Mautic Installation On Litespeed Server | Through Softaculous

Mautic Version 4.4.7
My PHP version is : 8.0.28
My Database type and version is: mysqlnd 8.0.28

Installing Errors

I am installing Mautic on a litespeed server through the Softaculous.

Error 403 on a fresh install

After installing Mautic, the log in page doesn’t open. It’s an error 403.

My problem is :

The installation isn’t in a sub-folder. It’s in a sub-domain.

Current solution is to comment out:

<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

Or eliminate the entire section:

<IfModule authz_core_module>
    # Deny access via HTTP requests to all PHP files.
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>

    # Deny access via HTTP requests to composer files.
    <FilesMatch "^(composer\.json|composer\.lock)$">
        Require all denied
    </FilesMatch>

    # Except those allowed below.
    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
        Require all granted
    </If>
</IfModule>

The above code is meant for Apache 2.4+

As per my understanding, the code above is specific to Apache web servers and uses the “authz_core_module” module, which is part of the Apache server software.

LiteSpeed, on the other hand, is a separate web server software, and although it is compatible with Apache’s configuration files, it has its own set of modules and directives that it uses to configure access restrictions. This might explain why Mautic as a 403 error as a fresh install on litespeed servers through softaculous.

Steps I have tried to fix the problem

Here is what I have done/would suggest to mitigate the problem.
Add a litespeed section/Eliminate the apache module on litespeed installs and replace it with litespeed compatible code.

Below are two code variations I have come up with that are litespeed compatible. Any of them should work. They are pretty much the same.

The straightforward version.

# Litespeed
<IfModule LiteSpeed>
    # Deny access via HTTP requests to all PHP files.
    RewriteRule \.php$ - [F]

    # Deny access via HTTP requests to composer files.
    RewriteRule ^(composer\.json|composer\.lock)$ - [F]

    # Except those allowed below.
    RewriteRule ^(index|index_dev|upgrade/upgrade)\.php$ - [L]
</IfModule>

The second is an alteration of the first.

# Litespeed server
RewriteEngine On
# Deny access via HTTP requests to all PHP files.
RewriteRule \.php$ - [F]

# Deny access via HTTP requests to composer files.
RewriteRule ^(composer\.json|composer\.lock)$ - [F]

# Except those allowed below.
RewriteCond %{REQUEST_URI} !/(index|index_dev|upgrade/upgrade)\.php$
RewriteRule ^ - [F]

Both of them should work in whichever approach.

They address the commenting out of code issue. Importantly, they maintain the intended purpose or function of the original code.

The Result

Mautic installation on litespeed will be more secure | No more 403 error on litespeed softaculous fresh installs | Litespeed code addition and removal of code causing the error on litespeed servers.

How to reproduce this issue

Install Mautic on a litespeed Server
Install Mautic through softaculous on a litespeed server

I have tried installing Mautic on two different litespeed servers hosted by two different hosting providers and the result was the same. A 403 error on a fresh install.

P.S.

P.S. If I missed something please let me know. Also can this be added into future updates?

I would suggest not using Softaculous, its an absolute headache when it comes to updating at a later stage.

As for litespeed, the htaccess needs a tweak

I used cyberpanel a while back and it always had to have a tweak

Old notes but this is what I had on my upgrade procedure on htaccess
– comment out (add # infront of line ~105 # Apache 2.4+) ‘Require all denied’

Thanks for your input.

I have dug a bit dipper into this and realized the authz_core_module can actually be understood by Litespeed.

But it’s execution has to be clear.

The current code uses regular expressions in the If statement to match the allowed PHP files. Regular expressions can be error-prone.

Prior to the if state, the code runs fine blocking access to all php files (Resulting to the 403 error)

The exception doesn’t work on Litespeed. The problem is the if statement.

Hi bgit,

You seem quite knowledgeable and tech savy, that is precisely why I would like to reiterate on the advice given by @tornmarketing a couple posts before.

Here’s a very old article I wrote about if some years ago, it is still very valid today: