It seems that when installing NethServer based on the latest nethserver-7.9.2009-x86_64.iso there is some configuration mistake that leads to the Rspamd web interface configuration page (h**ps://192.168.2.218:980/rspamd/#configuration) not being able to properly log in.
I will post the information like passwords unscrambled; they are from a local test installation anyhow.
Problem
Opening the page (regardless if opened from Cockpit or standalone, providing credentials) makes the page request two addresses:
GET h**ps://rspamd:UsRr1L_CIAdMgKiK@192.168.2.218:980/rspamd/actions
Results in a “403 Forbidden”.
GET h**ps://rspamd:UsRr1L_CIAdMgKiK@192.168.2.218:980/rspamd/maps
Results in a “200 OK” and seems to return the expected JSON object.
This results in the web interface showing two messages:
“local > Request failed: Forbidden”
“Request failed”
How to reproduce
Start with nethserver-7.9.2009-x86_64.iso
No special instructions for installation. Root password has been set, no user created.
Once installation is done, log in to Cockpit on port 9090 as root.
Set FQDN and install the mail server from the software collection.
No need to update the packages first (also tested with updating first, no change).
Further information/tests done
Previously used (on another server) nethserver-7.8.2003-x86_64.iso does not show this problem.
Upgrading and updating 7.8.2003 to the latest version available via the “Software Center” does not show this problem, which is the reason why I myself and most other users might not have run into this yet when using their existing installations.
When upgrading and updating 7.8.2003, it does not matter if you install the mail server package before or after the upgrade/update. Both ways result in a working configuration page.
Using different credentials to open the Rspamd interface (with credentials of a user in the domain admin group) does not work either. Easiest way:
h**ps://user_in_domain_admin_group:pass@192.168.2.218:980/rspamd/
You might have to set up port forwarding to use another port (or reconfigure the Rspamd web port from 980 to something else) if your browser does not allow you to use other credentials. This can be done for example using “socat”: socat tcp-listen:9800,reuseaddr,fork tcp:localhost:980
I did find other promising topics but in the end they did not match this specific problem and ended in solutions that do not seem to be related to this behavior.
Hope this helps to identify/solve this problem if others are experiencing this as well (which new users most likely do).
Today I got the same error on a freshly installed server.
I…
Installed Nethserver 7.9
updated “-”
installed active directory
created LE-certs
created users
installed mail server
I logged into Rspamd with the Nethserver Admin and got the same error.
Then I used your tip (h**ps://user_in_domain_admin_group:pass@192.168.2.218:980/rspamd/) and logged in with an additional domain admin user – no success, the error persists.
I am really surprised about this previously unknown error.
I identified the problem: The admin-Pw starts with a “:” (colon).
Therefore, the resulting URL is h**ps://user_in_domain_admin_group::anything@192.168.2.218:980/rspamd with a double colon in the middle.
After the change of the PW all works fine.
But it remains a mystery to me why I have to change the PW via URL first and it doesn’t just take the PW from the AD user.
Sincerely, Marko
I also have a # and a . within the PW.
If there are any limitations, that should be communicated and validated. I myself deliberately leave the choice of password to my password manager at random.
If a password (even the root one) is wrongly chosen (according to nomenclature rules by NethServer standards), there must be a mechanism that prevents this. Otherwise one searches oneself silly for possible error sources.
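Characters such as ":" and "#" are delimiters inside a URL, so a password placed in the `user:pass@host` part has to be percent-encoded first. The following is an added example, not code from the thread or from NethServer; the user name and password are constructed, and only the host and port are taken from the posts above.

```python
from urllib.parse import quote, unquote, urlsplit

HOST, PORT = "192.168.2.218", 980    # host and port as quoted in the thread
USER, PASSWORD = "admin", ":Ab#c.d"  # constructed sample credentials

def build_url(user, password, host, port, path="/rspamd/"):
    """Build an https URL with the credentials percent-encoded."""
    # safe="" also encodes ':', '#', '@' and '/', which otherwise act as
    # delimiters inside the authority part of the URL (RFC 3986).
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"https://{userinfo}@{host}:{port}{path}"

def parse_credentials(url):
    """Return (user, password, host) as urllib's URL parser sees them."""
    parts = urlsplit(url)
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return user, password, parts.hostname

if __name__ == "__main__":
    naive = f"https://{USER}:{PASSWORD}@{HOST}:{PORT}/rspamd/"
    # '#' starts the fragment, so the authority is cut off at "admin::Ab"
    # and the parser no longer sees any credentials or the real host.
    print(parse_credentials(naive))
    # Encoded, the same password survives the round trip unchanged.
    print(parse_credentials(build_url(USER, PASSWORD, HOST, PORT)))
```

A password that only starts with ":" is split at the first colon by this parser and comes back intact; encoding it removes the dependence on how a particular client performs that split.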
Glad that you were able to figure out a solution to this sub or kind of similar looking problem.
However this is not an actual solution to the original problem reported.
I just test installed 7.9.2009 again and updated before installing the mail server and Rspamd to check if the problem still persists and it actually does.
I also double checked on the passwords generated by the installation and they contain only the characters that were pointed out by @stephdl to be valid characters. These are the actual passwords generated by the system:
Seems like I missed the notification about the reply in my mails.
I just booted up my test VM for this and checked the “Web Server” “Logs” page, which is what I think you are referring to when you say http-admin logs. If I should be looking somewhere else please just let me know and I will check.
Actually it seems like there is no log entry about this at all (if I am looking at the correct log files). I looked through all that the dropdown menu let me choose from and made sure I really make an access by cleaning the cache and so on.
My assumption here is that the actual HTTP access is a success, which would explain why nothing shows up in the error log and so on.
As described in my OP this is fairly simple to reproduce with a fresh installation and might be easier to investigate locally for someone who is more familiar with the NethServer components/combination.
Nevertheless, if there is something I can provide in terms of information please just let me know and I will try to provide it for further improvements of the NethServer package.
You don’t have permission to access /rspamd/actions on this server.
jquery-3.5.1.min.js:2 GET https://rspamd:XMv_8G4QcZEBAR7n@192.168.2.61:980/rspamd/actions 403 (Forbidden)
And this error logged on /var/log/httpd-admin/error_log explains it:
[rewrite:error] [pid 32170] [client 192.168.2.61:44806] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /etc/httpd/htdocs, referer: https://192.168.2.61:980/rspamd/
Cc @giacomo @davidep: it seems that on a new installation of NS 7.9, probably due to the absence of nethgui, the Rspamd UI is broken because an Apache FollowSymLinks directive is missing; see above.
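To find this condition on other hosts, the error log can be scanned for AH00670 entries and the affected directories collected. This is an added example, not part of the thread or of NethServer; the first sample line is the one quoted above, the second is constructed, and the function name is hypothetical.

```python
import re

# Apache 2.4 error_log entry. The leading [timestamp] field is optional
# because the line quoted in the thread was pasted without it.
ENTRY = re.compile(
    r"^(?:\[(?P<time>[^\]]+)\] )?"
    r"\[(?P<module>[\w-]*):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*?)"
    r"(?:, referer: (?P<referer>\S+))?$"
)

SAMPLE_LOG = [
    # Line from the thread (/var/log/httpd-admin/error_log)
    "[rewrite:error] [pid 32170] [client 192.168.2.61:44806] AH00670: "
    "Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the "
    "RewriteRule directive is also forbidden due to its similar ability to "
    "circumvent directory restrictions : /etc/httpd/htdocs, "
    "referer: https://192.168.2.61:980/rspamd/",
    # Constructed line: an unrelated 403 cause that must not be reported
    "[Mon Jan 04 10:00:00.000000 2021] [authz_core:error] [pid 1234] "
    "[client 192.0.2.7:50000] AH01630: client denied by server "
    "configuration: /var/www/html/private",
]

def rewrite_blocked_dirs(lines):
    """Map each directory named in an AH00670 entry to the referers seen."""
    hits = {}
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m or m["code"] != "AH00670":
            continue
        # The directory is the last field of the message, after " : "
        directory = m["msg"].rsplit(" : ", 1)[-1]
        referers = hits.setdefault(directory, set())
        if m["referer"]:
            referers.add(m["referer"])
    return hits

if __name__ == "__main__":
    for directory, referers in rewrite_blocked_dirs(SAMPLE_LOG).items():
        print(directory, sorted(referers))
```

Each directory reported is one where RewriteRule is refused until FollowSymLinks or SymLinksIfOwnerMatch is enabled for it, as the log message itself states.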