my day just keeps getting better! (non-threatening title). Nextcloud and rocky8/9?

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 18, 2023.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I've been building a new server, and I'm fighting some things that I think come down to an .htaccess problem.
    I've got nextcloud installed in /var/www/html/nextcloud.
    on an older server, I had it as a vhost but I was trying to set it up to be accessed as domain.com/nextcloud.
    I set up rainloop to work nicely with a rainloop.conf file in /etc/httpd/conf.d
    I created a similar file for nextcloud and it's not installing properly, and the error is it can't create a test file during install. from error.log:
    AH01797: client denied by server configuration: /var/www/html/nextcloud/data/htaccesstest.txt
    it seems that we are having trouble getting outside the website root /var/www/domain.com into /var/www/html/nextcloud
    but I've made /var/www/html/nextcloud permissions 777 and -R so permissions should not be an issue I thought.
    the nextcloud install fails with the server error above. in the /var/www/html/nextcloud/data we have an .htaccess file it creates with contents:
    Code:
    # Generated by Nextcloud on 2023-09-18 15:19:29
    # Section for Apache 2.4 to 2.6
    <IfModule mod_authz_core.c>
      Require all denied
    </IfModule>
    <IfModule mod_access_compat.c>
      Order Allow,Deny
      Deny from all
      Satisfy All
    </IfModule>
    
    # Section for Apache 2.2
    <IfModule !mod_authz_core.c>
      <IfModule !mod_access_compat.c>
        <IfModule mod_authz_host.c>
          Order Allow,Deny
          Deny from all
        </IfModule>
        Satisfy All
      </IfModule>
    </IfModule>
    
    # Section for Apache 2.2 to 2.6
    <IfModule mod_autoindex.c>
      IndexIgnore *
    </IfModule>
    
    any ideas why the install fails in this way?
    thanks :)
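
Added example (not part of the original post and not Nextcloud's own code): a small Python evaluator for the `<IfModule>` blocks in the .htaccess quoted above. It reports which directives take effect for a given set of loaded modules, so you can see whether the data directory is actually closed to HTTP clients. The two module sets are assumptions, not values read from the poster's server, and the result only applies where AllowOverride lets the file take effect.

```python
import re

# Directives from the data/.htaccess quoted in the post above (comments dropped).
HTACCESS = """\
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>
"""

def active_directives(text, loaded):
    """Return the directives that apply when the modules in `loaded` are present."""
    stack, out = [], []  # one bool per open <IfModule>; all must be True
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"<IfModule\s+(!?)(\S+)>", line, re.I)
        if m:
            stack.append((m.group(2) in loaded) != bool(m.group(1)))  # "!" inverts
        elif line.lower() == "</ifmodule>":
            stack.pop()
        elif line and not line.startswith("#") and all(stack):
            out.append(line)
    if stack:
        raise ValueError("unclosed <IfModule>")
    return out

def denies_all(directives):
    """True if an active directive refuses every client."""
    return any(d.lower() in ("require all denied", "deny from all") for d in directives)

# Assumed module sets (constructed for this example): a 2.4-style and a 2.2-style build.
APACHE_24 = {"mod_authz_core.c", "mod_access_compat.c", "mod_authz_host.c", "mod_autoindex.c"}
APACHE_22 = {"mod_authz_host.c", "mod_autoindex.c"}
if __name__ == "__main__":
    print(active_directives(HTACCESS, APACHE_24))
```

With none of the listed modules loaded, only `Satisfy All` survives and nothing is denied, which is the case worth checking for on a server where the data directory sits under a web-reachable path.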
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should change the path to be inside the PHP open_basedir, or change the PHP open_basedir to allow your (unusual) path.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    ah I'll try that I was wondering.... thanks th0m!
    but the weird thing is that I use /rainloop (also a .conf under /etc/httpd/conf.d) and it is under /usr/share and I have NOT put it in the basedir - but it works fine!
    and one point though, the purpose is to have /nextcloud available on all sites! surely I don't have to add it to basedir for everyone!
     
    Last edited: Sep 20, 2023
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Running an app in the way you try to run nextcloud means that the app runs in the context of the website and not in its own php and security context. This will cause all kinds of issues and might also not work on some sites, depending on website settings. Apps like phpMyAdmin and rainloop do not store files, that's why it is less of an issue. Nextcloud is a file storage, so you will likely have many problems with it when you try installing it this way.

    Personally, I would not install any apps that way on my server, too unreliable and insecure. That's why all recent perfect server guides use the apps vhost to access RoundCube and PHPMyAdmin and not a website alias anymore. I'll always create a website for them using a subdomain. So if you host sites for clients, then create a website like nextcloud.yourcompany.tld and install nextcloud into that site, and all your customers then use this URL based on your company domain (and not their own customer domain).
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    true till - the folders have to be 755 permissions. but what's puzzling is that apache CAN write to that folder (that's where nextcloud.log lives!) - so why can't it write that one file during installation! nextcloud.log clearly gets written to during the install I turned debug on.
    yes, I have setup nextcloud on another server as a vhost subdomain nextcloud.xxx.com. I would certainly expect that to work. I'll look and see what's changed on the newer perfect servers.
    Another interesting question for you? (I try to pose interesting ones). in a dual-wan environment is there a clean way to failover the access to the site? I have different subnets that reach the same server. but if cox (or verizon) goes down, I have to manually fiddle dns to point the sites to the different ip - but then they reach the same server. on the server all ips are the local addresses 192.168.x.y.
    and one more interesting question - do we have any truly BETTER antispam tools these days? I've got perfect's amavisd and clamav working, but I keep getting spam in CYRILLIC! isn't there a way to block such obviously spammy emails? if there is a better solution out there I would love to know about it. I'm tired of getting 100 spams for each 'real' email - even with spamfilter in place.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Take care to use * in website settings and do not select an IP address. What remains is that you must either change the IP in DNS or you must run a highly available load balancer in the internet that is able to detect which line is down and switch automatically.

    We do not use amavisd anymore with ISPConfig, new setups today use Rspamd. But Amavisd is still supported, so there is no need to switch to Rspamd. Rspamd is just much better in regard to spam filtering and also speed.

    You should really consider switching to Debian or Ubuntu based setups :) Easier to maintain, no need for picking packages from various repositories and a likely stable future in regard to development not getting stopped compared to AlmaLinux and Rocky Linux.
     
  7. craig baker

    craig baker Member HowtoForge Supporter

    dammit till! bog BLAST you for being - probably - right. yes. I'm considering punting centos8/rocky.
    I always use * for the website entries in ispconfig. the peplink router does load balancing. never have had occasion to play with it.
    between debian and ubuntu? what's best for a production server? and the migration tool have any issues? (I have to migrate between the 2 servers anyway lol).
    can I replace amavisd with rspamd? point me to a tutorial? (not the debian/ubuntu one?) cyrillic and chinese emails, really??
     
    Last edited: Sep 21, 2023
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, then any request for a site that reaches the system should end up in the right vhost. So it's probably a matter of configuring your router and/or DNS.

    Both are fine. Personally, I prefer Debian. But that's just a personal preference, there is nothing that I could say Ubuntu is worse or better for that :)

    No issues, you can use the Migration Tool to migrate from centOS to Debian or Ubuntu.

    There is just the Debian one. I've never tested Rspamd on Rhel based systems, so I can neither say if it works nor if there might be tweaks needed in ISPConfig.

    Rspamd is a more modern filter. I can say it works fine for me, but I can't say anything specific to Cyrillic or Chinese emails, you might want to check out the Rspamd website, they probably have a forum or mailing list or so where you can ask them.
     
  9. craig baker

    craig baker Member HowtoForge Supporter

    Geez till. do you know what a horrible dislocation this is for me? I've been running redhat servers since version 2. 1995! I kid you not.
    I think one of my servers was running it on a DEC Alpha cpu. now THERE is a blast from the past for you!
    here I am looking at debian. now couple of questions - I vastly prefer rainloop to roundcube. similar install instruction?? and you access them through 8081? no rainloop.mydomain.com?
    and you told me not to install letsencrypt manually and let ispconfig install it. but your perfect server debian installs it first. this not correct?
    you familiar with scrappy? that i've been using on a ubuntu server, is it happy on debian?
    mailman? or is that toast under debian? I see mailman3 installs with debian. ispconfig support?
    one nice point about RHEL was clusterability. is it available in debian?
    and do I get my money back if I'm not satisfied with your recommendation? (BIG LOL :)
     
    Last edited: Sep 22, 2023
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm not using rainloop. But I guess its set up similarly.

    Personally, I would create a website rainloop.mydomain.com and install it there manually. using the apps vhost is just a standard and uncomplicated way to make global apps accessible without the user having to create websites, set up DNS for subdomains etc. as many users would fail to set this up then. What you should not use anymore though is global aliases like somedomain.tld/webmail as they won't work reliably depending on website settings and rewrite rules.

    Both are possible, you do not have to install a LE client, as ISPConfig does it itself. But you can install one, then ISPConfig will use it (if it's installed correctly and can be found in PATH).

    I don't know that software. But if it works on Ubuntu, then it will work on Debian too.

    mailman2 is neither available for recent Debian nor Ubuntu versions anymore. The only way would be to try installing a Debian 11 package on Debian 12, but then you basically mess up the system from the beginning and might get problems in future when upgrading to Debian 13, 14 etc. I might implement Mailman3 support in future if there is enough demand, but I don't have the time at the moment to look into that.

    Not sure what you mean by that. Software to run clusters is available for any major Linux distribution.

    *lol* ;)
     
  11. craig baker

    craig baker Member HowtoForge Supporter

    couple of queries - debian is only v12 (bookworm) it is major-released far slower than the others fedora ubuntu. there a reason?
    and is it really the BEST for a production server? in all my years, redhat/centos NEVER caused a problem with a fked update.
    also - is there a snapshot utility for debian? something akin to a windows restorepoint so I could restore to an earlier version if something catastrophic happened?
    also - is it fips 142 compliant? one customer INSISTS on fips compliance and centos 8 IS compliant. required for govt contractors etc. I see that ubuntu 20 is fips compliant.
    and the debian guide says it's installing mailman3. is that not so? or is it just not supported by ispconfig?
    it's a BIG change my friend. much to ponder! inquiring minds and all that!
     
    Last edited: Sep 22, 2023
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Ubuntu LTS releases are every 2 years. Debian releases when it makes technical sense, which is about every two years. Fedora is basically a desktop OS for testing new technologies and not stable production server software.

    Btw. as far as I know, CentOS release cycle is slower than the one of Debian.

    I'm talking about OS upgrades, not simple daily updates. Did you upgrade Systems from Centos 5 to 6 to 7 to 8 live and online without reinstalling the system?

    This is nothing you do on the OS level. If you want snapshots, one uses either virtualization or a filesystem that supports snapshots. But virtualization is probably what's mostly used. Besides that, there is plenty of backup software available for Linux.

    Debian is an OpenSource project, so I doubt they certify it that way. Ubuntu might be certified, but I don't know as this topic does not matter for my use cases.

    Mailman 3 is a completely different software than Mailman 2, and ISPConfig does not support Mailman 3.
     
  13. craig baker

    craig baker Member HowtoForge Supporter

    my day just keeps getting better - what the HECK am I missing? I have bind running on ns11.cdbsystems.com, it pings all is happy and I go to my godaddy account and add ns11 as a custom hostname. 2 weeks later, ns11.cdbsystems.com is still not recognized as a valid nameserver. now was there something else I need to do? geez I have 2 PAGES of custom hostnames and have never had a problem bringing up a nameserver? I did check my dual-wan router and 53 is ported properly both TCP and UDP. what else could keep godaddy from propagating the name? dig sees me. maybe I'm missing something? what a frustrating experience.
    yes I'm considering wiping it and making it debian but it STILL needs to be ns11! LOL slap me with a wet fish!
    NEVER MIND. what idiots. I deleted the custom record from godaddy and saved it back again on godaddy - and PRESTO - propagation! after listening to them spend 2 hours telling me it was not their problem.
    another debian question - do you install mod_python or mod_wsgi these days?
    I'm tempted to give debian 12 a try. Till, am I being foolish? will I regret this? Will Biden win reelection?
    cdb.
     
    Last edited: Sep 23, 2023
