php-fpm / config issue? "Access to the script has been denied" #16

Closed
jmhunter opened this issue Oct 11, 2016 · 8 comments

@jmhunter

(Apologies if this is the wrong place for this - I'm new to github)

I have been trying to get the nextcloud docker image working, but have either misunderstood the instructions, or something isn't working.

I am running nextcloud as follows (I already have something else listening on port 9000)
# docker run --name nextcloud -d -p 8001:9000 indiehosters/nextcloud
and I am using Apache as a proxy to access it (Took me ages to figure out that I couldn't simply point a web browser at the HTTP port - I have never used php-fpm before) :

Listen 1.2.3.100:81
<VirtualHost 1.2.3.100:81>
        ProxyPassMatch "^/(.*)" "fcgi://127.0.0.1:8001/var/www/html/$1"
</VirtualHost>

This seems to work in that the php scripts themselves run fine, but none of the support files come through, they don't get passed to the browser.

[Mon Oct 10 00:44:07 2016] [error] [client 1.2.3.4] AH01071: Got error 'Access to the script '/var/www/html/core/vendor/backbone/backbone.js' has been denied (see security.limit_extensions)\n'
[Mon Oct 10 00:44:07 2016] [error] [client 1.2.3.4] AH01071: Got error 'Access to the script '/var/www/html/core/js/oc-backbone.js' has been denied (see security.limit_extensions)\n\xff\x7f'
[Mon Oct 10 00:44:07 2016] [error] [client 1.2.3.4] AH01071: Got error 'Access to the script '/var/www/html/core/js/placeholder.js' has been denied (see security.limit_extensions)\n\xff\x7f'
[....]

Am I missing something basic in the config somewhere, or am I misunderstanding how this is meant to fit together?

@pierreozoux
Member

Hi!

I'm no apache expert, but seems you could remove /var/www/html from
your config, I think the path mismatches.

@jmhunter
Author

Thanks pierreozoux for the suggestion around removing /var/www/html from the Apache config, but unfortunately I did try this (it was what I started with) and it just results with the browser showing a "File not found" message. At least with /var/www/html in the path, the php file executes even if the associated CSS files etc. can't be loaded.

I can't help feeling that I have mis-understood how this fits together, somehow.

For reference my non-working config ("File not found") is as follows:

ProxyPassMatch "^/(.*)" "fcgi://127.0.0.1:8001/$1"

which results in:

[Tue Oct 11 16:32:51 2016] [error] [client 1.2.3.4] AH01071: Got error 'Primary script unknown\n'
[Tue Oct 11 16:32:51 2016] [error] [client 1.2.3.4] AH01071: Got error 'Primary script unknown\n', referer: http://1.2.3.100:81/

This is returned to the browser:

<html><body><p>File not found.
</p></body></html>

Adding in /var/www/html to the fcgi path at least results in the php executing.

@jmhunter
Author

jmhunter commented Nov 2, 2016

To add some clarity, here is the current status.

I have nextcloud docker running on my server:
# docker run --name nextcloud -d -p 8001:9000 indiehosters/nextcloud

And I am using Apache to reverse proxy (I've sanitised the server IP to 1.2.3.4 here):

<VirtualHost 1.2.3.4:81>
        ProxyPassMatch "^/(.*)" "fcgi://127.0.0.1:8001/var/www/html/$1"
</VirtualHost>

This all works, to a point - so I think the path in the config file is OK, at least. I can visit http://1.2.3.4:81/index.php and the nextcloud index page executes and displays.. but none of the non-PHP files e.g. CSS, images, Javascript libraries etc. work - see screenshot below:

image

This is what I get in Apache's error_log:

[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/styles.css' has been denied (see security.limit_extensions)\n'
[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/header.css' has been denied (see security.limit_extensions)\n'
[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/inputs.css' has been denied (see security.limit_extensions)\n'
[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/icons.css' has been denied (see security.limit_extensions)\n'
[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/fonts.css' has been denied (see security.limit_extensions)\n'
[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/apps.css' has been denied (see security.limit_extensions)\n'
[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/global.css' has been denied (see security.limit_extensions)\n'
[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/fixes.css' has been denied (see security.limit_extensions)\n'
[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/multiselect.css' has been denied (see security.limit_extensions)\n'
[Wed Nov 02 00:36:30 2016] [error] [client 2.2.2.2] AH01071: Got error 'Access to the script '/var/www/html/core/css/mobile.css' has been denied (see security.limit_extensions)\n'
[...]

It looks as though it's trying to execute all the support files, rather than just show them directly.

I appreciate I'm using Apache and not nginx - but the only docs I have been able to find are https://hub.docker.com/r/indiehosters/nextcloud/ which simply says to use a reverse proxy.

How is this meant to work?

@pierreozoux
Member

There is an apache version in preparation. #21 would you mind testing?

@jmhunter
Author

jmhunter commented Jan 17, 2017

Apologies as I know this isn't the place for docker type queries.. but I have been trying on and off to test #21 since December.. I just don't know what docker commands I need to do, to test it :(

My docker skills are pretty much limited to 'docker pull indiehosters/nextcloud' and 'docker run indiehosters/nextcloud'.. I've found the github pull requests associated with #21 (I think) but I'm not sure either how to get docker to build it (presumably I manually create the appropriate directory structure on disk locally, and 'docker run' from there) or how to tell docker to use the Apache variant of nextcloud instead of the php-fpm variant. I thought it would be an environment variable passed to the nextcloud docker instance, but looking at the files on github I can't see anything in the docker script that checks for environment variables and selects php-fpm or apache?

I would absolutely love to test this version - and figured I should probably post on here to ask for guidance, rather than sit silently and not test it.. Thanks for everyone's efforts on the apache version - that will solve my issue (although I'm still confused as to why php-fpm doesn't work for me ;-) )

@jmhunter
Author

Answering my own question... I think I figured it out. Posting here my steps, in case it helps others:

  • Download '10.0/apache/Dockerfile' and '10.0/apache/docker-entrypoint.sh' from https://github.com/nextcloud/docker/pull/21/files
  • chmod +x docker-entrypoint.sh
  • From the download directory, run 'docker build -t nextcloud-test .' and then 'docker run --name nextcloud-test --restart=always -d -p 8001:80 nextcloud-test'

@pierreozoux
Member

The PR landed in master, and I think the issue is solved, can you confirm and close?

@jmhunter
Author

jmhunter commented Jan 21, 2017

Thank you to all who have worked on this. I have now tested using steps as below, and I can confirm that the apache variant works fine (the setup wizard appears correctly) 😃

The front page docker/nextcloud documentation now needs to be updated, I think, to guide people to the existence of the Apache variant and how to use it - at the moment, it just talks about php-fpm.

(There is probably also a better way of launching this using docker, rather than manually downloading the files as I have done - see below for how I ran it. I am not yet a docker expert, but as soon as I am, I will absolutely share what I have learnt!)

Am therefore closing this - thanks! (My initial question remains unanswered but can equally be re-framed as "how do I use php-fpm with apache as reverse proxy" and there are other forums for that. The existence of the apache variant means I don't need to get php-fpm working, anyway)

Steps I used:

mkdir docker-nextcloud-test && cd docker-nextcloud-test
wget https://raw.githubusercontent.com/nextcloud/docker/master/10.0/apache/Dockerfile    
wget https://raw.githubusercontent.com/nextcloud/docker/master/10.0/apache/docker-entrypoint.sh
chmod +x docker-entrypoint.sh
docker build -t nextcloud-test . && docker run --name nextcloud-test --restart=always -d -p 8001:80 nextcloud-test
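
The AH01071 errors quoted earlier in this thread can be reproduced with a small model, added here as an example (it is not code from this thread or from the nextcloud/docker project): it applies a ProxyPassMatch pattern to a request path and then FPM's security.limit_extensions suffix check. `PHP_ONLY`, `route`, `summarize` and the path `/index.php/apps/files` are constructed for illustration, and the 'static' outcome assumes Apache has its own DocumentRoot containing the same files.

```python
import re

# Constructed model of the two decisions discussed in this thread; not Apache or PHP-FPM code.
DOCROOT = "/var/www/html/"        # FPM-side prefix from the thread's ProxyPassMatch target
CATCH_ALL = r"^/(.*)"             # pattern from the thread: every request goes to FPM
PHP_ONLY = r"^/(.*\.php(/.*)?)$"  # assumed narrower pattern: only PHP scripts go to FPM


def route(url_path, proxy_pattern, limit_extensions=(".php",)):
    """Return (outcome, script) for one request path.

    outcome is 'static' (Apache keeps the request and serves the file itself),
    'fpm-exec' (FPM runs the script) or 'fpm-denied' (FPM refuses it, which
    Apache logs as AH01071 "... has been denied (see security.limit_extensions)").
    """
    m = re.match(proxy_pattern, url_path)
    if m is None:
        return "static", None
    # Drop any PATH_INFO after the script name (simplified view of FPM's lookup).
    script = DOCROOT + re.sub(r"(\.php)/.*$", r"\1", m.group(1))
    # An empty security.limit_extensions value disables the check entirely.
    if not limit_extensions or script.endswith(tuple(limit_extensions)):
        return "fpm-exec", script
    return "fpm-denied", script


def summarize(paths, proxy_pattern, limit_extensions=(".php",)):
    """Map each request path to its outcome for one configuration."""
    return {p: route(p, proxy_pattern, limit_extensions)[0] for p in paths}


# Paths from the error_log lines quoted in the thread, plus index.php and
# one constructed PATH_INFO-style URL.
PATHS = ["/index.php", "/core/css/styles.css", "/core/js/placeholder.js",
         "/index.php/apps/files"]

if __name__ == "__main__":
    for label, pattern, exts in [
        ("catch-all, limit_extensions=.php ", CATCH_ALL, (".php",)),
        ("catch-all, limit_extensions empty", CATCH_ALL, ()),
        ("php-only,  limit_extensions=.php ", PHP_ONLY, (".php",)),
    ]:
        print(label, summarize(PATHS, pattern, exts))
```

With the catch-all pattern the CSS and JS requests come out as `fpm-denied`, matching the AH01071 lines. Emptying security.limit_extensions would instead let FPM process them as scripts, so narrowing the proxy pattern is the safer change.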
