Been fighting with the problem for a month now. Have Drupal 9 set up on Azure App service with docker images running php8 (base image drupal:9.1.7-php8.0-apache)
I have found out that there are two ways to have the "sites/default/files" public files directory served in azure:
Symlink "sites/default/files" folder to "/home/files" folder and set WEBSITES_ENABLE_APP_SERVICE_STORAGE to true in application settings.
Mount Azure file share directly on top of "sites/default/files" folder using Path mappings (currently in preview).
Both options works, my files are uploaded successfully and I can see them in the storages. Drupal also sees those files, BUT every time I try to access any of the uploaded files, I get 500 error with the only error being Failed to forward request to application. Encountered a System.Net.Http.HttpRequestException exception after 119.915ms with message: Received an invalid status line: 'anges: bytes'.. Check application logs to verify the application is properly handling HTTP traffic. If I delete the uploaded file, the app reacts and shows that file not found instead.
If I disable persistent storage (any of the options mentioned above), the files are uploaded correctly, no errors are shown, but the problem is that every time the app is restarted or deployed, the files are gone.
Drupal has no errors in its log. Apache logs have no more useful info (GET seems to be ok and returns 200). Have tried messing with apache.conf, with php.ini, with both .htaccess files allowing all kinds of nasty things, but still have no clue. Had multiple colleagues look into this and nothing seems to work.
Adding EnableSendfile On into Dictionary block resolved the problem.
Example:
<Directory /media/share/www/>
EnableSendfile On
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride None
Require all granted
</Directory>
Quick update: Tried every last thing I could imagine. Had numerous people try and help, but the same error 500 or 502 appears. Two weeks no answer from microsoft support.
Created new app service not with docker containers but php 7.4 and manually uploaded all drupal files to /home/site/wwwroot, also set WEBSITES_ENABLE_APP_SERVICE_STORAGE to true so that /home dir stays persistant and the web seems to be working just fine, files are all good.
In previous attempts and now azure ssh shows all files inside /home dir as nobody:nogroup 777, will investigate this further as this might lead to some security issues if this is true (but checked settings.php etc. files and they are protected atleast from web access)
Related
I have my local site hosted on IIS and Sitecore.
When i am trying to access the site from my local ex: http://xyz.local/ I am getting the following error as shown in the below image. But i am able to access my local sitecore instance ex: http://xyz.local/sitecore/login.
I have tried checking the permissions for the root folder which has full control for all the users.
also tried some of the solutions but didn't work.
Appreciate any inputs on this.
Thanks.
I'm running an application on a VPS under Ubuntu 13.10 nginx and php5-fpm, The webserver has been set up very carefully following the best security practices. The app was written and tested to avoid any kind of injection, users input data is filtered, and they are not allowed to upload files either there is no upload form in the application, so even though the server was configured with strong restrictions and permissions only for users reading from, also a PHP directive open_basedir was set for tighten security and the default value is:
open_basedir = /var/domain.com/public_html:/dev/urandom
Things it's going smoothly, but I've been watching php-fpm logs file and seeing quite often the following error:
EDIT: added missing File upload error information from the log file:
PHP Warning: File upload error - unable to create a temporary file in Unknown on line 0
PHP Warning: Unknown: open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/var/www/domain.com/:/dev/urandom/) in Unknown on line 0
My doubt where is this coming from? The error did not point the file name either request details like IP etc,
Is my app or server compromised? or someone else faking an upload form and trying to upload files to the server, AFAIK its not possible as I have check it out and none files has been modified in computer files system.
As I'm very concerned about server security I can not figured that out! does anyone experienced this problem?
I want to reference a javascript file at the bottom of a page template.
I added the .js file under cmssitemanager / development / javascript files and then added the following to the master template (portal engine):
<script src="/CMSScripts/Custom/FOO/BAR.js"></script>
When I open the page in any browser, the javascript in the file isn't executing.
When try to access the file directly in the browser at domain.com/CMSScripts/Custom/FOO/BAR.js I get redirected to the Kentico logon page.
I don't see how/where I can specify security for the CMSScripts directory, but the user should not have to be logged in to access this file.
Any suggestions?
Update with info from first answer:
We are not currently using Windows Authentication, and I verified that the application pool user account has file-system permissions. I also verified that the application can add/delete/modify files using the cmssitemanager > administration > system > files > "test files" utility which resulted in OK status for creating/deleting/modifying folders and files.
I do have Check files permission checked in cmssitemanager > settings > system > files > security. Unchecking this option does not change the behavior, including after restarting both the application and the windows services.
The site is valid and has the correct license however there was NOT a domain alias defined. I added one however this did not change the behavior.
We have not made any changes to the web.config save for connection string information. If you are referring to this documentation on CMSUseTrailingSlashOnlyForExtensionLess in the web.config, this was not previously in there however adding it did not change anything. To that end, I wasn't seeing the site trying to redirect to domain.com/CMSScripts/Custom/FOO/BAR.js/ so I truly think it's tied to some kind of security ACL that is out of order.
Here is the solution provided by user FroggEye on the Kentico DevNet forum thread on this same issue:
You're best bet is to use the syntax below. Kentico does URL processing on all directories unless excluded and you'd have to exclude the CMSScripts directory from processing which isn't hard but the code below is a better solution.
<script src="/CMSPages/GetResource.ashx?scriptfile=/CMSScripts/Custom/FOO/BAR.js" type="text/javascript"></script>
This will do 2 things:
give you a standard place to call resources from (you can get stylesheets here as well)
allow you to use the build-in minimization functions.
Charles,
This is a strange behavior, it does not normally do that.
Do you have any windows auth going on ? where you possibly removed anonymous access (in IIS) to directories in the website folder ?
Do you have Check Files permissions turned on as a Kentico Site setting? (even though I'm fairly sure that won't affect requests to the JavaScript files in JS module)
Is it a valid site (enabled and running in CMSSiteManager) and domain name with a correct license and alias ?
Any custom modifications to web.config file that possibly changed httpHandlers or modules ? And are you running the correct extensionless URL settings in web.config ?
I have an S: which is connected via a username that exists both on server1 & server2.
The mapped drive works fine.
I connect this as a virtual directory called config in IIS it connects and works fine. I can see in content view the files in the mapped drive.
When I attempt to browse to one of these files it gets an error 500
http://www.mydomain.com/config/file.html
file.html is there
I've done this before, Im sure its a permission or security issue somehow, but I cant work it out
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
Give up mapped drives please,
http://support.microsoft.com/kb/207671
http://support.microsoft.com/kb/257174
The answer was two part.
Part one I was simply browsing the website, I wasn't using https and thus I was getting a different IIS site that didn't have the virtual directory.
Part two was I was using ColdFusion attempting to run a .cfm from the virtual directory, even with the correct website, it still got an error 404.
The resolution for this was to ensure the ColdFusion service was run as Administrator rather than LocalSystem and all was good.
Just for everyones reference, if you create the same username / password on both servers, share using that username, connect using UNC path and that username and it will work, no special permissions or anything.
Thanks to Karl & Lex for the help.
I've installed a Joomla 1.6 template, and everything is working fine except 1 thing.
I have uploaded some .pdf-files somewhere in the file system and people who visit the site can view or download these pdf-files, but when I click on the link or trying to right-click and "Save as target" I get an error message like this:
Forbidden
You don't have permission to access
/path/filename.pdf on this server.
Additionally, a 404 Not Found error was encountered while trying to
use an ErrorDocument to handle the request. Apache mod_fcgid/2.3.6
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server
at website Port 80
I've logged in as administrator and checked if I found anything that denies access to files with .pdf extension, but all I found was that it seems like a .htaccess-file is being created in the same folder as the .pdf-files just after I'm trying to open them in my browser.
The content of the .htaccess file that is being created is this:
deny from all
I have also tried to edit this files content to "allow from all", and tried to delete it too, but Joomla is just changing it back.
Anyone know why or what that prevents me from viewing or downloading the pdf-files?
If it's a UNIX/Linux server you can FTP in with a client that shows permissions like FileZilla. It's probably the permissions associated with the parent folder cascading down to these files. Try to see if you can upload an image to the images folder and if you can save it the same way you're trying to save the PDFs. If downloading the image to your machine works, I would then look at the permissions settings. If you're not sure which permissions to look for, check out this: http://www.tuxfiles.org/linuxhelp/filepermissions.html
Usually a client can download/view files with permissions of 644 or higher.