hestiacp / hestiacp

Hestia Control Panel | A lightweight and powerful control panel for the modern web.
https://hestiacp.com
GNU General Public License v3.0

[Bug] Hestia Panel Error 403 #2603

Closed Vladisaz closed 2 years ago

Vladisaz commented 2 years ago

Describe the bug

If you deny access to the site with error 403, the Hestia panel does not respond adequately to this. As it should be: access to all pages of the site should be closed. As it happens in the Hestia panel: only access to the main page of the site is closed, and you can still go to the rest. Why is this happening?

Tell us how to replicate the bug

Anyone knows how to reproduce a 403 error in the panel.

Which components are affected by this bug?

Control Panel Backend

Hestia Control Panel Version

v1.5.15

Operating system

Debian-10

Log capture

No response

jaapmarcus commented 2 years ago

Are you talking about the main website or the panel itself?

https://demo.hestiacp.com:8083/faewfwefaew will return a 404 without any issue

Vladisaz commented 2 years ago

Are you talking about the main website or the panel itself?

https://demo.hestiacp.com:8083/faewfwefaew will return a 404 without any issue

I was describing a 403 error, not a 404. A 404 for a non-existent page works, but a 403 denied access doesn't work.

jaapmarcus commented 2 years ago

Please describe how it is triggered, because by default a 404 page is shown...

Even /add/web/ redirects the user to /login/ if they haven't logged in first.

Vladisaz commented 2 years ago

Write your IP address and I will ban access for you and give you a link, and you will see for yourself how the access ban works in the Hestia panel. For quick communication, please write to me on Telegram: @maas36

jaapmarcus commented 2 years ago

I assume adding

        deny x.x.x.x;

to the

        location / { }

block in /usr/local/hestia/nginx/conf/nginx.conf?

It returns an:

GET /login/ HTTP/1.1 "403" 1442 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/605.1.15" "-"

But also default config:

        error_page 403 /error/404.html;
        error_page 404 /error/404.html;
        error_page 410 /error/410.html;

And it returns a 404 as expected.

Personally I would block the IP in the firewall instead of nginx.conf, as it is more secure and adds more flexibility (can be done via ipset or even the API) and so on...

https://docs.hestiacp.com/admin_docs/settings/firewall.html

It will also be reset after each nginx update.
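The mapping described in the reply above, as an added illustration rather than a copy of Hestia's shipped nginx.conf (only the directives under discussion are shown; 203.0.113.5 is a documentation address standing in for x.x.x.x). One caveat worth knowing: `error_page 403 /error/404.html;` swaps in the body of the 404 page but, without `=404`, nginx keeps the original status, so the client receives a 403 status with a 404-looking page, which is exactly what the `GET /login/ HTTP/1.1 "403"` log line records.

```nginx
server {
    # ... listen / ssl / root directives omitted for brevity ...

    # Default mapping: a 403 is answered with the body of /error/404.html.
    # The response status stays 403; the access log therefore shows "403"
    # even though the visitor sees the "not found" page.
    error_page 403 /error/404.html;
    error_page 404 /error/404.html;
    error_page 410 /error/410.html;

    # Variant that also rewrites the status code, if a genuine 404 is wanted:
    # error_page 403 =404 /error/404.html;

    location / {
        deny  203.0.113.5;   # first matching rule wins: this client is refused
        allow all;           # everyone else falls through to the panel
        # ... proxy / fastcgi directives omitted ...
        # The deny applies to every URI matched by this location, /login/
        # included, not only to the front page.
    }

    location /error/ {
        # Access rules are not inherited from the sibling "location /", so the
        # error page itself stays reachable for the denied client.
        allow all;
    }
}
```

Blocking at the firewall, as recommended above, keeps the rule out of a file that a Hestia update rewrites, and a dropped address never reaches nginx at all, so the 403-versus-404 question does not arise for it.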

Vladisaz commented 2 years ago

And why did you close the topic if the solution has not yet been found?

Vladisaz commented 2 years ago

I block in the .htaccess file, in this way:

        order allow,deny
        allow from all
        deny from 5.2.32.0/19
        deny from 5.43.128.0/19
        deny from 5.101.16.0/21
        deny from 5.101.24.0/21
        deny from 5.149.200.0/21
        deny from 5.182.24.0/22
        deny from 5.189.192.0/21
        deny from 5.199.192.0/19
        deny from 31.40.64.0/19
        deny from 31.42.192.0/19
        deny from 31.44.208.0/20
        deny from 31.128.32.0/19
        deny from 31.128.128.0/19
        deny from 31.129.128.0/19
        deny from 31.131.80.0/21
        deny from 31.135.32.0/19
        deny from 31.135.184.0/21
        deny from 31.148.0.0/16
        deny from 31.170.168.0/21
        deny from 31.170.184.0/21
        deny from 31.172.64.0/20
        deny from 31.173.0.0/16
        deny from 31.200.192.0/20
        deny from 31.210.168.0/23
        deny from 37.18.152.0/21
        deny from 37.28.160.0/19
        deny from 37.29.0.0/17
        deny from 37.75.0.0/21
        deny from 37.230.224.0/19
        deny from 41.76.176.0/21
        deny from 45.15.252.0/22
        deny from 45.92.208.0/22
        deny from 45.94.104.0/22
        deny from 45.94.140.0/22
        deny from 45.95.28.0/22
        deny from 45.129.236.0/22
        deny from 45.131.56.0/22
        deny from 45.141.92.0/22
        deny from 45.143.136.0/22
        deny from 45.155.4.0/22
        deny from 45.221.80.0/20
        deny from 46.19.112.0/21
        deny from 46.29.192.0/21
        deny from 46.43.192.0/18
        deny from 46.47.0.0/18
        deny from 46.47.192.0/18
        deny from 46.160.128.0/18
        deny from 46.173.32.0/19
        deny from 46.173.208.0/20
        deny from 46.174.40.0/21
        deny from 46.191.128.0/17

        ErrorDocument 403 http://washdoc.ru/profilaktika.html

        <Files "http://washdoc.ru/profilaktika.html">
            allow from all
        </Files>

ScIT-Raphael commented 2 years ago

Because IPs should be blocked or allowed from the firewall and not from Hestia's nginx.conf (as @jaapmarcus currently assumes that you've modified that - information is still missing).

Maybe you could share a step by step of how we can replicate that bug; it would make it a lot faster to understand. But with the current explanation, the close is valid.

ScIT-Raphael commented 2 years ago

Please provide an exact step-by-step example to reproduce the bug, otherwise it's hard to understand and will need more time than it has to.

jaapmarcus commented 2 years ago

.htaccess can't be used on Hestia itself.

Hestia uses nginx and doesn't use .htaccess...

Vladisaz commented 2 years ago

The panel works not only with nginx, it also works with Apache, but it works incorrectly. There are many people like me who configure the server through the .htaccess file, so please pay attention to this and fix the problem.

ScIT-Raphael commented 2 years ago

Honestly, please start to explain the issue properly, otherwise we can't fix this (and will not be able to reopen the issue report).

Vladisaz commented 2 years ago

In a nutshell: I need to close all access for IP addresses to all pages of the site controlled by the Hestia panel, and leave 100 allowed IP addresses through which the work will be carried out on the server. I set the access ban in the .htaccess file (I already wrote you an example). Access denied 403 works, but it only fires on the main page; it doesn't work on internal pages. This error is in the panel, because on the same server with another panel there are no such problems. You need to try to reproduce it yourself and see. Give me an answer: do you understand what I wrote to you or not?

jaapmarcus commented 2 years ago

When I use:

        order allow,deny
        allow from my.ip.adr.ess
        deny from all

        <Files "/error/">
        order allow,deny
        allow from all
        deny from 1.1.1.1
        </Files>

it works fine and as expected when I try it on my website (WordPress) via a VPN (or just change the IP in the allow block).

If we are talking about the backend of Hestia the answer is simple:

Hestia's backend runs on a custom build of Nginx and does not allow .htaccess files!

Also, you can't use URLs in a <Files ""> block like that.
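An added evaluator for the Apache-style rules exchanged in the two comments above (example code, not part of Hestia and not either poster's configuration). It implements the documented Order / Allow from / Deny from semantics of Apache's mod_access_compat for IP and CIDR arguments and the keyword `all`, skips the contents of `<Files>` containers, and is run against an excerpt of the reporter's list and against the allow-list pattern from the reply; 203.0.113.5 and 198.51.100.7 are documentation addresses standing in for "my.ip.adr.ess" and for an outsider. One point the model makes visible: with `Order allow,deny`, an address that matches both lists is denied, so `allow from my.ip` followed by `deny from all` denies my.ip as well; `Order deny,allow` with `deny from all` followed by `allow from my.ip` is the allow-list form. The evaluator only decides what Apache does with a request it actually handles; it says nothing about whether a given URL is handed to Apache at all.

```python
"""Evaluate Apache 2.2-style access rules: Order / Allow from / Deny from.

Added example, not hestiacp project code. Scope: IP and CIDR arguments and
the keyword 'all'; hostnames and partial dotted addresses are not handled,
and the contents of <Files>/<Directory> containers are skipped because they
form a separate scope.
"""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_rules(htaccess: str) -> Tuple[str, List[Network], List[Network]]:
    """Return (order, allow_networks, deny_networks) for the top-level scope."""
    order = "deny,allow"                 # Apache's default when Order is absent
    allow: List[Network] = []
    deny: List[Network] = []
    depth = 0                            # nesting inside <Files>/<Directory>
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
            continue
        if line.startswith("<"):
            depth += 1
            continue
        if depth > 0:
            continue                     # container rules are a separate scope
        parts = line.split()
        kw = parts[0].lower()
        if kw == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif kw in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            target = allow if kw == "allow" else deny
            for arg in parts[2:]:
                if arg.lower() == "all":
                    target += [ipaddress.ip_network("0.0.0.0/0"),
                               ipaddress.ip_network("::/0")]
                else:
                    target.append(ipaddress.ip_network(arg, strict=False))
        # ErrorDocument and other directives do not affect the access decision
    return order, allow, deny


def is_allowed(client_ip: str, order: str,
               allow: List[Network], deny: List[Network]) -> bool:
    """Apply the documented Order semantics to one client address."""
    ip = ipaddress.ip_address(client_ip)
    hit_allow = any(ip in net for net in allow if net.version == ip.version)
    hit_deny = any(ip in net for net in deny if net.version == ip.version)
    if order in ("allow,deny", "mutual-failure"):
        # Allow list is consulted first and must match; any Deny match then
        # rejects, so an address present on both lists is denied.
        return hit_allow and not hit_deny
    if order == "deny,allow":
        # Deny list first; an Allow match overrides it; unmatched is allowed.
        return hit_allow or not hit_deny
    raise ValueError("unknown Order: %s" % order)


def evaluate(htaccess: str, client_ip: str) -> bool:
    return is_allowed(client_ip, *parse_rules(htaccess))


# Excerpt (constructed, first few ranges only) of the reporter's block list.
REPORTER_RULES = """
order allow,deny
allow from all
deny from 5.2.32.0/19
deny from 5.43.128.0/19
deny from 31.148.0.0/16
ErrorDocument 403 http://washdoc.ru/profilaktika.html
<Files "http://washdoc.ru/profilaktika.html">
    allow from all
</Files>
"""

# The allow-list attempt from the reply, in the Order allow,deny form.
ALLOWLIST_ALLOW_DENY = """
order allow,deny
allow from 203.0.113.5
deny from all
"""

# Same intent in the Order deny,allow form, the allow-list idiom.
ALLOWLIST_DENY_ALLOW = """
order deny,allow
deny from all
allow from 203.0.113.5
"""

if __name__ == "__main__":
    for label, rules, ip in [
        ("reporter list, listed range", REPORTER_RULES, "5.2.40.1"),
        ("reporter list, other address", REPORTER_RULES, "8.8.8.8"),
        ("allow,deny + deny from all, own IP", ALLOWLIST_ALLOW_DENY, "203.0.113.5"),
        ("deny,allow + deny from all, own IP", ALLOWLIST_DENY_ALLOW, "203.0.113.5"),
        ("deny,allow + deny from all, outsider", ALLOWLIST_DENY_ALLOW, "198.51.100.7"),
    ]:
        print("%-40s %s" % (label, "allowed" if evaluate(rules, ip) else "denied (403)"))
```

Run it as a script to see each decision; the third line shows the allow,deny gotcha denying the address that was meant to be let through.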

Vladisaz commented 2 years ago

Did you diagnose only the main page or any internal one too?

jaapmarcus commented 2 years ago

Yes

[Fri May 20 13:17:33.327714 2022] [access_compat:error] [pid 440589:tid 140356142216960] [client xxxxx:0] AH01797: client denied by server configuration: /home/demo/web/xxxxx/public_html/
[Fri May 20 13:17:41.344687 2022] [access_compat:error] [pid 440589:tid 140356159002368] [client xxxxx:0] AH01797: client denied by server configuration: /home/demo/web/xxx/public_html/
[Fri May 20 13:19:16.359266 2022] [access_compat:error] [pid 440590:tid 140356150609664] [client xxxxx:0] AH01797: client denied by server configuration: /home/demo/web/xx/public_html/wp-admin/
[Fri May 20 13:20:37.127674 2022] [access_compat:error] [pid 440590:tid 140356016391936] [client xxxxx:0] AH01797: client denied by server configuration: /home/demo/web/xxx/public_html/wp-content/
[Fri May 20 13:23:41.106999 2022] [access_compat:error] [pid 440590:tid 140355882174208] [client xxxx:0] AH01797: client denied by server configuration: /home/demo/web/xxxx/public_html/wp-login.php

Vladisaz commented 2 years ago

I will add the Cloudflare DNS range 1.1.1.0/24 to deny access and write you 2 links, the main page and an internal page; try to go there and see. http://washdoc.ru/ https://washdoc.ru/contacts.html

Vladisaz commented 2 years ago

Did you see?

Vladisaz commented 2 years ago

Here are your IPs. And now go again with the same IP.

jaapmarcus commented 2 years ago

217.182.175.162 is not my ip address...

Also the user agent is not correct.

Also Cloudflare *** a lot of things.

Whitelist the Cloudflare IPs in the firewall and block all the IPs you want to block in Cloudflare itself.