Client Denied By Server Configuration - ISPConfig 3/Ubuntu 16.04

Discussion in 'Installation/Configuration' started by mxc, Mar 30, 2017.

  1. mxc

    mxc ISPConfig Developer ISPConfig Developer

    Hi there,
    I did an installation of ISPConfig3 on Ubuntu 16.04 and then restored an existing ISPConfig database over the installation. I don't think the issue is related to this but thought it worth mentioning in case it is. I cannot access the ISPConfig 8080 application and get the following error

    [Thu Mar 30 13:07:08.432836 2017] [access_compat:error] [pid 1213] [client] AH01797: client denied by server configuration: /var/www/ispconfig/"

    I know this is supposed to relate to the new access module in Apache 2.4. but cannot for the life of me find out where the issue is. There are no mysql issues n the mysql.log file, the ispconfig.vhost and ispconfig.conf files are the same as on my other ISPConfig boxes.

    I have tried pointng /var/www/ispconfig to a simple folder with an html file and still no luck. I rewrote the vhost file to be a simple Directory directive with "Require all granted" and still no luck. Does anyone have any idea where to look? I tried to strace the apache process but I don't get much out of it. I can see apache checking the /var/www/ispconfig dir for a .htaccess file and then it fails.

    Last edited: Mar 30, 2017
  2. mxc

    mxc ISPConfig Developer ISPConfig Developer

    Hi all,
    I solved the problem but its not all together clear to me what caused the problem in the first place because my reading of the apache documentations makes no mention of a conflict between the two access modules, in fact it says it shouldn't be a problem, (see below).

    I didn't need to do edit any files on my other servers running Ubuntu 16.04 and they use the mod_authz_host syntax. These were upgrades from 14.04 so maybe that makes a difference. The only other difference between those deployments and this one, is that this was a migration from Centos6 to Ubuntu 16.04 with some of the ISPConfig generated files being copied across as well as a mysql backup restore and then database in place upgrade which required some finicky foot work with skip-grant-tables and mysql_upgrade. It went from mysql 5.1 to mysql 5.7


    The issue came down to an apparent conflict between the mod_access_compat module, which allows the older syntax for access control i.e "Order Allow, Deny/ Allow from All" and the mod_authz_hosts module which uses the newer "Require all granted" syntax.

    Both modules are enable on my systems as some of the older config file still use the old syntax. To get ISPConfig to work I had to edit the ispconfig.vhost file and replace all "Require all granted" syntax entries with the "Order Allow,Deny/ Allow from All" syntax. Then it all worked.

    I did not replace the "Require all denied" entries figuring I wanted to change as little as possible and by default deny seems to be the case if there is a problem processing the mod_authz_host" module.

    Hope this help someone and it would be good if anyone understand what is going on with the conflict. Or if someone can explain what is happening here. I would like to move to the new syntax but would need to get ispconfig to regenerate all the existing vhost files.

    Last edited: Mar 31, 2017
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is that the old and new syntax don't ply nicely together. e.g. when you deny access in old syntax in another file, then you can not grant access in new syntax later.

    So when you e.g. deny access to / or /var/www in apache2.conf using old syntax, then you can not grant access in new syntax to /var/www/ispconfig in a config file that is loaded later.

    On the long run, you should change all syntax to the new syntax in the other config files, the new syntax in the ispconfig files will start working then as well.

Share This Page