I am trying to install the content manager system GRAV on a server running Leap 15.2.
In the web root directory (/srv/www/htdocs), I created a folder called *site* and put inside it all the files from GRAV. This folder is owned, recursively, by wwwrun:www.
When accessing the server with https://server-address/site, I am getting the access forbidden message (error 403).
As part of the GRAV installation, there is a .htaccess file. If I remove it, access works normally. The content of that file is:
<IfModule mod_rewrite.c>
RewriteEngine On
## Begin RewriteBase
# If you are getting 500 or 404 errors on subpages, you may have to uncomment the RewriteBase entry
# You should change the '/' to your appropriate subfolder. For example if you have
# your Grav install at the root of your site '/' should work, else it might be something
# along the lines of: RewriteBase /<your_sub_folder>
##
# RewriteBase /
## End - RewriteBase
## Begin - X-Forwarded-Proto
# In some hosted or load balanced environments, SSL negotiation happens upstream.
# In order for Grav to recognize the connection as secure, you need to uncomment
# the following lines.
#
# RewriteCond %{HTTP:X-Forwarded-Proto} https
# RewriteRule .* - [E=HTTPS:on]
#
## End - X-Forwarded-Proto
## Begin - Exploits
# If you experience problems on your site block out the operations listed below
# This attempts to block the most common type of exploit `attempts` to Grav
#
# Block out any script trying to use twig tags in URL.
RewriteCond %{REQUEST_URI} ({{|}}|{%|%}) [OR]
RewriteCond %{QUERY_STRING} ({{|}}|{%25|%25}) [OR]
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Exploits
## Begin - Index
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
## End - Index
## Begin - Security
# Block all direct access for these folders
RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
# Block access to specific file types for these system folders
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block access to specific file types for these user folders
RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files:
RewriteRule \.md$ error [F]
# Block all direct access to files and folders beginning with a dot
RewriteRule (^|/)\.(?!well-known) - [F]
# Block access to specific files in the root folder
RewriteRule ^(LICENSE\.txt|composer\.lock|composer\.json|\.htaccess)$ error [F]
## End - Security
</IfModule>
# Begin - Prevent Browsing and Set Default Resources
Options -Indexes
DirectoryIndex index.php index.html index.htm
# End - Prevent Browsing and Set Default Resources
Running
a2enmod rewrite
returns
"rewrite" already present
Also, I tested running PHP code on the webserver and it is ok.
In another installation, I followed a similar procedure on a server running Debian, without any issue. So, now I am lost.
I think the problem is that there are no other GRAV users here in the first place. That wouldn’t stop people from studying your case and helping if they can, but I am afraid that your .htaccess file is rather convoluted and strongly bound to what GRAV is for. I have seen .htaccess specifications of 5 to 10 lines, but this is a complete program and it is not easy to understand what it should do.
The thing that makes me think that it is a problem only related to OpenSUSE is that I did the same installation on another server running Debian without any issue. That installation was in a virtual machine that turned out to be corrupted :(.
I’m familiar with GRAV but I haven’t ever run it on OpenSUSE before. I suspect that the Apache error log may show more information about the issue. Are you seeing any errors there?
The .htaccess file you have is the default GRAV .htaccess file. It’s not that complex if you look at it. It’s basically just a couple of things. Some security rules and some standard rules for using “pretty permalinks”. Just to eliminate that, have you tried loading the index.php file while the .htaccess file is not there or disabled/renamed?
Yes, if I remove/rename the .htaccess, I can access the folder in the server without any issues. I have other folders (without .htaccess) with different stuff that are working fine.
Also, I ran the test suggested here, about using a test .htaccess file, but I got the same error.
That’s too bad! I would need to run some testing to find out what the culprit is but I don’t have time right now. The first thing we need to do is find out exactly which directive is causing the issue. Then we can figure out why.
To do that I would break the rules up into sections and add each section one at a time to find out exactly where the issue is. For example, here is one section:
Finally got a chance to test this and was able to get it working just fine. I used a default install of Leap 15.2 with Apache and PHP installed (from the pattern mostly). I did have to modify the following file to get it working correctly though.
/etc/apache2/default-server.conf
I modified the following options to get it working.
Options SymLinksIfOwnerMatch
AllowOverride All
You may be able to limit that down further. I didn’t test that part. Was just trying to help you get it going first.
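One way to limit that down, as an added example that is not part of the original posts and was not tested on Leap 15.2: apply the change only to the Grav folder and allow only the override classes that the .htaccess shown in the question uses. The block's location in default-server.conf is an assumption; /srv/www/htdocs/site is the path from the question.

```apache
# Added example (untested): scope the change to the Grav folder instead of
# relaxing the whole document root.
# Assumed location: /etc/apache2/default-server.conf, after the existing
# <Directory "/srv/www/htdocs"> block, so access control is inherited from it.
<Directory "/srv/www/htdocs/site">
    # mod_rewrite rules in a .htaccess file are refused with 403 unless
    # FollowSymLinks or SymLinksIfOwnerMatch is enabled for the directory.
    # The owner-match variant only follows a link when the link and its
    # target have the same owner.
    Options SymLinksIfOwnerMatch

    # Override classes needed by the directives in the Grav .htaccess:
    #   FileInfo        -> RewriteEngine, RewriteCond, RewriteRule
    #   Indexes         -> DirectoryIndex
    #   Options=Indexes -> "Options -Indexes", and no other option
    AllowOverride FileInfo Indexes Options=Indexes
</Directory>
```

Reload Apache after the change. If a request then returns 500 instead of 403, the Apache error log names the .htaccess directive that the AllowOverride list does not permit.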