client denied by server configuration: /web/.env - laravel

On my Laravel backend, I found that the .env file was publicly accessible!
So I fixed it in .htaccess like this:
Options -Indexes
<Files .env>
order allow,deny
Deny from all
</Files>
Now I'm getting these errors in my log:
/var/log/ispconfig/httpd/mysite.com/error.log
[Sat Jul 24 02:30:02.012555 2021] [access_compat:error] [pid 12573] [client 34.68.38.253:57077] AH01797: client denied by server configuration: /var/www/clients/client0/web1/web/.env
[Sat Jul 24 02:41:45.397639 2021] [access_compat:error] [pid 12573] [client 77.247.127.218:51261] AH01797: client denied by server configuration: /var/www/clients/client0/web1/web/.env
[Sat Jul 24 04:01:06.465017 2021] [access_compat:error] [pid 10206] [client 162.55.61.168:35064] AH01797: client denied by server configuration: /var/www/clients/client0/web1/web/.env
[Sat Jul 24 05:13:38.355428 2021] [access_compat:error] [pid 32043] [client 27.255.90.119:16470] AH01797: client denied by server configuration: /var/www/clients/client0/web1/web/.env
[Sat Jul 24 10:56:19.576281 2021] [access_compat:error] [pid 15892] [client 45.87.61.234:50726] AH01797: client denied by server configuration: /var/www/clients/client0/web1/web/.env
What's the reason? Do I have to worry about it? How do I fix it?
Config: VPS Debian 9, apache 2.4.25, ispconfig, Laravel 5.3.31
Thank you in advance.

It is because by default Apache will have this security feature turned on:
Require all denied
You can disable that by adding this to the Apache config file:
Require all granted
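As an added example (not code from the question or the answer), this Python script triages log lines like those in the question: each AH01797 entry records a request that the deny rule refused, so grouping them by path and client shows what is being probed and that the block is holding. The sample lines, the paths and the `SENSITIVE_NAMES` watch list are constructed assumptions.

```python
import re
from collections import defaultdict
from posixpath import basename

# AH01797 is logged by mod_access_compat (Order/Deny syntax, as in the question);
# AH01630 is the same denial logged by mod_authz_core (Require syntax).
DENIED_RE = re.compile(
    r"^\[[^\]]+\] \[[^\]]*:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[^\]]+):\d+\] "
    r"AH(?:01797|01630): client denied by server configuration: (?P<path>[^,\s]+)"
)

# Assumed watch list: file names that hold secrets and have no legitimate web clients.
SENSITIVE_NAMES = {".env", "local.xml", ".htpasswd"}


def summarize_denials(lines):
    """Map each denied path to its hit count and the set of client IPs."""
    summary = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in lines:
        m = DENIED_RE.match(line.strip())
        if m:  # lines that are not access denials are skipped
            summary[m.group("path")]["hits"] += 1
            summary[m.group("path")]["clients"].add(m.group("ip"))
    return dict(summary)


def sensitive_probes(summary):
    """Keep only the denied paths whose file name is on the watch list."""
    return {p: s for p, s in summary.items() if basename(p) in SENSITIVE_NAMES}


# Constructed sample lines in Apache 2.4 error-log format (documentation IP ranges).
SAMPLE_LOG = [
    "[Sat Jul 24 02:30:02.012555 2021] [access_compat:error] [pid 12573] [client 192.0.2.10:57077] AH01797: client denied by server configuration: /var/www/example/web/.env",
    "[Sat Jul 24 02:41:45.397639 2021] [access_compat:error] [pid 12573] [client 198.51.100.7:51261] AH01797: client denied by server configuration: /var/www/example/web/.env",
    "[Sat Jul 24 04:01:06.465017 2021] [access_compat:error] [pid 10206] [client 192.0.2.10:35064] AH01797: client denied by server configuration: /var/www/example/web/.env, referer: http://example.test/",
    "[Sat Jul 24 05:13:38.355428 2021] [authz_core:error] [pid 306944:tid 140107193476864] [client 203.0.113.5:55854] AH01630: client denied by server configuration: /var/www/example/app/etc/local.xml",
    "[Sat Jul 24 05:20:11.000001 2021] [authz_core:error] [pid 32043] [client 203.0.113.5:16470] AH01630: client denied by server configuration: /var/www/example/web/server-status",
    "[Sat Jul 24 10:56:19.576281 2021] [core:error] [pid 15892] [client 203.0.113.9:50726] AH00126: Invalid URI in request GET HTTP/1.1",
]

if __name__ == "__main__":
    for path, stats in sorted(sensitive_probes(summarize_denials(SAMPLE_LOG)).items()):
        print(f"{stats['hits']:3d} denied  {path}  from {sorted(stats['clients'])}")
```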

Related

laravel apache setup rootdocument

I'm trying to set up my Laravel application on a different server (CentOS 7 running httpd).
In my old configuration on other servers, I always set the document root to "laravelProjectDir/public".
However, on this server I've tried the following.
Here is my Apache config file:
<IfModule mod_ssl.c>
<VirtualHost subdomain.domain.com:443>
ServerName subdomain.domain.com
ServerAdmin email#gmail.com
DocumentRoot /home/MyUser/public_html/subDomain/public2
<Directory /home/MyUser/public_html/subDomain/public2/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
Require all granted
</Directory>
LogLevel debug
ErrorLog /home/MyUser/log-subDomain.txt
CustomLog /home/MyUser/customlog-subDomain.txt combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/subdomain.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/subdomain.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/subdomain.domain.com/chain.pem
</VirtualHost>
</IfModule>
============================================================
Option 1
public2, which is the Laravel root directory, is the Apache RootDocument.
Accessing the website from a web browser with the following link: https://subdomain.domain.com/public works well (all files in public are shown and routes work).
Accessing the website from a web browser with the following link: https://subdomain.domain.com/ routes work, but all files inside public now don't show (ERROR 404).
==============================================================
Option 2
this is the option that always worked for me on my previous servers but not on this server.
public2/public <-- laravelRoot/public/ directory is the Apache RootDocument
/etc/httpd/sites-enabled < changed the following lines:
DocumentRoot /home/MyUser/public_html/subDomain/public2/public
<Directory /home/MyUser/public_html/subDomain/public2/public/>
result:
500 Internal Server Error
Apache Log:
[Sat Mar 06 11:32:42.550524 2021] [core:alert] [pid 6173] [client 109.161.x.x:8789] /home/myUser/public_html/subDomain/public2/.htaccess: Options not allowed here, referer: https://subdomain.domain.com/public/home
[Sat Mar 06 11:32:42.550695 2021] [ssl:debug] [pid 6173] ssl_engine_io.c(993): [client 109.161.x.x:8789] AH02001: Connection closed to child 1 with standard shutdown (server subdomain.domain.com:443)
[Sat Mar 06 11:32:44.626866 2021] [ssl:debug] [pid 6174] ssl_engine_kernel.c(225): [client 109.161.x.x:8790] AH02034: Initial (No.1) HTTPS request received for child 2 (server subdomain.domain.com:443)
[Sat Mar 06 11:32:44.627360 2021] [core:alert] [pid 6174] [client 109.161.x.x:8790] /home/myUser/public_html/subDomain/public2/.htaccess: Options not allowed here
[Sat Mar 06 11:32:44.627537 2021] [ssl:debug] [pid 6174] ssl_engine_io.c(993): [client 109.161.x.x:8790] AH02001: Connection closed to child 2 with standard shutdown (server subdomain.domain.com:443)
[Sat Mar 06 11:32:45.126934 2021] [ssl:debug] [pid 6176] ssl_engine_kernel.c(225): [client 109.161.x.x:8791] AH02034: Initial (No.1) HTTPS request received for child 4 (server subdomain.domain.com:443), referer: https://subdomain.domain.com/
[Sat Mar 06 11:32:45.127497 2021] [core:alert] [pid 6176] [client 109.161.x.x:8791] /home/myUser/public_html/subDomain/public2/.htaccess: Options not allowed here, referer: https://subdomain.domain.com/
[Sat Mar 06 11:32:45.127686 2021] [ssl:debug] [pid 6176] ssl_engine_io.c(993): [client 109.161.x.x:8791] AH02001: Connection closed to child 4 with standard shutdown (server subdomain.domain.com:443)
What is the issue here? Why can't Apache allow Options when I'm already setting it up with .htaccess and AllowOverride All?

magento get Internal Server Error when click payment methods on backend's Configuration

I am new to Magento. When I click on the backend's System>Configuration>Sales>Payment Methods, I get an Internal Server Error. I checked the error log file, and it shows the error below:
[Tue Nov 29 20:25:39.934637 2016] [access_compat:error] [pid 306944:tid 140107193476864] [client 210.5.50.143:55854] AH01797: client denied by server configuration: /var/www/vhosts/baoho.nz/httpdocs/app/etc/local.xml
[Tue Nov 29 20:25:40.318493 2016] [:error] [pid 306946:tid 140107373123328] [client 222.153.188.223] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). [hostname "baoho.nz"] [uri "/index.php/admin/system_config/edit/section/payment/key/0ad75a974774456d274ebf7c4bcf4cb1/"] [unique_id "WD0tb#nx70z3ONKpFlNGtgAAAEI"]
[Tue Nov 29 20:25:40.318964 2016] [proxy_fcgi:error] [pid 306946:tid 140107373123328] [client 222.153.188.223:55836] AH01068: Got bogus version 101, referer: http://baoho.nz/index.php/admin/system_config/edit/section/checkout/key/0ad75a974774456d274ebf7c4bcf4cb1/
[Tue Nov 29 20:25:40.318986 2016] [proxy_fcgi:error] [pid 306946:tid 140107373123328] (22)Invalid argument: [client 222.153.188.223:55836] AH01075: Error dispatching request to :, referer: http://baoho.nz/index.php/admin/system_config/edit/section/checkout/key/0ad75a974774456d274ebf7c4bcf4cb1/
I changed the .htaccess file's memory limit from 64MB to 512MB. However, it still showed the same error. Could anyone help me solve this problem?
Thanks

Apache Server 2.4 on EC2 "caught SIGTERM shutting down "

I'm using amazon linux on an m3.large instance on EC2.
I had these logs before my apache server was shut down:
[Sun Sep 28 18:54:31.679261 2014] [cgi:error] [pid 32422] [client 67.211.230.58:58937] script not found or unable to stat: /var/www/cgi-bin/wlogin.cgi
[Mon Sep 29 03:32:17.602213 2014] [cgi:error] [pid 13612] [client 173.45.100.18:42591] attempt to invoke directory as script: /var/www/cgi-bin/
[Mon Sep 29 03:32:19.142561 2014] [cgi:error] [pid 13623] [client 173.45.100.18:43455] script not found or unable to stat: /var/www/cgi-bin/hi
[Mon Sep 29 15:40:45.599504 2014] [core:error] [pid 17852] [client 80.82.64.145:51226] AH00126: Invalid URI in request GET HTTP/1.1
[Mon Sep 29 22:53:46.532859 2014] [mpm_prefork:notice] [pid 10800] AH00169: caught SIGTERM, shutting down
And.. that's it. My httpd service was shut down.
What I'm smelling here is that some people are trying to access the server by executing CGI scripts with GET requests, which I suspect from this line:
script not found or unable to stat: /var/www/cgi-bin/hi
What the hell is the "hi" supposed to mean here, if not an exploit attempt?
Also:
attempt to invoke directory as script: /var/www/cgi-bin/
They are all coming from the same IP, 173.45.100.18.
Am I under a DDoS and other malicious attack, or is something arcane going on?

I looked everywhere to change DocumentRoot on Apache to no avail

I don't know what I am doing wrong but I can't change the directory of my localhost files with Apache. I tried all kinds of things with httpd.conf, including changing "Order allow,deny" to "Require all granted". It still doesn't work.
I'm running Windows 7 64-bit and I'm trying to get Apache to work but all solutions so far have not helped me change DocumentRoot due to error 403.
Here is the httpd.conf
Here is my error log since the latest service restart
The Apache2.4 service is restarting. The Apache2.4 service has restarted. m_winnt:notice [pid5304:tid 468] AH00424: Parent: Received restart signal -- Restarting the server.
[Mon Sep 22 22:37:25.315061 2014] [ssl:warn] [pid 5304:tid 468] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Mon Sep 22 22:37:25.315061 2014] [mpm_winnt:notice] [pid 5304:tid 468] AH00455: Apache/2.4.10 (Win32) OpenSSL/1.0.1h configured -- resuming normal operations
[Mon Sep 22 22:37:25.315061 2014] [mpm_winnt:notice] [pid 5304:tid 468] AH00456: Apache Haus VC9 Server built: Jul 15 2014 20:34:18
[Mon Sep 22 22:37:25.315061 2014] [core:notice] [pid 5304:tid 468] AH00094: Command line: 'C:\\Apache24\\bin\\httpd.exe -d C:/Apache24'
[Mon Sep 22 22:37:25.317061 2014] [mpm_winnt:notice] [pid 5304:tid 468] AH00418: Parent: Created child process 3648
[Mon Sep 22 22:37:26.075104 2014] [ssl:warn] [pid 3648:tid 344] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Mon Sep 22 22:37:26.265115 2014] [mpm_winnt:notice] [pid 6612:tid 348] AH00364: Child: All worker threads have exited.
[Mon Sep 22 22:37:26.372121 2014] [ssl:warn] [pid 3648:tid 344] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Mon Sep 22 22:37:26.375121 2014] [mpm_winnt:notice] [pid 3648:tid 344] AH00354: Child: Starting 64 worker threads.
[Mon Sep 22 22:43:06.157556 2014] [autoindex:error] [pid 3648:tid 1052] [client ::1:53336] AH01276: Cannot serve directory C:/Apache24/htdocs/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
A configuration like this should work:
DocumentRoot "C:/www"
<Directory "C:/www">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Don't forget to restart the server after you have made any changes to your httpd.conf file. I would also try temporarily removing any existing .htaccess file located in the C:/www folder.
To check that the syntax of your configuration file is correct use the -t option:
httpd -t
You can also check the logs/error.log to get a better description of what went wrong.
References
Installing Apache 2.2 on Microsoft Windows
Firstly change the httpd.conf file
DocumentRoot "c:/www"
<Directory "c:/www">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
then open the "\conf\extra\httpd-vhosts.conf" file.
<VirtualHost *:80>
DocumentRoot "c:/Apache24/docs/dummy-host.example.com"
</VirtualHost>
To
<VirtualHost *:80>
DocumentRoot "C:\www"
</VirtualHost>
Finally, restart your Apache web server and you are good to go.

Local environment, User Level Root setup

I'm setting up this OSX Mavericks following this guide but I cannot get http://localhost/~giulio to work ('giulio' is this mac username).
Looks like it doesn't find the /users/giulio.conf
This is what's inside the /private/var/log/apache2/error_log
[Thu Feb 27 13:54:41 2014] [notice] caught SIGTERM, shutting down
[Thu Feb 27 13:54:48 2014] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
httpd: Could not reliably determine the server's fully qualified domain name, using iMac-di-Giulio.local for ServerName
[Thu Feb 27 13:54:48 2014] [notice] Digest: generating secret for digest authentication ...
[Thu Feb 27 13:54:48 2014] [notice] Digest: done
[Thu Feb 27 13:54:48 2014] [notice] Apache/2.2.24 (Unix) DAV/2 PHP/5.4.17 mod_ssl/2.2.24 OpenSSL/0.9.8y configured -- resuming normal operations
[Thu Feb 27 13:54:55 2014] [error] [client ::1] File does not exist: /Library/WebServer/Documents/index-maintenance.html
Solved by redoing the whole process and adding Servername Localhost
and adding the following code to the giulio.conf file in the users folder.
<Directory "/Users/giulio/Sites/">
Options FollowSymLinks
AllowOverride None
Order deny,allow
Allow from all
</Directory>
