Hello,

After updating the operating system from SLES 12 SP5 to SLES 15 SP5, I noticed that when I try to open the ISPConfig web interface on port 8080, the forbidden message appears. Recently I was able to successfully update another server. I copied the /etc/apache2 files from it, but it didn't help. I also tried the ISPConfig update script with the -force parameter, but it didn't work. I also noticed errors in the Apache error_log:

[Thu Mar 07 14:15:34.366927 2024] [authz_core:error] [pid 3956] [client x.x.x.x:4184] AH01630: client denied by server configuration: /usr/share/apache2/error/HTTP_FORBIDDEN.html.var

I also verified the interface of the phpMyAdmin application and it works without any problems: x.x.x.x:8080/phpmyadmin

Are there any blacklist configuration settings in another location that ISPConfig can read? I don't think it's a configuration problem in /etc/apache2.

Best Regards
Radoslaw
Most likely Apache itself was updated, which changed the configuration syntax; see here: https://httpd.apache.org/docs/2.4/upgrading.html#access Make sure the vhosts in question are configured properly for the version of Apache in use.
Yeah, but the version before the upgrade: Server version: Apache/2.4.51 (Linux/SUSE), and the version after the upgrade: Server version: Apache/2.4.51 (Linux/SUSE)
OK, can you please provide the vhost configuration in question then? It's very hard to debug this without knowing any of your configurations. Is the DocumentRoot path correct and accessible?
Vhost config

Code:
######################################################
# This virtual host contains the configuration
# for the ISPConfig controlpanel
######################################################

Listen 8080
NameVirtualHost *:8080

<VirtualHost _default_:8080>
  ServerAdmin webmaster@localhost

  Alias /mail /srv/www/ispconfig/mail

  <Directory /srv/www/ispconfig/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>
  <Directory /usr/local/ispconfig/interface/web/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>

  <IfModule mod_fcgid.c>
    DocumentRoot /srv/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /srv/www/ispconfig/>
      Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
      AllowOverride AuthConfig Indexes Limit Options FileInfo
      <FilesMatch "\.php$">
        SetHandler fcgid-script
      </FilesMatch>
      FCGIWrapper /srv/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
      Require all granted
    </Directory>
    IPCCommTimeout 7200
    MaxRequestLen 15728640
  </IfModule>

  <IfModule mpm_itk_module>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AssignUserId ispconfig ispconfig
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
      # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
      Options +FollowSymLinks
      AllowOverride None
      Require all granted
      php_value magic_quotes_gpc 0
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>

  # SSL Configuration
  SSLEngine On
  SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  SSLHonorCipherOrder On

  <IfModule mod_headers.c>
    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
    Header set X-Content-Type-Options: nosniff
    Header set X-Frame-Options: SAMEORIGIN
    Header set X-XSS-Protection: "1; mode=block"
    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"
    <IfVersion >= 2.4.7>
      Header setifempty Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    <IfVersion < 2.4.7>
      Header set Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    RequestHeader unset Proxy early
  </IfModule>

  SSLUseStapling On
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors Off

  # Redirect http to https
  ErrorDocument 400 "<script>document.location.href='https://'+location.hostname+':'+location.port;</script><h1>Error 400 - trying to redirect</h1>"
</VirtualHost>
You have new mail in /var/spool/mail/root

and the config file

Code:
# Important: A copy of this file exists in server/conf/ folder.
# Edit both files when applying changes.

################################################
# ISPConfig General Apache Options
################################################
ServerTokens ProductOnly
ServerSignature Off
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm standard_index.html

################################################
# ISPConfig Logfile configuration for vlogger
################################################

SetEnvIf Request_URI "^/datalogstatus.php$" dontlog
LogFormat "%v %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig
CustomLog "| /usr/local/ispconfig/server/scripts/vlogger -s access.log -t \"%Y%m%d-access.log\" /var/log/ispconfig/httpd" combined_ispconfig

<Directory /var/www/clients>
  AllowOverride None
  Require all denied
</Directory>

# Do not allow access to the root file system of the server for security reasons
<Directory />
  Options -Indexes
  AllowOverride None
  Require all denied
</Directory>

<Directory /var/www>
  Options -Indexes
</Directory>

<Directory /var/www/conf>
  AllowOverride None
  Require all denied
</Directory>

# Except of the following directories that contain website scripts
<Directory /usr/share/phpmyadmin>
  Require all granted
</Directory>

<Directory /usr/share/phpMyAdmin>
  Require all granted
</Directory>

<Directory /srv/www/htdocs>
  Require all granted
</Directory>

<Directory /usr/share/squirrelmail>
  Require all granted
</Directory>

# Allow access to mailman on OpenSuSE
<Directory /usr/lib/mailman/cgi-bin>
  Require all granted
</Directory>

<Directory /usr/lib/mailman/icons>
  Require all granted
</Directory>

<Directory /var/lib/mailman/archives/>
  Options +FollowSymLinks
  Require all granted
</Directory>

# allow path to awstats and alias for awstats icons
<Directory /usr/share/awstats>
  Require all granted
</Directory>

Alias /awstats-icon "/usr/share/awstats/icon"

<IfModule mod_ssl.c>
  SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>

<Directory /var/www/php-cgi-scripts>
  AllowOverride None
  Require all denied
</Directory>

<Directory /var/www/php-fcgi-scripts>
  AllowOverride None
  Require all denied
</Directory>

phpMyAdmin works fine, but if I change <Directory /srv/www/ispconfig/> to /srv/www/ and paste another HTML file, it works.

I have a symlink in /srv/www/

lrwxrwxrwx 1 root root 34 Mar 8 13:44 ispconfig -> /usr/local/ispconfig/interface/web

My files in /usr/local/ispconfig/

total 68K
drwxr-xr-x 1 ispconfig ispconfig 436 Mar 8 14:04 .
drwxr-x--x 1 ispconfig ispconfig 72 May 11 2017 ..
drwxr-x--x 1 ispconfig ispconfig 2.1K Mar 8 14:06 admin
-rwxr-x--x 1 ispconfig ispconfig 3.0K Mar 8 14:01 capp.php
drwxr-x--x 1 ispconfig ispconfig 814 Sep 30 2015 client
-rwxr-x--x 1 ispconfig ispconfig 2.1K Mar 8 14:01 common.php
-rwxr-x--x 1 ispconfig ispconfig 3.0K Mar 8 14:01 content.php
drwxr-x--x 1 ispconfig ispconfig 116 Sep 30 2015 dashboard
-rwxr-x--x 1 ispconfig ispconfig 1.9K Mar 8 14:01 datalogstatus.php
drwxr-x--x 1 ispconfig ispconfig 1.3K Jun 11 2021 dns
-rwxr-x--x 1 ispconfig ispconfig 0 Mar 8 14:01 dummy_login.html
-rwxr-x--x 1 ispconfig ispconfig 19K Mar 7 12:06 favicon.ico
drwxr-x--x 1 ispconfig ispconfig 486 Sep 30 2015 help
-rwxr-x--x 1 ispconfig ispconfig 4.5K Mar 8 14:01 index.php
drwxr-x--x 1 ispconfig ispconfig 408 Dec 6 2016 js
-rwxr-x--x 1 ispconfig ispconfig 1.7K Mar 8 14:01 keepalive.php
drwxr-x--x 1 ispconfig ispconfig 136 Jul 26 2023 login
drwxr-x--x 1 ispconfig ispconfig 3.5K Apr 7 2022 mail
drwxr-x--x 1 ispconfig ispconfig 424 Sep 30 2015 mailuser
drwxr-x--x 1 ispconfig ispconfig 428 Jul 18 2019 monitor
-rwxr-x--x 1 ispconfig ispconfig 5.1K Mar 8 14:01 nav.php
-rwxr-x--x 1 ispconfig ispconfig 19 Oct 9 2015 pinfo.php
drwxr-x--x 1 ispconfig ispconfig 72 Jul 4 2017 remote
-rwxr-x--x 1 ispconfig ispconfig 26 Mar 8 14:01 robots.txt
drwxr-x--x 1 ispconfig ispconfig 2.5K Dec 6 2016 sites
drwxr-x--x 1 ispconfig ispconfig 6 Sep 30 2015 strengthmeter
drwxr-x--x 1 ispconfig ispconfig 18 Sep 30 2015 temp
drwxr-x--x 1 ispconfig ispconfig 122 Sep 30 2015 themes
drwxr-x--x 1 ispconfig ispconfig 334 Dec 6 2016 tools
drwxr-x--x 1 ispconfig ispconfig 612 Sep 30 2015 vm
lrwxrwxrwx 1 ispconfig ispconfig 34 Mar 7 11:37 web -> /usr/local/ispconfig/interface/web
As you've changed the default path, make sure that all the permissions are correct. I'm not familiar with SLES. Maybe this is due to an SELinux issue? Can you check if it is running, and if so, deactivate it temporarily and check if it interferes with your config?

Code:
# check whether SELinux is enabled
selinuxenabled && echo enabled || echo disabled
# temporarily switch to permissive mode
echo 0 > /sys/fs/selinux/enforce
# switch back to enforcing mode
echo 1 > /sys/fs/selinux/enforce

And when you run the ISPConfig server.php from the command line, does that work properly?
SELinux is not installed. And server.php is: php -q server.php finish server.php. Maybe I can try other scripts to check that it works fine.
OK, then I can only imagine some permission issue on the filesystem level. Maybe you messed something up by changing the default path and creating the symlink. The line "AH01630: client denied by server configuration: /usr/share/apache2/error/HTTP_FORBIDDEN.html.var." indicates that whatever you are trying to reach is not allowed by the configuration. This usually happens when the permissions to the path in any location or directory field are wrong.
Apache is a bit picky when it comes to mixing old allow/deny and new grant syntax. E.g. if you deny access to a folder in old syntax, it cannot be granted by a later command in new syntax, and vice versa. Such permission denied errors are often caused on older systems when you might have config files in old and new syntax mixed somewhere.
OK, I use ispconfig_update.sh ---force to fix permissions. Do you have a script that fixes this problem?
This is not a fix for the possible issue I described, as the issue is not caused by files managed by ISPConfig. No, you have to look through the config files that do not belong to ISPConfig for this.
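One way to carry out the search suggested in the replies above (looking for old allow/deny syntax mixed with the new `Require` syntax in config files outside ISPConfig's control), as an added example that is not part of the thread. The helper names `classify_conf`, `scan_tree` and `make_sample` are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: locate Apache 2.2-style access control (Order/Allow/Deny/Satisfy)
# that may be mixed with 2.4-style "Require" lines. Helper names are hypothetical.

# Directives are case-insensitive; commented-out lines are ignored by the ^ anchor.
LEGACY_RE='^[[:space:]]*(Order[[:space:]]+(allow|deny)|(Allow|Deny)[[:space:]]+from|Satisfy[[:space:]]+(any|all))'
MODERN_RE='^[[:space:]]*Require[[:space:]]'

# classify_conf FILE -> prints one of: legacy, modern, mixed, none
classify_conf() {
    legacy=0; modern=0
    if grep -Eiq "$LEGACY_RE" "$1"; then legacy=1; fi
    if grep -Eiq "$MODERN_RE" "$1"; then modern=1; fi
    case "$legacy$modern" in
        11) echo mixed ;;
        10) echo legacy ;;
        01) echo modern ;;
        *)  echo none ;;
    esac
}

# scan_tree DIR -> for each file with legacy directives: "<kind> <path>",
# followed by the matching lines with their line numbers.
scan_tree() {
    find "$1" -type f | sort | while IFS= read -r f; do
        kind=$(classify_conf "$f")
        case "$kind" in
            legacy|mixed)
                echo "$kind $f"
                grep -Ein "$LEGACY_RE" "$f" | sed 's/^/    /'
                ;;
        esac
    done
}

# make_sample DIR -> writes constructed sample files (not taken from the thread)
make_sample() {
    mkdir -p "$1"
    printf '<Directory /a>\n  Order allow,deny\n  Deny from all\n</Directory>\n' > "$1/old.conf"
    printf '<Directory /b>\n  Require all granted\n</Directory>\n' > "$1/new.conf"
    printf '<Directory /c>\n  Order deny,allow\n  Allow from all\n  Require all granted\n</Directory>\n' > "$1/mix.conf"
    printf '# Order allow,deny\nServerSignature Off\n' > "$1/none.conf"
}

# Stand-alone use: sh scan.sh /etc/apache2
if [ "$#" -gt 0 ]; then scan_tree "$1"; fi
```

Because the posted vhost sets `AllowOverride ... Limit` for the document root, `.htaccess` files below it can also carry old-style directives, so the same scan is worth running there as well as on `/etc/apache2`.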
Hi, we would like to set up new servers, preferably in a cluster and with the ISPConfig panel. It would be best if there were two or more servers with a shared database. We are trying to do it on Debian and using Pacemaker. What Linux distributions do you recommend for this project?
Use Debian or Ubuntu. But Debian is most likely easier, as all multiserver guides exist for Debian only. ISPConfig requires a separate database for each node as it takes care of replicating its own data, but you can try to put all of them on the same server instance. It will be slower than the default multiserver setup, but if speed does not matter that much for you, then you can likely use a central database.
Do you recommend a database on DRBD and replication of files? I am thinking about a Debian cluster with Pacemaker; what do you think about it?