403 Forbidden error for disabled virtualhost

14 posts / 0 new
Last post
#1 Tue, 01/06/2015 - 02:28
saifcse

403 Forbidden error for disabled virtualhost

Hi,

I'm having a strange problem. After disabling any virtualhost from Virtualmin panel, if I browse that site, getting a "Forbidden" 403 error. It's only happing after upgrading to the latest version of virtualmin (V4.12.gpl GPL). Running on CentOS 5.11. It was working fine for last 3 years. We were using custom html code for Disabled website.

Seems that it's a file permission issue. I checked "/etc/webmin/virtual-server/disabledweb" directory and the file permission for the newly created file was:

-rwxr-x--- 1 root root 6501 Jan 6 02:09 133650911428905.html

But it's suppose to be "-rw-r--r--" as all other previous disabled file are like this. I change the permission of the new file to "-rw-r--r--" and there were no more errors.

From where can I instruct virtualmin to set file permission for disabled website page to "644"?

Thanks & Regards, Saif

Sat, 01/10/2015 - 21:04
isolice

I have exactly the same problem;

root@minecraft:/etc/webmin/virtual-server/disabledweb# tail /var/log/virtualmin/isolice.co.uk_error_log
[Sun Jan 11 02:54:41.539529 2015] [authz_core:error] [pid 31390] [client 172.16.0.81:48938] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/142093019419978.html
[Sun Jan 11 02:54:42.189632 2015] [authz_core:error] [pid 31390] [client 172.16.0.81:48938] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/142093019419978.html
root@minecraft:/etc/webmin/virtual-server/disabledweb# ls -l /etc/webmin/virtual-server/disabledweb/
total 8
-rwxr-x--- 1 root root     21 Jan 11 02:55 142093019419978.html
-rw-r--r-- 1 root www-data 26 Jan 11 00:56 index.html

I have tried changing file permissions to 664, folder perms to 755. Adding this in apache vhosts; AllowOverride All

I'm really not sure what is going on.

Sun, 01/11/2015 - 14:48
isolice

Does anyone have any light on this issue?

Sun, 01/11/2015 - 15:30
Joe
Joe's picture

Sounds like a bug, possibly related to the new Virtualmin version which tightened up security on home directories and the way they can be used by virtual host owners. I've filed a ticket so Jamie can have a look.

That bug is here: https://virtualmin.com/node/35805

--

Check out the forum guidelines!

Sun, 01/11/2015 - 15:40
isolice

Thank you very much Joe :)

Sun, 01/11/2015 - 18:11
JamieCameron

For anyone who is seeing this - what gets logged to the domain's error log file when you try to access a disabled site? The error log is typically linked from logs/error_log under the domain's home dir.

''

Sun, 01/11/2015 - 18:31
isolice
root@srv3:/home/isolicec/logs# tail error_log
[Sun Jan 11 02:54:41.539529 2015] [authz_core:error] [pid 31390] [client 172.16.0.81:48938] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html
[Sun Jan 11 02:54:42.189632 2015] [authz_core:error] [pid 31390] [client 172.16.0.81:48938] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html
[Sun Jan 11 02:54:42.434130 2015] [authz_core:error] [pid 31390] [client 172.16.0.81:48938] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html
[Sun Jan 11 02:54:42.544151 2015] [authz_core:error] [pid 31390] [client 172.16.0.81:48938] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html
[Sun Jan 11 02:55:11.943402 2015] [authz_core:error] [pid 32412] [client 172.16.0.81:43039] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html
[Sun Jan 11 02:55:12.497444 2015] [authz_core:error] [pid 32412] [client 172.16.0.81:43039] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html
[Sun Jan 11 02:55:12.704166 2015] [authz_core:error] [pid 32412] [client 172.16.0.81:43039] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html
[Sun Jan 11 02:55:12.867276 2015] [authz_core:error] [pid 32412] [client 172.16.0.81:43039] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html
[Sun Jan 11 02:55:13.146836 2015] [authz_core:error] [pid 32412] [client 172.16.0.81:43039] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html
[Sun Jan 11 02:55:13.611093 2015] [authz_core:error] [pid 32412] [client 172.16.0.81:43039] AH01630: client denied by server configuration: /etc/webmin/virtual-server/disabledweb/1420                 93019419978.html

I hope this helps & thank you for the quick reply.

Sun, 01/11/2015 - 22:31 (Reply to #7)
JamieCameron

Also, which release of Apache are you running there?

I suspect that the rules about allowed directories changed in 2.4.

''

Mon, 01/12/2015 - 12:20 (Reply to #8)
isolice

I am using Ubuntu server just needed to clarify that aswell. It does seem to be an error relating to the Apache 2.4 permissions.

administrator@srv3:~$ sudo apache2 -v
[sudo] password for administrator:
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Jul 22 2014 14:36:38
administrator@srv3:~$
Mon, 01/12/2015 - 14:11
isolice

Temporary solution;

rm -r /etc/webmin/virtual-server/disabledweb
mkdir /var/www/disabledweb
cd /etc/webmin/virtual-server/
ln -s /var/www/disabledweb/ disabledweb
chmod 2775 /etc/webmin/virtual-server/disabledweb

Now we need to edit /usr/share/webmin/virtual-server/virtual-server-lib.pl

nano /usr/share/webmin/virtual-server/virtual-server-lib.pl
ctrl+w  disabledweb  [enter]
change line
$disabled_website_dir = "/etc/webmin/virtual-server/disabledweb";
to
$disabled_website_dir = "/var/www/disabledweb";
ctrl+o  to save file. ctrl+x to exit.

Finally restart virtualmin/webmin

service webmin restart

For good measure, unsuspend and resuspend original offending websites, and problem should be resolved. I have only tried this on Ubuntu.

Mon, 01/12/2015 - 18:46
JamieCameron

Ok, so it looks like the real issue is that Apache 2.4 won't allow access to files in directories that don't have a block. This is slightly more complex for Virtualmin to fix ... but I will work on this for the next release.

''

Tue, 01/13/2015 - 00:35
saifcse

I'm using CentOS 5.11 and Apache version is 2.2.3. So, seems that the problem is not necessarily only with Apache version 2.4. I have another box running CentOS 6.6 and Apache version 2.2.15. Same issue.

Thu, 01/15/2015 - 23:51
JamieCameron

This will be fixed in the next release by creating the disabled HTML file in a location that Apache can access.

''

Thu, 01/22/2015 - 12:22
Chris_C

I confirm the bug on debian 7 wheezy, apache 2.2. 403 Forbidden is shown. It should show the contents of the small html file in the disabledweb dir.

The cause of the bug is, wrong permissions and ownership. The small html files containing the "disabled website" content text are created with wrong permissions 0750, and should be 0644. this is because they are owned by user root group root.

If you set the proper user/group ownership of the small html files, to the virtual server user and group, for example server3/server3, then the html file permissions could stay 750 or better 640.