[solved] Unclear instructions on setting up the apache config
Added by Athyrion Westeros about 10 years ago
Dear all,
I followed the instructions given on https://community.openproject.org/projects/openproject/wiki/OP4_Debian_Stable_with_MySQL_in_production and encountered the problem that the page wasn’t accessible when calling my server in the browser.
I figured out that it had to be a problem in the apache config, so I changed the following:
1) disable the default page by a2dissite 000-default
2) add the created “conf.d” directory to the apache2.conf by adding IncludeOptional conf.d/*conf
3) Change the following
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
into
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
and it worked.
My question is: isn’t that a security issue?
Has anybody a better solution to this problem?
Greetings
Replies (4)
Hi Andreas,
I am no server admin and have barely a clue about how to correctly and securely configure apache. But, I am not entirely sure if the things you’ve done are necessary.
Can you please post the apache error you got after the OpenProject installation — just before you made any custom adjustments?
Which file have you edited exactly in step 3?
Also, I think it is not necessary to do step 1 (but it doesn’t hurt either).
Because I did not have to create the conf.d directory (it was already created), I guess we have a different apache version. It might be that the guide was written for a different version and is, therefore, a little misleading for you. Which Debian and apache2 version are you using?
I used Debian 7.7 (upgraded from Debian 7.6)
Apache 2.2.22 (what a great version number!)
cheers,
tessi
To reply on the Require all granted part: I think it is not safe in general (according to this StackExchange answer it allows every external IP to access) which is probably what you want for OpenProject but not for your root directory.
Hello Andreas,
you should disallow the access to the “/” directory by reverting your change and add a “Require all granted” to the OpenProject Directory section, like this:
Best
Ratzi
Hi there,
thank you all for your answers. I got it running without severe security issues (I think ;) ).
@tessi:
I am using Ubuntu 14.04 LTS, the apache2 version is 2.4.7.
That made the instructions in the guide I linked in my OP unclear because they were for an older version of apache.
After all, I made the following changes:
- reset the /etc/apache2/apache2.conf to default values
- set all directories to require all denied, except /usr/share
- moved the openproject.conf to sites-available and used a2ensite openproject to enable the site
Should be safe for now…
Any advice on other security issues is welcome and appreciated.
Greetings
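
An added example, not part of the thread or of the OpenProject guide: a small Python check that reads Apache 2.4 configuration text and reports the Require all setting of each <Directory> block, so the change from step 3 of the first post can be told apart from the layout the replies recommend. The sample configs and the path /path/to/openproject/public are constructed placeholders; the script does not follow Include directives or handle 2.2-style Order/Allow lines.

```python
import re

# Constructed sample: the change from step 3 of the first post (Apache 2.4 syntax).
WEAK = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Constructed sample: root stays denied, access is granted only on the
# application directory. The path is a placeholder, not taken from the thread.
HARDENED = """\
<Directory />
    Require all denied
</Directory>
<Directory /path/to/openproject/public>
    Require all granted
</Directory>
"""

OPEN_RE = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE_RE = re.compile(r'^\s*</Directory\s*>', re.I)
REQUIRE_RE = re.compile(r'^\s*Require\s+all\s+(granted|denied)\b', re.I)

def directory_access(conf_text):
    """Map each <Directory> path to its last 'Require all ...' value (or None)."""
    result, current = {}, None
    for line in conf_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, None)
        elif CLOSE_RE.match(line):
            current = None
        elif current is not None:
            r = REQUIRE_RE.match(line)
            if r:
                result[current] = r.group(1).lower()
    return result

def root_exposed(conf_text):
    """True unless the filesystem root is explicitly 'Require all denied'."""
    return directory_access(conf_text).get("/") != "denied"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, directory_access(conf), "root exposed:", root_exposed(conf))
```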