Trying to upload files to web server results in: authz_core:error AH01630 client denied by server configuration

Hello Folks!

Operating system CentOS Linux 7.1.1503
Virtualmin version 4.18.gp
Webmin version 1.770
httpd-2.4.6-31.el7.centos.1.vm.x86_64

History: All domains in Virtualmin were migrated from CentOS 6 to CentOS 7 two months ago. CentOS 6/Virtualmin were at up-to-date versions at that time. All seemed fine and everything has been working as before until now.

A customer calls in and says they can no longer upload images in WordPress. In that domain's log file is this:

[root@green logs]# tail /var/log/virtualmin/chinashop.se_error_log
[Fri Dec 11 23:18:54.047918 2015] [fcgid:warn] [pid 24018] (32)Broken pipe: [client XX.XXX.XXX.XX:51672] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function, referer: http://chinashop.se/wp-admin/customize.php?return=%2Fwp-admin%2Fthemes.php
[Sat Dec 12 15:47:13.597380 2015] [authz_core:error] [pid 9087] [client XX.XXX.XXX.XX:53244] AH01630: client denied by server configuration: /home/domains/chinashop/public_html/wp-content/plugins/akeebabackupwp-core/app/backups/index.html, referer: http://chinashop.se/wp-admin/admin.php?page=akeebabackupwp-core%2Fakeebabackupwp.php

Searching around, it was found that a new attribute was added in Apache, "Require All Granted", to secure it a little more.

Checking the Apache configuration for that domain, the new attribute is there, so why does it behave like this?

<VirtualHost 10.30.0.23:80>
SuexecUserGroup "#509" "#508"
ServerName chinashop.se
ServerAlias www.chinashop.se
ServerAlias webmail.chinashop.se
ServerAlias admin.chinashop.se
DocumentRoot /home/domains/chinashop/public_html
ErrorLog /var/log/virtualmin/chinashop.se_error_log
CustomLog /var/log/virtualmin/chinashop.se_access_log combined
ScriptAlias /cgi-bin/ /home/domains/chinashop/cgi-bin/
ScriptAlias /awstats/ /home/domains/chinashop/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/domains/chinashop/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php5.5
FCGIWrapper /home/domains/chinashop/fcgi-bin/php5.5.fcgi .php
FCGIWrapper /home/domains/chinashop/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/domains/chinashop/fcgi-bin/php5.5.fcgi .php5.5
Require all granted
</Directory>
<Directory /home/domains/chinashop/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.chinashop.se
RewriteRule ^(.*) https://chinashop.se:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.chinashop.se
RewriteRule ^(.*) https://chinashop.se:10000/ [R]
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.5
php_admin_value engine Off
IPCCommTimeout 31
FcgidMaxRequestLen 1073741824
<Files awstats.pl>
AuthName "chinashop.se statistics"
AuthType Basic
AuthUserFile /home/domains/chinashop/.awstats-htpasswd
require valid-user
</Files>
Alias /dav /home/domains/chinashop/public_html
<Location /dav>
DAV on
AuthType Basic
AuthName "chinashop.se"
AuthUserFile /home/domains/chinashop/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5
RewriteEngine off
</Location>
<Directory "/home/domains/chinashop/public_html/phpmyadmin">
allow from 10.0.0.0/8
allow from 172.16.0.0/16
allow from 192.168.0.0/16
deny from all
</Directory>
</VirtualHost>

Looking in System Settings > Server Templates > Apache Website, one can see that the new attribute is not there in the template.

Looking at the domain in virtualmin, services -> configure website -> "public_html" -> Edit directives:
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php5.5
FCGIWrapper /home/domains/chinashop/fcgi-bin/php5.5.fcgi .php
FCGIWrapper /home/domains/chinashop/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/domains/chinashop/fcgi-bin/php5.5.fcgi .php5.5
Require all granted

What is wrong here? Has the migration failed? What needs to be done?

Status: Active

Comments

Howdy -- you do appear to have all the correct "Require all granted" lines.

If the "Require all granted" line weren't working, you also wouldn't be able to access the site via other means. It wouldn't just be a problem with uploading images.

So I think that part is working as expected.

My suggestion would be to look at .htaccess files, to see if any of them are causing problems.

That attribute does not show up in Server Templates, as it is added in automatically when the domain is created.

One thing you could try, just to rule out some unusual caching issues, is to go into Server Configuration -> Website Options, and see if changing the PHP Execution Mode to "CGI" helps, or produces additional or improved error messages.

Hello Andreychek!

I am sorry to say it did not work out anyway.

Where are the logs to look in? We did not find any error at all in /home/domains/chinashop/logs/error_log

Are there more logs? Can we increase logging? Is there some generic place in Apache which can cause this error?

We looked over all the .htaccess files in the domain we are looking at; they all have some logic to deal with the different Apache versions:

Order deny,allow
Deny from all
Require all denied

We did also test to change to CGI wrapper (run as virtual server owner) instead.

After the failed test we changed back to FCGId (run as virtual server owner) again.

Hello Folks!

As you can see, there is a problem while uploading files using WordPress (authz_core:error AH01630). Yet unsolved, same error all the time whatever we try....

There turned out to be more to it, and it became a real mess with Apache after migrating domains to a newer server running Apache 2.4 using the Virtualmin backup and restore.

It seems like the originally generated Allow from IP/mask also fully failed to convert automatically (if they should). In order to get it working we had to sed all the http.conf to obtain the below result. This example snippet shows phpmyadmin; it also goes for home/domains/chinashop/public_html/wp-admin and some other paths.

I had to comment out all allow from ip/subnetmask and replace them with require ip ip/subnetmask. I had to include it as a file because it did not look OK in this forum; see attached file.

This actually started to work after doing it, but file uploads are still not possible.

Hello Folks!

More findings: neither Virtualmin nor Webmin seems to support Apache 2.4 Require ip ip/subnetmask.

When looking in one domain -> Services -> Configure Website -> Per directory options -> Access control, the listed Require ip is not there; the list is empty... see picture 13:31:22. I expected to see the list from 13:22.

What is going on here?

That's a good catch, I'm glad you were able to get it working!

While Virtualmin does indeed add in a "Require All Granted" line when using Apache 2.4, it doesn't actually convert all older Apache 2.2 commands to Apache 2.4.

Syntax that is specific to Apache 2.2 would typically need to be manually converted to work within Apache 2.4.

As far as Virtualmin supporting the access control syntax though -- I'll make sure Jamie takes a look at your images, as he may have some thoughts on that.

That UI glitch with "0" appearing will be fixed in the next Webmin release.
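
As an added example (not part of the thread and not Virtualmin's code): a small Python converter for the manual Apache 2.2-to-2.4 access-control conversion discussed above, run on the phpmyadmin block quoted in the first post. It assumes Order defaults to Deny,Allow (the mod_access_compat default), rewrites only containers that hold no nested container, and leaves anything it cannot map to a single Require line (Satisfy, selective Deny, hostnames) untouched and reports it; the names `decide` and `convert` are hypothetical.

```python
import re

LEGACY = re.compile(r"^\s*(order|allow|deny|satisfy)\s+(?:from\s+)?(.+?)\s*$", re.I)
REQ = re.compile(r"^\s*require\s", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}(/\d{1,2})?$")  # anything else: manual review
BLOCK = re.compile(r"^([ \t]*<(\w+)[^>\n]*>\n)((?:(?![ \t]*<).*\n)*)([ \t]*</\2>)", re.M | re.I)

def decide(legacy):
    """Map one container's Order/Allow/Deny lines to a Require line; None = unsure."""
    st = {"allow": [], "deny": [], "order": "deny,allow", "satisfy": ""}
    for line in legacy:
        kind, val = (g.lower() for g in LEGACY.match(line).groups())
        st[kind] = st[kind] + val.split() if kind in ("allow", "deny") else val
    allow, deny, allow_first = st["allow"], st["deny"], st["order"] == "allow,deny"
    if (st["satisfy"] or st["order"] not in ("deny,allow", "allow,deny")
            or deny not in ([], ["all"])):
        return None  # Satisfy, mutual-failure or selective Deny: convert by hand
    if deny and (allow_first or not allow):
        return "Require all denied"
    if not deny and not allow:
        return "Require all denied" if allow_first else "Require all granted"
    if "all" in allow:
        return "Require all granted"
    if (deny or allow_first) and all(IPV4.match(a) for a in allow):
        return "Require ip " + " ".join(allow)
    return None  # hostnames, env=..., or Allow with no Deny under Deny,Allow

def convert(text):
    """Rewrite leaf containers; return (new_text, containers left for manual review)."""
    notes = []
    def repl(m):
        body = m.group(3).splitlines()
        legacy = [ln for ln in body if LEGACY.match(ln)]
        have = [" ".join(ln.lower().split()) for ln in body if REQ.match(ln)]
        req = decide(legacy) if legacy else None
        if req and (not have or req.lower() in have):
            body = [ln for ln in body if not LEGACY.match(ln)]
            body += [] if req.lower() in have else [req]
        elif legacy:  # unsure, or an existing Require says something different
            notes.append(m.group(1).strip())
        return m.group(1) + "".join(ln + "\n" for ln in body) + m.group(4)
    return BLOCK.sub(repl, text), notes

# Sample input: the phpmyadmin block quoted in the first post of the thread.
SAMPLE = ('<Directory "/home/domains/chinashop/public_html/phpmyadmin">\n'
          "allow from 10.0.0.0/8\nallow from 172.16.0.0/16\n"
          "allow from 192.168.0.0/16\ndeny from all\n</Directory>\n")

if __name__ == "__main__":
    print(*convert(SAMPLE), sep="\n")
```

A container that already carries a different Require is reported rather than rewritten, because several Require lines outside a `<RequireAll>` block are combined as any-of and a second one could widen access. Check the result with `apachectl configtest` before reloading.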