DSO Server Setup Steps

Resolved VesperaWebDesigns
(@vesperawebdesigns)

10 years, 10 months ago
BPS Version: .52.3
Server API: apache2handler DSO Host Server Type

I have completed the steps outlined in this post:

DSO Server Setup Steps/

for the case where the Script Owner ID’s and the File Owner ID’s match:
1. include the 3 new lines in wp-config.php
2. clear the browser and server caches (the apache2 install is on my laptop)
3. navigate to BPS Security=>System Info
4. check that WP Filesystem API Method: direct
5. navigate to Setup Wizard
6. observe that there are no red warning messages
7. run Setup Wizard
8. observe that there are no red warning messages
9. navigate to BPS Security=>System Info
In the pane in the lower right quadrant of the page, the Script Owner ID’s and the File Owner ID’s are still displayed, even though the post indicates they should no longer be.

Have I misunderstood the post?

For the record, BPS when running on this server did not report any errors prior to modifying wp-config.php, but I am having difficulty getting another plug-in to work once I install BPS.

https://ww.wp.xz.cn/plugins/bulletproof-security/

Viewing 15 replies - 1 through 15 (of 23 total)

1 2 →

Plugin Author AITpro
(@aitpro)

10 years, 10 months ago
The System Info: Website|Server|Opcode Cache|Accelerators|IP Info pane/table (top left) is where you should now only be seeing this: WP Filesystem API Method: direct.

The System Info: File|Folder Permissions (CGI or DSO)|Script Owner User ID (UID)|File Owner User ID pane/table (bottom right) will always display static file/folder permissions and the UID for files and folders.

Post your entire File|Folder Permissions (CGI or DSO)|Script Owner User ID (UID)|File Owner User ID pane/table. If you want to obscure your actual UID then change them consistently. What I need to see is whether all UID’s match or not and not the actual UID.

Example:
```
Actual:  ../.htaccess	404	0404	5555	5555
Obscured: ../.htaccess	404	0404	1	1
```
Thread Starter VesperaWebDesigns
(@vesperawebdesigns)

10 years, 10 months ago
Thanks for your prompt reply!
```
DSO File and Folder Permissions|Recommendations

					Script	Script
File Path		Rec	Cur	Owner	Owner
Folder Path		Perm	Perm	UserID	UserID
../			755	0755	1000	1000
../.htaccess		644	0644	1000	1000
../wp-config.php	644	0664	1000	1000
../index.php		644	0644	1000	1000
../wp-blog-header.php	644	0644	1000	1000
../wp-admin		755	0755	1000	1000
../wp-includes		755	0755	1000	1000
../wp-content		755	0755	1000	1000
../wp-content/plugins	755	0755	1000	1000
../wp-content/themes	755	0755	1000	1000
../wp-content/uploads	755	0755	1000	1000
../wp-content/upgrade	755	0755	1000	1000
../wp-content/bps-backup	755	0755	1000	1000
../wp-content/bps-backup/logs	755	0755	1000	1000
../wp-content/bps-backup/master-backups	755	0755	1000	1000
../wp-content/bps-backup/backups_sXEZC8b7zI3vVba	755	0755	1000	1000
```
The statement in the post offering advice that concerns me is:

Note: When the WP Filesystem API Method is “direct” then the Script Owner ID and File Owner ID fields will no longer be displayed on the System Info page.

Regards,
Christina
Plugin Author AITpro
(@aitpro)

10 years, 10 months ago

Yep, that DSO Setup forum topic needs to be updated. When that forum topic was originally create the new System Info File|Folder Permissions (CGI or DSO)|Script Owner User ID (UID)|File Owner User ID pane/table did not exist yet. 😉

Ok so all UID’s match so that looks good. So now describe in detail what exactly is not working in the other plugin and post the name of the plugin so I can download it and look at the code in that plugin. Are you seeing any 403 errors in your Security Log for that other plugin? If so, post that Security Log entry for that plugin.
Thread Starter VesperaWebDesigns
(@vesperawebdesigns)

10 years, 10 months ago
The other plug-in is AkeebaBackupWP, and it is commercial. The download is behind a paywall, and staff started a scheduled vacation before my problem was completely solved (I have a work-around). They won’t be back until August 16. What is the etiquette in this situation? Can I send you the .zip file privately?

When the problem occurs, a single 403 error is recorded in your log.
```
[403 GET / HEAD Request: 5th August 2015 - 8:04 pm]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 127.0.0.1
Host Name: localhost
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://localhost/repos/akeeba2dev/wp-admin/admin.php?page=akeebabackupwp.1.3.4.rev59F39EC-%2Fakeebabackupwp.php
REQUEST_URI: /repos/akeeba2dev/wp-content/plugins/akeebabackupwp.1.3.4.rev59F39EC-/app//backups/index.html
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
```
The requested file is in a directory that has its own .htaccess file. Support claims that a 403 error is expected for that request, that it is how the program ensures that the files cannot be accessed by the browser. If a 403 were not returned, a warning would be displayed. Apparently the malformed string (“//”) is not significant.

Support claims that the error I am seeing (reported as “Application Error 500 Invalid security token”) is the result of a session error. The following PHP variables are set according to the plug-in’s specifications:
- session.save_path = “/var/lib/php5”
- php_value session.cookie_httponly = 0
- php_value session.cookie_secure = 0
Permissions for the “/var/lib/php5” directory, where session tokens are stored, seem to be correct, and I have spotted AKWP session tokens in that directory occasionally, so I know it can be written to.

The error message appears when attempting to switch Backup Profiles in the Control Panel. The error message is only observed after Setup Wizard is run, and it is not displayed once the BPS root .htaccess file is renamed or deleted. Commenting out the Options and DirectoryIndex variables in the BPS-supplied .htaccess file does not seem to make any difference.

I was hoping that following your advice about customizing the wp-config.php file for a DSO server would help, but it does not seem to make any difference, either.

I wasn’t going to ask for your help with this until I had tried all the troubleshooting suggestions you have posted in your forum, but if you can point me in a direction that is likely to solve this problem, I’d be much obliged. 🙂

Regards,
Christina
Plugin Author AITpro
(@aitpro)

10 years, 10 months ago
The error message is only observed after Setup Wizard is run, and it is not displayed once the BPS root .htaccess file is renamed or deleted.

The Setup Wizard creates a new BPS root htaccess file. By renaming/deleting the BPS root htaccess file you have confirmed that a whitelist rule is needed in the root htaccess file for the AkeebaBackupWP plugin.

Try this first: Create a plugin skip/bypass rule for AkeebaBackupWP

1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page, click the Create secure.htaccess File AutoMagic button, select the Activate Root Folder BulletProof Mode Radio button and click the Activate|Deactivate button.
```
# AkeebaBackupWP plugin skip/bypass
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/akeebabackupwp(.*) [NC]
RewriteRule . - [S=13]
```
Note: The 403 error that you are seeing logged in the BPS Security Log is probably not the same 403 error that AkeebaBackupWP support is referring too.
Thread Starter VesperaWebDesigns
(@vesperawebdesigns)

10 years, 10 months ago
Thank you! I understand the Skip Rule, but could not have written it myself. 🙂

Skip Rule #12 looks like this:
```
# Adminer MySQL management tool data populate
RewriteCond %{REQUEST_URI} ^/repos/akeeba2dev/wp-content/plugins/adminer/ [NC]
RewriteRule . - [S=12]
```
so I changed the path name to prepend “/repos/akeeba2dev”. The error was still reported, so I tried the following tweaks, one at a time:

RewriteCond %{REQUEST_URI} ^/repos/akeeba2dev/wp-content/plugins/akeebabackupwp(.*) [NC]
RewriteCond %{REQUEST_URI} ^/repos/akeeba2dev/wp-content/plugins/akeebabackupwp(.*)/ [NC]
RewriteCond %{REQUEST_URI} ^/repos/akeeba2dev/wp-content/plugins/akeebabackupwp.1.3.4.rev59F39EC- [NC]
RewriteCond %{REQUEST_URI} ^/repos/akeeba2dev/wp-content/plugins/akeebabackupwp.1.3.4.rev59F39EC-/ [NC]`

For each tweaked rule, I would:
1. Copy the rule to this BPS Root Custom Code text box: CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page, click the Create secure.htaccess File AutoMagic button, select the Activate Root Folder BulletProof Mode Radio button and click the Activate|Deactivate button.
4. Check that the root .htaccess file contained the desired rule.
5. Navigate to the AKWP Control Panel.
6. Clear the browser cache.
7. Use OPCacheGUI to clear the server cache.
8. Reload the AKWP Control Panel.
9. Attempt to select a different Backup Profile.
I double-checked the BPS Security Log, and there were no errors other than the 403 returned when that URI was requested.

Just as a sanity check, once all of these failed, I renamed the .htaccess file, cleared the caches, and reloaded the page. No error was displayed, and no errors were recorded in the BPS Security Log.

Regards,
Christina
Plugin Author AITpro
(@aitpro)

10 years, 10 months ago
Oops yeah good catch on the URI. Forgot to add your full URI in the skip/bypass rule. 😉 Ok so a plugin skip/bypass rule is not going to work for whatever is being blocked.

Try these whitelisting methods next in the same order as they are shown below:

Notes: Replace/change YourWebsite.com in the code below with your actual website domain name. You can get that by looking at the existing TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE root htaccess code in your BPS root htaccess file. I have added the additional akeebabackupwp\.php| file and code in the code below.

1. Copy the code below to this Custom Code text box: CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE: Add additional Referers and/or misc file names. IMPORTANT! Change the HTTP_REFERER YourWebsite.com domain name to your actual domain/website’s name.
2. Save your new custom code by clicking the Save Root Custom Code button.
3. Click the Create secure.htaccess File AutoMagic button on the Security Modes page.
4. Activate BulletProof Mode for your Root folder on the Security Modes page.
```
# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
# Remote File Inclusion (RFI) security rules
# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
RewriteRule .* index.php [F]
#
# Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
RewriteCond %{REQUEST_URI} (akeebabackupwp\.php|timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
RewriteCond %{HTTP_REFERER} ^.*YourWebsite.com.*
RewriteRule . - [S=1]
```
If the whitelisting method above does not work then try this next;

1. Add the page=akeebabackupwp Query String skip/bypass rule below to this wp-admin Custom Code text box: CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES
2. Click the Save wp-admin Custom Code button.
3. Go to the Security Modes page and Activate wp-admin Folder BulletProof Mode.
```
# AkeebaBackupWP wp-admin Query String skip/bypass rule
# RewriteCond %{QUERY_STRING} page=akeebabackupwp(.*) [NC]
# RewriteRule . - [S=2]
```
Plugin Author AITpro
(@aitpro)

10 years, 10 months ago
Or this may work:

1. Go to the BPS htaccess File Editor page, click on the Your Current Root htaccess File tab, scroll down in your Root .htaccess file code until you see .htaccess code that looks like this code below.
```
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
```
2. Copy your # WP REWRITE LOOP START code to this BPS Root Custom Code text box: CUSTOM CODE WP REWRITE LOOP START
3. After you have copied your WP Rewrite Loop Start .htaccess code then add the akeebabackupwp RewriteRule skip/bypass rule as shown in the code below.
4. Click the Save Root Custom Code button.
5. Go to the BPS Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode.
```
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# akeebabackupwp RewriteRule skip/bypass
RewriteRule ^repos/akeeba2dev/wp-content/plugins/akeebabackupwp(.*) - [L]
```
Plugin Author AITpro
(@aitpro)

10 years, 10 months ago
Ok I found a free Akeeba Backup version for WordPress. Downloaded it, installed and tested it and both file and db backups work fine, but I am also seeing a 403 error even though the backups completed successfully. So this appears to only be a nuisance 403 error and not an error indicating that something is actually not working. I will figure out exactly what is triggering this error and post the solution shortly. I may find that what the Akeeba Backup support folks said about a 403 error always occurring with their plugin is that in that case BPS logs all 403 errors on a website whether or not the 403 error has anthing to do with BPS. If this is the case then it is a nuisance error that just needs to not be logged.
```
[403 GET / HEAD Request: August 13, 2015 - 1:49 pm]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 127.0.0.1
Host Name: Z666P-HP
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://demo5.local/wp-admin/admin.php?page=akeebabackupwp-core%2Fakeebabackupwp.php&view=main
REQUEST_URI: /wp-content/plugins/akeebabackupwp-core/app//backups/index.html?_=1439498971140
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
```
Plugin Author AITpro
(@aitpro)

10 years, 10 months ago
Ok ironically the problem is with the Akeeba Backup htaccess files themselves. there are several of them throughout the Akeeba Backup plugin folders. The best approach would be to automatically create .htaccess files based on a check if the mod_authz_core module is loaded instead of doing a one size fits all conditional thing with htaccess files/code to cover all bases. ie if mod_authz_core module is loaded create htaccess file/code X. if mod_authz_core module is NOT loaded create htaccess file/code Y. We actually need to do this same thing in BPS soon.

So if you do not want to see the 403 nuisance errors then the solution is to edit all Akeeba Backup htaccess files and delete the htaccess code that does not apply to your Apache server version.

Older versions of Apache used this htaccess code without having to do anything else with it. The new Apache thing is: mod_authz_core
```
Order Deny,Allow
Deny from all
```
This one size fits all thing below may work in most cases, but it will also fail in a lot of other cases. The fail is a nuisance fail and not critical. ie errors are generated, but nothing is actually being broken.
```
# Apache 2.2
<IfModule !mod_authz_core.c>
Order Deny,Allow
Deny from all
</IfModule>

# Apache 2.4
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
```
Plugin Author AITpro
(@aitpro)

10 years, 10 months ago
So on my XAMPP Dev server if I comment out all of these code lines below with # signs in this file: /app/backups/.htaccess I no longer see that 403 error and the /backups folder is still protected. I did not bother with editing any of the other Akeeba Backup htaccess files.
```
#<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
#</IfModule>

#<IfModule mod_authz_core.c>
#  <RequireAll>
#    Require all denied
#  </RequireAll>
#</IfModule>
```
Thread Starter VesperaWebDesigns
(@vesperawebdesigns)

10 years, 10 months ago
I apologize, I am having to do this in a bit of a hurry, and will have to pause in this investigation due to prior commitments.

I tried replacing the contents of /app/backups/.htaccess with your suggested code, and still got the 403 error (and the Application 500 error).

I also tried the following code in /app/backups/.htaccess (essentially the opposite of what you had done):
```
#<IfModule !mod_authz_core.c>
#Order deny,allow
#Deny from all
#</IfModule>

#<IfModule mod_authz_core.c>
  <RequireAll>
    Require all denied
  </RequireAll>
#</IfModule>
```
and still got the 403 error (and the Application 500 error).

Then I tried commenting EVERYTHING out. When I navigated to the AKWP Control Panel, a notification was displayed that was not there before, that a new version of AKWP is now available. When I went to change profiles, the Application 500 error was not displayed, and no 403 error was logged (as expected).

I restored the original /app/backups/.htaccess file, and renamed the root .htaccess file. The notification of a new version was displayed. When I went to change profiles, the Application 500 error was not displayed, and no 403 error was logged (as expected).

One difference between the paid and free versions of AKWP is how available updates are detected. The paid version checks that a valid Download ID has been entered. It probably also retrieves the update from a different location than the free version.

Somehow the existence of the BPS .htaccess file is causing AKWP not to be able to detect that an update is available. It is also causing the AKWP code to go down a different path when switching profiles, since it doesn’t even make the HTTP request that results in a 403 error.

I have to delay any further work on this until Monday. By then AKWP staff will be back from vacation, and I can pass along all this information to them. I think their input is needed at this point anyway.

Thank you for giving your time and expertise to solving this problem. I think we’re a lot closer to the solution now!
Plugin Author AITpro
(@aitpro)

10 years, 10 months ago
So there must obviously be some differences between the Akeeba free and pro versions. Maybe there are several 403 errors occurring and not just the one 403 error due to Akeeba htaccess file code itself. Or maybe the localhost server itself has had additional configuration done in the httpd.conf file or the vhosts conf file.

Both file backups and DB backups worked fine for me whether or not I changed the Akeeba htaccess file code. Are Akeeba backups also working normally for you even though you are seeing a nuisance 403 error(s)?

Most likely the API upgrade check is being blocked by 1 or more of these BPS root .htaccess file security rules below and commenting them out with a # sign in your root .htaccess file would tell you which rule or rules that is:

Most likely:
```
#RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]

#RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
```
Less likely:
```
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
```
Least likely:
```
#RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#RewriteCond %{QUERY_STRING} http\: [NC,OR]
#RewriteCond %{QUERY_STRING} https\: [NC,OR]
```
Thread Starter VesperaWebDesigns
(@vesperawebdesigns)

10 years, 10 months ago

Thanks! I’ll try all that on Monday, plus the suggestions you made earlier. If there are any variables in httpd.conf or vhosts.conf whose values you would like me to supply, please let me know.

I agree that the 403 error is a “nuisance error”, but I think the fact that it occurs only when the Application error is displayed is significant, and may help the AKWP developer track down the problem.
Plugin Author AITpro
(@aitpro)

10 years, 10 months ago
You would be checking the httpd.conf and vhosts conf files to see what they are doing or not doing with the mod_authz_core module.

In my XAMPP httpd.conf file I see that the module is being loaded, but this is XAMPP, which has been modified to run under Windows instead of Linux.
LoadModule authz_core_module modules/mod_authz_core.so. In my vhosts conf file I am using the new “Require all granted” vs the older “Order” directive, but my htaccess files are still using “Order” and they are working so that tells me there is a fallback for the older “Order” directive in htaccess files and they still work fine. I assume Apache is doing a standard deprecation method: https://en.wikipedia.org/wiki/Deprecation just like PHP or any other software does for backwards compatibility and moving forward. So basically that means that this htaccess code below should work for many versions of Apache until the “Order” directive is completely removed.
```
Order Deny,Allow
Deny from all
```
If everything is working correctly then that falls under nuisance. The 403 error for the API upgrade being blocked is not a nuisance error and is a critical error. One of the security filters above is most likely blocking the API upgrade check.

Viewing 15 replies - 1 through 15 (of 23 total)

1 2 →

The topic ‘DSO Server Setup Steps’ is closed to new replies.