[solved] suddenly ispconfig won't login

Discussion in 'Installation/Configuration' started by pannet1, Nov 10, 2017.

  1. pannet1

    pannet1 Member

    Hi @till + others,

    Thanks for the latest update. Prior to updating (about 2 days before), I am no longer able to log in to ISPConfig with the usual URL
    Code:
    https://server1.example.com:8080
    
    After the username and password entry, I am getting redirected to the same page again.

    However I am able to login with ..
    Code:
    https://xx.xx.xxx.xxx:8080
    
    I never installed anything fancy or tweaked the config. Some major changes I did were

    1) ahrais way of installing letsencrypt.
    2) configured evasive
    3) installed webftp pydio based on this tutorial. (That's not working as expected but that's a different issue. Will come to that later.)
    4) I have added clients, resellers, websites to my account. That's all.

    I just updated to the latest ISPConfig release and the problem persists. I am feeling so scared because I already migrated all my clients' websites to the new ISPConfig panel and still could not even figure out where to start.

    Please help me troubleshoot.

    Cheers.
     
  2. adamjedgar

    adamjedgar Member

    First thing to do is clear your web browser cache, then try to login again.

    If that fails, try to use the following to login

    https://yourserver_ipaddress:8080/

    Edit...oops sorry, didn't see you can log in with the IP address. Forget the IP address part...but you should still clear your web browser cache and cookies!

    Also, login loopbacks can also be caused by
    1. a corrupt .htaccess file
    2. Cloudflare dns caching problems...disable cloudflare
    3. Perhaps your ssl certificate is having issues since upgrading ispconfig. Reissue a new ssl certificate for the domain name and see what happens
    4. Finally(and this should be number 1 not 4), what do error logs say?
     
    Last edited: Nov 10, 2017
  3. pannet1

    pannet1 Member

    Hi @adamjedgar,

    Please note the time difference between evasive (past) and ispconfig (now) logs

    ispconfig/auth.log
    Code:
    Successful login for user 'admin' from XX.XXX.XXX.XX at 2017-11-11 00:27:32
    
    apache2/error.log
    Code:
    Fri Nov 10 22:23:22.951126 2017] [evasive20:error] [pid 24247] [client XX.XXX.XXX.XX:24971] client denied by server configuration: /var/www/ispconfig/sites/ajax_get_json.php, referer: https://XX.XX.XXX.XXX:8080/
    
    I do not know if evasive is the culprit.
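
The comparison made in the post above (an evasive20 denial in apache2/error.log against a successful login in ispconfig/auth.log), as an added example that is not part of the original thread: it pairs each login with mod_evasive denials for the same client inside a time window. The sample lines, the 203.0.113.x addresses, the 60-second window and the assumption that both logs use the same timezone are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the two log formats quoted in the thread.
# 203.0.113.x are documentation addresses, not values from the page.
AUTH_LOG = """\
Successful login for user 'admin' from 203.0.113.7 at 2017-11-11 00:27:32
Successful login for user 'admin' from 203.0.113.7 at 2017-11-10 22:23:20
"""
ERROR_LOG = """\
[Fri Nov 10 22:23:22.951126 2017] [evasive20:error] [pid 24247] [client 203.0.113.7:24971] client denied by server configuration: /var/www/ispconfig/sites/ajax_get_json.php, referer: https://203.0.113.10:8080/
[Fri Nov 10 22:25:01.000001 2017] [cgi:error] [pid 835] [client 203.0.113.7:20253] End of script output before headers: admin
"""

LOGIN_RE = re.compile(
    r"Successful login for user '([^']*)' from (\S+) "
    r"at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
EVASIVE_RE = re.compile(
    r"^\[(\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d)\.\d+ (\d{4})\] \[evasive20:error\] "
    r".*?\[client ([^\]]+)\] client denied by server configuration: ([^,]+)")

def parse_logins(text):
    """Return (time, ip, user) for every successful ISPConfig login."""
    return [(datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(1))
            for m in LOGIN_RE.finditer(text)]

def parse_denials(text):
    """Return (time, ip, path) for every mod_evasive denial; other modules are ignored."""
    out = []
    for line in text.splitlines():
        m = EVASIVE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")
            out.append((ts, m.group(3).rsplit(":", 1)[0], m.group(4).strip()))
    return out

def correlate(auth_text, error_text, window=timedelta(seconds=60)):
    """Per login, list the paths mod_evasive denied to the same IP within the window."""
    denials = parse_denials(error_text)
    result = []
    for when, ip, _user in sorted(parse_logins(auth_text)):
        hits = [p for ts, dip, p in denials if dip == ip and abs(ts - when) <= window]
        result.append((when.isoformat(sep=" "), ip, hits))
    return result

if __name__ == "__main__":
    for row in correlate(AUTH_LOG, ERROR_LOG):
        print(row)
```

A login with an empty list had no mod_evasive denial near it, so a block logged hours earlier does not by itself explain a redirect loop happening now.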
     
  4. adamjedgar

    adamjedgar Member

    I don't know much about the evasive apache mod...other than I think it's related to helping prevent brute force attacks?

    The evasive mod config file is usually found in

    /etc/apache2/conf.d/mod-evasive

    If you have cleared your browser caches, and are certain your ssl cert is ok, and it's not a dns issue, and your url is ok in config file, then this evasive mod configuration pathway is better left to till or someone with a lot better understanding of that mod than me.

    I have seen ubuntu users problem solve this kind of login redirect loop problem by creating a new user account and seeing if it will login using url....the thought being it's possibly user profile related. Do you have a different account you can try with domain name url?
     
    Last edited: Nov 10, 2017
    pannet1 likes this.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    I think so. Seems like your mod_evasive settings block the ISPConfig UI.
     
  6. pannet1

    pannet1 Member

    >> I WAS COMBINING INDIVIDUAL LOGS LIKE THIS AND HENCE MISSED A DETAILED VIEW OF EACH LOG
    Code:
    sudo multitail -c daemon.log debug syslog apache2/error.log auth.log fail2ban.log mail.info php7.0-fpm.log syslog mail.log pure-ftpd/transfer.log ispconfig/auth.log --mergeall ispconfig/http/*/error.log
    
    THEN I STARTED LOOKING AT EACH LOGS INDIVIDUALLY, THERE WERE MANY ERRORS THROWN AT VARIOUS TIMES BUT NOTHING CONCRETE PERTAINING TO THE CURRENT TIME.
     
    Last edited: Nov 11, 2017
  7. pannet1

    pannet1 Member

    I had disabled mod_evasive and restarted Apache and tried to log in. But still the problem persists.
     
  8. adamjedgar

    adamjedgar Member

    Have you tried creating another user profile/account (accessing ispconfig via ip address) and logging in to the https://server.domain.com:8080 using that new account?

    If the above fails to make any difference, try
    1. You have tried using a different browser?
    2. Disable fail2ban temporarily and try to login. If this doesn't work then,
    3. Remove ssl certificate and try login via http://server1.yourdomain.com:8080
    4. A drastic measure would be to move to a new server with a brand new install (which I have read of people doing)
     
    Last edited: Nov 11, 2017
  9. pannet1

    pannet1 Member

    Finally I got the ispconfig panel working again. This is what I did.

    1) logged into the ispconfig panel through ip address
    2) Sites->Domain->server1.example.com
    2a) unchecked SSI
    2b) unchecked SuEXEC
    2c) changed autosubdomain from "www" to "none"
    2d) changed PHP from "FastCGI" to "Mod-PHP"
    3) Sites->Domain->Redirect
    3a) unchecked Rewrite HTTP to HTTPS
    4) Sites->Domain->Options
    4a) Apache Directives
    Removed the Apache directive added for webftp. This is unnecessary because there is already a provision to mention the link under configuration.

    Restarted Apache and the problem got solved.
     
  10. pannet1

    pannet1 Member

    Hi @adamjedgar,
    Many thanks for your support. I just noticed your reply. Prior to solving the problem
    I tried another account and the result is the same, so I guessed it's something to do with the redirect. Also the login is successful as per ispconfig/auth.log. Then the fail2ban log does not have my IP in the banned list; besides, I am able to log in with the IP. I have not enabled SSL through the UI but through a script, so I don't have anything showing up in the UI.

    Thanks once again.
     
  11. adamjedgar

    adamjedgar Member

    If I understand correctly, changing over to DSO (mod_php) is fast, however there are some disadvantages running this option...
    1. insecure...all php files are run under the "nobody" apache user
    2. Permissions will need to be set for every php file manually (because running as the "nobody" apache user)
    3. Any CMS websites (such as Wordpress) must be monitored carefully and tightly secured within the CMS itself (keep plugins and CMS updated, and run security plugins like wordfence etc)

    An advantage of DSO is that it responds to the use of an .htaccess file (whereas my understanding is that suPHP requires changes to php.ini instead)

    ------------------------------------------------------------------------------------

    My understanding is that FastCGI is supposed to already combine the best of both suPHP and DSO (mod_php)...surely it would be better to use this option? I think this would require suEXEC to be enabled however?

    I am wondering if you should change everything you did back to what it was before, then just change one thing at a time until your problem is resolved rather than a whole list of things like you have done. My reason for saying this is that surely your problem has not been caused by all of the things in the list of changes you made?

    Anyway, glad you have a working login again.
     
    pannet1 likes this.
  12. pannet1

    pannet1 Member

    @adamjedgar,

    Ans: When I made the changes, I was thinking I did virtual host site-wide changes and not server-wide changes. So as long as the server runs securely, it's fine. We are not going to install any additional software except for what is recommended in the original setup instructions and Pydio (WebFTP). Also from the below log entry ....... it seems ... that I still have a lot of work to do

    ispconfig/httpd/server1.example.com/error.log

    Code:
    [Wed Nov 01 01:10:09.831085 2017] [cgi:error] [pid 834] [client xx.xxx.xxx.xxx:20252] AH01215: suexec policy violation: see suexec log for more details: /usr/lib/cgi-bin/mailman/admin
    [Wed Nov 01 01:10:09.831235 2017] [cgi:error] [pid 834] [client xx.xxx.xxx.xxx:20252] End of script output before headers: admin
    [Wed Nov 01 01:10:18.973251 2017] [cgi:error] [pid 835] [client xx.xxx.xxx.xxx:20253] AH02812: attempt to invoke directory as script: /usr/lib/cgi-bin/mailman/
    [Wed Nov 01 01:10:23.604126 2017] [cgi:error] [pid 835] [client xx.xxx.xxx.xxx:20253] AH01215: suexec policy violation: see suexec log for more details: /usr/lib/cgi-bin/mailman/admin
    [Wed Nov 01 01:10:23.604250 2017] [cgi:error] [pid 835] [client xx.xxx.xxx.xxx:20253] End of script output before headers: admin
    [Wed Nov 01 01:11:43.986040 2017] [cgi:error] [pid 9785] [client xx.xxx.xxx.xxx:20285] AH01215: suexec policy violation: see suexec log for more details: /usr/lib/cgi-bin/mailman/listinfo
    [Wed Nov 01 01:11:43.986215 2017] [cgi:error] [pid 9785] [client xx.xxx.xxx.xxx:20285] End of script output before headers: listinfo
    
     
  13. adamjedgar

    adamjedgar Member

    Didn't you disable suEXEC?

    Perhaps that's the reason why it's throwing this latest series of errors?

    I wish I knew more about these kinds of things. I will be interested in reading the resolutions to your problems, as I for one will learn something from it.
     
    pannet1 likes this.
  14. pannet1

    pannet1 Member

    Hi @adamjedgar,
    Nope. The errors were triggered on the 1st of Nov. I think it's triggered whenever I open Mailman.
    That's why, even after the problem is resolved, I post it here, so it will be useful for others.
     
    adamjedgar likes this.
  15. adamjedgar

    adamjedgar Member

    I have stumbled across the following as one possible solution from Stack website...This did not fix the problem for the O.P on the Stack website, but is worth checking just the same.

    change the permissions to 755 for all your files and enjoy !
    The problem is the un-appropriate permissions

    Another possible solution is ownership...perhaps there is an ongoing ownership issue that needs to be fixed? Another post in a forum mentions the following (obviously the following will need a bit of rehashing to suit your actual needs ...ie the mailman directory perhaps?)
    chown -R testsite:testsite </path/to/directory-or-binary>

    As an afterthought...I notice the following in your error message....in particular the "cgi-bin" directory. I wonder if that has anything to do with it? (I don't know anything about this, just asking the question. I can't imagine the directory really matters unless there is a config file issue pointing somewhere else by default?)
    attempt to invoke directory as script: /usr/lib/cgi-bin/mailman/

     
    pannet1 likes this.
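
An added example, not part of the original thread: the "suexec policy violation" entries quoted above come from Apache's suEXEC wrapper, whose documented security model checks more than file mode and ownership. The function below applies a subset of those checks (location under the suEXEC document root, group/other write bits, setuid/setgid bits, owner matching the target user). The document root `/var/www`, the minimum id 100, the uid/gid numbers, the site script path and all file metadata are assumptions constructed for illustration.

```python
import os
import stat
from types import SimpleNamespace as Meta

# Assumptions: suEXEC's document root and minimum uid/gid are compile-time
# settings; /var/www and 100 are used here as illustrative values.
def suexec_violations(path, prog, directory, uid, gid,
                      docroot="/var/www", min_id=100):
    """Check a CGI against a subset of suEXEC's documented rules.
    prog/directory carry st_mode, st_uid, st_gid (like os.stat results);
    uid/gid are the user and group the request should run as."""
    problems = []
    if not os.path.normpath(path).startswith(docroot.rstrip("/") + "/"):
        problems.append("outside suexec document root")
    if uid < min_id or gid < min_id:
        problems.append("target uid/gid is root or below the minimum")
    writable = stat.S_IWGRP | stat.S_IWOTH
    if directory.st_mode & writable:
        problems.append("directory writable by group or other")
    if prog.st_mode & writable:
        problems.append("program writable by group or other")
    if prog.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("program is setuid or setgid")
    owners = {(prog.st_uid, prog.st_gid), (directory.st_uid, directory.st_gid)}
    if owners != {(uid, gid)}:
        problems.append("owner/group differs from target user/group")
    return problems

def audit_file(path, uid, gid, **kw):
    """Run the same checks against the live filesystem."""
    return suexec_violations(path, os.stat(path),
                             os.stat(os.path.dirname(path)), uid, gid, **kw)

# Constructed metadata (not taken from the thread): a root-owned setgid
# binary under /usr/lib/cgi-bin, and a hypothetical site script after "chmod 755".
SYSTEM_CGI = Meta(st_mode=0o102755, st_uid=0, st_gid=38)
SYSTEM_DIR = Meta(st_mode=0o040755, st_uid=0, st_gid=0)
SITE_CGI = Meta(st_mode=0o100755, st_uid=5004, st_gid=5005)
SITE_DIR = Meta(st_mode=0o040755, st_uid=5004, st_gid=5005)

if __name__ == "__main__":
    print(suexec_violations("/usr/lib/cgi-bin/mailman/admin",
                            SYSTEM_CGI, SYSTEM_DIR, 5004, 5005))
    print(suexec_violations("/var/www/clients/client1/web1/cgi-bin/app.cgi",
                            SITE_CGI, SITE_DIR, 5004, 5005))
```

The suexec log named in the error message records which check actually failed on a given server; `audit_file` only helps narrow that down before changing modes or owners.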
  16. pannet1

    pannet1 Member

    Hi adamjedgar,

    Sorry for the belated reply. Actually I am in no mood to explore many things. To be honest, I don't need Mailman, so if it nags me I will better delete it.

     
