Raspbx: .htaccess files are disabled

andy_woolford · January 9, 2017, 3:57am

What appears like a fairly obvious solution, is evading me on a Debian (Jessie) based Raspbx (FreePBX 13).

.htaccess files are disable on this webserver. Please enable them

I have checked the /etc/apache2/sites-enabled/000-default.conf and can confirm that AllowOverrides is set to All in every possible statement.

mod.env and mod.rewrite are both enabled.

The test appears to be made by a “SetEnv HTACCESS on” statement in the .htaccess file itself. I have verified the .htaccess file is being parsed (because I can generate a 500 server error by typing junk into the file).

So having googled extensively, the only similar issues all point back to the AllowOverrides variable and I am now out of ideas.

I have reinstalled the framework and refreshed signatures, restarted apache2 and even performed a dist-upgrade followed by a system reboot. No difference.

Any suggestions?

Many thanks

Andy

xrobau · January 9, 2017, 5:45am

I’d just add it manually to your 000-default.conf file -it’s obviously being overwritten somewhere.

<Directory /var/www/html/admin>
  AllowOverrides all
</Directory>

andy_woolford · January 9, 2017, 11:34am

I appreciate the suggestion, but I don’t think that’s it because (as I mentioned above) the .htaccess file is actually being parsed.

Anyway, here is my 000-default.conf file after adding your code for the /var/www/html/admin directory:

<VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www/html
<Directory />
	Options Indexes FollowSymLinks
	AllowOverride All
</Directory>
<Directory /var/www/html>
	Options Indexes FollowSymLinks MultiViews
	AllowOverride All
	Order allow,deny
	Allow from all
</Directory>

<Directory /var/www/html/admin>
AllowOverrides all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
	AllowOverride None
	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
	Order allow,deny
	Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

Sorry to say, there is still no change in the output:

xrobau · January 9, 2017, 4:45pm

That syntax is incorrect for Apache 2.4 - isn’t that what you’re using? It should be ‘Require all granted’

andy_woolford · January 9, 2017, 6:32pm

Hi Rob,

Thanks again for the assistance. You are right. Server version: Apache/2.4.10 (Raspbian)

However, although deprecated, the syntax is still supported for compatibility. According to the Apache documentation, mod_access_compat was created to support configurations containing only old directives to facilitate the 2.4 upgrade, although mixed configurations aren’t recommended.

“Require all granted” replaces the statements:

Order allow,deny
Allow from all

If this wasn’t working, then I would expect a different error, like:

"error.log - AH01797: client denied by server configuration: /var/www/html/admin..."

, but I don’t get that.

The Apache documentation for 2,4 does say this:

“Errors serving requests:
configuration error: couldn’t check user: /path - load module mod_authn_core.
.htaccess files aren’t being processed - Check for an appropriate AllowOverride directive; the default changed to None in 2.4.”

Any error with the AllowOverride directive should result in the .htaccess file not being parsed at all. But as you can see in my earlier post above, it is set to “All” and I know that the .htaccess file is being parsed because if I type a junk string like “hello” into the .htaccess file, then I get a server 500 error, (which goes away if the junk is removed).

Just to prove it to myself, I have now included “Require all granted” in the 000-default.conf file. No difference I’m afraid.

Within the .htaccess file, is the following statement:

# This is here to present a warning in the GUI if it's not parsed. If this isn't parsed,
# you need to manually add these blocks to however you're managing ACLs on your web server
SetEnv HTACCESS on

I suspect that either it isn’t being set, or the test in config.php to see if it is actually set is failing - but I don’t know how to debug this.

xrobau · January 9, 2017, 7:32pm

I don’t believe that’s correct. I think it’ll be PARSED, but only allowed sections will be included.

Also, I noticed that you pasted my typo (AllowOverrides) and apache didn’t crash.

Therefore, I’m suspecting that the file you’re editing is not the file that Apache is loading.

andy_woolford · January 10, 2017, 5:08am

oops… I will correct that and see if it makes a difference.

I have discovered something else though…

I looked at the phpinfo page and noted that I am running PHP 5.6. This is an upgrade from the original packaged PHP version 5.4, probably upgraded at the same time as Apache 2.4 when I ran apt-get dist-upgrade. I have another Raspbx system which is not upgraded which has Apache/2.2.22 (Debian) and PHP 5.4 installed, and which does not show this error. Incidentally, the default server configuration files are the same as above, (without your addition).

The last section of the phpinfo page lists the PHP Variables which includes:

_SERVER["HTACCESS"] on

This is the variable that is set in the .htaccess file with the SetEnv HTACCESS on statement.

Accordingly I am pretty convinced that AllowOverride All in the 000-default.conf file is working as expected and that the .htaccess file is being read.

Therefore, I am wondering if there is some other change in PHP 5.6 which has broken the test in the config.php page?

andy_woolford · January 13, 2017, 1:38pm

Okay Rob, I have corrected the typo, but it hasn’t made any difference.

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/html

        <Directory /var/www/html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
                Require all granted
        </Directory>

        <Directory /var/www/html/admin>
                AllowOverride All
                Require all granted
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
                Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

So, to test your theory that the file is not being loaded by Apache, I set all of the above to AllowOverride None.

The effect of this is most interesting…

on the Dashboard page I now receive TWO warnings about .htaccess files being disabled. One of these I can clear by clicking the “-” button. The other I cannot. In both cases (None and All) also have a banner message which says:

! Security Issue !

.htaccess files are disable on this webserver. Please enable them
This is a critical issue and should be resolved urgently.

The previously mentioned PHP Variable: _SERVER[“HTACCESS”] is now missing from the phpinfo page, which implies it is no longer set.

Summary:

Putting the file as above (AllowOverride All) then the second .htaccess warning is cleared. The remaining one still does not go if I click on the “-” button, and the ! Security Issue ! text banner is still displayed.

The banner and the warnings can all be cleared if I click the “Show New” button, but reappear if I click on “Show All”.

I’m sorry if this getting tedious, but I would very much appreciate any further insights you may have about how this warning might be displayed in error on the config.php (Dashboard) page.

Kind regards

Andy

andy_woolford · February 2, 2017, 7:06am

Just bumping the issue.

This is still not resolved.

Any further ideas please?

Regards

Andy

vespino · February 2, 2017, 8:00am

Off topic: did you update this installation to Asterisk 13 by hand?

andy_woolford · February 4, 2017, 12:21pm

The version of Asterisk is:

Asterisk 11.25.1

FreePBX is at version 13 and as I recall, I followed the track upgrade instructions. This problem is relatively new though. I did also recently perform a raspbx dist-upgrade but am starting to suspect my version of PHP is incompatible as I can’t see what else would cause this to fail apart from Database corruption maybe?

Andy