After upgrading to 4.1.5, one of my sites is now getting a 403 error on all pages. I reverted to 4.1.4 and it works fine. Then I did force reinstall 4.1.5 and still getting the 403 errors, so had to revert back to 4.1.4.

http://www.litespeedtech.com/support/forum/showthread.php?p=30093#post30093

That fixed it, thanks.

Got the same problem. 403 shows when I for example edit a post in wordpress and save it.

I applied the above solution but it didn't fix it.

Any other advice?

Please do a "Force reinstall" to make sure the latest build is used.

Did it now and the issue still happens. Seems whenever you edit a post or page and save it a 403 error occurs. It happens on ALL WP based sites on the machine :-(

Any other thing to look for?

Please check error.log, if you use cPanel, check /usr/local/apache/logs/error_log for the reason of 403 error.

I'm not using cpanel or any other panel it's a debian linux machine with no panels.

On the litespeed log there's no error showing.

Where is the log file located at?

So, you have configured vhosts in native configuration?
It should be /usr/local/lsws/logs/error.log, maybe you should enable full debug logging for a while, and search for log entries with your IP address.
I wonder if it is a 403 error from LiteSpeed or from somewhere else.

Strange, there are no visible errors on my IP in the log.
On some of the WP sites I managed to get it to work by clearing the cache but on others it failed to work remaining with 403 errors.

My guess is a bug in 4.1.5 that happens on some plugins on WP but am not sure.
I might be forced to downgrade and stay on 4.1.3 unless you guys have another advice?

update: file uploads (images) to posts fail too (HTTP error) with nothing in the debug log that indicates an error :-(

Please check if PHP suEXEC is function properly or not.
write test PHP script to run "id" command, see if php processes is running as correct user ID.

I assume you are using PHP suEXEC, each web site uses its own lsphp5 running as the user id of the owner of the site.

Actually all websites are under www-data (same user) as all are owned by us.

then make sure lsphp5 were running as www-data. Please show us the actual error.

Hi,
LSphp is running under www-data (see attached).
Error 403 still happens (also attached).

I wish the logs would give me a hint of the cause but they seem useless as they show no errors or issues :-(

Anything else i can try?

you may also check stderr.log (e.g. /usr/local/lsws/logs/stderr.log) and syslog (e.g. /var/log/messages).

also check the ownership of your upload directory.

Hi,
LSphp is running under www-data (see attached).
Error 403 still happens (also attached).

I wish the logs would give me a hint of the cause but they seem useless as they show no errors or issues :-(

Anything else i can try?
For those 403 error, LSWS should log something about it. maybe you can turn on debug logging and try again. make sure debug level is "HIGH", log level is at "DEBUG".

I think I might have found a solution: In the security settings of the server setup I've set the "check symbolic links" to "no" and it started to work again.
Thanks for your help!

I was happy to soon.
Same issue remains :-(
I added a debug log to the site and FINALLY got this:
ModSecurity: Access denied with code 403, [Rule: 'ARGS' '(fromCharCode|http-equiv|<.+>|innerHTML|dynsrc|-->)']
[Msg: XSS attack]

How do I fix that?

You can locate and comment out that rule, or use

SecRuleRemoveById xxxxx

to exclude that rule for that URL.
Maybe you enabled Request Body scan by default, which may cause trouble with gotroot rules.

Thanks. Realizing it may sounds like a silly question but any hints to the location of the rules config file on the server?

the rule can be found through
lsws admin console->Configuration->Server->
Request Filter->XSS attack->just disable it

restart lsws. see if the issue gone.

That did the trick! Thank you so much.

OK after reading this thread I was able to stop the 403 error...

But how come I have to remove these rules in any version after 4.1.1?

SecFilterSelective ARGS "(fromCharCode|http-equiv|<.+>|innerHTML|dynsrc|-->)"

SecFilterSelective ARGS "<(applet|div|embed|iframe|img|meta|object|script|te xtarea)"

When the same exact script & data is OK in 4.1.1?

the rulesets may not work well with 4.1.1 and prior as modsec support is improving.