SOLVED Apache Forbidden

Discussion in 'EasyApache' started by Goran.Siriev, Mar 22, 2017.

  1. Goran.Siriev

    Goran.Siriev Member

    domain.com/highlightsicon.png --> Not working

    You don't have permission to access /highlightsicon.png on this server.

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

    [authz_core:error] [pid 92587] [client 179.43.176.2:14178] AH01630: client denied by server configuration: /home/username/public_html/domain.com/highlightsicon.png


    Same file, different name
    domain.com/highligsicon.png --> working ..

    Where is the problem?
    This .png was working yesterday; this problem happened today.
     
    #1 Goran.Siriev, Mar 22, 2017
    Last edited by a moderator: Mar 22, 2017
  2. sktest123

    sktest123 Well-Known Member

    Please verify the rwx permissions of domain.com/highlightsicon.png
     
  3. tmcstom

    tmcstom Member

    You may be blocking direct access to files in the site's .htaccess file. Look for something similar to the following.

    Code:
    RewriteRule \.(gif|jpg|png)$ - [F]

    If you see this, try commenting out this line and try accessing the file.
     
  4. BDuenk

    BDuenk Registered

    Hi Goran, ran into the same issue. Last cPanel update contains an error. - Removed -
    #<FilesMatch "(.ht[access|passwd]|.user.ini|php.ini)">
    # Require all denied
    #</FilesMatch>
     
    #4 BDuenk, Mar 22, 2017
    Last edited by a moderator: Mar 22, 2017
    Goran.Siriev likes this.
  5. sanderd

    sanderd Registered

    Confirmed, this is a real problem, they made a mistake since the last update.

    Line 95 of httpd.conf



    <FilesMatch "(.ht[access|passwd]|.user.ini|php.ini)">
    Require all denied
    </FilesMatch>

    .ht[access TYPO? Should be .htaccess without the [. cPanel, please fix it.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Got any more details on this you can share?
     
  7. Goran.Siriev

    Goran.Siriev Member


    Thank you, problem solver!

    <FilesMatch "(.htaccess|.passwd|.user.ini|php.ini)">
    Require all denied
    </FilesMatch>
     
    thewebexpert likes this.
  8. Bdzzld

    Bdzzld Well-Known Member

    @BDuenk: Thanks! Also received several trouble tickets from customers today on a normally regular day regarding "forbidden errors". This solved the problem.

    For others seeking the solution: the file is located at /usr/local/apache/conf
    Restarted httpd afterwards.

    Regards.
     
  9. Mark Croxton

    Mark Croxton Member

    Ran into this too today.

    [deleted]
     
    #9 Mark Croxton, Mar 22, 2017
    Last edited: Mar 22, 2017
  10. thewebexpert

    thewebexpert Registered

    Client store down all day because of this, totally killed the store. Thank you for the fix, sad that this bug got pushed to a production server! I do not understand how such a critical problem could get pushed out on the release branch.
     
  11. sparek-3

    sparek-3 Well-Known Member

    In - ea-apache24-2.4.25-5.5.1.cpanel this section appears to be:

    <Files ".ht*">
    Require all denied
    </Files>


    In - ea-apache24-2.4.25-7.7.1.cpanel this was (incorrectly) set to:


    <FilesMatch "(.ht[access|passwd]|.user.ini|php.ini)">
    Require all denied
    </FilesMatch>
     
  12. sparek-3

    sparek-3 Well-Known Member

    To fix:

    cp -a /var/cpanel/templates/apache2_4/ea4_main.default /var/cpanel/templates/apache2_4/ea4_main.local

    Edit /var/cpanel/templates/apache2_4/ea4_main.local

    Replace the section that says:

    <FilesMatch "(.ht[access|passwd]|.user.ini|php.ini)">
    Require all denied
    </FilesMatch>

    With:

    <Files ".ht*">
    Require all denied
    </Files>

    Save /var/cpanel/templates/apache2_4/ea4_main.local

    Rebuild httpd.conf

    /scripts/rebuildhttpdconf

    And restart Apache

    /scripts/restartsrv_httpd




    It's a shame that this made it into production.

    If cPanel fixes this you will want to remove the local changes and rebuild httpd.conf and restart again.
     
    Jack Hayhurst likes this.
  13. Jack Hayhurst

    Jack Hayhurst Member
    PartnerNOC

    To be clear for anyone trying to pull that regex apart, I could rewrite that as a couple of matches (if I understand it correctly):

    That regex decomposes to something like "if the file matches the following patterns":
    • ".ht[acdespw|]"
    • ".user.ini"
    • "php.ini"
    Note, the periods in the previous patterns match any single non-space character too.

    sparek-3's fix should work just fine, although you can add the .user.ini and php.ini protections back in by instead putting the following into ea4_main.local, and doing the same.

    <Files ".ht*">
    Require all denied
    </Files>


    <Files ".user.ini">
    Require all denied
    </Files>


    <Files "php.ini">
    Require all denied
    </Files>
     
    quizknows likes this.
  14. quizknows

    quizknows Well-Known Member

    I would suggest using Jack's method. The original deny of .ht* helps secure backups like .htaccess.bak etc. as well. I really hope that stays in place, though I suppose a modsec rule could replace it if it gets removed.
     
  15. WiredChris

    WiredChris Member

    $ grep -E ".ht[acdespw]" /usr/share/dict/words | wc -l
    995
     
  16. sparek-3

    sparek-3 Well-Known Member

    <Files ".ht*">
    Require all denied
    </Files>

    is the old behavior as seen in ea-apache24-2.4.25-5.5.1.cpanel

    What cPanel probably wanted to do was:

    <FilesMatch "^(.htaccess|.htpasswd|.user.ini|php.ini)$">
    Require all denied
    </FilesMatch>


    but instead got too fancy with the regex matching and didn't test it.
     
  17. sparek-3

    sparek-3 Well-Known Member

    Well, use the best of both worlds

    <FilesMatch "^(.user.ini|php.ini)$">
    Require all denied
    </FilesMatch>
    <Files ".ht*">
    Require all denied
    </Files>


    cPanel probably wanted to block access to .user.ini and php.ini files, that's why they added this. They just didn't do it right.
     
  18. Jack Hayhurst

    Jack Hayhurst Member
    PartnerNOC

    Do note, that would still match files named auserwini or phpaini - probably better to just use the separate Files block anyway as you avoid the regex call within the Apache parsing engine once it's loaded into memory. Worth the few bytes to cut down on a few CPU calls for every request.
     
  19. Dhaupin

    Dhaupin Active Member

    Ah we encountered this today as well. After a full scope through the stack and hours grepping for strings in files related to "ghte", we narrowed it down to Apache, then stumbled upon this thread as we were going to post one ourselves. Our platform got owned since 3 am because of this, immense repeated downtime. The 403 error triggered a dynamic php page, and although cached, the pure volume of requests destroyed any hope (a pic that was forbidden was in the main menu, so many many times a second).

    Here is the synopsis: That regex snip is not good. It matches like this: "any single character" + "ht" + "any single char in acdepsw" = denied.

    Cause: The periods are not escaped, and brackets are used instead of the more precise parentheses. It's pretty crazy that made it into httpd.conf (think of all the servers who got pwnd by this). Also it's incomplete IMO, there should be an extra clause looking for things like .bak? I dunno, just an idea.

    Corrected regex:
    Code:
    (\.ht(access|passwds?)|\.user\.ini|php\.ini)
    More broad regex (don't trust this unless you know you need it to block backup/default/upgrade files):
    Code:
    (\.ht(access|passwds?)|\.user\.ini|php\.ini)\.*(bak(up)?|old|txt|default|rpmnew|\.)*

    Below: I did not catch the difference in <> directive, apologies Jack:
    PS: @Jack Hayhurst - using .ht* means you will block "any single character" + "ht" + "any other characters" in URL, which means it would deny "something.html". I would highly suggest not using that regex, especially if you are a NOC. It would immediately forbid all cache/SEO/legacy URLs containing ".html" across all accounts.
     
    #19 Dhaupin, Mar 22, 2017
    Last edited: Mar 22, 2017
  20. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello Everyone!

    An emergency release to address this issue (as part of internal case EA-6088) is in-process. I'll update this thread once the updated RPMs are published and the EA4 Change Log is updated. For anyone not using a custom ea4_main.local template, here is the command you can run as a temporary workaround:

    Code:
    cp -av /var/cpanel/templates/apache2_4/ea4_main.default{,.dist}; sed -i '127s/.*/<FilesMatch "^(\\.ht(access|passwds?)|\\.user\\.ini|php\\.ini)$">/' /var/cpanel/templates/apache2_4/ea4_main.default; /scripts/rebuildhttpdconf; /scripts/restartsrv_httpd 
    Note: This command will need to be run again if the upcp process runs before the updated RPMs are published.

    Thank you.
     
    Infopro likes this.
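
The over-matching discussed in this thread can be reproduced offline before a deny rule reaches a production httpd.conf. The following is an added example, not code from any poster or from cPanel: it approximates `<FilesMatch>` with an unanchored Python `re.search` on the file name and `<Files>` wildcards with `fnmatchcase`, and the rule labels and sample file names are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Deny rules quoted in the thread. "regex" approximates <FilesMatch> (unanchored
# search on the file name); "glob" approximates <Files> wildcard matching.
RULES = {
    "shipped":    [("regex", r"(.ht[access|passwd]|.user.ini|php.ini)")],
    "old":        [("glob", ".ht*")],
    "workaround": [("regex", r"^(\.ht(access|passwds?)|\.user\.ini|php\.ini)$")],
    "separate":   [("glob", ".ht*"), ("glob", ".user.ini"), ("glob", "php.ini")],
}

# Constructed sample names. .htaccess.bak is the backup case raised in the thread.
MUST_DENY = [".htaccess", ".htpasswd", ".user.ini", "php.ini", ".htaccess.bak"]
MUST_SERVE = ["highlightsicon.png", "highligsicon.png", "index.html",
              "lightweight.css", "yachts.jpg"]


def trigger(rule, filename):
    """Return the text that makes `rule` deny `filename`, or None if it is served."""
    for kind, pattern in RULES[rule]:
        if kind == "regex":
            match = re.search(pattern, filename)
            if match:
                return match.group(0)
        elif fnmatchcase(filename, pattern):
            return filename
    return None


def audit(rule):
    """Return (sensitive files left exposed, ordinary files wrongly denied)."""
    exposed = [f for f in MUST_DENY if trigger(rule, f) is None]
    overblocked = [f for f in MUST_SERVE if trigger(rule, f) is not None]
    return exposed, overblocked


if __name__ == "__main__":
    for name in RULES:
        exposed, overblocked = audit(name)
        print(f"{name:10} exposed={exposed} overblocked={overblocked}")
    # Shows which substring of the reported file name hit the shipped pattern
    print("shipped pattern matched:", trigger("shipped", "highlightsicon.png"))
```

On this sample only the three separate `<Files>` blocks leave nothing exposed and nothing wrongly denied; the anchored workaround matches exact names only, so `.htaccess.bak` is served.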