Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
litespeed_wiki:config:understanding_403 [2018/06/29 14:38] Jackson Zhang [Understanding Error 403 Forbidden] |
litespeed_wiki:config:understanding_403 [2019/06/13 15:42] (current) Jackson Zhang [Throttling] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Understanding Error 403 Forbidden ====== | ====== Understanding Error 403 Forbidden ====== | ||
| - | |||
| {{ :litespeed_wiki:config:403.png?400 |}} | {{ :litespeed_wiki:config:403.png?400 |}} | ||
| - | Error 403 Forbidden can be trigger by many things and in this wiki we will show you most of them.Most important thing is to check log files when you get the error as there will show in most cases from what it is. | + | Error 403 Forbidden can be triggered by many things, and in this wiki we will show you most of them. The most important thing is to check the log files when you get the error, as they will show the cause in most cases. |
| - | Generally, it is not LSWS web server bug related. Most of the time, it related to permission issue, restriction configuration setting, mod_security etc. | + | Generally, it is not LiteSpeed Web Server causing 403 issues. Most of the time, the error is related to a permission issue, configuration restriction, security settings, mod_security etc. |
| | | ||
| - | If you use the control panel like cpanel, you can try to switch to apache to see if it happens to it. If it happens to both Apache and LSWS, you can try the following possible tips yourself to locate the root cause of 403 error. If it doesn't happen to Apache but only happen to LSWS, you can log a ticket with us to take a further look. | + | If you use a control panel like cPanel, you can try to switch to Apache and see if the error continues. If it happens to both Apache and LSWS, you can try the following possible tips yourself to locate the root cause. If it //doesn't// happen to Apache but only happens to LSWS, you can log a ticket with us to take a further look. |
| - | ===== File/Directory permissions ===== | + | |
| - | Wrong file or directory permission will show that error. In this case you need to check the permissions and put the right ones. | + | ===== File/Directory Permissions ===== |
| + | If the file or directory has the wrong permissions, you may see Error 403. Fix the premissions, and the error goes away. | ||
| - | ===== Wrong file/directory user ===== | + | ===== Wrong File/Directory User ===== |
| - | + | Make sure that the file or directory belongs to the correct user. Lets say that your ''public_html'' directory is owned by the username ''test'', and you try to create a file ''index.php'' as user ''test1''. That can trigger the error, as test1 will not have permission to read the file or the directory. | |
| - | Make sure that the file or directory are using the right user. Lets say that your **public_html** directory is for username "test" and you put a file index.php as user test1. That can trigger the error as the user test1 will not have the right to read the file or the directory. | + | |
| - | + | ||
| - | ===== Deny from .htaccess file ===== | + | |
| - | + | ||
| - | If you have code like: | + | |
| + | ===== Deny From .htaccess File ===== | ||
| + | Your ''.htaccess'' may have code like this: | ||
| <code> deny from all </code> | <code> deny from all </code> | ||
| - | |||
| or | or | ||
| - | |||
| <code> deny from <your ip address> </code> | <code> deny from <your ip address> </code> | ||
| - | This mean that the access for the webside is deny or it is deny from IP address. You can simple remove or comment that like with "**#**" | + | This means that access for the website is denied for everyone, or just from your IP address, respectively. You can simply remove or comment the line out with ''**#**''. |
| - | ===== Indexes ===== | + | ===== Rewrite rule forbidden ===== |
| + | If you have something similar to the following rewrite rules, it may return 403 borbidden. | ||
| + | |||
| + | RewriteCond (SOMECONDITION) | ||
| + | RewriteRule ^(.*)$ – [F,L] | ||
| - | Directory indexing is preventing list of the files for the directory but if you do not have index file (index.php, index.html etc) and the **autoindex** option is ON that will return error 403. | ||
| - | If you have that line in the .htaccess file: | + | ===== Indexes ===== |
| + | Directory indexing may be preventing a list of the files for the directory, but if you do not have an index file (''index.php'', ''index.html'', etc.) and the **autoindex** option is ''ON'' that will return error 403. | ||
| + | If you have this line in the ''.htaccess'' file: | ||
| <code> Options -Indexes </code> | <code> Options -Indexes </code> | ||
| - | Try to remove it or put it on: | + | Remove the line, or turn autoindex on: |
| <code> Options +Indexes </code> | <code> Options +Indexes </code> | ||
| - | ===== Problem/missing PHP Handler ===== | + | ===== Problem/Missing PHP Handler ===== |
| + | If the PHP handler is not setup correctly, the web server will return error 403. This will be shown in the server error log file and you will need to check it for more information. After that, create the correct PHP handler to resolve the issue. | ||
| - | If the php handler is not setup correctly the Webserver will return error 403. This will be showed in the server error log file and you need to check them for more information. After that you need to create the right php handler to resolve the issue. | + | ===== File Restriction ===== |
| + | In **Litespeed WebAdmin > Configuration > Server > Security** there is an option called **Restricted Permission Mask**. If you set this to a high value like ''644'', you will get error 403 for your pages. | ||
| - | ===== File restriction ===== | + | To resolve it you need to lower the value. |
| - | In Litespeed webadmin -> Configuration -> Server -> Security there is a option "Restricted Permission Mask". If you setup to hight value like 644 you will get error 403 for your pages. | + | ===== Incorrect File Ownership After Migration ===== |
| + | When migrating or uploading files to a cPanel account, some image files might incorrectly be assigned to ''nobody:nobody'', when they should be user:user. | ||
| - | To resolve it you need to change the value to lower. | + | /home/jsmith/public_html>ls -ald images/detailed/130/Untitled-1-Recovered_urba-uz.jpg |
| + | -rw-rw-rw- 1 nobody nobody 103609 Apr 12 11:21 images/detailed/130/Untitled-1-Recovered_urba-uz.jpg | ||
| + | /home/jsmith/public_html>ls -ald images/detailed/130 | ||
| + | drwxrwxrwx 2 nobody nobody 36864 Apr 14 15:12 images/detailed/130 | ||
| + | /home/jsmith/public_html>ls -ald images/detailed | ||
| + | drwxrwxrwx 51 jsmith jsmith 4096 Apr 11 13:16 images/detailed | ||
| + | /home/jsmith/public_html>ls -ald images | ||
| + | drwxrwxrwx 48 jsmith jsmith 4096 Mar 31 16:30 images | ||
| - | ===== Mod Security/Waf/fail2ban/CPHulk ===== | + | The **Force Strict Ownership** setting in LSWS Admin specifies whether to enforce strict file ownership checking. If it is enabled, the web server will check if the owner of the file being served is the same as the owner of the virtual host. If it is different, a ''403 Access Denied'' error will be returned. |
| - | Depend what and how much requests you are doing for X website the firewall can block you. In most cases you IP address will be deny in the system firewall (iptables, firewalld etc) and you need to remove your IP address from there. | + | To fix the problem, either change all files user:group to user:user ( in the above example, that would be ''jsmith:jsmith''), or disable **Force Strict Ownership** in LSWS Admin. |
| + | ===== Mod Security/WAF/fail2ban/CPHulk ===== | ||
| + | Depending on what and how many requests you are doing for a particular website, the firewall can block you. In most cases your IP address will be denied in the system firewall (iptables, firewalld etc) and you need to remove your IP address in order to avoid the error. | ||
| - | ===== Throttling ===== | + | If mod_security rules enabled, it may be triggerred for 403 error. For example: |
| + | [modsecurity] [Fri Apr 26 10:07:36 2019] [error] [client 111.111.111.111] ModSecurity: Access denied with code 403, [Rule: 'TX:ANOMALY_SCORE' '@ge %{tx.in_example_score_threshold}'] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"][tag "platform-multi"] [tag "attack-generic"] | ||
| + | ===== Hit LiteSpeed Per Client Throttling connection limit ===== | ||
| + | Similar to the previous case - if you have strict throttling rules and you make too many connections, that can trigger error 403. | ||
| + | For example, you may use LiteSpeed ''per client throttling'' throttling feature and set ''Connection Soft Limit'' and ''Connection Hard Limit''. If any visitor's IP goes over that connection limit, it will trigger 403 error and show the following in the logs: | ||
| + | [NOTICE] [x.x.x.x] bot detected for vhost [N/A], reason: OverConnSoftLimit, close connection | ||
| + | or | ||
| + | [NOTICE] [x.x.x.x] bot detected for vhost [N/A], reason: OverConnHardLimit, close connection! | ||
| - | Similar to previous case - if you have strict Throttling rules and you make too many connection that can trigger error 403. | + | ===== Hit reCAPTCHA security feature ===== |
| + | If a visitor fails on reCAPTCHA verification, it may trigger 403 error. | ||
| - | ===== GeoIP/IP2Loc or similar modules ===== | + | ===== Hit LiteSpeed WordPress Protection feature ===== |
| - | + | If a visitor hit LiteSpeed WordPress Protection feature with over limit connections, it may trigger 403 error. | |
| - | If GeoIP or IP2Loc is allow they can block access to files like wp-login (wp-admin). In this case you need to allow the access. | + | ===== GeoIP/IP2Loc or Similar Modules ===== |
| + | If GeoIP or IP2Loc is allowed, they can block access to files like ''wp-login'' (wp-admin). In this case you need to allow them access in order to avoid the error. | ||
| ===== Error 403 in LiteSpeed WebAdmin ===== | ===== Error 403 in LiteSpeed WebAdmin ===== | ||
| - | + | There is an option to restrict access to the WebAdmin. If you forget to add your IP address, or if it changes, you can edit it from the configuration file in ''/usr/local/lsws/admin/conf/admin_config.xml'': | |
| - | There is a option to restrict the access to the WebAdmin. If you forgot to add you IP address ot if its change you can edit it from the conf file in /usr/local/lsws/admin/conf/admin_config.xml | + | |
| <code> <security> | <code> <security> | ||
| Line 73: | Line 91: | ||
| </security> | </security> | ||
| </code> | </code> | ||
| - | Put your IP address in the allow list. For multi IP addresses its look like this: | ||
| + | Put your IP address in the allow list. For multiple IP addresses it looks like this: | ||
| <code> <allow>XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX</allow> </code> | <code> <allow>XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX</allow> </code> | ||
| - | ===== Additionally Information ===== | + | ===== Additional Information ===== |
| - | + | The best way to diagnose and resolve that error is to check the system configuration, website configuration and the error logs. If you are unsure what is the correct configuration for some option that is triggering error 403, you can check the wiki for that option. | |
| - | Best way to diagnostic and resolve that error is to check the system configuration, website configuration and the error logs. If you are what is the right configuration for some option that is triggering error 403 you can check the wikis for that. | + | |
| For example: | For example: | ||
| - | + | For [[litespeed_wiki:config:geolocation|GeoLocation]] configuration or [[litespeed_wiki:config:ip2location|IP2Location]]. | |
| - | For [[litespeed_wiki:config:geolocation|GeoLocation]] configuration or [[litespeed_wiki:config:ip2location|IP2Location]] | + | |