Hello ;
Info needed please. See my previous post. This is the last ticket remaining for next release...
Apache / Munin Problem seit Update auf 1.1.0-rc4.7
- Mutschas
- Closed
- Thread is marked as Resolved.
-
-
Sorry, i do not receive emails, if you post here. Would be great, if you do this next time in the ticket.
The failed config was not in the munin vhost, it was in /etc/apache2/sites-available/01_awstats.conf
Code- <Proxy *> Order allow,deny Allow from all</Proxy>Alias /awstatsicons "/usr/share/awstats/icon/"<Directory "/usr/share/awstats/icon/"> Options None AllowOverride None Order allow,deny Allow from all</Directory>NameVirtualHost 127.0.0.1:80<VirtualHost 127.0.0.1:80> RewriteEngine on RewriteRule ^/stats/(.+)/$ http://localhost/awstats/?config=$1 [P] RewriteRule ^/stats/(.+)/awstats.pl(.*)$ http://localhost/awstats/$1 [P] RewriteRule ^/stats/(.*)$ http://localhost/stats/$1/ [R] ScriptAlias /awstats "/usr/lib/cgi-bin/awstats.pl" <Directory /usr/lib/cgi-bin> AllowOverride none Options +ExecCGI DirectoryIndex awstats.pl Order allow,deny Allow from all </Directory> <Directory /var/www> Order deny,allow Deny from all Allow from localhost, 127.0.0.1 </Directory></VirtualHost># SECTION custom BEGIN.# SECTION custom END.
There was a "Deny from all" but no "Allow from localhost".
The munin vhost is okay:
Display MoreCode- Alias /munin /var/www/munin
- <Directory /var/www/munin>
- Order allow,deny
- Allow from all
- Options +Indexes FollowSymLinks SymLinksIfOwnerMatch +ExecCGI
- # This file can be used as a .htaccess file, or a part of your apache
- # config file.
- #
- # For the .htaccess file option to work the munin www directory
- # (/var/cache/munin/www) must have "AllowOverride all" or something
- # close to that set.
- #
- # AuthUserFile /etc/munin/munin-htpasswd
- # AuthName "Munin"
- # AuthType Basic
- # require valid-user
- # This next part requires mod_expires to be enabled.
- #
- # Set the default expiration time for files to 5 minutes 10 seconds from
- # their creation (modification) time. There are probably new files by
- # that time.
- #
- <IfModule mod_expires.c>
- ExpiresActive On
- ExpiresDefault M310
- </IfModule>
- </Directory>
Everything is working great, now.
-
-
Hello ;
Should be solved in last Git Master.
See:
https://github.com/i-MSCP/imsc…0adec45b50b6149eaf0028169
https://github.com/i-MSCP/imsc…e30a8208824604d773e80d626This is a compromise allowing the default applications as set by most Debian package to work.
Important:
If you have any sensible directories located under /var/www, which you want protect, you must add an .htaccess file into them with the following limit directives:
Indeed, the fix as referenced above allow access to any file located under /var/www excepted the imscp, virtual and scoreboards directories, which are explicitely protected throught the 01_awstats.conf file. without such a configuration snipped, any user can access any file from those directories using a PHP script. For instance:
Here, this example need the allow_url_fopen PHP option set to on (which is the case for many users). But many other solution exists.
Thanks to Daniel (Sci2tech) for its explanation about how to reproduce this security hole.
Note: If you want really allow access from localhost to any directory, you can use the following hook file (compatible with last Git Master):
File /etc/imscp/hooks.d/10_apache_localhost.pl
Display MorePHP- #!/usr/bin/perl
- package Hooks::Apache2::Localhost;
- use strict;
- use warnings;
- use iMSCP::HooksManager;
- use iMSCP::TemplateParser;
- sub addConfigSnippet
- {
- my ($tplContent, $tplName) = @_;
- if($tplName eq '01_awstats.conf') {
- my $directives = <<EOF;
- <Directory /var/www/>
- Order deny,allow
- Allow from localhost, 127.0.0.1
- </directory>
- EOF
- $$tplContent = replaceBloc(
- "# SECTION custom BEGIN.\n",
- "# SECTION custom END.\n",
- $directives,
- $$tplContent,
- 'preserveTags'
- );
- }
- 0;
- }
- iMSCP::HooksManager->getInstance->register('afterHttpdBuildConfFile', \&addConfigSnippet);
- 1;
-
Nach dem Update von 1.1.13 auf 1.1.18 erhalte ich beim munin den 403 Error. Allow from All ist in der apache conf eingetragen. Vor dem Update funktionierte es auch ohne Probleme.
-
-
-
Die Berechtigungen sollten eigentlich passen. Oder an welcher Stellschraube kann man noch drehen?
-
-
Hello ;
Any administrator should be able to solve such permission problems easily by adding the needed directives in the munin virtualhost.
In the latest i-MSCP versions, the configuration has been revisited to prevent the www-data user accessing the entire file system, and also to prevent the www-data user accessing files which are referenced by symlinks that are not owned by the owner of those symlinks. Thus with those information, you should now be able to adjust your configuration to make munin working. If you don't have the sufficient knowledge for Apache, you must post your current configuration for munin here (only the Apache part) and then, we will be able to give you some advises.
-
/etc/munin/apache.conf:
Display MoreCode- Alias /stat /var/www/munin
- <Directory /var/www/munin>
- Order allow,deny
- # Allow from localhost 127.0.0.0/8 ::1
- Options None
- Allow from all
- #Options FollowSymLinks SymLinksIfOwnerMatch
- Require all granted
- # This file can be used as a .htaccess file, or a part of your apache
- # config file.
- #
- # For the .htaccess file option to work the munin www directory
- # (/var/cache/munin/www) must have "AllowOverride all" or something
- # close to that set.
- #
- # AuthUserFile /etc/munin/munin-htpasswd
- # AuthName "Munin"
- # AuthType Basic
- # require valid-user
- # This next part requires mod_expires to be enabled.
- #
- # Set the default expiration time for files to 5 minutes 10 seconds from
- # their creation (modification) time. There are probably new files by
- # that time.
- #
- <IfModule mod_expires.c>
- ExpiresActive On
- ExpiresDefault M310
- </IfModule>
- </Directory>
Thanks
-
-
Hat evtl. noch jemand dieses Problem? Ich bekomme weiterhin die "Forbidden" Meldung beim Aufruf von munin. Vielleicht hat ja noch jemand einen Tipp. Danke euch