Koozali.org: home of the SME Server

SME 10 iBay external access via http error AH01797: client denied by server conf

Offline RDMidtun

I am hit by the same bug and was wondering what is the best workaround? Should I try to patch the httpd.conf file with the correct syntax, or is there another way of doing it? JPP mentions creating an "apache-auth.conf.local file with an ignore regex", but I do not see how that can be done.

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
best way would be to update the fragments with the incriminated elements
Code:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

starting with 90e-smithAccess40ibays
Code:
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

then edit
Code:
vim /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays

reading this https://httpd.apache.org/docs/2.4/upgrading.html

and make all needed changes suggested


test for obvious errors
Code:
expand-template /etc/httpd/conf/httpd.conf
httpd -t

if this does not give any error you can do a live test to see that you are prevented from what you should be
Code:
systemctl restart httpd-e-smith
and when ok post here: https://bugs.koozali.org/show_bug.cgi?id=11774


if you have extra motivation you can also do :

./VirtualHosts/27ManagerProxyPass
./VirtualHosts/28phpkiProxyPass
./85HordeAccess
./96ProxyConf
./85ImpAccess
./85IngoAccess
./85TurbaAccess
./86MnemoAccess
./35ProxyPass
./86NagAccess
./98nextcloud
./85DefaultAccess
./85ServerResourcesAccess
./90e-smithAccess10icons
./95ProxyService
./87KronolithAccess
./80DenyHTAccess

Offline RDMidtun

best way would be to update the fragments with the incriminated elements

Thanks a lot for the fast response and detailed description of a solution! I will look into it as soon as possible, feed back my findings to the forum and update the bug report.

Offline RDMidtun

best way would be to update the fragments with the incriminated elements

Thanks again for the instructions JPP!

I did the following:
Code:
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
vim /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays
expand-template /etc/httpd/conf/httpd.conf
httpd -t
systemctl restart httpd-e-smith

The 90e-smithAccess40ibays has been changed in such a way that what used to be this fragment in httpd.conf:
Code:
<Directory /home/e-smith/files/ibays/familiealbum/html>
    SSLRequireSSL
    Options None
    Options +Indexes
    Options +Includes
    AllowOverride None
    order deny,allow
    deny from all
    allow from 127.0.0.1 192.168.185.0/255.255.255.0
    AuthName "Familie bilder"
    AuthType Basic
    AuthBasicProvider external
    AuthExternal pwauth
    require user familiealbum
    Satisfy any
</Directory>
Now looks like this:
Code:
<Directory /home/e-smith/files/ibays/familiealbum/html>
    SSLRequireSSL
    Options None
    Options +Indexes
    Options +Includes
    AllowOverride None
    Allow from 127.0.0.1 192.168.185.0/255.255.255.0
    AuthName "Familie bilder"
    AuthType Basic
    AuthBasicProvider external
    AuthExternal pwauth
    <RequireAny>
        Require user familiealbum
        Require ip 127.0.0.1 192.168.185.0/255.255.255.0
    </RequireAny>
</Directory>

The require block might be RequireAll depending on the config of the ibay.

By changing to the new syntax there is no more access_compat error in the httpd error log and fail2ban is no longer blocking the ibay.

I will update the bug report with this text and a version of my 90e-smithAccess40ibays file.
« Last Edit: March 28, 2022, 08:23:00 AM by RDMidtun »
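
A way to check an expanded httpd.conf for 2.2-style access directives that are still present, as an added example (not part of the original posts or of the SME Server code). The function names `find_compat_directives` and `write_sample` are hypothetical, the sample is built from the two blocks quoted in the post above, and the tracking of the enclosing block goes slightly beyond what the thread describes.

```shell
#!/bin/sh
# Added example: list Apache 2.2 access-control directives (served by
# mod_access_compat in 2.4) as  <line>:<enclosing block>:<directive>.
find_compat_directives() {
    awk '
        /^[ \t]*#/ { next }                       # skip comments
        /^[ \t]*<\/[A-Za-z]/ { if (depth > 0) depth--; next }   # </Block>
        /^[ \t]*<[A-Za-z]/ {                      # <Block args>
            blk = $0
            sub(/^[ \t]*</, "", blk); sub(/>[ \t]*$/, "", blk)
            stack[++depth] = blk
            next
        }
        {
            d = tolower($1); a = tolower($2)
            if (d == "order" || d == "satisfy" ||
                ((d == "allow" || d == "deny") && a == "from")) {
                txt = $0; sub(/^[ \t]+/, "", txt)
                printf "%d:%s:%s\n", NR, (depth ? stack[depth] : "(top level)"), txt
            }
        }
    ' "$1"
}

# Constructed sample: access-control lines of the two <Directory> blocks
# quoted in the thread (before and after the edit).
write_sample() {
    cat > "$1" <<'EOF'
<Directory /home/e-smith/files/ibays/familiealbum/html>
    order deny,allow
    deny from all
    allow from 127.0.0.1 192.168.185.0/255.255.255.0
    require user familiealbum
    Satisfy any
</Directory>
<Directory /home/e-smith/files/ibays/familiealbum/html>
    Allow from 127.0.0.1 192.168.185.0/255.255.255.0
    <RequireAny>
        Require user familiealbum
        Require ip 127.0.0.1 192.168.185.0/255.255.255.0
    </RequireAny>
</Directory>
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
find_compat_directives "$tmp"   # on a real server: /etc/httpd/conf/httpd.conf
rm -f "$tmp"
```

On the sample it reports the four old directives of the first block and the `Allow from` line that is still present in the second one.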

Offline Jean-Philippe Pialasse

great !

update with the fragment content, not the output of the fragment ;)

Offline RDMidtun

great !

update with the fragment content, not the output of the fragment ;)

If by that you mean the code fragment, I uploaded the 90e-smithAccess40ibays file as an attachment to the bug report, see https://bugs.koozali.org/attachment.cgi?id=6655.