ISPConfig: Getting 403 Forbidden Errors with Attempting to Login to Admin Pages
I have had a server running ISPConfig 2.x for quite some time and have been wanting to make the transition to ISPConfig 3.x as soon as I had a chance. That chance presented itself earlier this weekend and I am glad to say there were no major issues thanks to the amazing how to from Falco at HowToForge. After the installation and bringing numerous sites back online I had some outside the normal installation steps to complete. These steps included things like installing/configuring SNMP, installing/configure Nagios, etc.
All appeared well when I went to sleep meaning the servers seemed to all check out when was finished and ready to catch some sleep. Anyways when I logged on the following day to check all of the sites all was still functional besides a small DNS configuration error I had made with one sub domain which was not a big deal.
Later I logged on again but this time I was adding a new site and I got a “Page Cannot Be Displayed” error when attempting to open http://server1.example.com:8080/ which should have be redirecting me right to the admin section. To be more specific I was getting a 403 Forbidden error meaning I did not have access to this page and/or directory. I was baffled since this had been working fine after installation. The Apache logs with the 403 Forbidden errors didn’t provide any more clues but I included them below so you can see if your issues is similar.
Apache ISPConfig Admin 403 Forbidden Error Log Example:
[Sun Jul 12 06:29:24 2009] [error] [client 192.168.1.100] (13)Permission denied: access to / denied [Sun Jul 12 06:29:27 2009] [error] [client 192.168.1.100] (13)Permission denied: access to / denied [Sun Jul 12 06:29:46 2009] [error] [client 192.168.1.100] (13)Permission denied: access to / denied
So with little to do on in any of the logs I had investigated I decided to retrace my footsteps to see where and when the error might have occurred. I knew I had made a modification to httpd.conf so i decided to start there in case I had inadvertently added a configuration option that was telling Apache to block the admin directory. After double checking the Apache config files in /etc/httpd/conf and /etc/httpd/conf.d I was unable to find anything. Next I decided to open permissions on the /usr/local/ispconfig/interface/web directory by issuing the below command. First I backed up the currently directory and permissions using the first command and the second command was to allow Read/Write/Execute to all directories.
Backup ISPConfig “web” Directory and Then Open Up Permissions:
cp -pR /usr/local/ispconfig/interface/web /usr/local/ispconfig/interface/web.orig chmod -R 777 /usr/local/ispconfig/interface/web
When I refreshed the admin page it came up immediately. This obviously indicated a permissions problem of some sort but the correct way to fix things was not to leave it with open access to the world so I investigated further. First off I copied the web.orig directory back so I could verify when I had corrected the issue the proper way.
I decided to investigate the extra packages I had installed after the ISPConfig setup was complete. One of those packages was Nagios from rpmforge so I started there. One of the things that the package configures is a user and group named nagios. When I took a look into the /etc/group file I noticed that apache was a member of the nagios group but no longer a member of the ispconfig group. I then added apache to the ispconfig group which would look like the below.
Correct ISPConfig Group File Configuration:
I refreshed the page after adding apache to the ispconfig group and the admin page appeared instantly so problem solved. I can only assume that something about the nagios package accidentally removed apache from the ispconfig group access. I assume that this could happen with other packages so if You are getting 403 Forbidden errors only when visiting the ISPConfig administration section you should verify that apache is in the ispconfig group.
Hope that helps.