Adding RemoteIPHeader CF-Connecting-IP to Apache Directives returns a 403 error.

Discussion in 'Installation/Configuration' started by kcafe703, Jun 28, 2023.

  1. kcafe703

    kcafe703 New Member

    Fixed an issue yesterday where Apache Directives did not work.

    For most sites, RemoteIPHeader CF-Connecting-IP works fine, but for one site, adding RemoteIPHeader CF-Connecting-IP results in a 403 error.
    I recently added and removed the following directives for Apache Directives testing.
    Code:
    RemoteIPHeader CF-Connecting-IP
    <Directory /var/www/clients/client0/web10/web>
    Order Allow,Deny
    Deny from all
    </Directory>

    Other directives do not result in 403 errors, but adding RemoteIPHeader CF-Connecting-IP results in a 403 error.
    I presumed the cause was that the Order Allow,Deny / Deny from all directives had not been removed properly, but the domain.vhost file does not contain the Order Allow,Deny / Deny from all directives.
    If I delete the site, add it again, and add RemoteIPHeader CF-Connecting-IP, the 403 error occurs again.



    The following is the content of the vhost on the site where the problem occurs.

    Code:
    <Directory /var/www/****.kr>
    AllowOverride None
    Require all denied
    </Directory>
    
    <VirtualHost *:80>
    
    
    DocumentRoot /var/www/clients/client0/web10/web
    
    ServerName ****.kr
    ServerAdmin ****@****.kr
    
    
    ErrorLog /var/log/ispconfig/httpd/****.kr/error.log
    
    Alias /error/ "/var/www/****.kr/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html
    
    
    <Directory /var/www/****.kr/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
    </Directory>
    <Directory /var/www/clients/client0/web10/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
    </Directory>
    
    
    
    
    # suexec enabled
    <IfModule mod_suexec.c>
    SuexecUserGroup web10 client0
    </IfModule>
    <IfModule mod_fastcgi.c>
    <Directory /var/www/clients/client0/web10/cgi-bin>
    Require all granted
    </Directory>
    <Directory /var/www/****.kr/web>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler php-fcgi
    </If>
    </FilesMatch>
    </Directory>
    <Directory /var/www/clients/client0/web10/web>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler php-fcgi
    </If>
    </FilesMatch>
    </Directory>
    Action php-fcgi /php-fcgi virtual
    Alias /php-fcgi /var/www/clients/client0/web10/cgi-bin/php-fcgi-*-80-****.kr
    FastCgiExternalServer /var/www/clients/client0/web10/cgi-bin/php-fcgi-*-80-****.kr -idle-timeout 300 -socket /var/lib/php7.4-fpm/web10.sock -pass-header Authorization -pass-header Content-Type
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
    #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.4-fpm/web10.sock|fcgi://localhost//var/www/clients/client0/web10/web/$1
    <Directory /var/www/****.kr/web>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler "proxy:unix:/var/lib/php7.4-fpm/web10.sock|fcgi://localhost"
    </If>
    </FilesMatch>
    </Directory>
    <Directory /var/www/clients/client0/web10/web>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler "proxy:unix:/var/lib/php7.4-fpm/web10.sock|fcgi://localhost"
    </If>
    </FilesMatch>
    </Directory>
    </IfModule>
    
    
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
    
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web10 client0
    </IfModule>
    
    <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client0/web10/webdav>
    <ifModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client0/web10/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>
    
    # skipping apache_directives, as that will be handled by the ssl vhost
    
    
    </VirtualHost>
    
    
    <VirtualHost *:443>
    
    
    DocumentRoot /var/www/clients/client0/web10/web
    
    ServerName ****.kr
    ServerAdmin ****@****.kr
    
    <IfModule mod_http2.c>
    Protocols h2 http/1.1
    </IfModule>
    
    <IfModule mod_brotli.c>
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/xml application/xml+rss application/atom+xml application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
    </IfModule>
    
    ErrorLog /var/log/ispconfig/httpd/****.kr/error.log
    
    Alias /error/ "/var/www/****.kr/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html
    
    <IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder on
    # <IfModule mod_headers.c>
    # Header always add Strict-Transport-Security "max-age=15768000"
    # </IfModule>
    SSLCertificateFile /var/www/clients/client0/web10/ssl/****.kr-le.crt
    SSLCertificateKeyFile /var/www/clients/client0/web10/ssl/****.kr-le.key
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    </IfModule>
    
    <Directory /var/www/****.kr/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
    </Directory>
    <Directory /var/www/clients/client0/web10/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
    </Directory>
    
    
    
    
    # suexec enabled
    <IfModule mod_suexec.c>
    SuexecUserGroup web10 client0
    </IfModule>
    <IfModule mod_fastcgi.c>
    <Directory /var/www/clients/client0/web10/cgi-bin>
    Require all granted
    </Directory>
    <Directory /var/www/****.kr/web>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler php-fcgi
    </If>
    </FilesMatch>
    </Directory>
    <Directory /var/www/clients/client0/web10/web>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler php-fcgi
    </If>
    </FilesMatch>
    </Directory>
    Action php-fcgi /php-fcgi virtual
    Alias /php-fcgi /var/www/clients/client0/web10/cgi-bin/php-fcgi-*-443-****.kr
    FastCgiExternalServer /var/www/clients/client0/web10/cgi-bin/php-fcgi-*-443-****.kr -idle-timeout 300 -socket /var/lib/php7.4-fpm/web10.sock -pass-header Authorization -pass-header Content-Type
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
    #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.4-fpm/web10.sock|fcgi://localhost//var/www/clients/client0/web10/web/$1
    <Directory /var/www/****.kr/web>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler "proxy:unix:/var/lib/php7.4-fpm/web10.sock|fcgi://localhost"
    </If>
    </FilesMatch>
    </Directory>
    <Directory /var/www/clients/client0/web10/web>
    <FilesMatch "\.php[345]?$">
    <If "-f '%{REQUEST_FILENAME}'">
    SetHandler "proxy:unix:/var/lib/php7.4-fpm/web10.sock|fcgi://localhost"
    </If>
    </FilesMatch>
    </Directory>
    </IfModule>
    
    
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web10 client0
    </IfModule>
    
    <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client0/web10/webdav>
    <ifModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client0/web10/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>
    
    RemoteIPHeader CF-Connecting-IP
    RemoteIPTrustedProxy 103.21.244.0/22
    RemoteIPTrustedProxy 103.22.200.0/22
    RemoteIPTrustedProxy 103.31.4.0/22
    RemoteIPTrustedProxy 104.16.0.0/13
    RemoteIPTrustedProxy 104.24.0.0/14
    RemoteIPTrustedProxy 108.162.192.0/18
    RemoteIPTrustedProxy 131.0.72.0/22
    RemoteIPTrustedProxy 141.101.64.0/18
    RemoteIPTrustedProxy 162.158.0.0/15
    RemoteIPTrustedProxy 172.64.0.0/13
    RemoteIPTrustedProxy 173.245.48.0/20
    RemoteIPTrustedProxy 188.114.96.0/20
    RemoteIPTrustedProxy 190.93.240.0/20
    RemoteIPTrustedProxy 197.234.240.0/22
    RemoteIPTrustedProxy 198.41.128.0/17
    
    
    </VirtualHost>
    
    <IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    </IfModule>
     
    Last edited: Jun 28, 2023
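
The configuration in the vhost above honours `CF-Connecting-IP` only on connections whose TCP peer falls inside one of the `RemoteIPTrustedProxy` ranges; on a direct connection from any other address the header is ignored and the peer address remains the client address, which is what stops a client from forging an arbitrary source IP with one request header. The script below is an added example, not code from the thread, from ISPConfig or from Apache: it re-implements that decision in POSIX sh for a single-address header (mod_remoteip additionally walks comma-separated chains right to left, which is not modelled), uses the IPv4 list exactly as posted, and places the weak variant, `RemoteIPHeader` with no trusted-proxy list at all, next to the correct one. The addresses 172.64.1.1, 198.51.100.9 and 203.0.113.7 are constructed test inputs.

```shell
#!/bin/sh
# Added example (not from the thread, ISPConfig or Apache): emulate how
# mod_remoteip decides which address becomes the client IP when
#   RemoteIPHeader CF-Connecting-IP
# is combined with the RemoteIPTrustedProxy list from the post.
# Single-address header only, IPv4 only, POSIX sh arithmetic.

# The trusted ranges exactly as listed in the vhost above (IPv4 only).
CF_TRUSTED="103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13
104.24.0.0/14 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15
172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20
197.234.240.0/22 198.41.128.0/17"

# is_ipv4 ADDR: exit 0 only for a dotted quad with four octets in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ip4_to_int ADDR: print the address as an unsigned 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/BITS: exit 0 when ADDR lies inside the prefix.
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    # Mask with the top BITS bits set: 2^32 - 2^(32-BITS), no hex needed.
    mask=$(( 4294967295 - (1 << (32 - bits)) + 1 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_trusted_proxy ADDR: exit 0 when ADDR is inside any CF_TRUSTED range.
is_trusted_proxy() {
    for net in $CF_TRUSTED; do
        in_cidr "$1" "$net" && return 0
    done
    return 1
}

# effective_client PEER HEADER
# PEER is the TCP peer Apache accepted the connection from; HEADER is the
# CF-Connecting-IP value, empty when the request carried none.
# Prints the address that access rules and the error log will see.
effective_client() {
    peer=$1; hdr=$2
    if [ -n "$hdr" ] && is_ipv4 "$hdr" && is_trusted_proxy "$peer"; then
        echo "$hdr"      # header arrived via a listed proxy: substituted
    else
        echo "$peer"     # no header, unparseable header, or untrusted peer
    fi
}

# effective_client_no_trust_list PEER HEADER
# The weak setting: RemoteIPHeader with no RemoteIPTrustedProxy or
# RemoteIPInternalProxy lines. mod_remoteip then trusts every peer, so a
# direct client can claim any source address with a single request header.
effective_client_no_trust_list() {
    peer=$1; hdr=$2
    if [ -n "$hdr" ] && is_ipv4 "$hdr"; then
        echo "$hdr"
    else
        echo "$peer"
    fi
}

# Constructed inputs: 172.64.1.1 sits in 172.64.0.0/13 (a listed range),
# 198.51.100.9 is a direct client outside the list, 203.0.113.7 is the
# address the header claims.
demo() {
    echo "via Cloudflare edge  : $(effective_client 172.64.1.1 203.0.113.7)"
    echo "direct, forged header: $(effective_client 198.51.100.9 203.0.113.7)"
    echo "direct, no header    : $(effective_client 198.51.100.9 '')"
    echo "no trust list, forged: $(effective_client_no_trust_list 198.51.100.9 203.0.113.7)"
}

demo
```

Two caveats a practitioner would check against this vhost: the list in the post is IPv4 only, so an origin that Cloudflare reaches over IPv6 also needs Cloudflare's published IPv6 ranges, and once substitution happens every IP-based rule in the vhost, Require ip and the 2.2-style Allow from / Deny from alike, is evaluated against the substituted client address rather than the Cloudflare edge address.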
  2. kcafe703

    kcafe703 New Member

    /var/log/ispconfig/httpd/****.kr/error.log
    [Tue Jun 20 10:06:44.170757 2023] [access_compat:error] [pid 1305045] [client 121.***.***.***:0] AH01797: client denied by server configuration: /var/www/clients/client0/web10/web/
    [Tue Jun 20 10:06:44.170810 2023] [access_compat:error] [pid 1305045] [client 121.***.***.***:0] AH01797: client denied by server configuration: /var/www/****.kr/web/error/403.html
    [Tue Jun 20 10:06:44.286234 2023] [access_compat:error] [pid 1305045] [client 121.***.***.***:0] AH01797: client denied by server configuration: /var/www/clients/client0/web10/web/
    [Tue Jun 20 10:06:44.286275 2023] [access_compat:error] [pid 1305045] [client 121.***.***.***:0] AH01797: client denied by server configuration: /var/www/****.kr/web/error/403.html
     
  3. pyte

    pyte Well-Known Member HowtoForge Supporter

    Please use the code blocks as described in the pinned post of this forum.
    Where did you add the Apache directive? Did you add these through the ISPConfig Interface or directly in the vHost file for the site?
     
  4. kcafe703

    kcafe703 New Member

    Added from the ISPConfig web interface.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. till

    till Super Moderator Staff Member ISPConfig Developer

    And as a side note, adding:

    Code:
    <Directory /var/www/clients/client0/web10/web>
    Order Allow,Deny
    Deny from all
    </Directory>
    must result in a 403 error, as you disallow access to the website with that. So I'm not sure why you want to add it, as it basically tells Apache to throw a 403 error when the site gets accessed.
     
  7. kcafe703

    kcafe703 New Member

    Code:
    RemoteIPHeader CF-Connecting-IP
    <Directory /var/www/clients/client0/web10/web>
    Order Allow,Deny
    Deny from all
    </Directory>
    To test the Apache Directives, I set the RemoteIPHeader CF-Connecting-IP directive and a directive denying access to the site. After testing, we removed the access-denied directive.
    But with the RemoteIPHeader CF-Connecting-IP directive I get a 403 error. Other directives are fine.
    The access-denied directive doesn't seem to have been removed properly. There are no access-denied directives in the vhost file.
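
The AH01797 lines in post 2 carry the module tag access_compat, which is mod_access_compat, the module that implements the 2.2-style Order / Allow from / Deny from directives; a denial from a Require directive is logged by authz_core instead. So the rule producing the 403 is a 2.2-style one, and the vhost as posted contains none, which leaves the other places Apache reads such rules from: any other include, and .htaccess files under the document root, which the vhost's AllowOverride All instructs Apache to honour. The script below is an added example, not code from the thread, from ISPConfig or from Apache: it searches a directory tree for those directives and is exercised here against a constructed sample tree (a clean vhost next to a leftover .htaccess); all paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread, ISPConfig or Apache): find every
# 2.2-style access rule (Order / Allow from / Deny from) that mod_access_compat
# would still enforce for a site. Such rules can live outside the generated
# vhost: in another include, or in a .htaccess under the document root, which
# "AllowOverride All" tells Apache to honour. Paths are hypothetical.

# find_legacy_access_rules DIR...: print FILE:LINE:TEXT for each match.
find_legacy_access_rules() {
    find "$@" -type f \( -name '*.vhost' -o -name '*.conf' -o -name '.htaccess' \) \
        -exec grep -HEn '^[[:space:]]*(Order|Allow from|Deny from)[[:space:]]' {} + 2>/dev/null
    return 0    # grep exits 1 when nothing matches; that is not an error here
}

# count_legacy_access_rules DIR...: number of matching lines (0 when clean).
count_legacy_access_rules() {
    find_legacy_access_rules "$@" | grep -c . || true
}

# make_sample_tree: constructed sample data, not a real ISPConfig tree.
# A vhost that only uses Require (clean) next to a document root holding a
# .htaccess left over from a "deny everything" test. Prints the tree's path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-enabled" "$d/web"
    cat > "$d/sites-enabled/example.kr.vhost" <<'EOF'
<VirtualHost *:443>
    DocumentRoot /var/www/clients/client0/web10/web
    RemoteIPHeader CF-Connecting-IP
    <Directory /var/www/clients/client0/web10/web>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
    cat > "$d/web/.htaccess" <<'EOF'
# left over from a test; AllowOverride All makes Apache apply it
Order Allow,Deny
Deny from all
EOF
    echo "$d"
}

# On a live host the same search is run over the config tree and the site's
# document root, followed by two apachectl checks:
#   find_legacy_access_rules /etc/apache2 /var/www/clients/client0/web10/web
#   apachectl -t -D DUMP_INCLUDES   # every file the running config pulls in
#   apachectl -M | grep remoteip    # confirm mod_remoteip is actually loaded
```

The grep reports the file and line of each hit, so a rule hiding in a .htaccess or in an include the vhost listing does not show is located without editing anything; `apachectl -t -D DUMP_INCLUDES` then confirms that the file Apache is really loading is the one being inspected.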
     
