Apache 2.4 issue

[sagitario 2]

Hello,

 

After I update my server from Apache 2.2 to Apache 2.4 I received a 500 Internal Server Error.

 

I see the log file and It point to .htaccess file. Deleting all and it works ok, but this isn't a safe solution because now it's possible to list my directory. Then I search about this issue and find the follow link: http://httpd.apache.org/docs/2.4/upgrading.html

 

Then I change some .htaccess files from:

 

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

 

to:

 

<Files *.php>
Require all denied
</Files>

 

This resolve the problem with listing the directory.

 

Now the only problem is that I can't access the Admin Panel. It gives a page error with the follow url: "www.sitename.com/admin/login.php?action=process&osCAdminID=o0b7cvu40fhtd87onn2oqle6d3" and the "osCAdminID" change every refresh.

 

I already try to delete the .htaccess and .htpasswd_oscommerce files but no luck.

 

Can anyone help me?

 

Thanks in advance,

 

PS: I'm using osCommerce Online Merchant v2.3.3.4 on a Linux Server with Apache 2.4.9, PHP 5.5.11 and SQL 5.6.17

[MrPhil 648]

What PHP version were you using with Apache 2.2? If PHP was updated at the same time, to 5.3 or higher, you could have a lot of session-related issues if you were on an older osC. Was it also 2.3.3.4 you were running before? That should be compatible with at least PHP 5.4, probably ruling out session-related PHP call problems.

 

Don't go arbitrarily deleting .htaccess just to get rid of error messages. It's quite possible that there is something in .htaccess or php.ini that is no longer compatible with the new Apache level. For example, many hosts now disable the "Options" command (e.g., Options -Indexes). There are at least a couple of ways to replicate that Index-suppression method. One is sticking an empty index.html file in every directory that lacks an index file. Another is to add /nothing2seeHere.html to the end of a DirectoryIndex command, and that's just a simple little page that says "Nothing to see here, folks. Move along!". That's what I use on my site.

 

It's not necessary to use the .htpassword-related files. Your hosting control panel should have something to "password protect directory", which you use to protect your (renamed) admin directory. You might try removing password references from .htaccess and using your host's password protection.

[sagitario 2]

Hi MrPhil,

 

The old server have the follow config: osCommerce Online Merchant v2.3.3.4 on a Windows Server with Apache 2.2 (Win32) ,PHP 5.5.9 and MySQL 5.6.16.

 

My host don't have a control panel, only FTP access.

 

My .htaccess file have the follow code:

 

# $Id$
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' with also work. (This configuration is in the
# apache/conf/httpd.conf file)
# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers
#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#			 nokeepalive ssl-unclean-shutdown \
#			 downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>
# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter
# AcceptPathInfo On
# Fix certain PHP values
# (commented out by default to prevent errors occuring on certain
# servers)
# php_value session.use_trans_sid 0
# php_value register_globals 1
##### OSCOMMERCE ADMIN PROTECTION - BEGIN #####
AuthType Basic
AuthName "osCommerce Online Merchant Administration Tool"
AuthUserFile /home/cuserlive/public_html/admin/.htpasswd_oscommerce
Require valid-user
##### OSCOMMERCE ADMIN PROTECTION - END #####

 

If I remove the OSCOMMERCE ADMIN PROTECTION or deleting the file the problem is the same.

 

Thanks,

[MrPhil 648]

This is a WAMPP server setup? I hope you didn't install WAMPP/XAMPP on a PC and try to run a live site with it -- you're gonna get killed by hackers. The very bleeding-edge levels of PHP, MySQL, and Apache lead me to suspect this. If this is a respectable commercial setup, I can't believe that they don't offer a control panel of some sort. Anyway, if this is an Apache server (you're sure that's what's running?), it ought to recognize .htaccess files. Windows servers (IIS, etc., non-Apache) ignore .htaccess files.

 

Did you ever change the name of your admin directory to something else? If so, did you change the file path in .htaccess (the /admin/.htpasswd_oscommerce above)? I would suggest that you comment out (with #) the 4 lines not already commented out, and use your hosting control panel to set up directory password protection, but you say that you have no control panel of any kind? It's possible that the method shipped with osC is no longer compatible with Apache 2.4, but I don't have any experience with that level.

 

Did you say that you get the same error even if this .htaccess is erased? Then the problem isn't in this file. It could be some other .htaccess or php.ini file (using obsolete commands). Rename or hide/temp erase all the .htaccess files and if the problem goes away, restore one at a time until you find the offender. Then comment out all the lines in it and uncomment one at a time until you find the offender. I wouldn't rule out even that it's some PHP file which got corrupted while being transferred from one system to another. There are lots of things that can trigger a 500 error.

[sagitario 2]

Hi MrPhil,

 

Sorry for my late reply, but I was away.

 

I have a temporary Windows server that is configure with XAMPP and it work everything ok. Now I have setup a new Linux server that I pretend to transfer my site. The Linux server is very simple and is only to setup my site. No need to have a control panel.

 

Thank you for the advise, I know that the server based in windows is honey for hackers, but I start to change my OSC on my home computer and user XAMPP and now want to transfer to my linux server.

 

I user the default admin directory and also confirm the file path in .htaccess.

 

I already comment the 4 lines and don't work. Deleting the .htaccess the problem remain. I have to agree with you, the .htaccess probably isn't the problem.

 

Probably is a PHP problem, but is very strange that I getting a page error instead the login page.

 

Regards,

[♥oscMarket 420]

this will solve all your problems if installed a compliant linux distribution ;)

 

http://vestacp.com/

[MrPhil 648]

Thank you for the advise, I know that the server based in windows is honey for hackers, but I start to change my OSC on my home computer and user XAMPP and now want to transfer to my linux server.

 

It's ALL servers that you run yourself on a PC, not just Windows. Unless you really, really, really know what you're doing for server security, hackers will eat you alive. It's far better to have a competent professional host who spends a lot of time worrying about security.

 

As a separate issue, I strongly recommend against setting up a PC-based server to do development work on. It's better to do your work on the server you will have the live site on. Otherwise, you'll usually have odd bugs to swat after you transfer to the live server, due to differences in server version, PHP version, MySQL version, etc. That can easily eat up all the time you saved by having everything on your laptop. Of course, if you don't have a real server yet, and you will be doing a lot of development work first, that could be a good reason to use a PC-based server for a while.

 

I user the default admin directory and also confirm the file path in .htaccess.

 

The admin/ directory name must be changed to something else (unguessable). Hackers always try "admin".