e107inc / e107

e107 Bootstrap CMS (Content Management System) v2 with PHP, MySQL, HTML5, jQuery and Twitter Bootstrap. Issue Discussion Room: https://gitter.im/e107inc/e107
https://e107.org
GNU General Public License v3.0

Apache 2.4 incompatibility #3962

Open gd-99 opened 4 years ago

gd-99 commented 4 years ago

Installing e107 version 2.2.1 using the Synology NAS Web station results in an error 500 page right after the successful install. I have tracked the issue down to the htaccess file in e107 root directory. The issue doesn't happen using a lighttpd web server. Lighttpd doesn't use .htaccess files. This issue may well also affect any web server using Apache v2.4 - I haven't got ready access to an Apache v2.4 web server to be able to check this out.

Platform:

  - Synology DSM v6.2
  - Apache v2.4 - virtual host configuration
  - PHP v7.3
  - e107 v2.2.1

The symptom: Navigate to the e107 root directory with a web browser - I use Firefox. Follow the normal e107 successful installation process, indicated by a green box indicating success and a suggestion to revert e107_config.php to 644 permission. The next screen once clicking the button to continue, should have the browser pointed at index.php and load the Home /Welcome page. At this point I got the Page 500 error.

The solution that worked for me: To save others a frustrating day trying to resolve the issue (yeah I know I'm slow) I thought I would share my solution here. As a quick test, to check this is a solution to your problem, simply rename .htaccess to something else e.g. test.htaccess in the e107 root directory and see if the e107 home page loads. If it does the problem is with the .htaccess file.

I wouldn't run without the protection of a .htaccess file or alternative arrangement as this will expose the e107 site to security threats.

There are three sections in the .htaccess file that need to be amended.

  1. Remove (I placed a comment mark "#" in front of) order allow,deny and deny from all. Then insert a new line Require all denied. The block should now look like this:

     ```
     # secure htaccess file
     <Files .htaccess>
     #~ order allow,deny
     #~ deny from all
     Require all denied
     </Files>
     ```

  2. Repeat the same procedure for this block further down:

     ```
     # protect e107_config.php
     <Files e107_config.php>
     #~ order allow,deny
     #~ deny from all
     Require all denied
     </Files>
     ```

I'm not well up on Apache .htaccess files, but I think the modifications above do not change the security in these blocks. I understand the "Require all denied" is a new directive for Apache v2.4? - don't quote me!

  3. Finally, in the "### Block Bad Bots" block I remarked out the:

     ```
     #~ SetEnvIfNoCase ^User-Agent$ .*(libwww-perl|aesop_com_spiderman) HTTP_SAFE_BADBOT
     #~ Deny from env=HTTP_SAFE_BADBOT
     ```

     directive. I have not been able (time) to figure out a replacement directive so have just left it commented out for now.

Moc commented 4 years ago

No time to look into this yet but please note that 500 errors always produce more information in the Apache error log which will help identify what is causing the issue.

Moc commented 4 years ago

Just checked and I am using Apache 2.4 on several installations including my development environment, so I doubt that it is applicable to all Apache 2.4 environments, otherwise we'd have far more reports.

@gd-99 Is it possible to replicate this issue again on your environment and check the apache error logs? This would provide additional useful information hopefully, to see which error is triggered.

gd-99 commented 4 years ago

Synology's Apache is significantly optimised to run on Synology hardware. As a consequence packages are not usually installed where they may be expected in a "normal" Linux file system. As the install worked perfectly on my server running lighttpd, I repeated the install steps on the Synology DSM several times, making minor changes each time to make sure I wasn't doing something stupid. I always ended up with the Error 500 page.

Doing a search on the internet, I found a post - I think on Stackexchange - for a different application but similar symptom. Here the responder made note, this particular syntax may have changed for Apache 2.4. I'm not an expert on Apache by any measurement so on a hunch I simply removed the .htaccess file and the e107 cms sprang into life. I put the .htaccess file back and it stopped. I then inserted "#" in the front of each line, removing them until e107 stopped working. The eventual combination of changes that worked, I indicated at the top of this post.

The redacted but relevant part of the logfile is as follows:

```
2019-09-28T11:31:00+01:00 HostName [Sat Sep 28 11:31:00.517686 2019] [core:alert] [pid 8675:tid 139829849261824] [client XXX.XXX.XXX.XXX:36189] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://***XXX.XXX.XXX.XXX***/install.php
2019-09-28T11:31:00+01:00 HostName [Sat Sep 28 11:31:00.582523 2019] [core:alert] [pid 8675:tid 139829798905600] [client XXX.XXX.XXX.XXX:36190] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://***XXX.XXX.XXX.XXX***/index.php
2019-09-28T11:33:25+01:00 HostName [Sat Sep 28 11:33:25.039386 2019] [core:alert] [pid 8675:tid 139830130415360] [client XXX.XXX.XXX.XXX:36849] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:33:25+01:00 HostName [Sat Sep 28 11:33:25.107028 2019] [core:alert] [pid 8675:tid 139829983545088] [client XXX.XXX.XXX.XXX:36850] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T11:33:25+01:00 HostName [Sat Sep 28 11:33:25.114144 2019] [core:alert] [pid 8675:tid 139829824083712] [client XXX.XXX.XXX.XXX:36851] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:33:27+01:00 HostName [Sat Sep 28 11:33:27.542822 2019] [core:alert] [pid 8675:tid 139829807298304] [client XXX.XXX.XXX.XXX:36860] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:33:27+01:00 HostName [Sat Sep 28 11:33:27.592690 2019] [core:alert] [pid 8675:tid 139829815691008] [client XXX.XXX.XXX.XXX:36861] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T11:36:30+01:00 HostName [Sat Sep 28 11:36:30.463709 2019] [core:alert] [pid 8675:tid 139829840869120] [client XXX.XXX.XXX.XXX:37741] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:36:30+01:00 HostName [Sat Sep 28 11:36:30.524676 2019] [core:alert] [pid 8675:tid 139830033901312] [client XXX.XXX.XXX.XXX:37743] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://bbox-nas:8580/index.php
2019-09-28T11:36:30+01:00 HostName [Sat Sep 28 11:36:30.535481 2019] [core:alert] [pid 8675:tid 139830008723200] [client XXX.XXX.XXX.XXX:37745] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:37:07+01:00 HostName [Sat Sep 28 11:37:07.244737 2019] [core:alert] [pid 8675:tid 139829991937792] [client XXX.XXX.XXX.XXX:37914] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:37:07+01:00 HostName [Sat Sep 28 11:37:07.295151 2019] [core:alert] [pid 8675:tid 139830000330496] [client XXX.XXX.XXX.XXX:37915] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T11:42:57+01:00 HostName [Sat Sep 28 11:42:57.783720 2019] [core:alert] [pid 8675:tid 139829916403456] [client XXX.XXX.XXX.XXX:39615] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:42:57+01:00 HostName [Sat Sep 28 11:42:57.851066 2019] [core:alert] [pid 8675:tid 139829882832640] [client XXX.XXX.XXX.XXX:39616] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T11:43:34+01:00 HostName [Sat Sep 28 11:43:34.143491 2019] [core:alert] [pid 8675:tid 139829899618048] [client XXX.XXX.XXX.XXX:39788] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:43:34+01:00 HostName [Sat Sep 28 11:43:34.178329 2019] [core:alert] [pid 8675:tid 139830042294016] [client XXX.XXX.XXX.XXX:39789] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T11:43:34+01:00 HostName [Sat Sep 28 11:43:34.216445 2019] [core:alert] [pid 8675:tid 139829866047232] [client XXX.XXX.XXX.XXX:39794] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:43:35+01:00 HostName [Sat Sep 28 11:43:35.147967 2019] [core:alert] [pid 8675:tid 139829849261824] [client XXX.XXX.XXX.XXX:39795] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:43:35+01:00 HostName [Sat Sep 28 11:43:35.190160 2019] [core:alert] [pid 8675:tid 139829798905600] [client XXX.XXX.XXX.XXX:39796] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T11:44:01+01:00 HostName [Sat Sep 28 11:44:01.224091 2019] [core:alert] [pid 8675:tid 139829983545088] [client XXX.XXX.XXX.XXX:39887] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:44:01+01:00 HostName [Sat Sep 28 11:44:01.264675 2019] [core:alert] [pid 8675:tid 139829824083712] [client XXX.XXX.XXX.XXX:39892] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T11:44:01+01:00 HostName [Sat Sep 28 11:44:01.834298 2019] [core:alert] [pid 8675:tid 139829807298304] [client XXX.XXX.XXX.XXX:39893] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:44:01+01:00 HostName [Sat Sep 28 11:44:01.867815 2019] [core:alert] [pid 8675:tid 139829815691008] [client XXX.XXX.XXX.XXX:39894] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T11:47:30+01:00 HostName [Sat Sep 28 11:47:30.403104 2019] [core:alert] [pid 8675:tid 139829840869120] [client XXX.XXX.XXX.XXX:40872] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: without matching section
2019-09-28T11:47:30+01:00 HostName [Sat Sep 28 11:47:30.438266 2019] [core:alert] [pid 8675:tid 139830033901312] [client XXX.XXX.XXX.XXX:40873] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: without matching section, referer: http://XXXXXXXX/index.php
2019-09-28T11:47:31+01:00 HostName [Sat Sep 28 11:47:31.127503 2019] [core:alert] [pid 8675:tid 139830008723200] [client XXX.XXX.XXX.XXX:40883] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: without matching section
2019-09-28T11:47:31+01:00 HostName [Sat Sep 28 11:47:31.171418 2019] [core:alert] [pid 8675:tid 139829991937792] [client XXX.XXX.XXX.XXX:40884] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: without matching section, referer: http://XXXXXXXX/index.php
2019-09-28T11:48:46+01:00 HostName [Sat Sep 28 11:48:46.006509 2019] [core:alert] [pid 8675:tid 139829949974272] [client XXX.XXX.XXX.XXX:41285] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T11:48:46+01:00 HostName [Sat Sep 28 11:48:46.045874 2019] [core:alert] [pid 8675:tid 139829916403456] [client XXX.XXX.XXX.XXX:41286] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T12:21:02+01:00 HostName [Sat Sep 28 12:21:02.339207 2019] [core:alert] [pid 8675:tid 139830008723200] [client XXX.XXX.XXX.XXX:50518] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'Deny', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T12:21:02+01:00 HostName [Sat Sep 28 12:21:02.381070 2019] [core:alert] [pid 8675:tid 139829991937792] [client XXX.XXX.XXX.XXX:50519] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'Deny', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T12:21:32+01:00 HostName [Sat Sep 28 12:21:32.678083 2019] [core:alert] [pid 8675:tid 139830033901312] [client XXX.XXX.XXX.XXX:50625] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'Deny', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T12:21:32+01:00 HostName [Sat Sep 28 12:21:32.712879 2019] [core:alert] [pid 8675:tid 139829975152384] [client XXX.XXX.XXX.XXX:50626] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'Deny', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T12:23:10+01:00 HostName [Sat Sep 28 12:23:10.643595 2019] [core:alert] [pid 8675:tid 139830017115904] [client XXX.XXX.XXX.XXX:51160] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T12:23:10+01:00 HostName [Sat Sep 28 12:23:10.673523 2019] [core:alert] [pid 8675:tid 139829941581568] [client XXX.XXX.XXX.XXX:51161] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
2019-09-28T12:24:25+01:00 HostName [Sat Sep 28 12:24:25.429728 2019] [core:alert] [pid 8675:tid 139829866047232] [client XXX.XXX.XXX.XXX:51569] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration
2019-09-28T12:24:25+01:00 HostName [Sat Sep 28 12:24:25.459995 2019] [core:alert] [pid 8675:tid 139829807298304] [client XXX.XXX.XXX.XXX:51570] /xxxxxxxx/xxxxxxxx/e107cms-2.2.1/.htaccess: Invalid command 'order', perhaps misspelled or defined by a module not included in the server configuration, referer: http://XXXXXXXX/index.php
```

I do not know how Synology compile Apache and I don't know which modules they provide. Within the DSM interface there is no place I have found to enable /disable Apache modules. There is for PHP. If necessary I can try and hunt down the included Apache modules for you if this would be helpful?

I have checked that with my indicated modifications to the .htaccess file, I still can't list the directory and I can't view the .htaccess file through the browser.

I hope this is of some assistance to you.

Moc commented 4 years ago

Thank you.

Loading the mod_access_compat (and perhaps mod_authz_host) on your server configuration should do the trick.

e.g.

```
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule authz_host_module modules/mod_authz_host.so
```

Moc commented 4 years ago

I'm keeping this issue open as we do need to look into how we deal with this Apache 2.2 vs. 2.4 upgrade incompatibility.

More info here: http://httpd.apache.org/docs/2.4/upgrading.html#run-time
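
One way to write the three blocks from gd-99's first comment so that a single .htaccess parses on Apache 2.2 and on Apache 2.4 without mod_access_compat, which is the incompatibility this issue is kept open for. It includes a 2.4 form of the bad-bot rule that was left commented out. This is an added example, not e107's shipped .htaccess; the `<Files e107_config.php>` wrapper is assumed from that block's comment.

```apache
# Added example: version-portable access control for the e107 root .htaccess.
# mod_authz_core exists only in Apache 2.4+, so it selects the syntax to use.

# secure htaccess file
<Files .htaccess>
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# protect e107_config.php (Files target assumed from the comment on the page)
<Files e107_config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

### Block Bad Bots
<IfModule mod_setenvif.c>
    # Same match as on the page: flag requests whose User-Agent matches.
    SetEnvIfNoCase ^User-Agent$ .*(libwww-perl|aesop_com_spiderman) HTTP_SAFE_BADBOT
    <IfModule mod_authz_core.c>
        # Apache 2.4+: allow everyone except requests carrying the flag.
        <RequireAll>
            Require all granted
            Require not env HTTP_SAFE_BADBOT
        </RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: the original directive from the page.
        Deny from env=HTTP_SAFE_BADBOT
    </IfModule>
</IfModule>
```

The server's `AllowOverride` must permit `AuthConfig` (for `Require`), `Limit` (for `Order`/`Deny`) and `FileInfo` (for `SetEnvIfNoCase`), otherwise these lines also produce a 500. After deploying, request `/.htaccess` and `/e107_config.php` and confirm both return 403; note that the `Require all granted` in the bad-bot block replaces any stricter `Require` the server configuration sets for the directory.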