How to suexec public_html/cgi-bin without the "~user/" in url - apache

Apache 2.4.29 (Fedora)
Perl v5.26.1
I have a website which is run, for several reasons, out of the public_html directory of the user "jaf". Apache is set up to run cgi scripts in this directory tree as the local user ("jaf"). So, for instance "http://billyard.ca/~jaf/cgi-bin/simpletest.cgi" successfully executes as user "jaf" (rather than the default "apache"). What I am trying to achieve, unsuccessfully so far, is the following:
To get apache to run all cgi called by "http://billyard.ca/cgi-bin/" as if they were called by "http://billyard.ca/~jaf/cgi-bin/" (i.e., omit the "~jaf/") yet still operate within the "~jaf/public_html" directory as user "jaf" rather than "apache". I've added the following to the apache configuration:
<VirtualHost *:80>
Servername billyard.ca
SuexecUserGroup jaf jaf
DocumentRoot "/home/jaf/public_html"
ScriptAlias /cgi-bin/ /home/jaf/public_html/cgi-bin/
</VirtualHost>
This works "billyard.ca/~jaf/cgi-bin/simpletest.cgi".
This fails "billyard.ca/cgi-bin/simpletest.cgi"; it gives me a 500 internal server error and suexec reports "command not in docroot".
To get selinux to allow this (right now I have to go into permissive mode otherwise I get apache "premature end of header" error messages)

Related

Apache (httpd) Won't start because "could not open error log"

OK guys, I'm stumped. I installed CentOS 7.2 on a VM, installed httpd, enabled it as a service, then started it
then created and edited a config file as follows
<VirtualHost *:80>
ServerAdmin admin@mydomain.com
ServerName www.mydomain.com
ServerAlias mydomain.com
DocumentRoot /var/www/mydomain.com/public_html
#ErrorLog /var/www/mydomain.com/error.log
#CustomLog /var/www/mydomain.com/requests.log combined
</VirtualHost>
So.. When I uncomment the "ErrorLog", which I believe is correct, and there is a file called error.log in directory "/var/www/mydomain.com/"
Httpd.service doesn't want to start, with the error:
(13)Permission denied: AH00091: httpd: could not open error log file /var/www/mydomain.com/error.log.
AH00015: Unable to open logs
I tried doing chown on the error.log file, to apache:apache, and root:root, and the user for the site, but that didn't work.
I also made sure to 755 the directory for www, so the error.log file should be able to be opened by that. Help me out please
Turns out that the error and access logs needed to be placed in /var/log/httpd/ instead of where they were.
All the directories in the path leading up to the error.log must have the executable and readable bit set for the apache user or group, in order for apache to be able to write to the log file.
In order to debug the permissions, you could su to the apache user, and try touching the file:
sudo -u apache touch /var/www/mydomain.com/error.log
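An added example (not part of the original answers) of the check described above: it walks every directory leading to the log file and reports which mode bits would stop a given uid from appending to it. The function names are assumptions, and only mode bits are read, so SELinux labels and ACLs are not evaluated.

```python
import os


def class_bits(st, uid, gids):
    """Return the rwx bits (0-7) that apply to uid/gids for this inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit_log_path(path, uid, gids):
    """List the mode-bit reasons uid/gids could not append to `path`.

    Not meaningful for uid 0, which is not subject to these bits.
    """
    path = os.path.abspath(path)
    # Every ancestor from / down to the directory that holds the file.
    dirs = [os.sep]
    for part in path.split(os.sep)[1:-1]:
        dirs.append(os.path.join(dirs[-1], part))
    problems = []
    for d in dirs:
        if not (class_bits(os.stat(d), uid, gids) & 1):
            problems.append(f"{d}: no search (x) bit")
    if os.path.exists(path):
        if not (class_bits(os.stat(path), uid, gids) & 2):
            problems.append(f"{path}: no write (w) bit")
    elif (class_bits(os.stat(dirs[-1]), uid, gids) & 3) != 3:
        problems.append(f"{dirs[-1]}: cannot create file (needs w and x)")
    return problems


if __name__ == "__main__":
    import grp
    import pwd
    import sys
    # Usage: python3 audit_log_path.py apache /var/www/mydomain.com/error.log
    user = pwd.getpwnam(sys.argv[1])
    groups = {user.pw_gid} | {g.gr_gid for g in grp.getgrall() if user.pw_name in g.gr_mem}
    for line in audit_log_path(sys.argv[2], user.pw_uid, groups) or ["no mode-bit problems"]:
        print(line)
```

Run it as root so that every directory on the path can be inspected.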

Laravel Access forbidden on localhost xampp

I just got stuck at the very beginning. I have installed Laravel and when I run the php artisan serve command, this line (Laravel development server started on http://localhost:8000/) appears, but when I access it through the browser (http://localhost:8000/) the following error gets displayed.
Access forbidden!
You don't have permission to access the requested object. It is either read-protected or not readable by the server.
If you think this is a server error, please contact the webmaster.
Error 403
localhost
Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/7.0.2
Please help me out. Any help would be greatly appreciated. I am a beginner in Laravel.
Follow the steps below to create a virtual host:
Change to your XAMPP installation directory (typically, C:\xampp) and open the "httpd-vhosts.conf" and "httpd-xampp.conf" files in the apache\conf\extra\ subdirectory using your favourite text editor.
Add these lines into both files with the following directives:
<VirtualHost *:80>
DocumentRoot "C:\Users\Shivam\Desktop\laravel_project\blog"
ServerName blog.dev
<Directory "C:\Users\Shivam\Desktop\laravel_project\blog">
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order Deny,Allow
Allow from all
Require all granted
</Directory>
</VirtualHost>
This contains two virtual host configuration blocks:
The first block is the default or fallback virtual host, which is used for all requests that are not matched by subsequent blocks.
The second block sets up a virtual host named wordpress.localhost. The DocumentRoot directive specifies the directory to be used when serving requests for this virtual host (in this case, the WordPress installation directory), while the ServerName directive specifies the custom domain name for the virtual host.
To add more virtual hosts, simply duplicate the second virtual host block and modify the port number, DocumentRoot and ServerName directives as per your requirements. For example, if you want to use SSL with your custom domain name, you can add a new virtual host block for port 443.
If you plan to have a large number of virtual hosts with very similar configuration, consider using wildcard-based subdomains with your virtual hosts.
Restart Apache using the XAMPP control panel for your changes to take effect.
At this point, your virtual host is configured. However, if you try browsing to the wordpress.localhost domain, your browser will show a failure notice, since this domain does not exist in reality. To resolve this, it is necessary to map the custom domain to the local IP address. To do this, open the file C:\windows\system32\drivers\etc\hosts and add the following line to it:
127.0.0.1 blog.dev
This takes care of mapping the wordpress.localhost domain name to the local machine, which always has the IP address 127.0.0.1
It seems to me that you already have Apache running on port 8000.
Try running the serve command like this:
php artisan serve --port=9000
After it's running navigate to http://localhost:9000

How do I access the parent directory of public_html in Apache?

I remember reading a while ago how it's possible for someone to access your computer's filesystem from the website. I want to know how to do it, so I can test and prevent it from happening.
Running Apache 2.4 on Windows via XAMPP
My virtualhost is set up like so:
<VirtualHost *:80>
ServerName local.scrap
DocumentRoot "D:/Dropbox/www/scrap/public_html/"
<Directory "D:/Dropbox/www/scrap/">
Order allow,deny
Allow from all
Require all granted
</Directory>
ErrorLog "D:/Dropbox/www/scrap/logs/error.log"
</VirtualHost>
There is an index2.html in scrap/ and index.html in scrap/public_html/
hosts is set up to be 127.0.0.1 local.scrap
If I type the URL http://local.scrap/ I get index.html.
If I type the URL http://local.scrap/../index2.html it gets redirected to http://local.scrap/index2.html
Why is the ../ URL getting redirected to the DocumentRoot path?
Oftentimes a non-malicious user-agent will resolve ../ in the URL before it ever contacts the server. But even without that, webservers are designed to not allow that kind of directory traversal outside of context roots.
You'd need to test with telnet/netcat/s_client to be sure.
If there's a directory traversal or LFI vulnerability in the website application code then this might indeed be possible.
Also, some webservers have directory traversal vulnerabilities. However, the current version of Apache has no known weaknesses in this respect.
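An added example, not part of the original answer: the dot-segment removal a browser applies before sending the request (RFC 3986 section 5.2.4), which is why /../index2.html arrives as /index2.html, together with a containment check of the kind application code needs when it builds file paths from request input. The function names are assumptions, the request paths are constructed, and the check is lexical only.

```python
import posixpath
from urllib.parse import unquote


def remove_dot_segments(path):
    """Collapse "." and ".." in an absolute URL path (RFC 3986, 5.2.4)."""
    segments = path.split("/")
    out = []
    for seg in segments:
        if seg == "..":
            if len(out) > 1:      # out[0] is the empty root segment; never pop it
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segments[-1] in (".", ".."):
        out.append("")            # "/a/b/.." names the directory "/a/"
    return "/".join(out)


def resolve_under_root(docroot, url_path):
    """Map a request path to a file path, or None if it leaves docroot.

    Lexical check only: symlinks inside docroot are not followed here.
    """
    decoded = unquote(url_path)   # so %2e%2e/ is judged as ../
    if "\x00" in decoded or "\\" in decoded:
        return None               # reject NUL bytes and Windows separators
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


DOCROOT = "D:/Dropbox/www/scrap/public_html/"   # DocumentRoot from the question

if __name__ == "__main__":
    # Constructed request paths, not captured traffic.
    for p in ["/index.html", "/../index2.html", "/%2e%2e/index2.html", "/a/../index.html"]:
        print(p, "->", remove_dot_segments(p), "|", resolve_under_root(DOCROOT, p))
```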

Can't get apache2.4 to pass requests to web2py using mod_wsgi

I'm having a hell of a time setting up a web2py server in a way that allows me to access the admin and appadmin interfaces from anywhere other than localhost, which is a requirement for me because the web2py server is hosted in a cloud location without a browser or X server. I understand that to access web2py's admin or appadmin interfaces from outside localhost that I must use SSL/HTTPS.
The web2py documentation seems to declare two different ways to do this. First, from the general web2py startup tutorial:
The administrative interface, admin, is only accessible from localhost
unless you run web2py behind Apache with mod_proxy. If admin detects a
proxy, the session cookie is set to secure and admin login does not
work unless the communication between the client and the proxy goes
over HTTPS
This led me to search the web for how to set up web2py behind Apache, which led me to the web2py deployment recipes page, where it describes setting up web2py behind apache using mod_wsgi instead of mod_proxy. These are the instructions I'm currently following exactly, with the exception of updating the /etc/apache2/sites-available/web2py file to apache2.4 syntax and modifying the ServerName directive's value to "foo.bar.com" (omitted: the domain name of cloud box containing the server, this is replaced with foo.bar.com throughout this question).
However, when I get to the
When you restart Apache, it should pass all the requests to web2py without going through the Rocket wsgiserver.
part of that web2py+apache+mod_wsgi tutorial, apache does not appear to be passing anything to web2py for me. I went ahead and moved the wsgihandler.py file as the next step in the tutorial describes, and here's my current state:
If I browse to foo.bar.com:80 from another machine, I get the Apache2 Ubuntu Default Page (the "It works!" page).
If I browse to foo.bar.com:8000 (web2py port), I get the web2py server's default interface, but with no access to admin or appadmin because of the unsecure channel.
If I try to browse to foo.bar.com:443, I get the generic "Index of /" apache server
page. On this page "/" contains one directory link "html", which
is a link to the Apache2 Ubuntu Default Page (the "It works!" page).
Other information:
I have an untouched instance of web2py installed at /home/www-data/web2py except that I've moved /home/www-data/web2py/handlers/wsgihandler.py to /home/www-data/web2py/wsgihandler.py
The contents of my /etc/apache2/site-available/ directory are:
000-default.conf (not touched by me)
default-ssl.conf (not touched by me)
web2py (created by me)
I've manually started up web2py with python ~/web2py/web2py.py --ip 10.7.166.27 (that's the IP for foo.bar.com (real domain name omitted))
apache2 is running as user www-data
The server OS is Ubuntu Server 14.04 x64
This is my /etc/apache2/sites-available/web2py file:
<VirtualHost *:80>
ServerName foo.bar.com
WSGIDaemonProcess web2py user=www-data group=www-data display-name=%{GROUP}
WSGIProcessGroup web2py
WSGIScriptAlias / /home/www-data/web2py/wsgihandler.py
<Directory /home/www-data/web2py>
AllowOverride None
Require all denied
<Files wsgihandler.py>
Require all granted
</Files>
</Directory>
AliasMatch ^/([^/]+)/static/(.*) /users/www-data/web2py/applications/$1/static/$2
<Directory /users/www-data/web2py/applications/*/static/>
Order Allow,Deny
Allow from all
</Directory>
<Location /admin>
Require all denied
</Location>
<LocationMatch ^/([^/]+)/appadmin>
Require all denied
</LocationMatch>
CustomLog /private/var/log/apache2/access.log common
ErrorLog /private/var/log/apache2/error.log
</VirtualHost>
<VirtualHost *:443>
ServerName foo.bar.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
WSGIProcessGroup web2py
WSGIScriptAlias / /users/www-data/web2py/wsgihandler.py
<Directory /users/www-data/web2py>
AllowOverride None
Require all denied
<Files wsgihandler.py>
Require all granted
</Files>
</Directory>
AliasMatch ^/([^/]+)/static/(.*) /users/www-data/web2py/applications/$1/static/$2
<Directory /users/www-data/web2py/applications/*/static/>
Require all granted
</Directory>
CustomLog /private/var/log/apache2/access.log common
ErrorLog /private/var/log/apache2/error.log
</VirtualHost>
Alright! I found my stupid mistake while writing this up. I had never bothered to properly configure apache itself:
/etc/apache2/sites-available/000-default.conf and /etc/apache2/sites-available/default-ssl.conf were why I was seeing what I was seeing when browsing to foo.bar.com:80 and foo.bar.com:443 respectively.
apache2.4 seems to require the .conf on configuration files, I didn't have that so I renamed /etc/apache2/sites-available/web2py to /etc/apache2/sites-available/web2py.conf
I didn't have a symlink to /etc/apache2/sites-available/web2py at /etc/apache2/sites-enabled/web2py, so I made one.
So, as of now:
When I browse to foo.bar.com:80 I get the same Apache2 Ubuntu Default Page, BUT
When I browse to foo.bar.com:80/web2py I get an internal server error which the apache logs tell me is a python import error from wsgihandler.py, which means the apache<->mod_wsgi<->web2py link is up and running
When I browse to foo.bar.com:443/web2py I get Chrome's yellow screen complaining about my self-signed certificate and after clicking through I get a permissions-denied page, presumably because of something I haven't set up yet in web2py/SSL
This means my original question is answered, but I might come back here and comment/edit if I get stumped again getting SSL to work.

Apache Doesn't Detect CGI Script

I am running ubuntu with apache2. I have already edited my httpd.conf file to say...
ScriptAlias /cgi-bin/ /usr/local/apache2/cgi-bin/
I have also created a bash script and made it executable, and placed it within the /usr/local/apache2/cgi-bin/ directory. However, when I send...
http://[domain]/cgi-bin/vlc-http.cgi?226625
I get a standard apache 404 URL not found error. I have no idea how to troubleshoot the situation, since I am new to apache and cgi.
Extra-Information: If I send an http request to /cgi-bin/ then apache tells me I don't have permission to access.