403 Forbidden after fresh install with Softaculous

Your software
My Mautic version is: 4.2.1
My PHP version is: 7.4
My Database type and version is:

Your problem
I am trying to install for the first time using Softaculous. It indicates that the install is a success; however, when I try to log in I get a 403 access forbidden.

These errors are showing in the log:

Steps I have tried to fix the problem: uninstalled and then reinstalled

Hi,

  1. Can you please confirm that the login page works and the issue is only after login?
  2. Do you have SSL installed?

The log in does not work. When I navigate to the login URL I immediately get a 403.

Also worth checking if you’re using Mautic in a sub-folder. If you are, I expect you’ll need to update your htaccess file to reflect that.

Do you have SSL installed?

Yes. It is just the free SSL with namehero hosting

I also tried to install in a subdomain as opposed to a folder but had the same results.

Seems like a htaccess error.
Can you see a “hidden” .htaccess file in the main dir?

Yes, there is a hidden .htaccess file in the main

I renamed it to _old but the 403 is still being shown

Can you plz read this? Do the workarounds mentioned here help?

There is no line that matches this in my htaccess file. Additionally, I renamed the entire htaccess file so that it was not being called at all and the problem persisted. This leads me to believe that it is not an htaccess issue, right?

Hi @gmiotke

I am from Softaculous team.

Apologies for the inconvenience caused to you.

You can open a support ticket with us and we shall look into it.
https://softaculous.deskuss.com/

PS: If you can provide your server details in the ticket (it is completely secure and the details shall be wiped off once the ticket is closed), it would be faster to check and resolve the issue on your server.

1 Like

I have just commented out the following lines in .htaccess and everything is working

# Apache 2.4+
<IfModule authz_core_module>
    # Deny access via HTTP requests to all PHP files.
    <FilesMatch "\.php$">
        # Comment the following line to avoid 403 error
        #Require all denied
    </FilesMatch>

    # Deny access via HTTP requests to composer files.
    <FilesMatch "^(composer\.json|composer\.lock)$">
        Require all denied
    </FilesMatch>

    # Except those allowed below.
    <If "%{REQUEST_URI} =~ m#^/emails/(index|index_dev|upgrade/upgrade)\.php#">
        Require all granted
    </If>
</IfModule>
3 Likes

Thanks, this worked fine also for me in a similar situation with Mautic 4.4.7. However, wouldn’t this create a security concern, if http access is allowed also to php files to which it should not have been?
Best, …
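The effect asked about in the post above can be checked offline. This is an added example, not part of the thread or of Mautic: a simplified Python model of the posted rule (a matching `<If>` allow-list overrides the `<FilesMatch>` deny) run over constructed probe URIs; `parse`, `is_forbidden`, `audit` and the probe paths are assumptions.

```python
import re

# Constructed sample: the rule as posted above, deny line commented out.
WORKAROUND = r'''
<IfModule authz_core_module>
    <FilesMatch "\.php$">
        #Require all denied
    </FilesMatch>
    <If "%{REQUEST_URI} =~ m#^/emails/(index|index_dev|upgrade/upgrade)\.php#">
        Require all granted
    </If>
</IfModule>
'''
# The same rule with the deny line restored.
HARDENED = WORKAROUND.replace("#Require all denied", "Require all denied")

FILES_RE = re.compile(r'<FilesMatch\s+"\\\.php\$">(.*?)</FilesMatch>', re.S)
IF_RE = re.compile(
    r'<If\s+"%\{REQUEST_URI\}\s*=~\s*m#(.+?)#">\s*Require all granted', re.S)

# Constructed probe URIs; example.php stands for any PHP file outside the allow-list.
PROBES = ["/emails/index.php", "/emails/upgrade/upgrade.php",
          "/emails/app/config/example.php", "/index.php"]

def parse(htaccess):
    """Return (deny_active, allow_regexes) for the PHP access rules."""
    block = FILES_RE.search(htaccess)
    deny = bool(block) and any(
        line.strip().lower() == "require all denied"
        for line in block.group(1).splitlines())
    return deny, [re.compile(p) for p in IF_RE.findall(htaccess)]

def is_forbidden(htaccess, uri):
    """Simplified model: a matching <If> allow-list overrides the <FilesMatch> deny."""
    deny, allow = parse(htaccess)
    path = uri.split("?", 1)[0]
    if not path.endswith(".php"):
        return False  # the rule only covers *.php
    if any(rx.search(path) for rx in allow):
        return False
    return deny

def audit(htaccess, probes=PROBES):
    """Map each probe URI to '403' or 'served' under the given rules."""
    return {u: "403" if is_forbidden(htaccess, u) else "served" for u in probes}

if __name__ == "__main__":
    for name, rules in (("workaround", WORKAROUND), ("hardened", HARDENED)):
        print(name, audit(rules))
```

In this model the `/index.php` probe is denied under the restored rule because the allow-list is anchored to `/emails/`, so a pattern that does not match the install path blocks the front controller itself. With the deny line commented out, every probed PHP file is served, including the one outside the allow-list.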

I too have a fresh install using softaculous. I saw on one of the forums to comment out

Comment the following line to avoid 403 error

    #Require all denied

So I did that; now I am receiving the error code
The “app/bundles/CoreBundle/Resources/views/Offline” directory does not exist (“/opt/cpanel/ea-php81/root/usr/bin/app/bundles/CoreBundle/Resources/views/Offline”).

Try increasing your PHP memory to 512 or even 1024
Also this is the htaccess that I use in difficult installations:

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Redirect to HTTPS
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Set the Authorization header for OAuth2 when PHP runs under fcgi
    RewriteCond %{HTTP:Authorization} .+
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect to the URI without the front controller to prevent duplicate content
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    RewriteRule ^index\.php(/(.*)|$) /$2 [R=301,L]

    # If the requested file exists, simply serve it
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule .? - [L]

    # Rewrite all other requests to the front controller
    RewriteRule .? /index.php [L]

    # Protect the logs directory
    RewriteRule ^app/logs/ - [F,L]

    # Protect the configuration directory
    RewriteRule ^app/config/ - [F,L]

    # Protect the media directory
    RewriteRule ^media/ - [F,L]
</IfModule>

<IfModule mod_php5.c>
    # Setting for php_value always_populate_raw_post_data
    php_value always_populate_raw_post_data -1
</IfModule>

<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE application/javascript application/rss+xml application/x-font-ttf font/ttf text/css text/javascript
</IfModule>

# Block access to sensitive files
<FilesMatch "^(composer\.json|composer\.lock|\.env|\.htaccess|\.htpasswd|web\.config|app/config/parameters\.yml)$">
    Order deny,allow
    Deny from all
</FilesMatch>

# Deny direct access to PHP files (except index.php and upgrade.php)
<FilesMatch "\.php$">
    <If "%{REQUEST_URI} =~ m#^/index\.php#">
        Require all granted
    </If>
    <If "%{REQUEST_URI} =~ m#^/upgrade/upgrade\.php#">
        Require all granted
    </If>
    Require all denied
</FilesMatch>

# Prevent directory browsing
Options -Indexes

# Security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "DENY"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none';"
    # Additional protection against clickjacking
    Header always append X-Frame-Options SAMEORIGIN
</IfModule>

# Additional protection for the upgrade file
<Files "upgrade.php">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.100
</Files>

# Block malicious User Agents
SetEnvIfNoCase User-Agent "^Mozilla/4\.0$" bad_user
SetEnvIfNoCase User-Agent "^Java.*" bad_user
SetEnvIfNoCase User-Agent "^Microsoft URL Control" bad_user
SetEnvIfNoCase User-Agent "^User-Agent.*" bad_user
<Limit GET POST>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_user
</Limit>

# Limit HTTP methods
<LimitExcept GET POST>
    Order deny,allow
    Deny from all
</LimitExcept>

# Hotlinking protection
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?yourdomain\.com/ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F,NC]

<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS, DELETE, PUT"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
    Header set Access-Control-Allow-Credentials "true"
</IfModule>

That just turned it back to a 403 forbidden page

Also increased PHP memory?

Try this htaccess

> <IfModule mod_rewrite.c>
>     RewriteEngine On
>     RewriteBase /
> 
>     # Redirect all requests to index.php
>     RewriteCond %{REQUEST_FILENAME} !-f
>     RewriteCond %{REQUEST_FILENAME} !-d
>     RewriteRule ^ index.php [L]
> 
>     # Allow access to all files
>     <FilesMatch ".*">
>         Order allow,deny
>         Allow from all
>     </FilesMatch>
> </IfModule>
> 
> # Disable directory browsing
> Options -Indexes
> 
> # Disable server signature
> ServerSignature Off
> 
> # Add default charset
> AddDefaultCharset UTF-8
> 
> # Enable CORS for Mautic tracking
> <IfModule mod_headers.c>
>     Header set Access-Control-Allow-Origin "*"
>     Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
>     Header set Access-Control-Allow-Headers "Content-Type, Authorization"
> </IfModule>
> 
> # Allow access to Mautic tracking files
> <Files "mtc.js">
>     Order allow,deny
>     Allow from all
> </Files>
> <Files "index.php">
>     Order allow,deny
>     Allow from all
> </Files>

It is just a non-production version, to see if there is another issue.