00:00:00 authdaemond.pla
    3429 ? 00:00:00 authdaemond.pla
    3440 ? 00:00:00 couriertcpd
    3444 ? 00:00:00 courierlogger
    3460 ? 00:00:00 couriertcpd
    3462 ? 00:00:00 courierlogger
    3475 ? 00:00:00 couriertcpd
    3477 ? 00:00:00 courierlogger
    3495 ? 00:00:00 couriertcpd
    3497 ? 00:00:00 courierlogger
    3513 ? 00:00:00 mysqld_safe
    3550 ? 00:03:13 mysqld
    3551 ? 00:00:00 logger
    3672 ? 00:00:00 saslauthd
    3673 ? 00:00:00 saslauthd
    3674 ? 00:00:00 saslauthd
    3675 ? 00:00:00 saslauthd
    3676 ? 00:00:00 saslauthd
    3688 ? 00:00:00 sshd
    3708 ? 00:00:00 atd
    3718 ? 00:00:00 cron
    3781 ? 00:00:00 ispconfig_httpd
    3782 ? 00:00:18 ispconfig_wconf
    3787 ? 00:00:01 ispconfig_httpd
    4007 ? 00:00:00 freshclam
    4014 tty1 00:00:00 getty
    4016 tty2 00:00:00 getty
    4017 tty3 00:00:00 getty
    3763 ? 00:00:00 master
    3769 ? 00:00:00 qmgr
    32046 ? 00:00:00 syslogd
    3266 ? 00:00:00 proftpd
    10417 ? 00:00:01 ispconfig_httpd
    10540 ? 00:00:38 apache2
    10546 ? 00:00:00 apache2
    10547 ? 00:00:01 apache2
    10548 ? 00:00:00 apache2
    10549 ? 00:00:00 apache2
    10608 ? 00:00:00 apache2
    10614 ? 00:00:01 apache2
    10615 ? 00:00:01 apache2
    16483 ? 00:00:00 apache2
    18263 ? 00:00:00 apache2
    18470 ? 00:00:00 apache2
    23939 ? 00:00:00 pickup
    28958 ? 00:00:00 sshd
    28961 ? 00:00:00 sftp-server
    29540 ? 00:00:00 sshd
    29543 pts/0 00:00:00 bash
    29666 ? 00:00:00 sleep
    29672 ? 00:00:00 apache2 <defunct>
    29673 pts/0 00:00:00 ps
     
  6. falko

    falko Super Moderator ISPConfig Developer

    You have to use
    Code:
    ls -l[B][COLOR="Red"]a[/COLOR][/B]
    instead of
    Code:
    ls -l
    to see files that begin with a dot. Try this; I'm sure there is a .htaccess file.
     
  7. kokez

    kokez New Member HowtoForge Supporter

    no, there is not:

    Code:
    root@mta:~# ls -la /var/www/web1/web/
    total 56
    drwxrwxr-x  13 web1_monica web1 4096 2005-12-27 18:46 .
    drwxr-xr-x  10 web1_monica web1 4096 2005-12-14 21:20 ..
    drwxr-xr-x   3 web1_monica web1 4096 2005-12-10 18:41 2lang
    drwxr-xr-x   3 web1_monica web1 4096 2005-12-11 13:12 cmsimple
    drwxrwxrwx   2 web1_monica web1 4096 2005-12-14 21:17 content
    drwxrwxrwx   2 web1_monica web1 4096 2005-12-10 20:08 downloads
    drwxrwxr-x   2 web1_monica web1 4096 2005-12-10 18:33 error
    drwxr-xr-x   3 web1_monica web1 4096 2005-12-10 18:41 images
    -rw-r--r--   1 web1_monica web1   39 2005-12-10 18:41 index.php
    drwxr-xr-x   8 web1_monica web1 4096 2005-12-12 21:19 mail
    drwxr-xr-x   2 web1_monica web1 4096 2005-12-10 18:41 plugins
    drwxr-xr-x   2 web1_monica web1 4096 2005-12-12 04:00 stats
    drwxr-xr-x   6 web1_monica web1 4096 2005-12-10 18:50 templates
    drwxr-xr-x   2 web1_monica web1 4096 2005-12-12 21:05 wiz
    i've also searched for ".htaccess" into all folders, the only one found is into /var/www/web1/web/stats that is not part of the site. Keep in mind that the "forbidden" error is random, so the majority of the requests are correctly served.
    Can this error be related to my "quota" error?

    Thanks for your help,

    LC
     
  8. kokez

    kokez New Member HowtoForge Supporter

    tried today the same installation (ubuntu-server-5.10-install-i386 + ISPConfig-2.1.2.tar.gz) on a P4 2.8GHz 256RAM, all work as expected, no quota error, no forbiddens, no errors at all. Until now...
    :)
    LC
     
  9. saul

    saul New Member

    pcfg_openfile 'Too many files' problem

    I had exactly the same problem installing the 'perfect setup' for debian sarge. I was using a 64 bit system though, and I think this problem have something to do with the the 64 bit system.

    I'm pretty sure the error is an OS problem - not a permissions issue. After lots of futzing around, I found this:

    http://groups.google.com/group/comp...UTF-8&oe=UTF-8&start=10&sa=N#c1b73aa6c4d8525e

    Which explains that this error:

    Is caused by more files being open on the system than are set as allowable in /proc/sys/fs/file-max.

    you can tell how many files you're allowed to open by doing

    The obvious fix is to make it so you can open more files.

    I tried almost doubling how many I allowed to open:

    That seemed to sort out the problem, the trouble is, being a bad admin, I don't really know how many files I *should* allow to be open at any time.

    This works, but am I introducing security flaws? I wish I was a better admin.

    Anyway - from my experience so far, I would not recommend running ispconfig under a 64 bit debian system - too fiddly, but workable so far.

    Hope this helps someone one day. I was bewildered about this for a good few hours..

    cheers,

    Saul.
     
    Last edited: Feb 28, 2006
  10. falko

    falko Super Moderator ISPConfig Developer

    Should be ok.
    BTW, the next ISPConfig version will have support for 64-bit systems. :)
     
  11. saul

    saul New Member

    it didn't work in the end..

    hi falco,

    thanks for all your help and feedback :)

    I'm giving this one up - I thought it would work to increase the open files allowance in the way I described above, but I'm still having lots of problems.. the same errors after the system runs for a while... so scratch that earlier advice!

    I've re-installed my server with a 32bit system and I'm starting from scratch.

    fingers crossed!

    Cheers,

    Saul.
     
    Last edited: Mar 1, 2006
  12. burtathis

    burtathis New Member

    same problem !

    Hi,

    I don't know if it's good news for you but i had exactly the sames problem.
    The first one about quota, i solve it with recompiling the kernel with quota support.

    the second one, the weird "forbidden" problem i just put the finger on it !

    I have a mac mini 1.42Ghz and i used the ubuntu perfect setup howto.

    I put it in the DMZ and i disabled the firewall with ispconfig interface.

    Another problem is that i can access this ispconfig interface by the port 81 from outside, but the pages don't seems to open well : there is errors with downloading images in the central frame so the browser can't finish opening them.

    I access the interface with ssl enabled.

    I start my "forum crowler" night !

    see you soon ...
     
    Last edited: Mar 1, 2006
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Which browser do you use on your mac mini? Please try to connect with firefox or camino and check if the problems remain.

    I guess you have an URL to the controlpanel in the config.inc.php file that can be only resolved from inside your network? Try to change the url in config.inc.php to an URL that points to your external IP.
     
  14. burtathis

    burtathis New Member

    I use firefox and safari on two macs : one in the local network and one outside. always the same behavior : you can see the website quietly for a moment but at one time the forbidden message appear randomly.

    you can check by yourself here :
    http://gastfall.org or http://www.gastfall.org


    It is a "healthy" solution to allow more files opened ?
    What is the "by default" maximum ?

    You are wright !
    I put the wan IP instead : one problem solved, thanks !

    By the way, it didn't change the "forbidden" pb... i still digging!
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check this file for errors:

    /root/ispconfig/httpd/logs/error_log
     
  16. falko

    falko Super Moderator ISPConfig Developer

  17. saul

    saul New Member

    trying again with 64bit system

    Well it was quite comical that at 6pm - on the day I posted that I was giving up running ispconfig on the 64bit system - then spending the whole day reinstalling debain3.1 for 32bit, installing Perfect Setup 3.1, re-installing ispconfig etc.. etc. I get a message that the new version of ispconfig is out - with 64bit support! :)

    Anyway - since it's so easy to set up, and I'm getting good at it now! I'll test whether the problem with too many open files and random 403s (+ patchily loading images due to - I assume random 403s on each image as the system opened too many files - these were my symptoms). was to do with running a 64bit system.

    It seems this problem is common to some macs and to the amd64 bit hardware I'm running it on - because the symptoms are identical. It looked, at first like dns or permissions issues to me too, but the givaway (which mentioned running out of open file quota) was in the individual site logs - not in the ispconfig main logs..

    I've just re-installed debian and am half way through the perfect 3.1 install on a 64bit system. I'll let you know if I have the same problem as before with the new version of ispconfig.

    I really hope not! I think I'll be tearing my hair out after the 3rd install in 3 days :p

    Cheers,

    Saul.
     
  18. falko

    falko Super Moderator ISPConfig Developer

    I tested ISPConfig 2.2.0 on Debian Sarge AMD64 and didn't have any problems. :)
     
  19. burtathis

    burtathis New Member

    Hi !
    Because i passed too much time to adjust all this stuff like a blind man (i added more pb to my first one!), i'll ask one basic questions :

    • I bought a domain name "gastfall.org" at ovh.com :
      In there configuration pane i put 3 entries :
      .gastfall.org MX1 (ORT redirect)
      .gastfall.org A 82.227.0.130 (my external ip)
      www.gastfall.org A 82.227.0.130
    • I put in ispconfig interface in server, settings :
      server name=chocobox ; hostname=www ; domain=192.168.0.5 ; ip=192.168.0.5 ; netmask=255.255.255.0.
      And in DNS :
      Default Ns1: 82.227.0.130 ; Default Ns2: 82.227.0.130.
    • I made a new client and a new site in ispconfig interface (with 2 users) :
      -In basis, i put hostname=www ; domain=gastfall.org ; create DNS and DNS-MX.
      -In co-domains, i add an entry without hostname and domain=gastfall.org and create DNS and DNS-MX.

    Please, tell me if i am wrong for all that adjustments ?

    Saul, thanks in advance for digging the "forbidden pb" !
    I have the idea that the two configurations ppc and 64bit needed to recompile the kernel to add quota support, so perhaps, the problem deals with quota ?

    I'll tell everybody if i find something !
     
  20. falko

    falko Super Moderator ISPConfig Developer

    Your mail will be handled by redirect.ovh.net - it is ok like that if you intend it like this.
    Ok.

    As domain you should use a domain, not an IP address.
    This is important only if you want your ISPConfig server to act as a nameserver. If you let ovh.com handle your DNS records, then it doesn't matter what you fill in here (btw, you should use FQDNs here instead of IP addresses).

    Ok, but you don't need "Create DNS" and "Create MX" because the DNS records are handled by ovh.com.
    Ok, but again same as above.

    Did you forward port 80 from your router to your ISPConfig server?
     

Share This Page