Error 403 on new web

Discussion in 'Installation/Configuration' started by rfnx, Jun 7, 2024.

  1. rfnx

    rfnx Member

    Web access for new site doesn't work!

    I get error 403 when I start the page!

    In the group file ispconfig is entered with:

    "ispconfig:x:5004:www-data"

    The files are on the correct web folder, have the correct rights and ispconfig has access to the group file.

    What else do I have to check to give my web access?

The Apache error log says "invalid URL path":
    Code:
    [Fri Jun 07 00:00:03.281826 2024] [mpm_event:notice] [pid 279861:tid 139917425604480] AH00489: Apache/2.4.59 (Debian) mod_fcgid/2.3.9 Phusion_Passenger/6.0.17 OpenSSL/3.0.11 mod_python/3.5.0+git20211031.e6458ec Python/3.11.2 mod_perl/2.0.12 Perl/v5.36.0 configured -- resuming normal operations
    [Fri Jun 07 00:00:03.281864 2024] [core:notice] [pid 279861:tid 139917425604480] AH00094: Command line: '/usr/sbin/apache2'
    [Fri Jun 07 00:00:03.281925 2024] [mpm_event:warn] [pid 279861:tid 139917425604480] AH00488: long lost child came home! (pid 279865)
    [ E 2024-06-07 00:01:11.2056 318312/T5 age/Cor/SecurityUpdateChecker.h:506 ]: Security update check failed: server temporarily unavailable, try again later (next check in 24 hours)
    [Fri Jun 07 00:34:48.108444 2024] [authz_core:error] [pid 318389:tid 139916679837376] [client 164.92.244.132:60920] AH01630: client denied by server configuration: /var/www/html/server-status
    [Fri Jun 07 02:04:53.030542 2024] [core:error] [pid 318389:tid 139916545619648] [client 43.133.60.210:39742] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh)
    
    When I run the site on PHP-FPM:

    Code:
[Fri Jun 07 04:25:10.190721 2024] [ssl:error] [pid 461166:tid 140449261795200] AH02604: Unable to configure certificate hostname.domain.tld:8081:0 for stapling
    [Fri Jun 07 04:25:10.190871 2024] [:notice] [pid 461166:tid 140449261795200] mod_python: Creating 8 session mutexes based on 0 max processes and 25 max threads.
    [Fri Jun 07 04:25:10.190878 2024] [:notice] [pid 461166:tid 140449261795200] mod_python: using mutex_directory /tmp
    [ N 2024-06-07 04:25:10.2022 461142/T1 age/Cor/CoreMain.cpp:1325 ]: Passenger core shutdown finished
    [Fri Jun 07 04:25:10.212465 2024] [mpm_event:notice] [pid 461166:tid 140449261795200] AH00489: Apache/2.4.59 (Debian) mod_fcgid/2.3.9 Phusion_Passenger/6.0.17 OpenSSL/3.0.11 mod_python/3.5.0+git20211031.e6458ec Python/3.11.2 mod_perl/2.0.12 Perl/v5.36.0 configured -- resuming normal operations
    [Fri Jun 07 04:25:10.212534 2024] [core:notice] [pid 461166:tid 140449261795200] AH00094: Command line: '/usr/sbin/apache2'
    [ E 2024-06-07 04:25:12.2599 461177/T5 age/Cor/SecurityUpdateChecker.h:521 ]: A security update is available for your version (6.0.17) of Phusion Passenger(R). We strongly recommend upgrading to version 6.0.22.
    [ E 2024-06-07 04:25:12.2600 461177/T5 age/Cor/SecurityUpdateChecker.h:526 ]: Additional security update check information:
    - [Fixed in 6.0.19] [CVE-2023-38545] A vulnerability existed in libcurl before 8.4.0 which was the library used for Passenger proxy functionality. Exploiting this vulnerability would require two preconditions. First a SOCKS5 proxy to be configured for Passenger licensing, anonymous telemetry, or security update check which is not the default but is possible. Second the attacker would need to cause Passenger to use an attacker-controlled URL when performing these requests. Causing Passenger to use non-standard urls requires that the attacker already have code execution on the Passenger host, or control of the Passenger config. If exploited this vulnerability could lead to code execution, due to buffer overflow.
    [Fri Jun 07 04:33:36.340100 2024] [cgid:error] [pid 461199:tid 140448769201856] [client 31.220.1.83:57174] AH01264: script not found or unable to stat: /usr/lib/cgi-bin/luci
    Is it the SSL error I need to fix?
    Code:
    [Fri Jun 07 04:25:10.190721 2024] [ssl:error] [pid 461166:tid 140449261795200] AH02604: Unable to configure certificate hostname.domain.tld:8081:0 for stapling
    BTW:
    How can I get the cgid:error & libcurl vulnerability fixed & could Phusion be the main issue here?
    apt update and upgrade didn't fix it ;)

    Will run a dist-upgrade ...

    The server is running on Debian 12.2.0-14
    Thanks in advance ...
     
    Last edited: Jun 7, 2024
  2. rfnx

    rfnx Member

The dist-upgrade didn't fix it!

    Server still on Debian 12.2.0-14 and Phusion still on 6.0.17 ...

    hmmm :( have no clue why not 12.4 !
    My sources.list is pointing to:

Performed the tests from the guidelines and added system info in the hope it will help:

    Code:
    ##### SERVER #####
    PHP CLI: 8.2.18
    Apache/2.4.59 (Debian)
    
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 12 (bookworm)
    
    [INFO] uptime:  07:05:01 up  1:49,  1 user,  load average: 0,03, 0,02, 0,00
    
    [INFO] memory:
                  gesamt       benutzt     frei      gemns.  Puffer/Cache verfügbar
    Speicher:       15Gi       2,3Gi        12Gi        55Mi       1,0Gi        13Gi
    Swap:             0B          0B          0B
    
    [INFO] systemd failed services status:
      UNIT LOAD ACTIVE SUB DESCRIPTION
    0 loaded units listed.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.11p2
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 8.2.18
    [INFO] php-cgi (used for cgi php in default vhost!) is version 8.2.18
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    [WARN] I found no "smtps" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer SSL for smtp (not TLS) connections you have to enable this.
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Apache 2 (PID 927)
    [INFO] I found the following mail server(s):
        Postfix (PID 1318)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 694)
    [INFO] I found the following imap server(s):
        Dovecot (PID 694)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 1086)
    
    ##### LISTENING PORTS #####
    Server)        ()
    Local        (Address)
    [anywhere]:465        (1318/master)
    [anywhere]:143        (694/dovecot)
    [anywhere]:25        (1318/master)
    [anywhere]:22        (729/sshd:)
    [anywhere]:21        (1086/pure-ftpd)
    [anywhere]:110        (694/dovecot)
    [localhost]:11334        (764/rspamd:)
    [localhost]:11332        (764/rspamd:)
    [localhost]:11333        (764/rspamd:)
    [anywhere]:995        (694/dovecot)
    [anywhere]:993        (694/dovecot)
    [anywhere]:587        (1318/master)
    [localhost]:11211        (698/memcached)
    [localhost]:10023        (491/postgrey)
    [anywhere]:3306        (820/mariadbd)
    [localhost]:953        (699/named)
    [localhost]:953        (699/named)
    [localhost]:953        (699/named)
    [localhost]:953        (699/named)
    ***.***.***.***:53        (699/named)
    ***.***.***.***:53        (699/named)
    ***.***.***.***:53        (699/named)
    ***.***.***.***:53        (699/named)
    [localhost]:53        (699/named)
    [localhost]:53        (699/named)
    [localhost]:53        (699/named)
    [localhost]:53        (699/named)
    [localhost]:6379        (701/redis-server)
    *:*:*:*::*:443        (927/apache2)
    *:*:*:*::*:465        (1318/master)
    [localhost]43        (694/dovecot)
    *:*:*:*::*:25        (1318/master)
    *:*:*:*::*:22        (729/sshd:)
    *:*:*:*::*:21        (1086/pure-ftpd)
    [localhost]10        (694/dovecot)
    *:*:*:*::*:80        (927/apache2)
    2a03:4000:55:f45:583:53        (699/named)
    2a03:4000:55:f45:583:53        (699/named)
    2a03:4000:55:f45:583:53        (699/named)
    2a03:4000:55:f45:583:53        (699/named)
    *:*:*:*::*:995        (694/dovecot)
    *:*:*:*::*:993        (694/dovecot)
    *:*:*:*::*5833:beff:fe44:53        (699/named)
    *:*:*:*::*5833:beff:fe44:53        (699/named)
    *:*:*:*::*5833:beff:fe44:53        (699/named)
    *:*:*:*::*5833:beff:fe44:53        (699/named)
    *:*:*:*::*:587        (1318/master)
    *:*:*:*::*:6379        (701/redis-server)
    *:*:*:*::*:3306        (820/mariadbd)
    *:*:*:*::*:53        (699/named)
    *:*:*:*::*:53        (699/named)
    *:*:*:*::*:53        (699/named)
    *:*:*:*::*:53        (699/named)
    *:*:*:*::*:953        (699/named)
    *:*:*:*::*:953        (699/named)
    *:*:*:*::*:953        (699/named)
    *:*:*:*::*:953        (699/named)
    *:*:*:*::*:10023        (491/postgrey)
    *:*:*:*::*:11332        (764/rspamd:)
    *:*:*:*::*:11333        (764/rspamd:)
    *:*:*:*::*:11334        (764/rspamd:)
    *:*:*:*::*:8081        (927/apache2)
    *:*:*:*::*:8080        (927/apache2)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    f2b-postfix-sasl  6    --  [anywhere]/0            [anywhere]/0            multiport dports 25
    f2b-sshd   6    --  [anywhere]/0            [anywhere]/0            multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain f2b-postfix-sasl (1 references)
    target     prot opt source               destination
    REJECT     0    --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    RETURN     0    --  [anywhere]/0            [anywhere]/0  
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination
    REJECT     0    --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     0    --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    RETURN     0    --  [anywhere]/0            [anywhere]/0  
    
    
    
    
    ##### LET'S ENCRYPT #####
    acme.sh is installed in /root/.acme.sh/acme.sh
    
    Here the log tail:

    Code:
    [Fri Jun 07 05:15:41.930958 2024] [ssl:error] [pid 927:tid 139656139134848] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: [email protected],CN=hostname.domain.tld,OU=IT,O=G\\C3\\83\\C2\\B6ttexxxxd,L=Meerbusch,ST=Nordrheinwestphalen,C=DE / issuer: [email protected],CN=hostname.domain.tld,OU=IT,O=G\\C3\\83\\C2\\B6ttexxxxd,L=Meerbusch,ST=Nordrheinwestphalen,C=DE / serial: 60C29F7293241556F61962BEF1DE620EAD5A2EAC / notbefore: Dec 11 08:38:53 2023 GMT / notafter: Dec 8 08:38:53 2033 GMT]
    [Fri Jun 07 05:15:41.930981 2024] [ssl:error] [pid 927:tid 139656139134848] AH02604: Unable to configure certificate hostname.domain.tld,8081:0 for stapling
    [ N 2024-06-07 05:15:41.9357 887/T1 age/Cor/CoreMain.cpp:1325 ]: Passenger core shutdown finished
    [Fri Jun 07 05:15:41.957849 2024] [:notice] [pid 927:tid 139656139134848] mod_python: Creating 8 session mutexes based on 0 max processes and 25 max threads.
    [Fri Jun 07 05:15:41.957878 2024] [:notice] [pid 927:tid 139656139134848] mod_python: using mutex_directory /tmp
    [Fri Jun 07 05:15:42.034951 2024] [mpm_event:notice] [pid 927:tid 139656139134848] AH00489: Apache/2.4.59 (Debian) mod_fcgid/2.3.9 Phusion_Passenger/6.0.17 OpenSSL/3.0.11 mod_python/3.5.0+git20211031.e6458ec Python/3.11.2 mod_perl/2.0.12 Perl/v5.36.0 configured -- resuming normal operations
    [Fri Jun 07 05:15:42.035059 2024] [core:notice] [pid 927:tid 139656139134848] AH00094: Command line: '/usr/sbin/apache2'
    [ E 2024-06-07 05:15:43.9929 948/T5 age/Cor/SecurityUpdateChecker.h:521 ]: A security update is available for your version (6.0.17) of Phusion Passenger(R). We strongly recommend upgrading to version 6.0.22.
    [ E 2024-06-07 05:15:43.9929 948/T5 age/Cor/SecurityUpdateChecker.h:526 ]: Additional security update check information:
    - [Fixed in 6.0.19] [CVE-2023-38545] A vulnerability existed in libcurl before 8.4.0 which was the library used for Passenger proxy functionality. Exploiting this vulnerability would require two preconditions. First a SOCKS5 proxy to be configured for Passenger licensing, anonymous telemetry, or security update check which is not the default but is possible. Second the attacker would need to cause Passenger to use an attacker-controlled URL when performing these requests. Causing Passenger to use non-standard urls requires that the attacker already have code execution on the Passenger host, or control of the Passenger config. If exploited this vulnerability could lead to code execution, due to buffer overflow.
    Sorry, but my MCITP SA doesn't really help me here :mad:

BTW: I remember that I was getting NPM with node.js running, but no longer remember exactly why; I think it was because of a user framework that I wanted to get running with Joomla because of user points & rankings ...
     
    Last edited: Jun 7, 2024
  3. till

    till Super Moderator Staff Member ISPConfig Developer

This is not related to websites, it's the user of the ISPConfig GUI.

In which folder did you install MediaWiki and which rights and owner do the files have? Website files are never owned by user ispconfig; they are owned by the webID user and clientID group of the website, and this user differs for each website and the group differs for each client. So in case you changed the owner of the MediaWiki files to ispconfig or www-data, then you know why you get that error, as the user and group you used are wrong then.

That's the wrong log. Nothing in that log is about your MediaWiki site issue and nothing in there needs to be fixed. You must look into the error.log file of the website; it's in the log folder of the website.

I guess you are not aware yet how Linux distributions work. Linux distributions work by fixing issues without altering the software versions, so the info you find in the log, which is unrelated to your issue anyway, is likely wrong. So unless there is anything to install when you run apt-get update and your Debian version is still supported, which Debian 12 is, then there is nothing to do. Do not dist-upgrade if there is no dist-upgrade needed.
     
  4. rfnx

    rfnx Member

    /var/www/clients/client2/web15/web

Uuups :confused:.. /var/log/ispconfig/httpd/domain.tld/error.log says:

    [Fri Jun 07 08:31:16.820312 2024] [authz_core:error] [pid 1011:tid 139655928297152] [client 43.159.129.209:45048] AH01630: client denied by server configuration: /var/www/domain.tld/web/index.php

    nope ... not at all :p I'm a stupid click'n'enjoy & have-fun-fixing-by-try'n'error-nerd
    Then I will try to take that into account in the future before I iron out updates

    But what do I have to do to access the wiki?
     

  5. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    well, you should have checked your /var/lib/mysql for permission errors before destroying the vm then *jokingly*

Anyway, I wonder, how do you do your snapshots? Memory freezing the VM? I wonder if it has been corrupted at some point in time without notice.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Post the output of:

    ls -la /var/www/clients/client2/web15/web

    Is this the only error in that file?
     
  7. rfnx

    rfnx Member

    hh!

    is it to change the vhost?
    to

    Order allow,deny
    Allow from all
    &
    Require all granted

At the moment it's as follows:


    [screenshot attachment: upload_2024-6-7_9-0-32.png]

    Sorry, I should have done the LPIC instead of the MS crap!
     
  8. rfnx

    rfnx Member

    yah man! Or employ a pro :D

    I do it in the hoster's web panel ...
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

No. The config files are fine of course, unless you edited them manually. Please just post the info we ask you to post; this will be faster for all of us, and we avoid your system getting damaged further.
     
  10. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Also I wonder, you have rspamd installed, looks like a newer setup, but php-fpm is not in the list in #2 ?
    systemctl status php8.2-fpm ?
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Good point, yes, it's definitely missing for such a new Debian system. Or at least, he can only use fastcgi mode without it for PHP and not php-fpm.
     
  12. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    If the php-fpm unit is not found, maybe something else is missing, too
     
  13. rfnx

    rfnx Member

    yes, repetitively.
    Here the whole thing:
    [screenshot attachment: upload_2024-6-7_9-9-31.png]
     
  14. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

What PHP execution method did you choose for this web? Default? CGI? FPM? Disabled? ^
     
  15. rfnx

    rfnx Member

    Hey guys sorry!

    I have no idea!

    Strictly speaking, the server isn't even mine, but something I recommended to a friend for his "project to save the world" (gotnet.io). I'm just having fun fiddling around and may host my stuff about healing plants on his server ;)
     
  16. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

If you go to your domain /index.html you get a 404. So the 403 is caused by the server not being able to parse the PHP files and therefore denying access to the source code.

    Something in the setup is not working
    $ systemctl status php8.2-fpm
     
  17. rfnx

    rfnx Member

Oh, there are different modes to execute PHP? :rolleyes:
    I just call it by browser or command line.
    The site itself is set to PHP-FPM in ISPC at the moment ...

    [screenshot attachment: upload_2024-6-7_9-20-40.png]
     
  18. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

Your php-fpm is either not installed or not functioning on the system.
    Fast-CGI will work but, who wants that :)
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    And please answer the questions about which PHP method you used for the site, or make a screenshot of the whole site settings and post that.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

Ok, so you use php-fpm without having PHP-FPM installed. Switch the site to fastcgi mode, or install php-fpm and start it.
     
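The diagnosis the thread converges on (a 403 from AH01630 denials in the site's own error.log because the PHP-FPM handler the site is set to is not installed, while the scanner and OCSP-stapling noise in the global log is unrelated) can be checked in one script. This is an added example, not code from the thread or from ISPConfig; it assumes the site layout /var/www/clients/clientN/webM/web, the per-site log /var/log/ispconfig/httpd/domain.tld/error.log and the unit name php8.2-fpm exactly as they appear in the posts above, and the sample log lines it runs on are constructed.

```shell
#!/bin/sh
# Added diagnostic helper for an ISPConfig site returning 403 (not from the thread or ISPConfig).
# Assumptions: site dir /var/www/clients/clientN/webM/web, per-site error.log under
# /var/log/ispconfig/httpd/<domain>/, and the php-fpm unit named php8.2-fpm, as in the thread.

# classify_line LINE: map one Apache error-log line to the cause the thread identified for it.
classify_line() {
  case "$1" in
    *AH01630*)           echo "denied-by-config" ;;  # authz_core: no PHP handler, source refused
    *AH10244*|*AH01264*) echo "scanner-noise" ;;     # core/cgid: bots probing /cgi-bin, not the site
    *AH02604*|*AH02217*) echo "ocsp-stapling" ;;     # ssl: stapling on the panel vhost, no 403 cause
    *)                   echo "other" ;;
  esac
}

# count_denials FILE: number of AH01630 denials in a site error.log (0 when none).
count_denials() { grep -c 'AH01630' "$1" || true; }

# owner_ok DIR USER GROUP: true when DIR is owned by the site's webN user and clientN group,
# which ISPConfig expects; ownership by ispconfig or www-data is wrong for site files.
owner_ok() {
  have=$(ls -ld "$1" | awk '{print $3, $4}')
  [ "$have" = "$2 $3" ]
}

# fpm_state UNIT: active / inactive / not-installed / no-systemd (the check from posts #10 and #20).
fpm_state() {
  command -v systemctl >/dev/null 2>&1 || { echo "no-systemd"; return; }
  systemctl cat "$1" >/dev/null 2>&1 || { echo "not-installed"; return; }
  systemctl is-active "$1" 2>/dev/null || true
}

# diagnose FILE UNIT: one verdict per log entry, then the php-fpm state and the fix to apply.
diagnose() {
  while IFS= read -r line; do
    printf '%s\t%s\n' "$(classify_line "$line")" "${line#*] }"
  done <"$1"
  state=$(fpm_state "$2")
  printf 'php-fpm (%s): %s\n' "$2" "$state"
  [ "$(count_denials "$1")" -gt 0 ] && [ "$state" != active ] &&
    echo "denials without a running $2: install and start it, or switch the site to fastcgi"
  return 0
}

# Constructed sample log modelled on the thread's entries (IPs and hostnames are placeholders).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[Fri Jun 07 08:31:16.820312 2024] [authz_core:error] [pid 1011:tid 1] [client 203.0.113.5:45048] AH01630: client denied by server configuration: /var/www/domain.tld/web/index.php
[Fri Jun 07 08:31:20.000000 2024] [core:error] [pid 1011:tid 2] [client 203.0.113.9:39742] AH10244: invalid URI path (/cgi-bin/redacted)
[Fri Jun 07 08:31:25.000000 2024] [ssl:error] [pid 1011:tid 1] AH02604: Unable to configure certificate hostname.domain.tld:8081:0 for stapling
EOF
diagnose "$SAMPLE_LOG" php8.2-fpm
rm -f "$SAMPLE_LOG"
```

Point `diagnose` at the real per-site error.log and `owner_ok` at the site's web directory with its webN/clientN names to run the same checks on a live server.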