Mautic Version 4.4.7
My PHP version is : 8.0.28
My Database type and version is: mysqlnd 8.0.28
Installing Errors
I am installing Mautic on a litespeed server through the Softaculous.
Error 403 on a fresh install
After installing Mautic, the log in page doesn’t open. It’s an error 403.
My problem is :
The installation isn’t in a sub-folder. It’s in a sub-domain.
Current solution is to comment out:
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
Or eliminate the entire section:
<IfModule authz_core_module>
# Deny access via HTTP requests to all PHP files.
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
# Deny access via HTTP requests to composer files.
<FilesMatch "^(composer\.json|composer\.lock)$">
Require all denied
</FilesMatch>
# Except those allowed below.
<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
Require all granted
</If>
</IfModule>
The above code is meant for Apache 2.4+
As per my understanding, the code above is specific to Apache web servers and uses the “authz_core_module” module, which is part of the Apache server software.
LiteSpeed, on the other hand, is a separate web server software, and although it is compatible with Apache’s configuration files, it has its own set of modules and directives that it uses to configure access restrictions. This might explain why Mautic as a 403 error as a fresh install on litespeed servers through softaculous.
Steps I have tried to fix the problem
Here is what I have done/would suggest to mitigate the problem.
Add a litespeed section/Eliminate the apache module on litespeed installs and replace it with litespeed compatible code.
Below are two code variations I have come up with that are litespeed compatible. Any of them should work. They are pretty much the same.
The straightforward version.
# Litespeed
<IfModule LiteSpeed>
# Deny access via HTTP requests to all PHP files.
RewriteRule \.php$ - [F]
# Deny access via HTTP requests to composer files.
RewriteRule ^(composer\.json|composer\.lock)$ - [F]
# Except those allowed below.
RewriteRule ^(index|index_dev|upgrade/upgrade)\.php$ - [L]
</IfModule>
The second is an alteration of the first.
# Litespeed server
RewriteEngine On
# Deny access via HTTP requests to all PHP files.
RewriteRule \.php$ - [F]
# Deny access via HTTP requests to composer files.
RewriteRule ^(composer\.json|composer\.lock)$ - [F]
# Except those allowed below.
RewriteCond %{REQUEST_URI} !/(index|index_dev|upgrade/upgrade)\.php$
RewriteRule ^ - [F]
Both of them should work in whichever approach.
They address the commenting out of code issue. Importantly, they maintain the intended purpose or function of the original code.
The Result
Mautic installation on litespeed will be more secure | No more 403 error on litespeed softaculous fresh installs | Litespeed code addition and removal of code causing the error on litespeed servers.
How to reproduce this issue
Install Mautic on a litespeed Server
Install Mautic through softaculous on a litespeed server
I have tried installing Mautic on two different litespeed servers hosted by two different hosting providers and the result was the same. A 403 error on a fresh install.
P.S.
P.S. If I missed something please let me know. Also can this be added into future updates?