Adult Script Pro Community Forums

The forum is here for legacy reasons. No new posts will be created. User registration is disabled! If you have any questions, please email us or check https://www.adultscriptpro.com for more details!


#1 2012-01-06 07:33:31

Pikeypete
Member
From: USA
Registered: 2011-04-21
Posts: 115

Options FollowSymLinks

Hey Adrian,
As we discussed via email last week if you recall the problem I had with my new server and it throwing out the "500 Internal Server Error".
Well, just a heads up, the server I have is a brand new quad with the LATEST release of DirectAdmin (as I obviously had to install it from DA). Now DirectAdmin no longer allows FollowSymLinks in the .htaccess file so you may encounter the same problem with new customers who have servers running the LATEST release of DirectAdmin. It's a very recent new revision.

From the DirectAdmin site:

"DirectAdmin Support
Administrator

Security - Recommended update to httpd.conf files via custombuild

    Hello,

    It's been discovered that it's more secure not to allow the FollowSymLinks option in apache. The only way to truly disable that item is to change the AllowOverride settings in the main httpd.conf. Without the change of the AllowOverride, anyone could simply re-enable in an .htaccess file.

    The catch with this change, is that any sites that currently have:

Options FollowSymLinks

will throw a 500 Internal Server Error. The apache error log entry would look like:

[Thu Dec 08 03:25:56 2011] [alert] [client 1.2.3.4] /home/username/domains/domain.com/public_html/.htaccess: Option FollowSymLinks not allowed here

which would signify that the .htaccess has the FollowSymLinks option, which is no longer allowed to be used.

Since this change has the potential to break existing sites, we will not enable it for existing installs. However, new installs will have this option enabled.
The option is in the custombuild options.conf and is

secure_htaccess=yes

which, when set and you run

./build update
./build set secure_htaccess yes
./build rewrite_confs

you'll end up with a httpd-directories.conf symbolic link in /etc/httpd/conf/extra/httpd-directories-new.conf. When set to "no", it will link to httpd-directories-old.conf, which contains the old method of setting up the AllowOverride for the <Directory ..>

Versions entry:
http://www.directadmin.com/features.php?id=1119

FollowSymLinks is insecure.
SymLinksIfOwnerMatch is much better.


You said that I must have done something to the server settings but it's a default now in the new revision of DirectAdmin, just thought I'd let you know for any future customers of yours encountering the same issues.  ;)



Pete.

Last edited by Pikeypete (2012-01-06 07:38:57)
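
The breakage described in post #1 can be checked for before switching secure_htaccess on. The following is an added example, not part of the original posts and not DirectAdmin's own tooling: it lists .htaccess files whose Options directive names FollowSymLinks, and pulls the already-failing paths out of an Apache error log in the format quoted above. The function names and the sample files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names; not DirectAdmin's tooling).

# Print file:line:text for every active Options directive that names
# FollowSymLinks (with or without a +/- prefix) in .htaccess files under $1.
find_followsymlinks() {
    find "$1" -type f -name .htaccess -exec awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^[ \t]*#/ { next }                      # skip commented-out lines
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^[+-]?followsymlinks$/) {
                    print FILENAME ":" FNR ":" $0
                    break
                }
        }' {} +
}

# Print the unique .htaccess paths named in "not allowed here" alerts in the
# Apache error log $1 (line format as quoted in the post above).
affected_from_log() {
    sed -n 's|^.*\] \(/.*\.htaccess\): Option FollowSymLinks not allowed here.*$|\1|p' "$1" | sort -u
}

# Constructed sample data: two sites and a short error log modelled on the
# log line quoted in the post.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/site1" "$SAMPLE/site2"
printf 'Options +FollowSymLinks\nRewriteEngine On\n' > "$SAMPLE/site1/.htaccess"
printf '# Options FollowSymLinks\nOptions SymLinksIfOwnerMatch\n' > "$SAMPLE/site2/.htaccess"
cat > "$SAMPLE/error_log" <<'EOF'
[Thu Dec 08 03:25:56 2011] [alert] [client 1.2.3.4] /home/username/domains/domain.com/public_html/.htaccess: Option FollowSymLinks not allowed here
[Thu Dec 08 03:26:02 2011] [alert] [client 1.2.3.4] /home/username/domains/domain.com/public_html/.htaccess: Option FollowSymLinks not allowed here
[Thu Dec 08 03:27:10 2011] [error] [client 1.2.3.4] File does not exist: /home/username/domains/domain.com/public_html/favicon.ico
EOF

echo "== .htaccess files to review =="
find_followsymlinks "$SAMPLE"
echo "== paths already failing in the log =="
affected_from_log "$SAMPLE/error_log"
```

On a real server, point find_followsymlinks at the directory holding the user document roots and affected_from_log at the Apache error log.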


#2 2012-01-06 08:35:48

Pikeypete
Member
From: USA
Registered: 2011-04-21
Posts: 115

Re: Options FollowSymLinks

To fix this issue with the new revision of DirectAdmin (As taken off the DA site):

What this patch does, is allows Users to use everything as it was before, including the FollowSymLinks option.
However, the functionality of FollowSymLinks is no longer the insecure type as it was before.
The new functionality of FollowSymLinks with this patch will simply duplicate the functionality of the more secure SymLinksIfOwnerMatch.
This will allow the secure_htaccess option to be set to "no" (old httpd config setup), but still solve the linking issue with regards to security.

Once testing is under the belt for this patch, we'll set secure_htaccess=no as the default, and harden-symlinks-patch=yes as the default.

To use it:

cd /usr/local/directadmin/custombuild
./build update
./build set harden-symlinks-patch yes
./build set secure_htaccess no
./build apache
./build rewrite_confs

In some cases, ./build apache will delete modules from /usr/lib/apache... so if that happens, you'll also need to do:

./build php n

and for any other missing modules.



Pete.

Last edited by Pikeypete (2012-01-06 08:37:33)


#3 2012-01-06 10:26:36

symtab
Administrator
Registered: 2010-08-23
Posts: 7,501

Re: Options FollowSymLinks

Does this fix the problem? Is your site working correctly now?



#4 2012-01-06 16:08:52

Pikeypete
Member
From: USA
Registered: 2011-04-21
Posts: 115

Re: Options FollowSymLinks

It was supposed to and it seemed to for a while but now it hasn't.
It's due to the new DirectAdmin security restrictions on FollowSymLinks, it's pissing me off. I tried to comment out the FollowSymLinks and even the mod_rewrite which again gives me the 500 error.
If you have the time maybe you could take a look..? You have all of my server details..  I sent you a couple of emails recently, also requesting the latest release ASP.
It's just frustrating as it's not an error that I've caused, it's a new restriction from the new revision of DirectAdmin.

Thanks Adrian.

Last edited by Pikeypete (2012-01-06 16:39:45)


#5 2012-01-06 16:46:53

symtab
Administrator
Registered: 2010-08-23
Posts: 7,501

Re: Options FollowSymLinks

Can you please drop me an email with ssh root access again please? (We're going to have a client area at some point, and all this email password stuff will be gone, I apologise for the inconvenience.)



#6 2012-01-06 16:56:31

Pikeypete
Member
From: USA
Registered: 2011-04-21
Posts: 115

Re: Options FollowSymLinks

Email just sent, I gave you complete access to everything.

Thank you Adrian :)



Pete.


#7 2012-01-07 08:00:26

symtab
Administrator
Registered: 2010-08-23
Posts: 7,501

Re: Options FollowSymLinks

It should be working now.

