I have tried today to create a new site on my ISPconfig 3 server. It is the first site that I create after upgrading to 3.0.3. I'm getting Access Forbidden on the default page. In the error_log I have this:

Code:
[Sun Oct 17 23:31:27 2010] [crit] [client 66.249.71.181] (13)Permission denied: /srv/www/kernelit.gr/web/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

The only .htaccess file that exists is the one that ISPconfig made and it is empty. The web folder is this:

Code:
aragorn:/srv/www/kernelit.gr/web # ls -l
total 16
-rwxr-xr-- 1 web15 client1 1406 2010-10-17 23:26 favicon.ico
-rwxr-xr-- 1 web15 client1    0 2010-10-17 23:26 .htaccess
-rwxr-xr-- 1 web15 client1 1861 2010-10-17 23:26 index.html
-rwxr-xr-- 1 web15 client1   34 2010-10-17 23:26 robots.txt
drwxr-xr-x 2 root  root    4096 2010-10-17 23:26 stats

What is wrong? I haven't changed anything in my configuration. My vhost file for the domain is (haven't touched anything):

Code:
<Directory /srv/www/kernelit.gr>
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

<VirtualHost *:80>
    DocumentRoot /srv/www/kernelit.gr/web
    ServerName kernelit.gr
    ServerAlias *.kernelit.gr
    ServerAdmin [email protected]
    ErrorLog /var/log/ispconfig/httpd/kernelit.gr/error.log

    <Directory /srv/www/kernelit.gr/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options +Includes
    </Directory>
    <Directory /srv/www/clients/client1/web15/web>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
        Options +Includes
    </Directory>

    <IfModule mod_ruby.c>
        <Directory /srv/www/clients/client1/web15/web>
            Options +ExecCGI
        </Directory>
        RubyRequire apache/ruby-run
        #RubySafeLevel 0
        <Files *.rb>
            SetHandler ruby-object
            RubyHandler Apache::RubyRun.instance
        </Files>
        <Files *.rbx>
            SetHandler ruby-object
            RubyHandler Apache::RubyRun.instance
        </Files>
    </IfModule>

    # cgi enabled
    <Directory /srv/www/clients/client1/web15/cgi-bin>
        Order allow,deny
        Allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /srv/www/clients/client1/web15/cgi-bin/
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl

    # suexec enabled
    SuexecUserGroup web15 client1

    # Clear PHP settings of this website
    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
    </FilesMatch>

    # php as fast-cgi enabled
    <IfModule mod_fcgid.c>
        # SocketPath /tmp/fcgid_sock/
        IdleTimeout 3600
        ProcessLifeTime 7200
        # MaxProcessCount 1000
        DefaultMinClassProcessCount 3
        DefaultMaxClassProcessCount 100
        IPCConnectTimeout 8
        IPCCommTimeout 360
        BusyTimeout 300
    </IfModule>
    <Directory /srv/www/kernelit.gr/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /srv/www/clients/client1/web15/web>
        AddHandler fcgid-script .php .php3 .php4 .php5
        FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
        Options +ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
        AssignUserId web15 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
        # DO NOT REMOVE THE COMMENTS!
        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
        # WEBDAV BEGIN
        # WEBDAV END
    </IfModule>
</VirtualHost>

<IfModule mod_ssl.c>
    ###########################################################
    # SSL Vhost
    ###########################################################
    <VirtualHost *:443>
        DocumentRoot /srv/www/kernelit.gr/web
        ServerName kernelit.gr
        ServerAlias *.kernelit.gr
        ServerAdmin [email protected]
        ErrorLog /var/log/ispconfig/httpd/kernelit.gr/error.log

        SSLEngine on
        SSLCertificateFile /srv/www/clients/client1/web15/ssl/kernelit.gr.crt
        SSLCertificateKeyFile /srv/www/clients/client1/web15/ssl/kernelit.gr.key

        <Directory /srv/www/kernelit.gr/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
            # ssi enabled
            AddType text/html .shtml
            AddOutputFilter INCLUDES .shtml
            Options +Includes
        </Directory>
        <Directory /srv/www/clients/client1/web15/web>
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
            # ssi enabled
            AddType text/html .shtml
            AddOutputFilter INCLUDES .shtml
            Options +Includes
        </Directory>

        # cgi enabled
        <Directory /srv/www/clients/client1/web15/cgi-bin>
            Order allow,deny
            Allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /srv/www/clients/client1/web15/cgi-bin/
        AddHandler cgi-script .cgi
        AddHandler cgi-script .pl

        # ssi enabled
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml

        # suexec enabled
        SuexecUserGroup web15 client1

        # Clear PHP settings of this website
        <FilesMatch "\.ph(p3?|tml)$">
            SetHandler None
        </FilesMatch>

        # php as fast-cgi enabled
        <IfModule mod_fcgid.c>
            # SocketPath /tmp/fcgid_sock/
            IdleTimeout 3600
            ProcessLifeTime 7200
            # MaxProcessCount 1000
            DefaultMinClassProcessCount 3
            DefaultMaxClassProcessCount 100
            IPCConnectTimeout 8
            IPCCommTimeout 360
            BusyTimeout 300
        </IfModule>
        <Directory /srv/www/kernelit.gr/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        <Directory /srv/www/clients/client1/web15/web>
            AddHandler fcgid-script .php .php3 .php4 .php5
            FCGIWrapper /srv/www/php-fcgi-scripts/web15/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>

        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
            AssignUserId web15 client1
        </IfModule>

        <IfModule mod_dav_fs.c>
            # DO NOT REMOVE THE COMMENTS!
            # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
            # WEBDAV BEGIN
            # WEBDAV END
        </IfModule>
    </VirtualHost>
</IfModule>

Thank you.
It seems that the newly created site has wrong permissions on the web root:

Code:
ls -l
total 16
drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 cgi-bin
lrwxrwxrwx 1 kernelitshell client1   36 2010-10-17 23:26 log -> /var/log/ispconfig/httpd/kernelit.gr
drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 ssl
drwxrwxrwx 2 kernelitshell client1 4096 2010-10-17 23:26 tmp
drwx--x--- 3 kernelitshell client1 4096 2010-10-17 23:26 web

I have changed the permissions manually to this:

Code:
ls -l
total 16
drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 cgi-bin
lrwxrwxrwx 1 kernelitshell client1   36 2010-10-17 23:26 log -> /var/log/ispconfig/httpd/kernelit.gr
drwxr-x--x 2 kernelitshell client1 4096 2010-10-17 23:26 ssl
drwxrwxrwx 2 kernelitshell client1 4096 2010-10-17 23:26 tmp
drwxr-xr-x 3 kernelitshell client1 4096 2010-10-17 23:26 web

and now I can see the default index.html page. But why did this happen? Should I check something? I haven't tried to create another site to see what happens.
1) Which web security level do you use (high or medium)? You find this under system > server config > web.
2) Which PHP method have you selected in the website settings?
3) Which Linux distribution do you use?
Till, thanks for the answer.
1. High (should I change to medium?)
2. Fast-cgi
3. Opensuse 11.1
Thanks again.
1) No. High is correct and recommended.
2+3) Ok.

I just checked that on my system, the folder permissions of working websites are:

Code:
drwxr-x--x  6 web10 client12   4096 Dec 17  2009 .
drwxr-xr-x  3 root  root       4096 Oct 14  2009 ..
drwxr-x--x  2 web10 client12   4096 Oct 14  2009 cgi-bin
lrwxrwxrwx  1 web10 client12     43 Oct 14  2009 log -> /var/log/ispconfig/httpd/domain.tld
drwxr-x--x  2 web10 client12   4096 Oct 14  2009 ssl
drwxrwxrwx  2 web10 client12 135168 Oct 18 03:03 tmp
drwx--x--- 16 web10 client12   4096 Jun  8 12:30 web

Maybe there is a problem with the user and group. Please compare the user and group records in /etc/passwd and /etc/group of a working website with a not working site. Additionally, please compare the folder permissions on one of your working websites with the permissions of this not working site.
I have deleted the site and I'm going to recreate it (and compare after that). Should SuEXEC be enabled with the above options or not?
You should enable suexec always when FCGI or cgi is used as this allows the scripts to run separated for every website.
I have recreated the site. It seems that something is wrong with the users and groups as I'm getting "403 Forbidden" again. The site's permissions are identical to yours:

Code:
drwxr-x--x 2 web16 client1 4096 2010-10-18 11:42 cgi-bin
lrwxrwxrwx 1 web16 client1   36 2010-10-18 11:42 log -> /var/log/ispconfig/httpd/kernelit.gr
drwxr-x--x 2 web16 client1 4096 2010-10-18 11:42 ssl
drwxrwxrwx 2 web16 client1 4096 2010-10-18 11:42 tmp
drwx--x--- 3 web16 client1 4096 2010-10-18 11:42 web

I have also created a shell user. This site belongs to client1. In /etc/passwd and /etc/group I have these:

For /etc/passwd

Code:
web16:x:5009:5002::/srv/www/clients/client1/web16:/bin/false
kernelitshell:x:5009:5002::/srv/www/clients/client1/web16:/bin/bash

That seems identical to the working sites.

For /etc/group

Code:
client1:!:5002:www-data
client2:!:5003:
client3:!:5004:
client4:!:5007:
ispapps:!:5006:
ispconfig:!:5001:wwwrun
sshusers:!:5005:web12,web13,web16

Client1 is the owner of the site but it was created a long time ago. It seems that something is not right with this client from the beginning. Also, as soon as I created the shell user, the site's ownership changed to this:

Code:
-rwxr-xr-x 1 kernelitshell client1    0 2010-10-18 11:45 .bash_history
drwxr-x--x 2 kernelitshell client1 4096 2010-10-18 11:42 cgi-bin
-rwxr-xr-x 1 root          root      40 2010-10-18 11:43 .htpasswd_stats
lrwxrwxrwx 1 kernelitshell client1   36 2010-10-18 11:42 log -> /var/log/ispconfig/httpd/kernelit.gr
drwxr-x--x 2 kernelitshell client1 4096 2010-10-18 11:43 ssl
drwxrwxrwx 2 kernelitshell client1 4096 2010-10-18 11:42 tmp
drwx--x--- 3 kernelitshell client1 4096 2010-10-18 11:42 web

Is this normal?
I guess the problem is that the apache user is not a member of the client groups. What is the username of the apache user on suse? wwwrun or www-data? Please check then that the correct username and groupname for the apache user and group are set in ispconfig under system > server config > web. Then edit the group file and add the correct user to the clientX groups, e.g.:

client2:!:5003:wwwrun

if the user is named wwwrun on your server, and then restart apache. I guess that a wrong user is set in ispconfig so that the user could not be added to the client group, which resulted now in the access errors.

Yes, that's ok. The owner has not been changed, it just gets a new owner displayed as all shell users of a website share the same numeric uid and gid.
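The group-membership diagnosis in the reply above, worked through as an added example (not part of the original thread and not ISPConfig code). It evaluates the POSIX permission bits along the path for the Apache user, using the ids and modes posted in the thread; the uid/gid for wwwrun and the root-owned 0755 parent directory are assumed values.

```python
# /etc/group excerpt as posted in the thread (before the fix).
GROUP_BEFORE = """\
client1:!:5002:www-data
client2:!:5003:
ispconfig:!:5001:wwwrun
sshusers:!:5005:web12,web13,web16
"""
# After the fix: the Apache user wwwrun is listed as a member of client1.
GROUP_AFTER = GROUP_BEFORE.replace("5002:www-data", "5002:wwwrun")
WWWRUN_UID, WWW_GID = 30, 8  # assumed values, not from the thread

# (path, mode, uid, gid). web16 ids and the 0710 mode of web/ come from the
# thread; 0751 is the site-directory mode in Till's listing; .htaccess mode is
# from the first listing; the root-owned 0755 parent is an assumption.
DIRS = [
    ("/srv/www/clients/client1", 0o755, 0, 0),
    ("/srv/www/clients/client1/web16", 0o751, 5009, 5002),
    ("/srv/www/clients/client1/web16/web", 0o710, 5009, 5002),
]
HTACCESS = ("/srv/www/clients/client1/web16/web/.htaccess", 0o754, 5009, 5002)


def supplementary_gids(group_text, user):
    """Gids of every /etc/group entry that lists `user` as a member."""
    gids = set()
    for line in group_text.splitlines():
        _name, _pw, gid, members = line.split(":")
        if user in members.split(","):
            gids.add(int(gid))
    return gids


def permitted(mode, owner, group, uid, gids, want):
    """POSIX picks exactly one class: owner, else group, else other."""
    if uid == owner:
        bits = mode >> 6
    elif group in gids:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & 7 & want) == want


def first_denial(group_text, user, uid, primary_gid):
    """First path `user` cannot search (dirs) or read (.htaccess), else None."""
    gids = supplementary_gids(group_text, user) | {primary_gid}
    for path, mode, owner, group in DIRS:
        if not permitted(mode, owner, group, uid, gids, 0o1):  # x = search
            return path
    path, mode, owner, group = HTACCESS
    if not permitted(mode, owner, group, uid, gids, 0o4):      # r = read
        return path
    return None
```

With the posted group file the walk stops at the web directory (mode 0710, no bits for "other"), which is why Apache reports the .htaccess inside it as unreadable; with wwwrun added to client1 the group execute bit applies and nothing is denied.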
It seems that we are getting somewhere. Thank you very much for your time. I have checked and apache on Opensuse 11.1 runs under user wwwrun and group www. So to be sure I will change it in ISPconfig > server config > web and I will make /etc/group like this:

Code:
client1:!:5002:wwwrun
client2:!:5003:wwwrun
client3:!:5004:wwwrun
client4:!:5007:wwwrun

Is this ok? I'm asking because I don't want to have problems with the working sites (their permissions, as you can see, seem to be wrong but they are working). Also I have noticed on ISPconfig > server config > web the following: On /etc/php5 I have a fastcgi folder with a php.ini inside. Should I change the CGI path on server config also?
Yes, looks fine. As the php settings seem to work now for the existing sites, I would leave it as it is.
Thank you very much!!!!! It is working now!!!! I had to reboot the server (not just apache) for it to work but it seems ok now. If I have any problem I will report here. (I have one but it is for another thread). Thanks again Till and keep up the great work!!!!
One more relatively small problem exists. I cannot access the stats folder on this site. I'm getting "403 Forbidden" and no login screen. Inside the stats folder there is only a .htaccess file and nothing else. Do I have to wait for the files to appear? Thanks again.
Hi, I'm having the same problem. I'm running the latest ISPConfig3 release on CentOS 5.5. All the sites are running with Fast-CGI and suExec. Each time I make any modification I have to manually change the perms to 711 on the web folder. On /etc/group I have this: The output of groups apache shows: The perm on a site when I create are: And I always get a Permission denied until I change them to: Other workaround is to change the group owner of the web directory to apache. I need help on sorting this out. I followed the multiserver installation as detailed in the ISPConfig Manual I bought. I have a dedicated mysql server, that is my multiserver setup.

Thank you in advance,
Sergio Rosa