[upgrade] 4.1.2 to 4.2.0 issue with .htaccess #10913

Closed
1 task done
raramuridesign opened this issue Mar 1, 2022 · 49 comments
Labels
bug Issues or PR's relating to bugs configuration Anything related to the Mautic configuration section wont-fix Issues which are closed as won't fix.

Comments

@raramuridesign

raramuridesign commented Mar 1, 2022

Mautic Version

4.2.x series

PHP version

7.4.27

What browsers are you seeing the problem on?

Firefox, Chrome

What happened?

After performing an upgrade, the site reports an error 403, forbidden.

We upgrade via command line and clear cache and clean permissions as part of the process.

This may be server specific, but this line in the HTACCESS

https://github.com/mautic/mautic/blob/4.2.0/.htaccess

# Apache 2.4+
<IfModule authz_core_module>
    # Deny access via HTTP requests to all PHP files.
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>

Causes the issue, by commenting out

<FilesMatch "\.php$">
        Require all denied
    </FilesMatch>

The site loads again.

Prior to this version 4.1.2 worked with this in the htaccess file.

How can we reproduce this issue?

Server: Ubuntu 18.04.4 LTS
Server API: FPM/FastCGI
MariaDB: 1:10.2.43+maria~bionic
Apache: 2.4.52-1+ubuntu18.04+1
NGiNX: 1.19.9-1+ubuntu18.04+1

Not sure if this is important, but we have mautic in a subfolder off the domain
eg: domain.com/mautic/

Relevant log output

n/a

Code of Conduct

  • I confirm that I have read and agree to follow this project's Code of Conduct
@raramuridesign raramuridesign added bug Issues or PR's relating to bugs needs-triage For new issues/PRs that need to be triaged labels Mar 1, 2022
@RCheesley
Sponsor Member

@mollux any thoughts on this?

@RCheesley RCheesley added the configuration Anything related to the Mautic configuration section label Mar 1, 2022
@mautibot

mautibot commented Mar 1, 2022

This issue has been mentioned on Mautic Community Forums. There might be relevant details there:

https://forum.mautic.org/t/403-error-after-mautic-3-3-5-update/22859/5

@raramuridesign
Author

I have updated on 2 different servers.
Server one has the same setup except OS Ubuntu 20,
but Mautic is on a domain like: https://mautic.maindomain.com

I.e. no subfolder, the update was smooth.

Second server is a WHM/CPANEL server the
Also has a subdomain as per the above, update worked without issues.

A note about the htaccess rule
The .htaccess rule denies all the files with the .php extension, so the index.php file will also be blocked by the rule, and this causes a permission issue.

Perhaps it might be a good idea to exclude the index.php ?

M.

@RCheesley
Sponsor Member

RCheesley commented Mar 1, 2022

Thanks for the feedback/troubleshooting @raramuridesign - really helpful!

So to summarise this seems to be an issue when Mautic is in a sub-folder, rather than when it is in a root or subdomain?

Could you also confirm if those instances affected have the correct url rewrite settings (e.g. accessing mautic at domain.com/mautic/s/dashboard and not with an additional /index.php/ in the middle)?

@raramuridesign
Author

@RCheesley the rewrite works on all the instances.

@mollux
Contributor

mollux commented Mar 1, 2022

@raramuridesign @RCheesley

A subfolder in combination with the .htaccess could indeed cause this issue.

Could you try to change the following line in the .htaccess from
<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">

To

<If "%{REQUEST_URI} =~ m#^/mautic/(index|index_dev|upgrade/upgrade)\.php#">

@raramuridesign
Author

raramuridesign commented Mar 2, 2022

@mollux I can confirm this change works. However I did notice the folder: mautic is present based on my example. So I have adjusted for my use case.

I have also un-commented this line

<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

The only issue I see with this approach is

  1. if the user has a different sub-folder name
  2. if the htaccess is updated it could potentially overwrite this

What are your thoughts?
M

@RCheesley

@mollux
Contributor

mollux commented Mar 2, 2022

@raramuridesign this was indeed purely an example, not something that needs to be committed in the repo.

There is no off the shelf fix for this, but it's something that needs to be tackled via documentation and awareness.
It depends on your setup (e.g. subfolder) if there are manual changes needed in your .htaccess after updating Mautic.

@RCheesley what would be the best place to document this change? There is a different approach for tarball based and composer based installs.

@raramuridesign
Author

@mollux Thanks and makes total sense with regards to documentation.
Question, how often is the .htaccess updated?

It might be worth providing a full ideal .htaccess so users can see the different examples.
But when updates are performed, that the .htaccess is not touched.

Thoughts?

@RCheesley
Sponsor Member

Thanks folks, @mollux I think this should be documented in the https://github.com/mautic/mautic-documentation repo. Probably under Installing Mautic / Updating Mautic and a link in the Troubleshooting section to those resources.

@raramuridesign we very rarely update htaccess, I think. The commit history is here: https://github.com/mautic/mautic/commits/4.x/.htaccess.

We do provide a full htaccess file right there in the repository, so I'm not sure what you're requesting, as the rules will be very specific for your own setup. We can't not update this file if there is a need to do so.

Maybe when we add to the docs we could give some examples for using Mautic in a folder, on a root domain, and in a subdomain as a starting point?

@nikitakothari06

@raramuridesign @RCheesley

A subfolder in combination with the .htaccess could indeed cause this issue.

Could you try to change the following line in the .htaccess from
<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">

To

<If "%{REQUEST_URI} =~ m#^/mautic/(index|index_dev|upgrade/upgrade)\.php#">

Hi,

Yes. I have tried the solution too and it worked well on Apache 2.4. However, it still gets stuck on Apache 2.2. The workaround for Apache 2.2 is still pending.

If Mautic 4.2.x requires minimum Apache 2.4 I would request the Mautic team to update the requirement on the Mautic website so that users don't get confused.
https://www.mautic.org/download/requirements

@marcoalejandropalacio

Hello! I upgraded mautic 4.1.2 to 4.2.0 and it gave me 403 error.

Enter htaccess and modify line 113 of

<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade).php#">

to

<FilesMatch "^(index|index_dev|filemanager|upgrade).php$">

And it worked correctly.

Will this cause any problems in the future?

@RCheesley
Sponsor Member

@marcoalejandropalacio I have added the info to the release notes for the workaround which is mentioned here, and we are going to add it to the documentation in due course. This is likely because you are hosting in a folder rather than a subdirectory or root domain? If so you might want to use the workaround mentioned.

This should not present a problem in the future unless we update the htaccess file. Please always read the release notes before updating and we will make sure to be very clear if this file is being modified in future releases.

@marcoalejandropalacio

I have the mautic installation in a subdomain.

In my hosting the folders appear like this:

domains/mydomain.com/public_html/mautic

and the subdomain to access my mautic installation is mautic.mydomain.com

I hope that the solution that worked for me will help other people who have the same error

@RCheesley RCheesley added wont-fix Issues which are closed as won't fix. and removed needs-triage For new issues/PRs that need to be triaged labels Mar 4, 2022
@RCheesley
Sponsor Member

Hi folks, as this is a documentation issue relating to htaccess config I am going to close this issue - we will ensure that we provide clear warnings if we are updating the htaccess file in future releases, so please make sure you read the release notes!

@github-actions
Contributor

github-actions bot commented Mar 4, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If this issue is continuing with the latest stable version of Mautic, please open a new issue that references this one.

@nikitakothari06

Hi,

The code for Apache 2.2 is still not working.

Please mention the exact syntax for Apache 2.2 and 2.4 in a well documented manner when the installation is made in a sub directory.

@wilsonfe

Hello! I upgraded mautic 4.1.2 to 4.2.0 and it gave me 403 error.

Enter htaccess and modify line 113 of

<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade).php#">

to

<FilesMatch "^(index|index_dev|filemanager|upgrade).php$">

And it worked correctly.

Will this cause any problems in the future?

Did you do just that to make it work?

# Except those allowed below.
#<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
#    Require all granted
#</If>

<FilesMatch "^(index|index_dev|filemanager|upgrade).php$">

In my case it didn't work.

@wilsonfe

On my server mautic is installed in a subdomain and gave the same 403 problem.

I uninstalled everything and reinstalled version 4.2 and was unsuccessful as I had to comment out the code:

<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

So I was able to access, however, even informing the Amazon AWS SES access data, I can't connect, it gives an authentication error.

@raramuridesign
Author

raramuridesign commented Mar 29, 2022

@wilsonfe @nikitakothari06
I have written an explanation here
https://kb.raramuridesign.com/htaccess-tweak-for-mautic-in-a-subfolder.html
Hope this helps.

@wilsonfe

wilsonfe commented Mar 29, 2022

@wilsonfe @nikitakothari06 I have written an explanation here https://www.raramuridesign.com/kb/articles/htaccess-tweak-for-mautic-in-a-subfolder.html

Hope this helps.

On my server mautic is installed in a subdomain email.mydomain.com and gave the same 403 problem.

@raramuridesign
Author

Did you try to uncomment this line - the link above will only work for subfolders. So first read through the thread logically to see where your issue is. Perhaps you have a permissions issue... I suppose you should also ask on the forum and post screenshots and setup so users can assist. Github is for more code related issues.

<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

or this line in apache < 2.4

    <FilesMatch "\.php$">
        Order deny,allow
        Deny from all
    </FilesMatch>

@wilsonfe

wilsonfe commented Mar 29, 2022

My installation is on hostinger on a shared hosting. They use Litespeed 5.4. Don't use apache.

If I uncomment it gives error 403.

<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

@raramuridesign
Author

@wilsonfe I think you might need to ask someone who has knowledge on LiteSpeed.
Please join the forum and post your question there.

@DanVen73

Hello there, I have an installation of mautic in a subdomain (sub.domain.com).
After upgrading to 4.2.0 and now to 4.2.1 I had to change .htaccess file because of HTTP ERROR 403.
Changed the following lines:

# Except those allowed below.
#<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
<FilesMatch "^(index|index_dev|filemanager|upgrade).php$">
    Require all granted
</FilesMatch>
#</If>

That's all. It worked.

Have a nice day.
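
An added illustration, not part of the thread or of Mautic's code: a small Python model of the rules quoted in the comments above, run over constructed sample paths. It shows why the shipped `<If>` pattern denies every PHP file of a subfolder install, and that the basename-based `<FilesMatch>` replacement also grants any file named index.php at any depth. It only evaluates the regexes, assumes the allow section overrides the `\.php$` deny, and the `/some/dir/...` paths are hypothetical.

```python
import posixpath
import re

# Patterns copied from the thread. PHP_DENY and SHIPPED_IF are the 4.2.0 rules;
# the other two are the workarounds posted in the comments.
PHP_DENY = re.compile(r"\.php$")  # <FilesMatch>, tested on the file's basename
SHIPPED_IF = re.compile(r"^/(index|index_dev|upgrade/upgrade)\.php")
SUBFOLDER_IF = re.compile(r"^/mautic/(index|index_dev|upgrade/upgrade)\.php")
BASENAME_FILESMATCH = re.compile(r"^(index|index_dev|filemanager|upgrade).php$")

# name -> (allow pattern, True if it is matched against the basename)
RULES = {
    "shipped <If>": (SHIPPED_IF, False),
    "subfolder <If>": (SUBFOLDER_IF, False),
    "basename <FilesMatch>": (BASENAME_FILESMATCH, True),
}

# Constructed post-rewrite request paths; /some/dir/... is hypothetical.
SAMPLE = [
    "/index.php",
    "/index.php/s/dashboard",
    "/upgrade/upgrade.php",
    "/some/dir/index.php",
    "/some/dir/settings.php",
]


def served(uri, allow, on_basename):
    """True if the modelled rules would serve `uri` instead of answering 403."""
    # The script is the path up to the first ".php"; the rest is PATH_INFO.
    m = re.match(r"(.*?\.php)(?:/.*)?$", uri)
    base = posixpath.basename(m.group(1) if m else uri)
    if not PHP_DENY.search(base):
        return True  # not a PHP file, so the deny never applies
    # Assumption: the allow section is merged after the deny and overrides it.
    return bool(allow.search(base if on_basename else uri))


def reachable(prefix):
    """Map each rule to the sample URIs it serves for an install at `prefix`."""
    return {
        name: [prefix + u for u in SAMPLE if served(prefix + u, rx, on_base)]
        for name, (rx, on_base) in RULES.items()
    }


if __name__ == "__main__":
    for prefix in ("", "/mautic"):
        for name, uris in reachable(prefix).items():
            print(f"{prefix or '/':8} {name:22} {uris}")
```

For the `/mautic` prefix the shipped rule serves none of the sample PHP paths, while the basename rule additionally serves `/mautic/some/dir/index.php`, which both `<If>` variants keep denied.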

@marcoalejandropalacio

@DanVen73

Making this change... everything inside Mautic works fine for you?

There are no functions that do not work?

@DanVen73

I tried forms, landing, campaigns automation, multiple users connected, no problem.
@marcoalejandropalacio -> "There are no functions that do not work?" give me examples please. I'll check.

@wilsonfe

DanVen73

The only way to install the new version was to install it all over again.

I tried to update version 4.2.0 to 4.2.1 and got the same problem (403).

I will have to redo the installation again from scratch.

I use a subdomain. email.domain.com.

I tried to do what @DanVen73 said, but I was unsuccessful.

@wilsonfe

I updated the .htaccess file before trying to do the update from the panel.

Except those allowed below.

#<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade).php#">
<FilesMatch "^(index|index_dev|filemanager|upgrade).php$">
Require all granted

#

I don't know if I did it right.

@marcoalejandropalacio

@DanVen73

It happened to me that the segment options did not work for me and two more options that I do not remember now.

@DanVen73

@wilsonfe

You have to substitute this:
# Except those allowed below.
<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
    Require all granted
</If>

With this
# Except those allowed below.
#<If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
<FilesMatch "^(index|index_dev|filemanager|upgrade).php$">
    Require all granted
</FilesMatch>
#</If>

@wilsonfe

Thanks

@marcoalejandropalacio

marcoalejandropalacio commented Apr 1, 2022

How can I update mautic manually?

I realized that one of the errors that I am having is that when updating mautic from the notification, it keeps loading one of the steps continuously

@mautibot

This issue has been mentioned on Mautic Community Forums. There might be relevant details there:

https://forum.mautic.org/t/403-forbidden-after-fresh-install-with-softaculous/23891/11

@mautibot

mautibot commented May 1, 2022

This issue has been mentioned on Mautic Community Forums. There might be relevant details there:

https://forum.mautic.org/t/error-while-upgrading-from-3-3-4-to-4-0/20686/8

@mautibot

This issue has been mentioned on Mautic Community Forums. There might be relevant details there:

https://forum.mautic.org/t/as-usual-upgrade-to-4-2-2-this-time-effed-up-my-installation/24106/12

@mautibot

This issue has been mentioned on Mautic Community Forums. There might be relevant details there:

https://forum.mautic.org/t/mautic-upgrade-to-4-3-1-produces-403-http-error-unless-htaccess-security-lines-are-removed/24255/3

@mautibot

This issue has been mentioned on Mautic Community Forums. There might be relevant details there:

https://forum.mautic.org/t/security-enhancement-gives-403/24460/2

@cherouvim

cherouvim commented Jun 30, 2022

Is there a solution available which will survive potential mautic upgrades? Maybe something I can specify on my server's VirtualHost which can override the .php related deny?

@raramuridesign
Author

@cherouvim it does not look like it, hence why it's been documented ;-)

@mooror

mooror commented Jun 30, 2022

Can someone check to see if @DanVen73's change works with an install that is not in a subdomain? Because his revisions to the .htaccess file solved our access issues when installing Mautic on a subdomain, and if it works for normal installs as well, then to my mind it should just be included in the core.

Also, has this been documented anywhere? It took us a while to find this issue and fix the problem, but had it been mentioned in the install instructions (even as a side note) it would have been real quick and reduced frustrations.

@mautibot

mautibot commented Jul 2, 2022

This issue has been mentioned on Mautic Community Forums. There might be relevant details there:

https://forum.mautic.org/t/which-htaccess-line-should-i-change-remove-to-make-upgrade-work-on-subdomain/24664/1

@DELTASERVERS

Dear Ones,

It is simple to solve this problem, just remove everything from /.htaccess and apply the listed below:

RewriteEngine On
DirectoryIndex index.php

# Protecting your .htaccess file

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

# Temporary Brute Force Mitigation

SetEnvIfNoCase User-Agent "python-requests" bad_user
Deny from env=bad_user

# Preventing the listing of any file and directory

Options -Indexes

# Remove .PHP directory

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

<ifModule mod_headers.c>
header always set x-xss-protection "1; mode=block"
</ifModule>

<ifModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</ifModule>

# Apply HSL rules

<ifModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</ifModule>

# Force HTTPS

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


<IfModule mod_expires.c>
  ExpiresActive On

 # Images
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"
  ExpiresByType image/x-icon "access plus 1 year"

  # Video
  ExpiresByType video/webm "access plus 1 year"
  ExpiresByType video/mp4 "access plus 1 year"
  ExpiresByType video/mpeg "access plus 1 year"

  # Fonts
  ExpiresByType font/ttf "access plus 1 year"
  ExpiresByType font/otf "access plus 1 year"
  ExpiresByType font/woff "access plus 1 year"
  ExpiresByType font/woff2 "access plus 1 year"
  ExpiresByType application/font-woff "access plus 1 year"

  # CSS, JavaScript
  ExpiresByType text/css "access plus 1 month"
  ExpiresByType text/javascript "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"

  # Others
  ExpiresByType application/pdf "access plus 1 month"
  ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
</IfModule>

@mautibot

This issue has been mentioned on Mautic Community Forums. There might be relevant details there:

https://forum.mautic.org/t/mautic-upgrade-to-4-3-1-produces-403-http-error-unless-htaccess-security-lines-are-removed/24255/11

@mautibot

mautibot commented May 2, 2023

This issue has been mentioned on Mautic Community Forums. There might be relevant details there:

https://forum.mautic.org/t/mautic-installation-on-litespeed-server-through-softaculous/27864/2

@mautibot

This issue has been mentioned on Mautic Forums. There might be relevant details there:

https://forum.mautic.org/t/installed-mautic-4-4-10-with-softaculous-getting-403-error/29425/2

@mautibot

This issue has been mentioned on Mautic Forums. There might be relevant details there:

https://forum.mautic.org/t/i-have-some-issues-to-update-from-4-1-0/30477/7

@mautibot

This issue has been mentioned on Mautic Forums. There might be relevant details there:

https://forum.mautic.org/t/can-i-install-mautic-5-and-after-using-the-database-of-the-4-1-0-version/30736/2
