Permission denied (Forbidden Access) after moving to deps-scl

  • Paxyon
    Junior Member
    • Jul 2020
    • 4

    #1

    Hi,
    I successfully upgraded Zabbix from 4.x to 5.0.0 using only zabbix-server-pgsql and everything works.
    But now I want to update to 5.0.2 using zabbix-web-deps-scl (the recommended way).

    What I did:
    - yum remove php-* to remove the old php; I was using a newer php version than scl
    - yum install zabbix-web-pgsql-scl. It worked, the packages were installed.

    But now, when I try to access the frontend, I get "You don't have permission to access /zabbix/ on this server".
    Probably because of a different configuration.
    Before, I used
    Code:
    #
    # Zabbix monitoring system php web frontend
    #
    
    Alias /zabbix /usr/share/zabbix
    
    <Directory "/usr/share/zabbix">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
    
    <IfModule mod_php7.c>
    php_value max_execution_time 300
    php_value memory_limit 128M
    php_value post_max_size 16M
    php_value upload_max_filesize 2M
    php_value max_input_time 300
    php_value max_input_vars 10000
    php_value always_populate_raw_post_data -1
    php_value date.timezone Europe/Warsaw
    </IfModule>
    </Directory>
    
    <Directory "/usr/share/zabbix/conf">
    Require all denied
    </Directory>
    
    <Directory "/usr/share/zabbix/app">
    Require all denied
    </Directory>
    
    <Directory "/usr/share/zabbix/include">
    Require all denied
    </Directory>
    
    <Directory "/usr/share/zabbix/local">
    Require all denied
    </Directory>
    which is in the file /etc/httpd/conf.d/zabbix.conf, but now I probably use /etc/opt/rh/rh-php72/php-fpm.d/zabbix.conf
    Code:
    [zabbix]
    user = apache
    group = apache
    
    listen = /var/opt/rh/rh-php72/run/php-fpm/zabbix.sock
    listen.acl_users = apache
    listen.allowed_clients = 127.0.0.1
    
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 5
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    
    php_value[session.save_handler] = files
    php_value[session.save_path] = /var/opt/rh/rh-php72/lib/php/session/
    
    php_value[max_execution_time] = 300
    php_value[memory_limit] = 128M
    php_value[post_max_size] = 16M
    php_value[upload_max_filesize] = 2M
    php_value[max_input_time] = 300
    php_value[max_input_vars] = 10000
    php_value[date.timezone] = Europe/Warsaw
    How should I change the file to make the Zabbix frontend work?

  • tim.mooney
    Senior Member
    • Dec 2012
    • 1427

    #2
    A couple bits of background you need to know about SCL:
    1. Modern SCL packages generally put their configuration files under /etc/opt/<scl-vendor>/<scl-package-basename>/ , so your rh-php72 SCL packages are going to have their configuration under /etc/opt/rh/rh-php72/
    2. Next, keep in mind that because SCL provides an alternate version of a package under completely different paths, it's very possible to have both the base OS version of some packages installed (like httpd and php) and one or more SCL versions. Unless you *need* the base OS versions of the packages for some reason, I generally would recommend uninstalling them (yum remove). If you leave them installed, they will likely confuse your coworkers and potentially you.
    3. The second config file you show, /etc/opt/rh/rh-php72/php-fpm.d/zabbix.conf is not an Apache config file: it's the config file for PHP when run via FPM. The old way of loading a "mod_php" or "mod_php7" module directly into the Apache httpd namespace is deprecated (though not completely gone). The new recommended way of serving PHP content is using PHP-FPM. That's how the Zabbix packages are clearly defaulting (it's a good default, these days), so the /etc/opt/rh/rh-php72/php-fpm.d/zabbix.conf is for a PHP-FPM worker pool. This needs to be run as a separate service (systemctl enable rh-php72-php-fpm.service; systemctl start rh-php72-php-fpm.service). It's quite fast and generally pretty efficient, and it avoids issues with the httpd worker type.
    Now, the error message you are receiving is coming from Apache httpd, so the problem is most likely in your Apache configuration.

    Did the zabbix-web-pgsql-scl package install either an example apache config file or perhaps a suggested one that might not need any changes? You can run the command:

    Code:
    rpm -q -l zabbix-web-pgsql-scl
    to get a list of all the paths that are part of that package. I'm expecting that there will probably be some kind of either example or "template" configuration file. If indeed there is a config file installed as part of zabbix-web-pgsql-scl, that's the config file that you want to use for configuring Apache httpd.
    Last edited by tim.mooney; 21-07-2020, 06:44. Reason: My original post mistakenly mentioned httpd24 SCL as a possible PHP dependency; Atsushi's follow-up correctly points out that SCL httpd24 is not a dependency if you're using PHP-FPM. I've therefore r


    • Atsushi
      Senior Member
      • Aug 2013
      • 2028

      #3
      SCL httpd is not required to run Zabbix 5.0.2 on RHEL 7 (CentOS 7) using Zabbix official package.
      If you want to link with Apache HTTP Server (httpd), did you also install the following packages?

      zabbix-apache-conf-scl
      zabbix-web-deps-scl


      • tim.mooney
        Senior Member
        • Dec 2012
        • 1427

        #4
        Originally posted by Atsushi
        SCL httpd is not required to run Zabbix 5.0.2 on RHEL 7 (CentOS 7) using Zabbix official package.
        You're correct, Atsushi. I was mis-remembering the dependency: it's mod_php7 (from SCL) that required SCL httpd24. Since Zabbix defaults to PHP-FPM, not mod_php7, there shouldn't be any need for SCL httpd24.

        Thanks for catching my mistake! I couldn't see a way to do strike-through with the parts of my comment #2 that were referencing SCL httpd24, so I removed most of them and added an edit note about why they are removed.
        Last edited by tim.mooney; 21-07-2020, 06:45.


        • Paxyon
          Junior Member
          • Jul 2020
          • 4

          #5
          Thanks for all your responses, it was very useful.
          - remove all httpd packages (yum remove httpd); be aware, it removes mod_ssl as well.
          - install the SCL Zabbix packages (yum install zabbix-apache-conf-scl, yum install zabbix-web-pgsql-scl)
          - zabbix-apache-conf-scl creates a default config file (but keep old)
          Code:
          #
          # Zabbix monitoring system php web frontend
          #
          
          Alias /zabbix /usr/share/zabbix
          
          <Directory "/usr/share/zabbix">
          Options FollowSymLinks
          AllowOverride None
          Require all granted
          
          <IfModule dir_module>
          DirectoryIndex index.php
          </IfModule>
          
          <FilesMatch \.(php|phar)$>
          SetHandler "proxy:unix:/var/opt/rh/rh-php72/run/php-fpm/zabbix.sock|fcgi://localhost"
          </FilesMatch>
          </Directory>
          
          <Directory "/usr/share/zabbix/conf">
          Require all denied
          </Directory>
          
          <Directory "/usr/share/zabbix/app">
          Require all denied
          </Directory>
          
          <Directory "/usr/share/zabbix/include">
          Require all denied
          </Directory>
          
          <Directory "/usr/share/zabbix/local">
          Require all denied
          </Directory>
          It's using FPM now; the file is located at /etc/opt/rh/rh-php72/php-fpm.d/zabbix.conf

          After this step I was confused because I didn't have any "access forbidden" page; instead, an error appeared.
          It's because mod_ssl was uninstalled with httpd, but after installing it, it works like a charm!

          Thanks for your help.




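An added example, not part of the thread and not Zabbix's own tooling: after a migration like the one in #5, this shell check confirms that the Apache `SetHandler` socket matches the PHP-FPM pool's `listen` path and that the protected frontend directories still carry `Require all denied`. The function names are hypothetical and the sample configs are constructed, with a deliberate socket typo and missing deny blocks.

```shell
# Added example: post-migration checks for the Zabbix frontend configs (Apache + PHP-FPM).
# Socket path from the "listen =" line of a PHP-FPM pool file.
fpm_listen_socket() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\(\/[^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Socket path from an Apache 'SetHandler "proxy:unix:<path>|fcgi://..."' line.
httpd_proxy_socket() {
    sed -n 's/.*SetHandler[[:space:]]*"\{0,1\}proxy:unix:\([^|]*\)|.*/\1/p' "$1" | head -n 1
}

# True only if Apache proxies to the socket the pool listens on. $1=httpd conf, $2=pool conf
sockets_match() {
    a=$(httpd_proxy_socket "$1"); f=$(fpm_listen_socket "$2")
    [ -n "$a" ] && [ "$a" = "$f" ]
}

# Print each directory ($2...) with no <Directory> block in $1 holding "Require all denied".
undenied_dirs() {
    conf=$1; shift
    for d in "$@"; do
        awk -v dir="$d" '
            $1 == "<Directory" { gsub(/[">]/, "", $2); inblk = ($2 == dir) }
            inblk && tolower($0) ~ /require[ \t]+all[ \t]+denied/ { found = 1 }
            $1 == "</Directory>" { inblk = 0 }
            END { exit !found }' "$conf" || echo "$d"
    done
}

# Constructed sample input (not real files): socket typo in Apache, "local" left unprotected.
demo=$(mktemp -d)
cat > "$demo/pool.conf" <<'EOF'
[zabbix]
listen = /var/opt/rh/rh-php72/run/php-fpm/zabbix.sock
listen.acl_users = apache
EOF
cat > "$demo/httpd.conf" <<'EOF'
<Directory "/usr/share/zabbix">
    <FilesMatch \.(php|phar)$>
        SetHandler "proxy:unix:/var/opt/rh/rh-php72/run/php-fpm/zabix.sock|fcgi://localhost"
    </FilesMatch>
</Directory>
<Directory "/usr/share/zabbix/conf">
    Require all denied
</Directory>
EOF
sockets_match "$demo/httpd.conf" "$demo/pool.conf" || echo "httpd and php-fpm sockets differ"
undenied_dirs "$demo/httpd.conf" /usr/share/zabbix/conf /usr/share/zabbix/local
```

On a real host, call the same functions with the Apache config installed by zabbix-apache-conf-scl and /etc/opt/rh/rh-php72/php-fpm.d/zabbix.conf, and pass all four directories (conf, app, include, local) to `undenied_dirs`.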