open_basedir restriction in effect and subdomains - apache

For security reasons I have put my yii folder below the html root, so my structure looks like this
/conf
/httpdocs
/httpsdocs
/yii
when running the site I get an error open_basedir restriction in effect that yii.php which is called by index.php out of httpdocs is not in the allowed path. Because this site is a subdomain do I edit the vhosts.conf of the main domain or of the subdomain?
What would the proper setting be to allow
/var/www/vhosts/example.com/subdomains/mysubdomain/yii
Path to be accessible?
EDIT
So my /var/www/vhosts/example.com/conf/vhost.conf file looks like this now:
AddHandler fcgid-script .php
<Directory /var/www/vhosts/example.com/httpdocs>
php_admin_value open_basedir ".:/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs:/tmp/:/var/www/vhosts/example.com/subdomains/mysubdomain/yii"
FCGIWrapper /var/www/vhosts/example.com/bin/php-cgi .php
Options +ExecCGI +FollowSymLinks
allow from all
</Directory>
I've reconfigured and restarted the web server but I still get the error:
Warning: require_once() [function.require-once]: open_basedir restriction in effect.
File(/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs/../yii/yii.php) is not within the allowed path(s):
(/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs:/tmp)
in /var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs/index.php on line 26


In the virtualhost:
php_admin_value open_basedir ".:/var/www/vhosts/example.com/subdomains/mysubdomain/httpdocs:/my/own/tmp:/var/www/vhosts/example.com/subdomains/mysubdomain/yii"


I found the answer. You have to specify the different modules or else simply editing the vhost file doens't have much of an effect. This is to turn off the open_basedir but you can edit the settings accordingly.
<Directory /var/www/vhosts/YOURDOMAIN.COM/subdomains/YOUSUBDOMAIN/httpdocs>
<IfModule sapi_apache2.c>
php_admin_value open_basedir none
</IfModule>
<IfModule mod_php5.c>
php_admin_value open_basedir none
</IfModule>
</Directory>
then
# /usr/local/psa/admin/bin/websrvmng --reconfigure-vhost --vhost-name=YOURDOMAIN.COM
# apachectl stop
# apachectl start
Full article can be found here: http://prattski.com/2008/09/13/plesk-open_basedir-fix/

Related

Installing/configurate Symfony3.2 on a Vhost Ubuntu subdomain folder --> Error 403 Forbidden and Error 500

I try to install Symfony3.2 on my vhost, running Plesk under ubuntu.
My goal is to create a production-server-status to test my Symfony-projects online.
I want to get to this project using the URL subexample.example.tld or subexample.example.tld/matchGen.
On my journey through the cavern of tears and everlasting self-doubt, I saw a lot of different errors and even achieved to break the whole vhost down including my email system... great job.
Well.. now I got the error 403 Forbidden.
The good news (at least for me): I see the favicon of symfony and if I try to open the app_dev.php (subexample.example.tld/matchGen/web/app_dev.php) it will say You are not allowed to access this file. Check app_dev.php for more information..
Opening the app.php with subexample.example.tld/matchGen/web/app.phpresult in a redirect to subexample.example.tld/matchGen/web/ and The server returned a "500 Internal Server Error"..
subexample.example.tld runs into Forbidden, too.
I already tried/did the following:
New Install at a different location
PHP matchGen/bin/symfony_requirements --> [OK] Your system is ready to run Symfony projects
Using this as Guide http://symfony.com/doc/current/setup/web_server_configuration.html#web-server-apache-mod-php (Apache 2.4 - FastCGI)--> created my subexample.example.tld.conf in /etc/apache2/sites-available, used a2ensite subexample.example.tld.conf and service apache2 reload --> * Reloading web server apache2, apparently no problems.
I tried to use a different directory for the web folder and all the other stuff --> changed nothing
Changing the rights with chmod and chown --> well... now I know how to apply a backup... long story short --> I was way too naive and learned a valuable lesson with Ubuntu and the change of rights.
https://www.liquidweb.com/kb/apache-error-no-matching-directoryindex-index-html-found-solved/ --> No effect.
Now for the error.logs:
/var/www/vhosts/system/subexample.example.tld/logs/error_logs
[Mon Apr 10 20:41:45.361150 2017] [autoindex:error] [pid 15012] [client 87.147.219.10:5188] AH01276: Cannot serve directory /var/www/vhosts/example.tld/subexample.example.tld/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive
[Mon Apr 10 20:41:47.707623 2017] [autoindex:error] [pid 15012] [client 87.147.219.10:5188] AH01276: Cannot serve directory /var/www/vhosts/example.tld/subexample.example.tld/matchGen/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive
/var/log/apache2/matchGen_error.log and /var/log/apache2/matchGen_access.log are empty.
My configfiles:
/etc/apache2/sites-available/subexample.example.tld.conf
<VirtualHost *:80>
ServerName subexample.example.tld
ServerAlias www.subexample.example.tld
DocumentRoot /var/www/vhosts/example.tld/subexample.example.tld/matchGen/web
<Directory /var/www/vhosts/example.tld/subexample.example.tld/matchGen/web>
AllowOverride None
Require all granted
Allow from All
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
</Directory>
# uncomment the following lines if you install assets as symlinks
# or run into problems when compiling LESS/Sass/CoffeeScript assets
# <Directory /var/www/project>
# Options FollowSymlinks
# </Directory>
# optionally disable the RewriteEngine for the asset directories
# which will allow apache to simply reply with a 404 when files are
# not found instead of passing the request into the full symfony stack
<Directory /var/www/vhosts/example.tld/subexample.example.tld/matchGen/web/bundles>
<IfModule mod_rewrite.c>
RewriteEngine Off
</IfModule>
</Directory>
ErrorLog /var/log/apache2/matchGen_error.log
CustomLog /var/log/apache2/matchGen_access.log combined
</VirtualHost>
/var/www/vhosts/system/subexample.example.tld/conf/httpd.conf
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
#IF YOU REQUIRE TO APPLY CUSTOM MODIFICATIONS, PERFORM THEM IN THE FOLLOWING FILES:
#/var/www/vhosts/system/subexample.example.tld/conf/vhost.conf
#/var/www/vhosts/system/subexample.example.tld/conf/vhost_ssl.conf
<IfModule mod_ssl.c>
<VirtualHost xx.xx.xxx.xxx:443 >
ServerName "subexample.example.tld:443"
ServerAlias "www.subexample.example.tld"
ServerAlias "ipv4.subexample.example.tld"
ServerAdmin "root#example.tld"
UseCanonicalName Off
DocumentRoot "/var/www/vhosts/example.tld/subexample.example.tld"
CustomLog /var/www/vhosts/system/subexample.example.tld/logs/access_ssl_log plesklog
ErrorLog "/var/www/vhosts/system/subexample.example.tld/logs/error_log"
<IfModule mod_suexec.c>
SuexecUserGroup "xxxx" "xxxx"
</IfModule>
<IfModule mod_userdir.c>
UserDir "/var/www/vhosts/example.tld/web_users"
</IfModule>
<IfModule mod_sysenv.c>
SetSysEnv PP_VHOST_ID "6a66d04f-d22f-4a30-bb80-ca47f117886a"
</IfModule>
ScriptAlias "/cgi-bin/" "/var/www/vhosts/example.tld/subexample.example.tld/cgi-bin/"
Alias "/plesk-stat" "/var/www/vhosts/system/subexample.example.tld/statistics"
<Location /plesk-stat/>
Options +Indexes
</Location>
<Location /plesk-stat/logs/>
Require valid-user
</Location>
Alias /webstat /var/www/vhosts/system/subexample.example.tld/statistics/webstat
Alias /webstat-ssl /var/www/vhosts/system/subexample.example.tld/statistics/webstat-ssl
Alias /ftpstat /var/www/vhosts/system/subexample.example.tld/statistics/ftpstat
Alias /anon_ftpstat /var/www/vhosts/system/subexample.example.tld/statistics/anon_ftpstat
Alias /awstats-icon /usr/share/awstats/icon
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /opt/psa/var/certificates/certyKQzXqX
SetEnv PP_CUSTOM_PHP_INI /var/www/vhosts/system/subexample.example.tld/etc/php.ini
SetEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi
<IfModule mod_fcgid.c>
FcgidInitialEnv PP_CUSTOM_PHP_INI /var/www/vhosts/system/subexample.example.tld/etc/php.ini
FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi
FcgidMaxRequestLen 134217728
FcgidIOTimeout 600
</IfModule>
TimeOut 600
<Directory /var/www/vhosts/example.tld/subexample.example.tld>
<IfModule mod_fcgid.c>
<Files ~ (\.fcgi$)>
SetHandler fcgid-script
Options +ExecCGI
</Files>
</IfModule>
<IfModule mod_fcgid.c>
<Files ~ (\.php$)>
SetHandler fcgid-script
FCGIWrapper /var/www/cgi-bin/cgi_wrapper/cgi_wrapper .php
Options +ExecCGI
</Files>
</IfModule>
SSLRequireSSL
Options -Includes +ExecCGI
</Directory>
<Directory /var/www/vhosts/example.tld/web_users>
<IfModule mod_php4.c>
php_admin_flag engine off
</IfModule>
<IfModule mod_php5.c>
php_admin_flag engine off
</IfModule>
</Directory>
<Directory /var/www/vhosts/subexample.example.tld>
Options +FollowSymLinks
</Directory>
<Directory "/var/www/vhosts/system/subexample.example.tld/statistics">
AuthType Basic
AuthName "Domainstatistiken"
AuthUserFile "/var/www/vhosts/system/subexample.example.tld/pd/d..httpdocs#plesk-stat"
require valid-user
</Directory>
<IfModule mod_security2.c>
</IfModule>
</VirtualHost>
</IfModule>
<VirtualHost xx.xx.xxx.xxx:80 >
ServerName "subexample.example.tld:80"
ServerAlias "www.subexample.example.tld"
ServerAlias "ipv4.subexample.example.tld"
ServerAdmin "root#example.tld"
UseCanonicalName Off
DocumentRoot "/var/www/vhosts/example.tld/subexample.example.tld"
CustomLog /var/www/vhosts/system/subexample.example.tld/logs/access_log plesklog
ErrorLog "/var/www/vhosts/system/subexample.example.tld/logs/error_log"
<IfModule mod_suexec.c>
SuexecUserGroup "xxxx" "xxxx"
</IfModule>
<IfModule mod_userdir.c>
UserDir "/var/www/vhosts/example.tld/web_users"
</IfModule>
<IfModule mod_sysenv.c>
SetSysEnv PP_VHOST_ID "6a66d04f-d22f-4a30-bb80-ca47f117886a"
</IfModule>
ScriptAlias "/cgi-bin/" "/var/www/vhosts/example.tld/subexample.example.tld/cgi-bin/"
Redirect permanent /plesk-stat https://subexample.example.tld/plesk-stat
Redirect permanent /webstat https://subexample.example.tld/webstat
Redirect permanent /webstat-ssl https://subexample.example.tld/webstat-ssl
Redirect permanent /ftpstat https://subexample.example.tld/ftpstat
Redirect permanent /anon_ftpstat https://subexample.example.tld/anon_ftpstat
Redirect permanent /awstats-icon https://subexample.example.tld/awstats-icon
<IfModule mod_ssl.c>
SSLEngine off
</IfModule>
SetEnv PP_CUSTOM_PHP_INI /var/www/vhosts/system/subexample.example.tld/etc/php.ini
SetEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi
<IfModule mod_fcgid.c>
FcgidInitialEnv PP_CUSTOM_PHP_INI /var/www/vhosts/system/subexample.example.tld/etc/php.ini
FcgidInitialEnv PP_CUSTOM_PHP_CGI_INDEX fastcgi
FcgidMaxRequestLen 134217728
FcgidIOTimeout 600
</IfModule>
TimeOut 600
<Directory /var/www/vhosts/example.tld/subexample.example.tld>
<IfModule mod_fcgid.c>
<Files ~ (\.fcgi$)>
SetHandler fcgid-script
Options +ExecCGI
</Files>
</IfModule>
<IfModule mod_fcgid.c>
<Files ~ (\.php$)>
SetHandler fcgid-script
FCGIWrapper /var/www/cgi-bin/cgi_wrapper/cgi_wrapper .php
Options +ExecCGI
</Files>
</IfModule>
Options -Includes +ExecCGI
</Directory>
<Directory /var/www/vhosts/example.tld/web_users>
<IfModule mod_php4.c>
php_admin_flag engine off
</IfModule>
<IfModule mod_php5.c>
php_admin_flag engine off
</IfModule>
</Directory>
<Directory /var/www/vhosts/subexample.example.tld>
Options +FollowSymLinks
</Directory>
<Directory "/var/www/vhosts/system/subexample.example.tld/statistics">
AuthType Basic
AuthName "Domainstatistiken"
AuthUserFile "/var/www/vhosts/system/subexample.example.tld/pd/d..httpdocs#plesk-stat"
require valid-user
</Directory>
<IfModule mod_security2.c>
</IfModule>
</VirtualHost>
Well, I think that should give you the idea of my problem.
Thank you in advance!
Ah... please explain it for dummies... I know some things... but apparently not enough.
Edit 1:
I tried again to change the rights...
This time I created a new group, put my matchGen folder in it and tried to allow everything in this group.
sudo addgroup Symfony --force-badname
Allowing use of questionable username.
Adding group `Symfony' (GID 1009) ...
Done.
sudo chown root.Symfony /var/www/vhosts/example.tld/subexample.example.tld/matchGen -R
chmod g+rwx /var/www/vhosts/example.tld/subexample.example.tld/matchGen
No change.
Oh.. and I added the user www-data to the group Symfony.
Edit 2:
I tried to work with http://symfony.com/doc/current/setup/web_server_configuration.html#web-server-apache-fpm, but nothing changed.
After the reset I tried to open subexample.example.tld/matchGen/web/ again.
Well it did not work, but this time the error seemed to be different HTTP ERROR 500.
So... after looking in the Looks again --> mod_fcgid: stderr: PHP Fatal error: Uncaught exception 'UnexpectedValueException' with message 'The stream or file "/var/www/vhosts/example.tld/subexample.example.tld/matchGen/var/logs/prod.log" could not be opened: failed to open stream: Permission denied' in /var/www/vhosts/example.tld/subexample.example.tld/matchGen/var/cache/prod/classes.php:8203
It is definitely a problem with the rights. But why will it not work?
...
I tried to setup the www-data-user with acl, using this guide --> http://symfony.com/doc/current/setup/file_permissions.html#using-acl-on-a-system-that-supports-setfacl-linux-bsd
Instead of using var or /var at the end of the setfacl-command I used matchGen as a folder.
No change.
Edit 3:
I did it!
This here helped me after i reached the point after Edit 2.
'Failed to open stream: Permission denied' error - Laravel
Go in your project folder and use php bin/console cache:clear --env=prod
Follow up with chmod -R 777 var
Finish with composer dump-autoload
Finally...

Here is a list of things you should check if you got the same problem:
run php bin/symfony_requirements in your project folder. You may need to set up the timezone in your php.ini
create and activate a config/site for your subdomain in /etc/apache2/site-available and use a2ensite subexample.example.tld.conf. Be sure to end the name with .conf when creating the file.
Before you create/change the rights use php bin/console cache:clear --env=prod in your project folder, then set them for your var folder with chmod -R 777 var. Finish it in your project folder with composer dump-autoload.

What ELSE can cause Apache to display a CGI instead of it's output?

I have a newly configured Apache 2.4.7 webserver (AIX7 ). It is displaying the contents of my CGIs instead of their output.
I have this in my conf file:
LoadModule cgi_module /opt/freeware/lib64/httpd/modules/mod_cgi.so
AddHandler cgi-script .cgi .pl
ScriptAlias /cgi-bin "/var/www/cgi-bin"
<Directory "/var/www/cgi-bin">
Options +FollowSymLinks +Includes -Indexes +ExecCGI
Order allow,deny
Allow from all
</Directory>
My CGIs behave as expected if run from the CLI. They are world-readable and world-executable. The shebang line is correct. There are no relevant messages in error_log.
What ELSE can cause the server to not execute a CGI?

OK, I figured it out. I had two different conf directories. Apache was looking at a configuration in a different location which had the default values.
Lesson learned: If Apache seems to be ignoring your config file, make sure you're looking at the right file.

Apache httpd bad request when accessing by ip address - Review Board

I have setup Review Board and it works fine when accessed from localhost.
When I try to access it by ip (from LAN), I get BAD REQUEST.
I have copied apache-wsgi.conf to my apache conf directory.
apache-wsgi.conf
<VirtualHost *:8088>
ServerName localhost
DocumentRoot "/var/www/reviews.als.kz/htdocs"
# Error handlers
ErrorDocument 500 /errordocs/500.html
WSGIPassAuthorization On
WSGIScriptAlias "/reviews" "/var/www/reviews.als.kz/htdocs/reviewboard.wsgi/reviews"
<Directory "/var/www/reviews.als.kz/htdocs">
AllowOverride All
Options -Indexes +FollowSymLinks
Require all granted
</Directory>
# Prevent the server from processing or allowing the rendering of
# certain file types.
<Location "/reviews/media/uploaded">
SetHandler None
Options None
AddType text/plain .html .htm .shtml .php .php3 .php4 .php5 .phps .asp
AddType text/plain .pl .py .fcgi .cgi .phtml .phtm .pht .jsp .sh .rb
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
</Location>
# Alias static media requests to filesystem
Alias /reviews/media "/var/www/reviews.als.kz/htdocs/media"
Alias /reviews/static "/var/www/reviews.als.kz/htdocs/static"
Alias /reviews/errordocs "/var/www/reviews.als.kz/htdocs/errordocs"
Alias /reviews/favicon.ico "/var/www/reviews.als.kz/htdocs/static/rb/images/favicon.png"
I have installed reviewboard into /var/www/reviews.als.kz directory.
Chown-ed it to apache:apache.
I run it on Fedora 21.
Review Board version 2.0.12
Apache httpd version 2.4.10
Thanks

The problem had been with python settings.
Added my ip address to ALLOWED_HOSTS within settings_local.py file and everything worked.
Thanks

I had the same problem. When you configure your reviewboard, you have to give it a site name . Some thing like "reviewboard.mycompany.com". It doesn't have to be a registered name just make up something.
Then when you try to access the reviewboard main page, use the site name (reviewboard.mycompany.com) as the URL. You'll of course need to add the made-up hostname to to your /etc/hosts so your machine can resolve the address.
Create a host entry / DNS entry with the site name. like
reivews.mycompany.com x.x.x.x
It's worked for me.

I had the same problem.
Fixed it by adding this line to my httpd.conf :
HttpProtocolOptions unsafe

Disable all CGI (php, perl, …) for a directory using .htaccess

I have a directory where users can upload files.
To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.
Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().
What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:
SetHandler default-handler
However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?
Apache configuration
The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5, and creating the the file /etc/apache2/sites-enabled/mysite.com with the following contents:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
ServerName mysite.com
ServerAlias www.mysite.com
DocumentRoot /home/me/www/mysite.com/www/
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/me/www/mysite.com/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Put this in your .htaccess:
<Files *>
# #mivk mentionned in the comments that this may break
# directory indexes generated by Options +Indexes.
SetHandler default-handler
</Files>
But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!
If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com
<Directory /home/me/www/upload/>
# Important for security, prevents someone from
# uploading a malicious .htaccess
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
<Files *>
AllowOverride None
SetHandler none
SetHandler default-handler
Options -ExecCGI
php_flag engine off
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
</Directory>
If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:
/home/me/www/
|- myuploadscript.php
|- protected/
|- .htaccess
|- upload/
|- Uploaded files go here
That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.
AFAICT, you should be pretty safe with that.

My Godaddy setup wont allow me to edit the httpd.conf files, and the php_flag command doesn't work due to how they've implemented php for me.
I was able to use this in my .htaccess file:
SetHandler default-handler
AddType text/plain php
I put this in the directory above where my FTP user is allowed to access, which forces all PHP files in that directory, as well as all sub-directories to show php as plain text.
This will work for other file types as well. All you need to do is add another line with whatever extension of file you want to be forced to display in plain text. AddType text/plain cgi for example

mod_rewrite ignores existing files

There is a number of similar questions, but none of them help.
I have the following rule in my .htaccess
RewriteRule ^images/.*$ - [F]
so for folders like /images/goods/ or /images/nonexistentfile.jpg I get 'Forbidden' which is what I want. The problem is if an existent file is requested, my rules are ignored and the file is served. In fact if I make a deliberate mistake in .htaccess I don't get an Internal Server Error as I would when requesting folders or non-existent files. What should I look for?
apache2.conf
<VirtualHost 1.2.3.4:8080>
ServerName domain.com
DocumentRoot /var/www/s3/data/www/domain.com
SuexecUserGroup s3 s3
CustomLog /var/www/httpd-logs/domain.com.access.log combin$
ErrorLog /var/www/httpd-logs/domain.com.error.log
ServerAlias www.domain.com
ServerAdmin example#domain.com
AddDefaultCharset utf-8
php_admin_value open_basedir "/var/www/s3/data:.:/tmp"
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f example#domain.com
php_admin_value upload_tmp_dir "/var/www/s3/data/mod-tmp"
php_admin_value session.save_path "/var/www/s3/data/mod-tmp"
AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
AddType application/x-httpd-php-source .phps
</VirtualHost>
anything else I should post here?

I had a similar issue.
I put the following .htaccess in to the images folder to forbid access to jpg files (in my case)
IndexIgnore */*
<Files ~ ".*\.jpg$">
Order deny,allow
Deny from all
</Files>

It looks like you're htaccess file isn't being applied. Try adding an AllowOverride directive in your vhost config:
<Directory "/var/www/s3/data/www/domain.com/">
AllowOverride All
</Directory>
By default, AllowOverride should be set to All, but it's possible your host set it to something else at the server config level.

in case someone has the same problem, it is painfully trivial. The default ISPManager installation puts nginx in front of Apache for static files...