Submitted by RyanJohnson on Thu, 01/08/2015 - 14:09
Hi guys,
I have our dev server running Virtualmin with Ubuntu 14.04 and by default we don't want any of the sites on our dev to be visible to the outside world. So in Server templates -> "Directives and settings for new websites" I removed "Require all granted" but it's still being placed into new sites. Is there somewhere else that this is configured?
Status:
Active
Comments
Submitted by JamieCameron on Thu, 01/08/2015 - 19:54 Comment #1
Currently, no .. this gets added automatically because it is needed in Apache 2.4+ for the website to be accessible. However, I can see your point - perhaps Virtualmin should only add this if there is no other existing Require directive, which I presume you have to allow certain IPs?
Submitted by RyanJohnson on Thu, 01/08/2015 - 21:10 Comment #2
Hi Jamie,
Thanks for getting back to me.
For our dev server users are hit with a global Basic Authentication box before they can access a site. Previously on our Debian server (apache 2.2) when I removed this attribute from the server template it honored it so it must be a 2.4 thing?? Now I just need my guys to remember to go and manually remove it.
Submitted by JamieCameron on Thu, 01/08/2015 - 23:17 Comment #3
Yes, this is special code added to support Apache 2.4.
The next Virtualmin release won't add this "Require all granted" if there is already some other "Request ... granted" directive.
Submitted by RyanJohnson on Thu, 01/08/2015 - 23:46 Comment #4
Oh great thank you!
Submitted by Issues on Thu, 01/22/2015 - 23:50 Comment #5
Automatically closed -- issue fixed for 2 weeks with no activity.
Submitted by RyanJohnson on Wed, 08/12/2015 - 19:43 Comment #6
Hi Jamie,
I'm just revisiting this issue as it appears to not have been implemented yet.
Thanks, Ryan
Submitted by JamieCameron on Thu, 08/13/2015 - 19:10 Comment #7
Are you running the latest Virtualmin release (version 4.18 ?)
Submitted by RyanJohnson on Thu, 08/13/2015 - 19:32 Comment #8
Thanks for getting back to me .. Yes I'm running 4.18
Submitted by JamieCameron on Sat, 08/15/2015 - 01:12 Comment #9
Can you post the full Apache config from one Virtualhost block, after domain creation? I'd like to see exactly which format of the "require" directive is being created.
Submitted by RyanJohnson on Sun, 08/16/2015 - 22:20 Comment #10
Hi Jamie,
Please see exact directives created with a new server:
SuexecUserGroup "#1080" "#1077"ServerName testdomain.com.au
ServerAlias testdomain.localnet
ServerAlias testdomain.neubreed.net
DocumentRoot /home/testdomain/public_html
ErrorLog /var/log/virtualmin/testdomain.com.au_error_log
CustomLog /var/log/virtualmin/testdomain.com.au_access_log combined
ScriptAlias /cgi-bin/ /home/testdomain/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/testdomain/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
AddHandler fcgid-script .php5.3
FCGIWrapper /home/testdomain/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/testdomain/fcgi-bin/php5.fcgi .php5
FCGIWrapper /home/testdomain/fcgi-bin/php5.3.fcgi .php5.3
</Directory>
<Directory /home/testdomain/cgi-bin>
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RemoveHandler .php
RemoveHandler .php5
RemoveHandler .php5.3
IPCCommTimeout 120
FcgidMaxRequestLen 1073741824
Submitted by JamieCameron on Sun, 08/16/2015 - 23:37 Comment #11
Ok .. in your template, what do you have instead of
Require all granted?I assume you have some kind of
requirestatement, or else it would be impossible to access the newly created sites.Submitted by RyanJohnson on Sun, 08/16/2015 - 23:43 Comment #12
I don't have anything, I removed it This is the template from the default server Template
ServerName ${DOM}ServerAlias ${PREFIX}.localnet
ServerAlias ${PREFIX}.neubreed.net
DocumentRoot ${HOME}/public_html
ErrorLog /var/log/virtualmin/${DOM}_error_log
CustomLog /var/log/virtualmin/${DOM}_access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory ${HOME}/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
</Directory>
<Directory ${HOME}/cgi-bin>
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
Submitted by JamieCameron on Mon, 08/17/2015 - 00:01 Comment #13
Wouldn't that prevent all access to the website though?
Submitted by RyanJohnson on Mon, 08/17/2015 - 00:21 Comment #14
That's what I want .. in my security.conf I have Basic Auth setup so that all sites need a password to see our dev. sites .. This keeps unwanted eyes and bots out of our development environment
Submitted by JamieCameron on Mon, 08/17/2015 - 20:54 Comment #15
So currently Virtualmin checks for a
Requireline withgrantedin the value, and if none is found it will add theRequire all granteddirective to support Apache 2.4 systems.The hack work-around in your case is to change the template to include the line
Require env grantedwhich will not grant access to anyone, but will prevent Virtualmin from adding that line to the template.Submitted by RyanJohnson on Mon, 08/17/2015 - 21:54 Comment #16
Thanks Jamie,
I'll give that a shot ..My alternative was to do a cron sed replace in all conf file periodically .. but this seems like a better solution
Thanks for your help.