Plesk+Litespeed+Apache configs

S

skydrive

New Member
#1
#1
Hi.

I have installed Litespeed extension trial via Plesk. I have disabled apache and nginx and everything works fine, but configs created by Plesk for vhosts under /var/www/vhosts/system/DOMAIN/conf/httpd.conf , which include apache directives are being completely ignored. Is this a normal behavior?
e.g. despite these rules in the file from above, I can access and open files with blocked extensions (code generated by Plesk's Wordpress extension):
Apache config: 
# "Block author scans"
                # To remove this rule, revert this security measure on each WordPress installation on this domain
                <LocationMatch "(?i:(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html)))">
                        Require all denied
                </LocationMatch>

                # "Block access to potentially sensitive files"
                # To remove this rule, revert this security measure on each WordPress installation on this domain
                <LocationMatch ".+\\.(?i:psd|log|cmd|exe|bat|csh|ini|sh)$">
                        Require all denied
                </LocationMatch>

Also, I've added some deny directives direclty to .htaccess (because of the issue above) and now I see in the logs such entries, when file access is being blocked:

Apache config: 
2021-10-08 15:22:07    Error    46.00.00.00    403    GET /kop.sql HTTP/1.1    https://domain.com/kop.sql    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36    999    Apache SSL/TLS access
2021-10-08 15:22:07    Error    000.000.000.000    403    GET /kop.sql HTTP/1.1    https://domain.com/kop.sql    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36    999    Apache SSL/TLS access
2021-10-08 15:22:07    Error    000.000.000.000    403    GET /kop.sql HTTP/1.1    https://domain.com/kop.sql    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36    821    Apache SSL/TLS access
2021-10-08 15:22:07    Error    000.000.000.000    403    GET /kop.sql HTTP/1.1    https://domain.com/kop.sql    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36    821    Apache SSL/TLS access
2021-10-08 15:22:07    Error    000.000.000.000    403    GET /kop.sql HTTP/1.1    https://domain.com/kop.sql    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36    999    Apache SSL/TLS access
2021-10-08 15:22:07    Error            .044601 [INFO] [6171] [T0] [000.000.000.000:20298#APVH_domain.com:443] [ACL] Access to context [/] is denied!                Apache error
2021-10-08 15:22:07    Error            .516807 [INFO] [6171] [T0] [000.000.000.000:49318#APVH_domain.com:443] [ACL] Access to context [/] is denied!                Apache error
2021-10-08 15:22:07    Error            .670838 [INFO] [6171] [T0] [000.000.000.000:18430-1#APVH_domain.com:443>000.000.000.000] [ACL] Access to context [/] is denied!                Apache error
2021-10-08 15:22:07    Error            .932465 [INFO] [6171] [T0] [000.000.000.000:20298-1#APVH_domain.com:443>000.000.000.000] [ACL] Access to context [/] is denied!                Apache error
2021-10-08 15:22:07    Error            .296296 [INFO] [6172] [T0] [000.000.000.000:15326#APVH_domain.com:443] [ACL] Access to context [/] is denied!
So, my questions are:
1. How can I force LS to accept /var/www/vhosts/system/DOMAIN/conf/httpd.conf
2. What is [ACL] Access to context [/] is denied?

Appreciate any help.
Regards, Alex
 
S

skydrive

New Member
#3
#3
Well, you can easily re-create this issue without my help. Create a Vultr Cloud VM with Plesk Web-Pro + Litespeed Trial. The problem with omitting config files is already there.
I have just re-installed the whole package without touching any config files to check if my changes were involved and the result is the same with default install. As I said, no config has been manually modified.
Vultr installs Plesk App on Ubuntu 20.04
Latest Plesk ver. is 18.0.38 Update #3

I use Wordpress Toolkit Security settings, which generate Apache access rules in /var/www/vhosts/system/DOMAIN/conf/httpd.conf. These rules are working fine is Aparche is running the show, but if switched to LS, then those access rules are being ignored by LS.
E.g.:
When I create a file called ops2.log in httpdocs/ then it gets blocked by this rule:
Apache config: 
        # "Block access to potentially sensitive files"

        # To remove this rule, revert this security measure on each WordPress installation on this domain

        <LocationMatch ".+\\.(?i:psd|log|cmd|exe|bat|csh|ini|sh)$">

            Require all denied

        </LocationMatch>
Apache is showing 403 error constantly:
Code: 
2021-10-09 16:38:23    Error    000.000.000.000        AH01630: client denied by server configuration: /var/www/vhosts/domain.com/httpdocs/ops2.log                Apache error
2021-10-09 16:38:23    Error    000.000.000.000        AH01630: client denied by server configuration: /var/www/vhosts/domain.com/httpdocs/ops2.log                Apache error
2021-10-09 16:38:24    Error    000.000.000.000    403    GET /ops2.log HTTP/1.1        Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36    1.09 K    Apache SSL/TLS access
but for some reason, LS is not blocking access to this file:
Code: 
2021-10-09 16:45:36    Access    000.000.000.000    200    GET /ops2.log HTTP/1.1    https://domain.com/ops2.log    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36    0    Apache SSL/TLS access
2021-10-09 16:45:38    Access    000.000.000.000    200    GET /ops2.log HTTP/1.1    https://domain.com/ops2.log    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36    0    Apache SSL/TLS access
2021-10-09 16:46:04    Access    000.000.000.000    200    GET /ops2.log HTTP/1.1    https://domain.com/ops2.log    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36    0    Apache SSL/TLS access
Looks like the problem is with:
Apache config: 
<LocationMatch>
    ...
</LocationMatch>
,which is being ignored.

LS respects rules if added in Plesk->Domain->Apache & nginx Settings->Additional directives for HTTPS, which creates a vhost_ssl.conf (full path = /var/www/vhosts/system/DOMAIN/vhost_ssl.conf), or if added direclty to /var/www/vhosts/system/DOMAIN/conf/httpd.conf e.g.:
Apache config: 
<FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp|txt)|~)$">
    Require all denied
</FilesMatch>
This would deny access to files from a Wordpress install, e.g license.txt etc., but ignores httpd.conf in the same folder->/var/www/vhosts/system/DOMAIN/
Also, the deny rule from above is causing LS to log - [ACL] Access to context [/] is denied!

I am trying to move from nginx to LS, so I am not familiar with Apache very well, so I hope I was able to explain the issue.
Regards, Alex
 
N

NiteWave

Administrator
#4
#4
I did tests on a cPanel server

test URL: domain.com/a.log
Code: 
        <LocationMatch ".+\\.(?i:psd|log|cmd|exe|bat|csh|ini|sh)$">

            Require all denied

        </LocationMatch>
200 OK for lsws but 403 forbidden for apache

but if remove a \, i.e.
Code: 
        <LocationMatch ".+\.(?i:psd|log|cmd|exe|bat|csh|ini|sh)$">

            Require all denied

        </LocationMatch>
403 Forbidden for both lsws and apache.

logically, lsws's behavior is correct. with an extra \, means the file name should contain a \ in it. so a.log not match, while a\.log will match.
 
P

Pong

Administrator
Staff member
#8
#8
You'd better log a ticket with them since the ticket should be a more formal bug report. Forum is just casual community support.
 
You must log in or register to reply here.
Top