Your software
My Mautic version is: 4.2.1
My PHP version is: 7.4
My Database type and version is:
Your problem
I am trying to install for the first time using Softaculous. It indicates that the install is a success; however, when I try to log in I get a 403 access forbidden.
These errors are showing in the log:
Steps I have tried to fix the problem: uninstalled and then reinstalled
The log in does not work. When I navigate to the login url I immediately get a 403
Also worth checking if you’re using Mautic in a sub-folder. If you are, I expect you’ll need to update your htaccess file to reflect that.
joeyk
April 26, 2022, 4:03pm
5
Do you have SSL installed?
Yes. It is just the free SSL with namehero hosting
I also tried to install in a subdomain as opposed to a folder but had the same results.
joeyk
April 26, 2022, 7:01pm
8
Seems like a htaccess error.
Can you see a “hidden” .htaccess file in the main dir?
Yes, there is a hidden .htaccess file in the main dir.
I renamed it to _old but the 403 is still being shown
joeyk
April 26, 2022, 9:31pm
11
Can you plz read this? Do the workarounds mentioned here help?
opened 04:14PM - 01 Mar 22 UTC
closed 06:28PM - 04 Mar 22 UTC
bug
configuration
wont-fix
### Mautic Version
4.2.x series
### PHP version
7.4.27
### What browsers are you seeing the problem on?
Firefox, Chrome
### What happened?
After performing an upgrade, the site reports an error 403, forbidden.
We upgrade via command line and clear cache and clean permissions as part of the process.
This may be server specific, but this line in the HTACCESS
https://github.com/mautic/mautic/blob/4.2.0/.htaccess
```
# Apache 2.4+
<IfModule authz_core_module>
# Deny access via HTTP requests to all PHP files.
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
```
Causes the issue, by commenting out
```
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
```
The site loads again.
Prior to this version, 4.1.2 worked with this in the htaccess file.
### How can we reproduce this issue?
- Server: Ubuntu 18.04.4 LTS
- Server API: FPM/FastCGI
- MariaDB: 1:10.2.43+maria~bionic
- Apache: 2.4.52-1+ubuntu18.04+1
- NGiNX: 1.19.9-1+ubuntu18.04+1
Not sure if this is important, but we have mautic in a subfolder off the domain
eg: domain.com/mautic/
### Relevant log output
```shell
n/a
```
### Code of Conduct
- [X] I confirm that I have read and agree to follow this project's Code of Conduct
There is no line that matches this in my htaccess file. Additionally I renamed the entire htaccess file so that it was not being called at all and the problem persisted. This leads me to believe that it is not an htaccess issue right?
nikita
April 27, 2022, 7:30am
13
Hi @gmiotke
I am from Softaculous team.
Apologies for the inconvenience caused to you.
You can open a support ticket with us and we shall look into it.
https://softaculous.deskuss.com/
PS: If you can provide your server details in the ticket (it is completely secure and the details shall be wiped off once the ticket is closed). As it would be faster to check and resolve the issue on your server.
1 Like
Shaz3e
September 13, 2022, 3:52pm
14
I have just removed comment the following lines in .htaccess and everything is working
```
# Apache 2.4+
<IfModule authz_core_module>
    # Deny access via HTTP requests to all PHP files.
    <FilesMatch "\.php$">
        # Comment the following line to avoid 403 error
        #Require all denied
    </FilesMatch>
    # Deny access via HTTP requests to composer files.
    <FilesMatch "^(composer\.json|composer\.lock)$">
        Require all denied
    </FilesMatch>
    # Except those allowed below.
    <If "%{REQUEST_URI} =~ m#^/emails/(index|index_dev|upgrade/upgrade)\.php#">
        Require all granted
    </If>
</IfModule>
```
3 Likes
Thanks, this worked fine also for me in a similar situation with Mautic 4.4.7. However, wouldn’t this create a security concern, if http access is allowed also to php files to which it should not have been?
Best, …
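The trade-off raised in the question above, as an added example that is not part of any post in this thread: a simplified Python model of how the quoted `<FilesMatch>` deny and `<If>` exception combine, showing that the exception only applies when the folder prefix in the `REQUEST_URI` pattern matches the real install path, and that commenting out the deny makes every PHP file reachable. The `/mautic/` and `app/config/local.php` request paths are constructed samples, and the merge rule used here (a matching `<If>` grant overrides the deny) is a simplifying assumption of the sketch.

```python
import re
# Constructed sample built from the rules quoted in this thread (deny still active).
HTACCESS = r'''
<IfModule authz_core_module>
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
    <FilesMatch "^(composer\.json|composer\.lock)$">
        Require all denied
    </FilesMatch>
    <If "%{REQUEST_URI} =~ m#^/emails/(index|index_dev|upgrade/upgrade)\.php#">
        Require all granted
    </If>
</IfModule>
'''

SECTION = re.compile(r'^\s*<(FilesMatch|If)\s+"(.*)">\s*$')
URI_TEST = re.compile(r'%\{REQUEST_URI\}\s*=~\s*m#(.*)#$')

def parse(text):
    """Return (deny_file_patterns, allow_uri_patterns), ignoring commented lines."""
    deny, allow, current = [], [], None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith('#'):
            continue  # a commented-out directive has no effect
        m = SECTION.match(line)
        if m:
            current = m.groups()
        elif words[0].startswith('</'):
            current = None
        elif current and current[0] == 'FilesMatch' and words == ['Require', 'all', 'denied']:
            deny.append(re.compile(current[1]))
        elif current and current[0] == 'If' and words == ['Require', 'all', 'granted']:
            if (u := URI_TEST.match(current[1])):
                allow.append(re.compile(u.group(1)))
    return deny, allow

def status(text, uri):
    """Simplified model: <If> merges after <FilesMatch>, so a matching grant wins."""
    deny, allow = parse(text)
    if any(p.search(uri) for p in allow):
        return 200
    basename = uri.rsplit('/', 1)[-1]
    return 403 if any(p.search(basename) for p in deny) else 200

def with_workaround(text):
    """Comment out the first 'Require all denied' (the \\.php$ block), as in the thread."""
    return text.replace('Require all denied', '#Require all denied', 1)
```

With the deny active, a front controller under a folder that the `<If>` pattern does not name gets a 403, while adjusting the prefix keeps every other PHP file blocked; the workaround instead returns 200 for all of them.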
I too have a fresh install using softaculous. I saw on one of the forums to comment out
Comment the following line to avoid 403 error
#Require all denied
So I did that, and now I am receiving the error code:
The “app/bundles/CoreBundle/Resources/views/Offline” directory does not exist (“/opt/cpanel/ea-php81/root/usr/bin/app/bundles/CoreBundle/Resources/views/Offline”).
Try increasing your PHP memory to 512 or even 1024
Also this is the htaccess that I use in difficult installations:
```
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Redirect to HTTPS
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # Set the Authorization header for OAuth2 when PHP runs under fcgi
    RewriteCond %{HTTP:Authorization} .+
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    # Redirect to the URI without the front controller to prevent duplicate content
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    RewriteRule ^index\.php(/(.*)|$) /$2 [R=301,L]
    # If the requested file exists, simply serve it
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule .? - [L]
    # Rewrite all other requests to the front controller
    RewriteRule .? /index.php [L]
    # Protect the logs directory
    RewriteRule ^app/logs/ - [F,L]
    # Protect the config directory
    RewriteRule ^app/config/ - [F,L]
    # Protect the media directory
    RewriteRule ^media/ - [F,L]
</IfModule>
<IfModule mod_php5.c>
    # Setting for php_value always_populate_raw_post_data
    php_value always_populate_raw_post_data -1
</IfModule>
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE application/javascript application/rss+xml application/x-font-ttf font/ttf text/css text/javascript
</IfModule>
# Block access to sensitive files
<FilesMatch "^(composer\.json|composer\.lock|\.env|\.htaccess|\.htpasswd|web\.config|app/config/parameters\.yml)$">
    Order deny,allow
    Deny from all
</FilesMatch>
# Deny direct access to PHP files (except index.php and upgrade.php)
<FilesMatch "\.php$">
    <If "%{REQUEST_URI} =~ m#^/index\.php#">
        Require all granted
    </If>
    <If "%{REQUEST_URI} =~ m#^/upgrade/upgrade\.php#">
        Require all granted
    </If>
    Require all denied
</FilesMatch>
# Prevent directory browsing
Options -Indexes
# Security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "DENY"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none';"
    # Additional protection against clickjacking
    Header always append X-Frame-Options SAMEORIGIN
</IfModule>
# Additional protection for the upgrade file
<Files "upgrade.php">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.100
</Files>
# Block malicious User Agents
SetEnvIfNoCase User-Agent "^Mozilla/4\.0$" bad_user
SetEnvIfNoCase User-Agent "^Java.*" bad_user
SetEnvIfNoCase User-Agent "^Microsoft URL Control" bad_user
SetEnvIfNoCase User-Agent "^User-Agent.*" bad_user
<Limit GET POST>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_user
</Limit>
# Limit HTTP methods
<LimitExcept GET POST>
    Order deny,allow
    Deny from all
</LimitExcept>
# Hotlink protection
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?yourdomain\.com/ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F,NC]
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS, DELETE, PUT"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
    Header set Access-Control-Allow-Credentials "true"
</IfModule>
```
rcarabelli:
> 192.168.1.100
That just turned it back to a 403 forbidden page
Also increased PHP memory?
Try this htaccess
```
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Redirect all requests to index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L]

    # Allow access to all files
    <FilesMatch ".*">
        Order allow,deny
        Allow from all
    </FilesMatch>
</IfModule>

# Disable directory browsing
Options -Indexes

# Disable server signature
ServerSignature Off

# Add default charset
AddDefaultCharset UTF-8

# Enable CORS for Mautic tracking
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
</IfModule>

# Allow access to Mautic tracking files
<Files "mtc.js">
    Order allow,deny
    Allow from all
</Files>
<Files "index.php">
    Order allow,deny
    Allow from all
</Files>
```
Is just a non production version, to see if there is another issue