Forced "Require all granted"

Hi guys,

I have our dev server running Virtualmin with Ubuntu 14.04 and by default we don't want any of the sites on our dev to be visible to the outside world. So in Server templates -> "Directives and settings for new websites" I removed "Require all granted" but it's still being placed into new sites. Is there somewhere else that this is configured?

Status: Active

Comments

Currently, no .. this gets added automatically because it is needed in Apache 2.4+ for the website to be accessible. However, I can see your point - perhaps Virtualmin should only add this if there is no other existing Require directive, which I presume you have to allow certain IPs?

Hi Jamie,

Thanks for getting back to me.

For our dev server, users are hit with a global Basic Authentication box before they can access a site. Previously on our Debian server (Apache 2.2) when I removed this attribute from the server template it honored it, so it must be a 2.4 thing?? Now I just need my guys to remember to go and manually remove it.

Yes, this is special code added to support Apache 2.4.

The next Virtualmin release won't add this "Require all granted" if there is already some other "Request ... granted" directive.

Oh great thank you!

Automatically closed -- issue fixed for 2 weeks with no activity.

Hi Jamie,

I'm just revisiting this issue as it appears to not have been implemented yet.

Thanks, Ryan

Are you running the latest Virtualmin release (version 4.18)?

Thanks for getting back to me .. Yes I'm running 4.18

Can you post the full Apache config from one Virtualhost block, after domain creation? I'd like to see exactly which format of the "require" directive is being created.

Hi Jamie,

Please see exact directives created with a new server:

SuexecUserGroup "#1080" "#1077"
ServerName testdomain.com.au
ServerAlias testdomain.localnet
ServerAlias testdomain.neubreed.net
DocumentRoot /home/testdomain/public_html
ErrorLog /var/log/virtualmin/testdomain.com.au_error_log
CustomLog /var/log/virtualmin/testdomain.com.au_access_log combined
ScriptAlias /cgi-bin/ /home/testdomain/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/testdomain/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php5.3
FCGIWrapper /home/testdomain/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/testdomain/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/testdomain/fcgi-bin/php5.3.fcgi .php5.3
</Directory>
<Directory /home/testdomain/cgi-bin>
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.3
IPCCommTimeout 120
FcgidMaxRequestLen 1073741824

Ok .. in your template, what do you have instead of Require all granted ?

I assume you have some kind of require statement, or else it would be impossible to access the newly created sites.

I don't have anything, I removed it. This is the template from the default server template:

ServerName ${DOM}
ServerAlias ${PREFIX}.localnet
ServerAlias ${PREFIX}.neubreed.net
DocumentRoot ${HOME}/public_html
ErrorLog /var/log/virtualmin/${DOM}_error_log
CustomLog /var/log/virtualmin/${DOM}_access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory ${HOME}/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
</Directory>
<Directory ${HOME}/cgi-bin>
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>

Wouldn't that prevent all access to the website though?

That's what I want .. in my security.conf I have Basic Auth set up so that all sites need a password to see our dev sites .. This keeps unwanted eyes and bots out of our development environment.

So currently Virtualmin checks for a Require line with granted in the value, and if none is found it will add the Require all granted directive to support Apache 2.4 systems.

The hack work-around in your case is to change the template to include the line Require env granted which will not grant access to anyone, but will prevent Virtualmin from adding that line to the template.
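The rule described in the comment above, modelled as an added example (not Virtualmin's own code and not posted by anyone in the thread): it lists the Require arguments in each <Directory> block of a virtual host file and reports which blocks are already open to everyone and which would get "Require all granted" added under that rule. The sample config and the /home/testdomain/private path are constructed.

```python
import re

# Constructed sample, modelled on the virtual host posted in the thread.
SAMPLE = """\
<Directory /home/testdomain/public_html>
Require all granted
</Directory>
<Directory /home/testdomain/cgi-bin>
AllowOverride All
</Directory>
<Directory /home/testdomain/private>
Require env granted
</Directory>
"""

def directory_requires(conf):
    """Map each <Directory> path to the arguments of its Require lines."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out directives do not count
        m = re.match(r"<Directory\s+\"?([^\">]+)\"?\s*>$", line, re.I)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif re.match(r"</Directory\s*>$", line, re.I):
            current = None
        elif current is not None:
            r = re.match(r"Require\s+(.+)$", line, re.I)
            if r:
                blocks[current].append(r.group(1).strip())
    return blocks

def audit(conf):
    """Classify each block as 'open', 'will-be-opened' or 'kept'."""
    report = {}
    for path, reqs in directory_requires(conf).items():
        if any(re.fullmatch(r"all\s+granted", a, re.I) for a in reqs):
            report[path] = "open"  # this block grants access to every client
        elif not any("granted" in a.lower() for a in reqs):
            # Rule from the thread: no Require value containing "granted" -> line gets added
            report[path] = "will-be-opened"
        else:
            report[path] = "kept"  # e.g. the "Require env granted" workaround
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running it over each generated virtual host file after domain creation replaces the manual check mentioned earlier in the thread.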

Thanks Jamie,

I'll give that a shot .. My alternative was to do a cron sed replace in all conf files periodically .. but this seems like a better solution.

Thanks for your help.