403 error can't solve

otakudes

February 15, 2021 03:47

I have two sites I'm running suPHP on. One is a static site. I started getting a 403 error a few days ago. I have tried checking file permissions (folder 755, file 644), group permissions user:user. Everything looks okay. Nothing is showing up in my error log for this. I made some fatal changes on my .htaccess file to make sure error log is working. It is. Any ideas what I missed? I'm hoping something simple. I tried reloading a backup from a couple months ago and the error is still showing up

Comments

11 comments

andrew.n

February 16, 2021 16:43
What does /usr/local/apache/logs/error_log say?
0
otakudes

February 17, 2021 03:13
I'm viewing /var/log/apache2/error_log. It appears to be the same as your error log. It doesn't mention the 403 error.
0
andrew.n

February 17, 2021 16:19
Do you get the same for html, php extensions as well?
0
otakudes

February 17, 2021 20:35
Yes. It doesn't look like error log is recording these. I do see a few 403 in the log though [Wed Feb 17 18:30:20.914720 2021] [:error] [pid 9120] [client 171.25.193.20:21335] [client 171.25.193.20] ModSecurity: Access denied with code 403 (phase 2). Match of "rbl nxd [Wed Feb 17 18:31:55.921580 2021] [:error] [pid 14492] [client 31.220.40.240:50748] [client 31.220.40.240] ModSecurity: Warning. String match "/.env" at REQUEST_FILENAME. [fil [Wed Feb 17 18:31:55.990894 2021] [:error] [pid 9120] [client 31.220.40.240:50740] [client 31.220.40.240] ModSecurity: Access denied with code 403 (phase 2). Match of "rbl nxd
0
otakudes

February 17, 2021 20:43
It's ModSecurity. I set Rules Engine to Do Not Process Rules and pages loaded again. I need to figure out why. EDIT: I disabled cPanels OWASP rules. ConfigServer has it's own. Maybe they were conflicting.
0
andrew.n

February 18, 2021 13:27
Glad you figured it out!
0
cPRex Jurassic Moderator

February 18, 2021 19:46
You may get more details by checking the /etc/apache2/logs/modsec_audit.log file on the system as that would have specific details on what modsec is doing.
0
otakudes

February 19, 2021 08:07
You may get more details by checking the /etc/apache2/logs/modsec_audit.log file on the system as that would have specific details on what modsec is doing.

It appears to be rule# 911100 but I have no idea why it would do this.
0
cPRex Jurassic Moderator

February 19, 2021 12:38
It's nothing you're doing wrong - sometimes ModSecurity just gives false positives, as any security tool sometimes can. You can try disabling that rule on the server to see if that gets things working well. We have an article that explains that process here: How can I disable a ModSecurity rule?
0
otakudes

February 27, 2021 08:52
I had to uninstall OWASP rules in EasyApache. I had them disabled but cPanel reenabled them causing the error again.
0
cPRex Jurassic Moderator

March 01, 2021 13:16
I would not expect cPanel to activate a set of rules on the system. If you are able to reproduce that issue, can you let me know the steps you took to make that happen so I can do some testing on my end?
0

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?