<< Access forbidden in GRAV installation >>

I am trying to install the content manager system GRAV on a server running Leap 15.2.

In the web root directory (/srv/www/htdocs), I created a folder called *site* and put inside it all the files from GRAV. This folder is owned, recursively, by wwwrun:www.

When accessing the server with https://server-address/site, I am getting the access forbidden message (error 403).

As part of the GRAV installation, there is a .htaccess file. If I remove it, access works normally. The content of that file is:


<IfModule mod_rewrite.c>

RewriteEngine On

## Begin RewriteBase
# If you are getting 500 or 404 errors on subpages, you may have to uncomment the RewriteBase entry
# You should change the '/' to your appropriate subfolder. For example if you have
# your Grav install at the root of your site '/' should work, else it might be something
# along the lines of: RewriteBase /<your_sub_folder>
##

# RewriteBase /

## End - RewriteBase

## Begin - X-Forwarded-Proto
# In some hosted or load balanced environments, SSL negotiation happens upstream.
# In order for Grav to recognize the connection as secure, you need to uncomment
# the following lines.
#
# RewriteCond %{HTTP:X-Forwarded-Proto} https
# RewriteRule .* - [E=HTTPS:on]
#
## End - X-Forwarded-Proto

## Begin - Exploits
# If you experience problems on your site block out the operations listed below
# This attempts to block the most common type of exploit `attempts` to Grav
#
# Block out any script trying to use twig tags in URL.
RewriteCond %{REQUEST_URI} ({{|}}|{%|%}) [OR]
RewriteCond %{QUERY_STRING} ({{|}}|{%25|%25}) [OR]
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Exploits

## Begin - Index
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
## End - Index

## Begin - Security
# Block all direct access for these folders
RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
# Block access to specific file types for these system folders
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block access to specific file types for these user folders
RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files:
RewriteRule \.md$ error [F]
# Block all direct access to files and folders beginning with a dot
RewriteRule (^|/)\.(?!well-known) - [F]
# Block access to specific files in the root folder
RewriteRule ^(LICENSE\.txt|composer\.lock|composer\.json|\.htaccess)$ error [F]
## End - Security

</IfModule>

# Begin - Prevent Browsing and Set Default Resources
Options -Indexes
DirectoryIndex index.php index.html index.htm
# End - Prevent Browsing and Set Default Resources 


Running

a2enmod rewrite

returns

"rewrite" already present

Also, I tested running PHP code on the webserver and it is ok.

In another installation, I followed a similar procedure on a server running Debian, without any issue. So, now I am lost.

I appreciate any help.

Regards,

Camps

Any ideas?

Not here I am afraid.

Just to inform you that your question is read.

I think the problem is that there are no other GRAV users here in the first place. That wouldn’t stop people from studying your case and helping if they can, but I am afraid that your .htaccess file is rather convoluted and strongly bound to what GRAV is for. I have seen .htaccess specifications of 5 to 10 lines, but this is a complete program and it is not easy to understand what it should do.

Thank you.

The thing that makes me think that it is a problem only related to OpenSUSE is that I did the same installation on another server running Debian without any issue. That installation was in a virtual machine that turned out to be corrupted :(.

I’m familiar with GRAV but I haven’t ever run it on OpenSUSE before. I suspect that the Apache error log may show more information about the issue. Are you seeing any errors there?

The .htaccess file you have is the default GRAV .htaccess file. It’s not that complex if you look at it. It’s basically just a couple of things. Some security rules and some standard rules for using “pretty permalinks”. Just to eliminate that, have you tried loading the index.php file while the .htaccess file is not there or disabled/renamed?

The Apache error_log showed no error when accessing the site. I only have some warnings after restarting Apache:

[Tue May 25 17:43:11.149247 2021] [mpm_prefork:notice] [pid 32377] AH00163: Apache/2.4.43 (Linux/SUSE) OpenSSL/1.1.1d PHP/7.4.6 configured -- resuming normal operations
[Tue May 25 17:43:11.149326 2021] [core:notice] [pid 32377] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -D SSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'
[Tue May 25 17:44:27.537378 2021] [mpm_prefork:notice] [pid 32377] AH00170: caught SIGWINCH, shutting down gracefully
PHP Warning: Module 'curl' already loaded in Unknown on line 0
PHP Warning: Module 'mbstring' already loaded in Unknown on line 0
PHP Warning: Module 'openssl' already loaded in Unknown on line 0
PHP Warning: Module 'zip' already loaded in Unknown on line 0
[Tue May 25 17:44:27.640238 2021] [mpm_prefork:notice] [pid 32411] AH00163: Apache/2.4.43 (Linux/SUSE) OpenSSL/1.1.1d PHP/7.4.6 configured -- resuming normal operations
[Tue May 25 17:44:27.640318 2021] [core:notice] [pid 32411] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -D SSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SYSTEMD -D FOREGROUND'

The Apache access_log only showed the following:


186.193.97.29 - - [26/May/2021:14:37:50 -0300] "GET /site/ HTTP/1.1" 403 1000
186.193.97.29 - - [26/May/2021:14:37:52 -0300] "GET /favicon.ico HTTP/1.1" 200 302

Yes, if I remove/rename the .htaccess, I can access the folder in the server without any issues. I have other folders (without .htaccess) with different stuff that are working fine.

Also, I ran the test suggested here, about using a test .htaccess file, but I got the same error.

I have a hunch that the issue is with the following line in the .htaccess file.

Options -Indexes

Try removing that from the file and see if that helps.

I removed… nothing changed ;(

That’s too bad! I would need to run some testing to find out what the culprit is but I don’t have time right now. The first thing we need to do is find out exactly which directive is causing the issue. Then we can figure out why.

To do that I would break the rules up into sections and add each section one at a time to find out exactly where the issue is. For example, here is one section:

RewriteEngine On
RewriteCond %{REQUEST_URI} ({{|}}|{%|%}) [OR]
RewriteCond %{QUERY_STRING} ({{|}}|{%25|%25}) [OR]
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F]

And here is another section:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]

The following section consists of individual rules that can be tested individually.

RewriteEngine On
RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
RewriteRule \.md$ error [F]
RewriteRule (^|/)\.(?!well-known) - [F]
RewriteRule ^(LICENSE\.txt|composer\.lock|composer\.json|\.htaccess)$ error [F]

Let us know exactly which rule is causing the issue and that might shed some light on it.

All rules fail!

Just for testing, I changed

RewriteEngine On

to

RewriteEngine Off

and the forbidden message went away, but I got a blank page.

Finally got a chance to test this and was able to get it working just fine. I used a default install of Leap 15.2 with Apache and PHP installed (from the pattern mostly). I did have to modify the following file to get it working correctly though.
/etc/apache2/default-server.conf

I modified the following options to get it working.

Options SymLinksIfOwnerMatch
AllowOverride All

You may be able to limit that down further. I didn’t test that part. Was just trying to help you get it going first.

Hopefully that helps :)
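
An added example, not part of the original posts or of Grav's own code: one way to narrow `AllowOverride All` is to derive the override classes from the directives the .htaccess actually uses. The directive-to-class table follows the "Override:" field of each directive's Apache 2.4 documentation entry; the helper name `required_overrides` and the shortened sample file are constructed for illustration.

```python
# Override class per directive, from the "Override:" field of each
# directive's entry in the Apache 2.4 documentation.
OVERRIDE_CLASS = {
    "rewriteengine": "FileInfo", "rewritebase": "FileInfo",
    "rewritecond": "FileInfo", "rewriterule": "FileInfo",
    "directoryindex": "Indexes", "options": "Options",
}

# Constructed sample: a shortened copy of the Grav .htaccess quoted in this thread.
SAMPLE_HTACCESS = r"""
<IfModule mod_rewrite.c>
RewriteEngine On
# RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php [L]
RewriteRule \.md$ error [F]
</IfModule>
Options -Indexes
DirectoryIndex index.php index.html index.htm
"""

def required_overrides(htaccess_text):
    """Hypothetical helper: return (AllowOverride line, uses_rewrite, unknown)."""
    classes, option_names, unknown = set(), set(), set()
    uses_rewrite = False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # blank line, comment, or <IfModule> container tag
        name, _, args = line.partition(" ")
        cls = OVERRIDE_CLASS.get(name.lower())
        if cls is None:
            unknown.add(name)  # not in the table: check its docs by hand
        elif cls == "Options":
            # "Options -Indexes" only needs Indexes to be overridable
            option_names.update(a.lstrip("+-") for a in args.split())
        else:
            classes.add(cls)
            uses_rewrite = uses_rewrite or name.lower().startswith("rewrite")
    parts = sorted(classes)
    if option_names:
        parts.append("Options=" + ",".join(sorted(option_names)))
    return "AllowOverride " + (" ".join(parts) or "None"), uses_rewrite, sorted(unknown)

if __name__ == "__main__":
    line, uses_rewrite, unknown = required_overrides(SAMPLE_HTACCESS)
    print(line)
    if uses_rewrite:
        print("Directory also needs Options FollowSymLinks or SymLinksIfOwnerMatch")
```

For the sample this yields `AllowOverride FileInfo Indexes Options=Indexes`; the second return value flags that mod_rewrite in .htaccess context also needs `FollowSymLinks` or `SymLinksIfOwnerMatch` enabled for the directory, which the `Options SymLinksIfOwnerMatch` line above provides.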

That did the trick and the server is up!!!

Thank you very much for your time and dedication @rootetsy!