PMA SSO - Access denied [informational only]

Hello community.

EDIT: Resolution at the end of the post, but still curious as to why this is happening.

I recently enabled phpmyadmin Sing-Sign-On and in almost all servers it works flawlessly. On one server though, I get an “Access denied” error, when clicking on the phpmyadmin icon, next to the DB name, under DB tab in Hestia UI: image

The non-SSO phpmyadmin page loads fine at https://[ServerFQDN//phpmyadmin/ when I click on the phpMyAdmin button (or type the address manually).Only the SSO thing creates the Access Denied error below:
image

(not to be confused with this error as described in 2364)

The server is Ubuntu 18.04.6 LTS running Hestia in apache2 + php-fpm multiphp configuration. The installation command was:
bash hst-install.sh --nginx yes --apache yes --phpfpm no --multiphp yes --named yes --vsftpd yes --proftpd no --iptables yes --fail2ban yes --quota yes --exim yes --dovecot yes --spamassassin no --clamav no --mysql yes --postgresql no --interactive yes --hostname $(hostname -f) --email [REDACTED] --password [REDACTED] --port [REDACTED] --api yes

Here is what I have tried so far:

  1. Checked that the API is enabled in Server > Configure > Security > System > API and that the IP of the server as well as 127.0.0.1 are on the allow list. I even tried “allow-all” in the allow list, just for testing purposes
  2. /var/log/hestia/auth.log does not contain any errors.
  3. /var/log/apache2/domains/[ServerFQDN].error.log contains the following error
Got error 'PHP message: PHP Warning:  Unknown: failed to open stream: Permission denied in Unknown on line 0Unable to open primary script: /usr/share/phpmyadmin/hestia-sso.php (Permission denied)', referer: https://ServerFQDN:PORT/

Although the file /usr/share/phpmyadmin/hestia-sso.php exists with permissions 0640 Group=www-data, Owner=root. The /usr/share/phpmyadmin directory has permissions 0755 with Group=root, Owner=root. I think this is actually causing the error, but I can’t figure out why this is happening :confused:

  1. The FQDN Web Domain is under the admin user in Hestia and is using default template for apache2, PHP-7_4 template, and default proxy template. I made sure the PHP-7_4 template contains /usr/share in the open_basedir entry. Here are both templates for reference:
/usr/local/hestia/data/templates/web/php-fpm/PHP-7_4.tpl
; origin-src: deb/php-fpm/multiphp.tpl

[%domain%]
listen = /run/php/php%backend_version%-fpm-%domain%.sock
listen.owner = %user%
listen.group = www-data
listen.mode = 0660

user = %user%
group = %user%

pm = ondemand
pm.max_children = 8
pm.max_requests = 4000
pm.process_idle_timeout = 10s
pm.status_path = /status

php_admin_value[upload_tmp_dir] = /home/%user%/tmp
php_admin_value[session.save_path] = /home/%user%/tmp
php_admin_value[open_basedir] = /home/%user%/.composer:/home/%user%/web/%domain%/public_html:/home/%user%/web/%domain%/private:/home/%user%/web/%domain%/public_shtml:/home/%user%/tmp:/tmp:/var/www/html:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]%domain%

env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/%user%/tmp
env[TMPDIR] = /home/%user%/tmp
env[TEMP] = /home/%user%/tmp
/usr/local/hestia/data/templates/web/apache2/php-fpm/default.stpl
#=========================================================================#
# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
#=========================================================================#

<VirtualHost %ip%:%web_ssl_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %sdocroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log
    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    <Directory %sdocroot%>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
	</Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile %ssl_crt%
    SSLCertificateKeyFile %ssl_key%
    %ssl_ca_str%SSLCertificateChainFile %ssl_ca%

    <FilesMatch \.php$>
        SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
    </FilesMatch>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
    IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
  1. Here is the relevant log entry in /var/log/apache2/domains/[ServerFQDN].log
[Client-IP] - - [05/Feb/2022:18:51:22 +0200] "GET /phpmyadmin//hestia-sso.php?database=[redacted]&user=[redacted]&exp=1644079879&hestia_token=$2y$10$2c5W5Z1e24LLW0.U5dgiCOckCodY5nubL/9YkFIlRxUdunD7m/fcu HTTP/1.0" 403 369 "https://[FQDN]:[PORT]/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
  1. I made sure I have tried what is mentioned here and here.

  2. Disabled PMA SSO (Server > Configure > Database) and then re-enabled.

  3. The file /etc/hosts contains a line for FQDN pointing to 127.0.0.1. Here are the entries

127.0.1.1 [FQDN] [HOSTNAME]
127.0.0.1 localhost

I think I am missing something, but what :question:

EDIT - PROBEM SOLVED
It turns out that when I select hosting:thread: apache web template for FQDN Web Domain, it’s working OK :muscle:

But I’m still puzzled, because on other servers I don’t need to change the FQDN Web Domain apache template to something other than the default for the PMA SSO to work.

:thread: Actually I noticed that on other servers, there is no apache template other than the default. So I guess this has something to do with the fact this is an “older” server. Maybe before removing plain apache support, or something. Judging from the date of the folder hst_install_backups in /root, I must have setup this server on 25/09/2019.

I have looked for differences between the default apache web template in this “problematic” server (/usr/local/hestia/data/templates/web/apache2/php-fpm/default.stpl) and the one in the Hestia Repository and they are identical.

Also checked /etc/apache2/conf.d/phpmyadmin.inc against another server, and they are identical.

For reference, this is the hosting.stpl apache web template that is working fine with PMA SSO on this server:

hosting.stpl
#=======================================================================#
# Default Web Domain Template                                           #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
#=======================================================================#

<VirtualHost %ip%:%web_ssl_port%>

    ServerName %domain_idn%
    %alias_string%
    ServerAdmin %email%
    DocumentRoot %sdocroot%
    ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
    Alias /vstats/ %home%/%user%/web/%domain%/stats/
    Alias /error/ %home%/%user%/web/%domain%/document_errors/
    #SuexecUserGroup %user% %group%
    CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
    CustomLog /var/log/%web_system%/domains/%domain%.log combined
    ErrorLog /var/log/%web_system%/domains/%domain%.error.log
    <Directory %sdocroot%>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        php_admin_value upload_max_filesize 10M
        php_admin_value max_execution_time 20
        php_admin_value post_max_size  8M
        php_admin_value memory_limit 32M
        php_admin_flag mysql.allow_persistent  off
        php_admin_flag safe_mode off
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f [email protected]%domain_idn%"
        php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
        php_admin_value upload_tmp_dir %home%/%user%/tmp
        php_admin_value session.save_path %home%/%user%/tmp
    </Directory>
    <Directory %home%/%user%/web/%domain%/stats>
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile %ssl_crt%
    SSLCertificateKeyFile %ssl_key%
    %ssl_ca_str%SSLCertificateChainFile %ssl_ca%
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid %user% %group%
        RGroups www-data
    </IfModule>
    <IfModule mpm_itk.c>
        AssignUserID %user% %group%
    </IfModule>

    IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*

</VirtualHost>

This is ultra-low priority, or of no importance at all. I’m just putting it here just in case it is actually related to “something - somewhere - sometime” :biohazard:

Probably still using modphp on this server :slight_smile:

1 Like

You are always making it look so easy @eris :muscle: Respect.
I believe you nailed it. Here are the results of apachectl -V on different servers:

Current server
Server version: Apache/2.4.52 (Ubuntu)
Server built:   2021-12-28T20:17:57
Server's Module Magic Number: 20120211:121
Server loaded:  APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
Some newer server
Server version: Apache/2.4.52 (Ubuntu)
Server built:   2021-12-28T20:18:12
Server's Module Magic Number: 20120211:121
Server loaded:  APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)

So if I want to convert this server to NOT use mod_php, I guess I need to run /usr/local/hestia/install/upgrade/manual/migrate_mpm_event.sh and that’s it? Or maybe I need to do something more before that or after?

First https://github.com/hestiacp/hestiacp/blob/main/install/upgrade/manual/migrate_apache.sh

It is in the same folder

1 Like