1

Im using a plugin for one of my websites which I have updated recently. Since I have updated I get always an access denied message (Error 403) when opening magnalister.php of the plugin. When I replace the new .htaccess file with the old one I have no problems. Here are the content of the files:

Before updating:

<Files magnalister.php>
    Order Deny,Allow
    Allow from all
</Files>

<Files magnaCallback.php>
    Order Deny,Allow
    Allow from all
</Files>

After updating:

<Files magnalister.php>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>
<Files magnaCallback.php>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>

In the PHP error log I get the following:

[Wed Sep 12 00:25:05 2018] [access_compat:error] [pid 7437] [client ***] [host ***] AH01797: client denied by server configuration: /is/htdocs/***/www/testshop3/plugins/magnalister/magnalister.php

Im using Apache/2.4.10.

What is the reason for the 403 error with the updated version?

TmCrafz
  • 139
  • 1
  • 9
  • What apache version are you using? If 2.4, is the module `mod_authz_core` loaded? – Gerald Schneider Sep 10 '18 at 17:27
  • Are you able to tell, what the two configurations do? I.e. read the documentations and find out? – Tomáš Pospíšek Sep 10 '18 at 18:01
  • Im using Apache/2.4.10. In the PHP info mod_authz_core is in the list of loaded modules. In the php error log I get the folowing: `[Wed Sep 12 00:25:05 2018] [access_compat:error] [pid 7437] [client ***] [host ***] AH01797: client denied by server configuration: /is/htdocs/***/www/testshop3/plugins/magnalister/magnalister.php` – TmCrafz Sep 11 '18 at 22:50

1 Answers1

1

Where are you denying access? That would seem to be the problem. I suspect you are still denying access with the "old" Apache 2.2 directives elsewhere in your Apache config and this is taking precedence.

All the directives you have posted only allow access, so something else in your config is denying access to that file.

You have updated your .htaccess config to work with Apache 2.4's mod_authz_core/host modules. However, on Apache 2.4, if another part of your config is still using the old Deny directives (part of mod_access_compact in Apache 2.4 and mod_authz_host in Apache 2.2) then these "old" directives will take priority over the "new" Apache 2.4 directives in .htaccess, despite the apparent order in your config, and access will still be denied.

As noted in the Apache docs under upgrading to 2.4 from 2.2:

...mixing old and new directives [can] lead to unexpected results. ... Because mod_access_compat directives take precedence over the mod_authz_host ...

So, if you are still using the "old" directives elsewhere in your config (to deny access) then these need to be updated to use the equivalent Apache 2.4 directives.

This would seem to be confirmed by the error you are seeing, which is triggered by mod_access_compact, as opposed to mod_authz_core, as you would expect on Apache 2.4.

[Wed Sep 12 00:25:05 2018] [access_compat:error] [pid 7437] [client ...] [host ...] AH01797: client denied by server configuration: /is/htdocs/.../www/testshop3/plugins/magnalister/magnalister.php

(Aside: You say you are using Apache 2.4. Do you really need to maintain backwards compatibility with Apache 2.2, as you are doing in .htaccess? Maintaining both configs is only going to be harder to maintain and more prone to error.)

MrWhite
  • 12,647
  • 4
  • 29
  • 41