DSO Server Setup Steps

Resolved VesperaWebDesigns
(@vesperawebdesigns)

10 years, 10 months ago
BPS Version: .52.3
Server API: apache2handler DSO Host Server Type

I have completed the steps outlined in this post:

DSO Server Setup Steps/

for the case where the Script Owner ID’s and the File Owner ID’s match:
1. include the 3 new lines in wp-config.php
2. clear the browser and server caches (the apache2 install is on my laptop)
3. navigate to BPS Security=>System Info
4. check that WP Filesystem API Method: direct
5. navigate to Setup Wizard
6. observe that there are no red warning messages
7. run Setup Wizard
8. observe that there are no red warning messages
9. navigate to BPS Security=>System Info
In the pane in the lower right quadrant of the page, the Script Owner ID’s and the File Owner ID’s are still displayed, even though the post indicates they should no longer be.

Have I misunderstood the post?

For the record, BPS when running on this server did not report any errors prior to modifying wp-config.php, but I am having difficulty getting another plug-in to work once I install BPS.

https://ww.wp.xz.cn/plugins/bulletproof-security/

Viewing 8 replies - 16 through 23 (of 23 total)

← 1 2

Thread Starter VesperaWebDesigns
(@vesperawebdesigns)

10 years, 9 months ago
To answer your question, I have not yet had a problem doing a backup. I am having a problem when trying to switch backup profiles, which would be needed if a client did multiple types of backups.

Just to clarify, I am making these changes in isolation. Before I make each change, I put everything back to default (the way it was when I installed the two plug-ins).

When I put your suggested Whitelist rule into the TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE, and made the following substitution for YourWebsite.com:
RewriteCond %{HTTP_REFERER} ^.*localhost.*
I still get the Application error, and the notification of update does not appear.

When I add the Query String skip/bypass rule to the wp-admin Custom Code text box, I still get the Application error, and the notification of update does not appear.

Since you said one or more of your list of BPS root .htaccess file security rules might be blocking the API upgrade check, I commented them ALL out. In this case, I edited the root .htaccess file directly. I still get the Application error, and the notification of update does not appear.

The way configuration information is stored for the version of Apache2 I have seems to be different from XAMPP. There are no httpd.conf or vhosts.conf files.

The file /etc/apache2/apache.conf has the following lines:
```
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
IncludeOptional sites-enabled/*.conf
```
In the file /etc/apache2/mods-enabled/authz_core.load is the command:
LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so

The file /etc/apache2/apache.conf has the following lines:
```
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

#<Directory /srv/>
#	Options Indexes FollowSymLinks
#	AllowOverride None
#	Require all granted
#</Directory>
```
and
```
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>
```
The file /etc/apache2/sites-enabled/mysite.conf contains the following lines:
```
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
        ServerName localhost
	DocumentRoot /home/christina/public_html
	<Directory />
		Options FollowSymLinks
		AllowOverride All
	</Directory>
	<Directory /home/christina/public_html>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
		Require all granted
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>
```
If there are other relevant sections of configuration information you think I might be overlooking, please let me know and I’ll supply them.
Plugin Author AITpro
(@aitpro)

10 years, 9 months ago
The way configuration information is stored for the version of Apache2 I have seems to be different from XAMPP. There are no httpd.conf or vhosts.conf files.

You either have a Debian or Ubuntu (Ubuntu is derived from Debian) Linux OS and the server type is a DSO server type. Only Debian and Ubuntu use the apache.conf file method instead of using the standard Apache httpd.conf file. mysite.conf contains your vhosts (VirtualHost) configuration.

In your vhosts conf file: mysite.conf I see that you are using both the old “Order” directive and the new “Require” all granted directive for the authz_core_module module. You need to comment out or delete the old “Order” directive code since your server is loading/using the new authz_core_module module. Try this first and then retest things to see if errors are still occurring.
```
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
        ServerName localhost
	DocumentRoot /home/christina/public_html
	<Directory />
		Options FollowSymLinks
		AllowOverride All
	</Directory>
	<Directory /home/christina/public_html>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		#Order allow,deny
		#allow from all
		Require all granted
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		#Order allow,deny
		#Allow from all
		Require all granted
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        #Order deny,allow
        #Deny from all
        #Allow from 127.0.0.0/255.0.0.0 ::1/128
		Require ip 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>
```
Plugin Author AITpro
(@aitpro)

10 years, 9 months ago

Just a reminder: any time you make changes to any of your Apache web server configuration files you MUST reboot your Apache web server in order for the new configuration settings to be loaded/used.
Plugin Author AITpro
(@aitpro)

10 years, 9 months ago
FYI you can simplify this code (If you use “host” instead of “ip” then you do not need to specify IPv4 and IPv6 IP address ranges):
```
change....
Require ip 127.0.0.0/255.0.0.0 ::1/128
to this code...
Require host localhost
```
And if you wanted to allow access to the server for a local network you would do this (this is just a reference example):
```
Require ip 192.168.100
Require host localhost
```
Thread Starter VesperaWebDesigns
(@vesperawebdesigns)

10 years, 9 months ago
I may have found the problem.

The root .htaccess file contains the following directive:
```
ErrorDocument 403 /repos/akwpcore-1.4.1/wp-content/plugins/bulletproof-security/403.php
```
If I comment out this line, I am able to switch profiles successfully.

Here are the first few lines in /wp-content/plugins/bulletproof-security/403.php (left/right arrows changed to “[]” so they show up in the code segment):
```
[?php ob_start(); ?]
[?php session_cache_limiter('nocache'); ?]
[?php session_start(); ?]
[?php error_reporting(0); ?]
[?php session_destroy(); ?]
```
If I leave the above line in the .htaccess file intact and remove this code, I am able to switch profiles successfully.

When the AKWP Control Panel is displayed as the result of being selected from a menu, it initializes some session variables. It also checks that the backup directory is inaccessible from the browser – it performs a request where a 403 error is expected.

When the 403 error is detected, the BPS root .htaccess file causes /wp-content/plugins/bulletproof-security/403.php to be executed. 403.php calls session_destroy(), which wipes out the session variables.

When the AKWP Control Panel is displayed as the result of redirection after a form is submitted (such as selecting a new Backup Profile), it loads and checks the session variables. These variables were wiped out by 403.php, AKWP detects that something is amiss with the session and displays “Application Error 500”.

Can this be resolved with a Skip rule? Do developers need to create a custom 403.php file for use on sites where AKWP is installed? Is there some other better solution?
Plugin Author AITpro
(@aitpro)

10 years, 9 months ago

session_destroy and the other code was created at the top of the 403.php template file to prevent problems that will occur in other plugins and themes if that code is not used. The logic is that when a 403 error occurs then it means “game over” so not sure how to allow an expected 403 error since that is a very strange approach. 403 errors should mean “game over” and not “game is intentionally failing as expected so continue on”. It is very bizarre to accept that is a legitimate logical method or approach. Logically if a 403 error is occurring then something needs to be fixed to prevent the orginal 403 error from occurring.

The solution for this issue is simple, but you will lose some BPS functionality. Turn Off Security Logging on the BPS Security Log page. The ErrorDocument directive code will no longer redirect to the BPS 403.php Security logging template, but that also means no Security logging will occur anymore.

Thread Starter VesperaWebDesigns
(@vesperawebdesigns)

10 years, 9 months ago

Thanks! Turning off Security Logging allows AKWP to function properly. But as you pointed out, that will cause problems with other plug-ins that expect the session to be destroyed. Eventually this requires a more tailored solution, but for now there is this work-around, so I’ll mark this Topic as Resolved.

Plugin Author AITpro
(@aitpro)

10 years, 9 months ago

Yep, I was originally planning on going through the Akeeba Backup code and fixing the code/bug in Akeeba that is causing this problem and then providing the bugfix to Akeeba, but the version of Akeeba that I was testing with is different than your version. oh well. And yep, session destroy is correct and essential code so messing with good/correct code to accommodate a bug in another plugin is not something I would consider messing with. 😉

Viewing 8 replies - 16 through 23 (of 23 total)

← 1 2

The topic ‘DSO Server Setup Steps’ is closed to new replies.