[SOLVED] Error 403 Forbidden - You don't have permission... otrs/installer.pl

[SuperDOS]

I'm planning to migrate our OTRS-system from SLES 11 x64 to OpenSuSe 13.2.
I've followed the OTRS manual and installed otrs 4.0.7 and trying to run installer.pl

but get:
Forbidden

You don't have permission to access /otrs/installer.pl on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

I've run /opt/otrs/bin/otrs.SetPermissions.pl --web-group=www --otrs-user=otrs /opt/otrs/

here's the apache2 error log:

Code: Select all

[ssl:warn] [pid 2443] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[mpm_prefork:notice] [pid 2443] AH00163: Apache/2.4.10 (Linux/SUSE) OpenSSL/1.0.1k-fips configured -- resuming normal operations
[core:notice] [pid 2443] AH00094: Command line: '/usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -D SYSTEMD -D FOREGROUND'
[authz_core:error] [pid 2462] [client 192.168.10.67:57492] AH01630: client denied by server configuration: /opt/otrs/bin/cgi-bin/installer.pl
[mpm_prefork:notice] [pid 2443] AH00170: caught SIGWINCH, shutting down gracefully

Here's the apache2 modules loaded, defined in /etc/sysconfig/apache2:

Code: Select all

"actions alias auth_basic authn_file authz_host authz_groupfile authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir php5 reqtimeout authn_core authz_core mod_perl headers deflate filter"

Could it be that mod_perl isn't working?

Code: Select all

httpd2 -l
Compiled in modules:
  core.c
  mod_access_compat.c
  mod_so.c
  http_core.c
  prefork.c
  mod_unixd.c
  mod_systemd.c

It's installed throught yast but can't see it when i run httpd2 -l

Also if I run /opt/otrs/scripts/apache2-perl-startup.pl
I get:

Code: Select all

[Wed Apr  1 12:35:48 2015] apache2-perl-startup.pl: Use of uninitialized value $ENV{"MOD_PERL"} in pattern match (m//) at /opt/otrs/scripts/apache2-perl-startup.pl line 26.
MOD_PERL not used! at /opt/otrs/scripts/apache2-perl-startup.pl line 26.

Any ideas?

[EXG133]

403 looks like Apache config gone wrong. Make sure your <Directory /> settings are correct in http.conf (settings depend on your Apache version).

[SuperDOS]

running Apache/2.4.10

The one used is /opt/otrs/scripts/apache2-httpd.include.conf
which during the OTRS-installation copies to /etc/apache2/conf.d/otrs.conf

Code: Select all

# --
# added for OTRS (http://otrs.org/)
# --

ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"

<IfModule mod_perl.c>

    # Setup environment and preload modules
    Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl

    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload

    # general mod_perl2 options
    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

        <IfModule mod_version.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </IfModule>
        <IfModule !mod_version.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Location>

    # mod_perl2 options for GenericInterface
    <Location /otrs/nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>

</IfModule>

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes

    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
         </IfModule>
    </IfModule>

</Directory>

<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None

    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>

    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
         </IfModule>
    </IfModule>

    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js

    # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff

</Directory>

<IfModule mod_headers.c>
    # Cache css-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js thirdparty for 4 hours
    <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>

# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000

[EXG133]

As a test replace (I haven't tried this, please comment out the old lines so you can go back to default values)

Code: Select all

    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

        <IfModule mod_version.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </IfModule>
        <IfModule !mod_version.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Location>

with

Code: Select all

    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

        <IfModule core.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </IfModule>
    </Location>

then restart apache and otrs services

[SuperDOS]

ok tried to change to core.c but get this error:

Code: Select all

start_apache2[25173]: AH00526: Syntax error on line 28 of /etc/apache2/conf.d/otrs.conf:
start_apache2[25173]: Invalid command '<IfVersion', perhaps misspelled or defined by a module not included in the server configuration

[schulmann]

You should add the apache module "version".

[SuperDOS]

You should add the apache module "version".

so simple, ran a2enmod version and restarted apache2.

Thanks!

[wolf97084]

I am running OTRS 4 on Ubuntu 14.04 and having the same permission error accessing intaller.pl on web interface.

There is no apache module "version" available on Ubuntu, or I don't know how to install it. Any insights?

I found this in apache2 error.log
client denied by server configuration: /opt/otrs/bin/cgi-bin/installer.pl

[charlyfarias]

If you are sure using >apache 2.4 just remove all version verification options and replace with:

Require all granted

If you are on Ubuntu, should change ".c" modules with ".so" on all modules check.