Virtual hosts Options

Hello Neth Tribe,
I need to add this option to virtualhosts.conf:

Options +FollowSymLinks

I can add it manually but after i.e. some changes in vhosts via nethgui this option is lost.

How to make it permanent?

:information_source: 2020-01-14 - This solution is included in nethserver-httpd-virtualhosts-3.7.4 - update your system


Hi Dominik,

I assume you need it for one vhost and not for all.

mkdir -p /etc/e-smith/templates-custom/httpd/vhost-extra/

Create /etc/e-smith/templates-custom/httpd/vhost-extra/30directory20optionsFollowSymlinks with the following content:

# 30directory20optionsFollowSymlinks
{
    use esmith::ConfigDB;
    my $vdb = esmith::ConfigDB->open_ro('vhosts') || die("Can't open vhosts db");
    my $FollowSymlinks = $vdb->get_prop("$VhostName",'FollowSymlinks') || 'disabled';
    $OUT .= "      Options +FollowSymLinks\n" if ($FollowSymlinks eq 'enabled');
}

Set FollowSymlinks to enabled and expand the template:

db vhosts setprop YOURVHOST FollowSymlinks enabled
expand-template /etc/httpd/conf.d/virtualhosts.conf

Stolen from here:

Documentation:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html#subdirectory-templates

2 Likes

Hello @mrmarkuz!

Thanks for the solution - as soon as I get my VPS configured (with NS7) I will try to implement this and let you know how it goes :slight_smile:

Can we achieve the same with an .htaccess file ?

3 Likes

:thinking: I haven’t thought about that solution - but the .htaccess file could be modified by PrestaShop (which I am moving for one of my clients from shared hosting to a VPS) - but I will try to test this scenario also.

thanks @davidep

This seems to be the easier solution for @des :

Create .htaccess in /var/lib/nethserver/vhost/YOURVHOST

with following content:

Options +FollowSymLinks

2 Likes

Hi @mrmarkuz, the solution with .htaccess doesn’t work - PrestaShop rewrites this so I would have to make changes manually, but your earlier solution with the custom template works!

Thank you!

4 Likes

I found the exact same problem with WordPress: it rewrites the .htaccess, so I set Options +SymLinksIfOwnerMatch, which is a bit more secure than FollowSymLinks, which is an open bar for security.

https://httpd.apache.org/docs/2.4/mod/core.html#options

FollowSymLinks

The server will follow symbolic links in this directory. This is the default setting.

Even though the server follows the symlink it does *not* change the pathname used to match against `<Directory>` sections.

The `FollowSymLinks` and `SymLinksIfOwnerMatch` `Options` work only in `<Directory>` sections or `.htaccess` files.

Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.

@davidep maybe we could put a prop inside our vhost-extras

1 Like
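To see what the choice between the two options would mean for an existing site, the symlinks below a vhost root can be listed before changing the setting. This is an added example, not code from the thread or from NethServer; the function name `audit_vhost_symlinks` is hypothetical, and the vhost path in the usage comment is the one used on this page.

```shell
#!/bin/sh
# Added example (not from the thread): audit symlinks below a vhost root.
# Needs "readlink -f" and "stat -c", as on NethServer 7 (CentOS).

# Prints one line per symlink that FollowSymLinks would let httpd traverse
# out of the root (OUTSIDE), or that SymLinksIfOwnerMatch would refuse
# because link and target have different owners (OWNER).
audit_vhost_symlinks() {
    root=$(readlink -f "$1") || return 1
    find "$root" -type l | sort | while IFS= read -r link; do
        # Dangling links cannot be served; skip them.
        target=$(readlink -f "$link" 2>/dev/null) || continue
        [ -e "$target" ] || continue
        rel=${link#"$root"/}
        case "$target" in
            "$root"|"$root"/*)
                link_uid=$(stat -c %u "$link")      # owner of the link itself
                target_uid=$(stat -c %u "$target")  # owner of what it points to
                [ "$link_uid" = "$target_uid" ] ||
                    echo "OWNER   $rel -> $target"
                ;;
            *)
                echo "OUTSIDE $rel -> $target"
                ;;
        esac
    done
}

# Usage: sh audit.sh /var/lib/nethserver/vhost/YOURVHOST
if [ "$#" -gt 0 ]; then
    audit_vhost_symlinks "$1"
fi
```
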

I want to better understand the use case. Wordpress installs its .htaccess files: why does it not specify that option?

Is it required to make WP work?

BTW, our current defaults for virtual hosts configuration seem to be different from Apache default. Maybe WP has a different expectation?

[root@nethserver ~]# cat /etc/e-smith/templates/httpd/vhost-extra/30directory20options 
      Options None
      Options +Indexes
      Options +Includes

According to Apache docs, the default Options directive value is

The default was changed from All to FollowSymlinks in 2.3.11

:warning: The Apache core docs say

[FollowSymLinks, SymLinksIfOwnerMatch] Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.


It could be safe (enough) to change our default vhost configuration to include FollowSymLinks. What do you think?

With wordpress you have an option to change the url of articles, with the default the .htaccess is empty

# cat .htaccess

# BEGIN WordPress
# The directives (lines) between 'BEGIN WordPress' and 'END WordPress' are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.

# END WordPress

but if you change the url of article from plain to post name you have this content

# cat .htaccess

# BEGIN WordPress
# The directives (lines) between 'BEGIN WordPress' and 'END WordPress' are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

yes we could use it with a prop to enable and expose it in UI, I will do the same for my wordpress module but as default.

I still don’t get why FollowSymlinks is needed :thinking:

Do you get any error?

I’d prefer to change the template, provided it is backward compatible and safe enough.

sometimes errors are crystal clear :smiley:

When I remove Options +SymLinksIfOwnerMatch from /etc/httpd/conf.d/virtualhosts.conf

I have :slight_smile:

[Tue Jan 07 22:39:54.791490 2020] [rewrite:error] [pid 23865] [client 86.195.248.166:60802] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/lib/nethserver/vhost/58519475b8980b3/, referer: https://stephane.de-labrusse.fr/wp-admin/options-permalink.php
[Tue Jan 07 22:40:39.381136 2020] [rewrite:error] [pid 23893] [client 86.195.248.166:60820] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/lib/nethserver/vhost/58519475b8980b3/, referer: https://stephane.de-labrusse.fr/wp-admin/options-permalink.php
[Tue Jan 07 22:40:45.173031 2020] [rewrite:error] [pid 23893] [client 86.195.248.166:60820] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/lib/nethserver/vhost/58519475b8980b3/wp-admin/admin-ajax.php, referer: https://stephane.de-labrusse.fr/wp-admin/options-permalink.php

My website is redirected to the http default page

1 Like
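The AH00670 entries quoted in the post above can be counted per virtual host to find which sites have RewriteRule blocked by the strict Options default. This is an added example, not code from the thread: the function names are hypothetical, the log lines are constructed (documentation addresses and example.org hosts), and the vhost root is the `/var/lib/nethserver/vhost/` path shown on this page.

```shell
#!/bin/sh
# Added example (not from the thread): count AH00670 errors per virtual host.
# Assumes the vhost root /var/lib/nethserver/vhost/ shown on this page.

# Reads Apache error_log lines on stdin, prints "<count> <vhost>" lines.
ah00670_by_vhost() {
    awk '
        /AH00670:/ {
            path = $0
            # The affected path follows "directory restrictions : "
            if (!sub(/^.*directory restrictions : /, "", path)) next
            sub(/, referer: .*$/, "", path)     # the referer part is optional
            if (path !~ /^\/var\/lib\/nethserver\/vhost\//) next
            sub(/^\/var\/lib\/nethserver\/vhost\//, "", path)
            sub(/\/.*$/, "", path)              # first component = vhost name
            if (path != "") count[path]++
        }
        END { for (v in count) print count[v], v }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log, not taken from a real server.
sample_log() {
    cat <<'EOF'
[Tue Jan 07 10:00:01.000001 2020] [rewrite:error] [pid 1001] [client 192.0.2.10:50000] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/lib/nethserver/vhost/blog.example.org/, referer: https://blog.example.org/wp-admin/options-permalink.php
[Tue Jan 07 10:00:05.000002 2020] [rewrite:error] [pid 1001] [client 192.0.2.10:50001] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/lib/nethserver/vhost/blog.example.org/wp-admin/admin-ajax.php, referer: https://blog.example.org/wp-admin/options-permalink.php
[Tue Jan 07 10:01:00.000003 2020] [authz_core:error] [pid 1002] [client 192.0.2.11:50002] AH01630: client denied by server configuration: /var/lib/nethserver/vhost/shop.example.org/.git
[Tue Jan 07 10:02:00.000004 2020] [rewrite:error] [pid 1003] [client 192.0.2.12:50003] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/lib/nethserver/vhost/shop.example.org/
EOF
}

sample_log | ah00670_by_vhost
```

On a real system the function would read the httpd error log instead of the sample, for example `/var/log/httpd/error_log` on a stock CentOS layout (an assumption, the thread does not name the log file).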

Hi Davide,

I think that it is not required by WordPress itself but by extensions that might contain/use a symbolic link. As an example, some extensions need to know the location of the SSL certificate files?

- If you want to place this parameter in the .htaccess file, first you have to change the httpd daemon parameter AllowOverride None to AllowOverride All in the /etc/httpd/conf/httpd.conf file. You cannot use a custom-template as httpd doesn’t use a template.

- When the value of this parameter is set to ALL, it tells the httpd daemon to let the parameters contained in the .htaccess file override the same parameters found in /etc/httpd/conf/httpd.conf.
*** You can have a look at https://dokuwiki.micronator-dev.org/doku.php?id=nethserver_101_cahier_06_nethserver_wordpress#fichier_httpdconf.

- Any parameters in a .htaccess file in a sub-directory override the parameters of the .htaccess of the parent directory; the same as the children override the parent’s rules. :slight_smile:

- If you use redirection for a vhost, you can put this parameter in the redirection .conf file inside /etc/httpd/conf.d/.
*** Example: search for <Directory "/var/lib/nethserver/vhost/dokuwiki"> at https://dokuwiki.micronator-dev.org/doku.php?id=nethserver_201_cahier_04_dokuwiki.

Have a look at https://dokuwiki.micronator-dev.org/doku.php?id=nethserver_101_cahier_06_nethserver_wordpress#fichier_htaccess to see some of the parameters I use in .htaccess.

If you want your WordPress installation to be more secure, you install Wordfence which uses .htaccess for a part of its configuration, https://dokuwiki.micronator-dev.org/doku.php?id=nethserver_101_cahier_07_nethserver_wordpress_wordfence#fichier_htaccess.

*** Always make a backup copy of the .htaccess and httpd.conf files before changing any value


Michel-André

2 Likes


so our duty is to write good error log messages :wink:

Thanks for the example, now I understand!

We already have that option in virtualhosts.conf:

grep -R AllowOverride /etc/httpd/

Our configuration is too strict. Let’s follow the default Apache settings. In file /etc/e-smith/templates/httpd/vhost-extra/30directory20options:

-      Options None
+      Options FollowSymLinks
       Options +Indexes
       Options +Includes
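Review bot: the replacement line `Options FollowSymLinks` in 30directory20options applies to every virtual host built from this template, and the hunk gives no per-vhost way to turn it back off. Consider keeping it behind a vhosts db property that defaults to enabled (the custom template earlier in the thread reads a FollowSymlinks prop this way), or using SymLinksIfOwnerMatch, which the AH00670 message names as the other setting that lifts the RewriteRule restriction. A short comment in the template saying the line is there so that RewriteRule in .htaccess works would also help the next maintainer.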


This is exactly what @des asked in the OP.

1 Like
2 Likes

There’s a package from the testing repo! Who wants to try?

 yum --enablerepo=nethserver-testing update nethserver-httpd\*

/cc @michelandre @mrmarkuz @des

Edit: Bump!
Edit2: Released!

3 Likes