Hello Neth Tribe,
I need to add this option to virtualhosts.conf:
Options +FollowSymLinks
I can add it manually, but after e.g. some changes in vhosts via nethgui this option is lost.
How to make it permanent?
2020-01-14 - This solution is included in nethserver-httpd-virtualhosts-3.7.4
- update your system
Hi Dominik,
I assume you need it for one vhost and not for all.
mkdir -p /etc/e-smith/templates-custom/httpd/vhost-extra/
Create /etc/e-smith/templates-custom/httpd/vhost-extra/30directory20optionsFollowSymlinks with the following content:
# 30directory20optionsFollowSymlinks
{
use esmith::ConfigDB;
my $vdb = esmith::ConfigDB->open_ro('vhosts') || die("Can't open vhosts db");
my $FollowSymlinks = $vdb->get_prop("$VhostName",'FollowSymlinks') || 'disabled';
$OUT .= " Options +FollowSymLinks\n" if ($FollowSymlinks eq 'enabled');
}
Set FollowSymlinks to enabled and expand the template:
db vhosts setprop YOURVHOST FollowSymlinks enabled
expand-template /etc/httpd/conf.d/virtualhosts.conf
Stolen from here:
Documentation:
http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html#subdirectory-templates
Hello @mrmarkuz!
Thanks for the solution - as soon as I get my VPS configured (with NS7) I will try to implement this and let you know how it goes
Can we achieve the same with an .htaccess file?
I haven't thought about that solution - but the .htaccess file could be modified by PrestaShop (which I am moving for one of my clients from shared hosting to VPS) - but I will try to test this scenario also.
thanks @davidep
This seems to be the easier solution for @des :
Create .htaccess in /var/lib/nethserver/vhost/YOURVHOST
with following content:
Options +FollowSymLinks
Hi @mrmarkuz, the solution with .htaccess doesn't work - PrestaShop rewrites it, so I would have to make changes manually, but your earlier solution with the custom template works!
Thank you!
I found the exact same problem with WordPress, it rewrites the .htaccess, so I set Options +SymLinksIfOwnerMatch, which is a bit more secure than FollowSymLinks, which is an open bar for security
https://httpd.apache.org/docs/2.4/mod/core.html#options
FollowSymLinks
The server will follow symbolic links in this directory. This is the default setting.
Even though the server follows the symlink it does *not* change the pathname used to match against `<Directory>` sections.
The `FollowSymLinks` and `SymLinksIfOwnerMatch` `Options` work only in `<Directory>` sections or `.htaccess` files.
Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.
@davidep maybe we could put a prop inside our vhost-extras
I want to better understand the use case. WordPress installs its .htaccess files: why does it not specify that option?
Is it required to make WP work?
BTW, our current defaults for virtual hosts configuration seem to be different from Apache default. Maybe WP has a different expectation?
[root@nethserver ~]# cat /etc/e-smith/templates/httpd/vhost-extra/30directory20options
Options None
Options +Indexes
Options +Includes
According to Apache docs, the default Options directive value is
The default was changed from All to FollowSymlinks in 2.3.11
The Apache core docs say
[FollowSymLinks, SymLinksIfOwnerMatch] Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.
…It could be safe (enough) to change our default vhost configuration to include FollowSymLinks. What do you think?
With wordpress you have an option to change the url of articles, with the default the .htaccess is empty
# cat .htaccess
# BEGIN WordPress
# The directives (lines) between 'BEGIN WordPress' and 'END WordPress' are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
# END WordPress
but if you change the URL of articles from plain to post name you have this content
# cat .htaccess
# BEGIN WordPress
# The directives (lines) between 'BEGIN WordPress' and 'END WordPress' are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
yes we could use it with a prop to enable and expose it in UI, I will do the same for my wordpress module but as default.
I still don't get why FollowSymlinks is needed
Do you get any error?
I'd prefer to change the template, provided it is backward compatible and safe enough.
sometimes errors are crystal clear
When I remove Options +SymLinksIfOwnerMatch from /etc/httpd/conf.d/virtualhosts.conf I have
[Tue Jan 07 22:39:54.791490 2020] [rewrite:error] [pid 23865] [client 86.195.248.166:60802] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/lib/nethserver/vhost/58519475b8980b3/, referer: https://stephane.de-labrusse.fr/wp-admin/options-permalink.php
[Tue Jan 07 22:40:39.381136 2020] [rewrite:error] [pid 23893] [client 86.195.248.166:60820] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/lib/nethserver/vhost/58519475b8980b3/, referer: https://stephane.de-labrusse.fr/wp-admin/options-permalink.php
[Tue Jan 07 22:40:45.173031 2020] [rewrite:error] [pid 23893] [client 86.195.248.166:60820] AH00670: Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/lib/nethserver/vhost/58519475b8980b3/wp-admin/admin-ajax.php, referer: https://stephane.de-labrusse.fr/wp-admin/options-permalink.php
My website is redirected to the http default page
Hi Davide,
I think that it is not required by WordPress itself but by extensions that might contain/use a symbolic link. As an example, some extensions need to know the location of the SSL certificate files?
- If you want to place this parameter in the .htaccess file, first you have to change the httpd daemon parameter AllowOverride None to AllowOverride All in the /etc/httpd/conf/httpd.conf file. You cannot use a custom-template as httpd doesn't use a template.
- When the value of this parameter is set to All, it tells the httpd daemon to let the parameters contained in the .htaccess file override the same parameters found in /etc/httpd/conf/httpd.conf.
*** You can have a look at https://dokuwiki.micronator-dev.org/doku.php?id=nethserver_101_cahier_06_nethserver_wordpress#fichier_httpdconf.
- Any parameters in a .htaccess file in a sub-directory override the parameters of the .htaccess of the parent directory; the same as the children override the parent's rules….
- If you use redirection for a vhost, you can put this parameter in the redirection .conf file inside /etc/httpd/conf.d/.
*** Example: search for <Directory "/var/lib/nethserver/vhost/dokuwiki"> at https://dokuwiki.micronator-dev.org/doku.php?id=nethserver_201_cahier_04_dokuwiki.
Have a look at https://dokuwiki.micronator-dev.org/doku.php?id=nethserver_101_cahier_06_nethserver_wordpress#fichier_htaccess to see some of the parameters I use in .htaccess.
If you want your WordPress installation to be more secure, you install Wordfence which uses .htaccess for a part of its configuration, https://dokuwiki.micronator-dev.org/doku.php?id=nethserver_101_cahier_07_nethserver_wordpress_wordfence#fichier_htaccess.
*** Always make a backup copy of the .htaccess and httpd.conf files before changing any value…
Michel-André
…so our duty is to write good error log messages
Thanks for the example, now I understand!
We already have that option in virtualhosts.conf:
grep -R AllowOverride /etc/httpd/
Our configuration is too strict. Let's follow the default Apache settings. In file /etc/e-smith/templates/httpd/vhost-extra/30directory20options:
- Options None
+ Options FollowSymLinks
Options +Indexes
Options +Includes
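Review bot: the added "Options FollowSymLinks" line is an absolute (unprefixed) setting, like the "Options None" it replaces, so it only has the intended effect while it stays ahead of the "Options +Indexes" and "Options +Includes" context lines; if it were ever moved below them it would reset both. A comment in the template stating that ordering would help. Since the change enables symlink following for every vhost, it would also be worth keeping a per-vhost prop to switch it off or to select SymLinksIfOwnerMatch, which the AH00670 message earlier in the thread shows is equally sufficient for RewriteRule.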
…This is exactly what @des asked in the OP.
There's a package from the testing repo! Who wants to try?
yum --enablerepo=nethserver-testing update nethserver-httpd\*
/cc @michelandre @mrmarkuz @des
Edit: Bump!
Edit2: Released!
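The following is an added example, not code from the thread or from NethServer: it applies Apache's documented Options merge rules to each `<Directory>` block and reports whether a per-directory RewriteRule would pass the check behind the AH00670 message, using the old and new template output discussed above. It assumes nothing is inherited from parent sections and ignores .htaccess overrides; the vhost directory names in the sample are constructed placeholders.

```python
import re

# Options that satisfy mod_rewrite's per-directory check (see AH00670 above).
SYMLINK_OPTS = {"followsymlinks", "symlinksifownermatch"}
# Per the Apache core docs, "All" is every option except MultiViews.
ALL_OPTS = SYMLINK_OPTS | {"execcgi", "includes", "includesnoexec", "indexes"}

def effective_options(directives, inherited=()):
    """Apply the Options lines of one section in order; names are lowercased."""
    current = {o.lower() for o in inherited}
    for args in directives:
        signed = [a[0] in "+-" for a in args]
        if any(signed) and not all(signed):
            raise ValueError("mixed +/- and bare options: %r" % (args,))
        if all(signed):                       # relative form: merge
            for a in args:
                (current.add if a[0] == "+" else current.discard)(a[1:].lower())
        else:                                 # absolute form: replace everything
            names = {a.lower() for a in args} - {"none"}
            current = (names - {"all"}) | (ALL_OPTS if "all" in names else set())
    return current

def audit(conf_text):
    """Map each <Directory> path to True if RewriteRule would be permitted."""
    result, path, opts = {}, None, []
    for line in (l.strip() for l in conf_text.splitlines()):
        start = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if start:
            path, opts = start.group(1).strip(), []
        elif path and line.lower().startswith("</directory"):
            result[path] = bool(effective_options(opts) & SYMLINK_OPTS)
            path = None
        elif path and re.match(r"Options\s", line, re.I):
            opts.append(line.split()[1:])
    return result

# Constructed sample: the vhost names are placeholders, not from the thread.
SAMPLE = """
<Directory "/var/lib/nethserver/vhost/old-template">
    Options None
    Options +Indexes
    Options +Includes
</Directory>
<Directory "/var/lib/nethserver/vhost/new-template">
    Options FollowSymLinks
    Options +Indexes
    Options +Includes
</Directory>
"""

if __name__ == "__main__":
    for directory, ok in audit(SAMPLE).items():
        print(directory, "RewriteRule allowed" if ok else "AH00670 expected")
```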