BackupPC error - 403 Forbidden

Lockheed · 2014-12-09 12:49:57

The wiki only explains Apache and lighttpd configuration.
However, for nginx I had to look for help elsewhere. I found this config file:

server {
listen 80;
server_name durablis;
access_log /var/log/nginx/backuppc.access_log;
error_log /var/log/nginx/backuppc.error_log;
root /usr/share/backuppc/cgi-bin;
location /backuppc {
auth_basic "BackupPC admin";
auth_basic_user_file /etc/backuppc/htpasswd;
alias /usr/share/backuppc/cgi-bin/;
index /index.cgi;
}
location ~\.cgi$ {
gzip off;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_index BackupPC_Admin;
fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name;
}
}

The problem is that applying it gives me

403 Forbidden
nginx/1.7.7

I did some checking and permissions seem to be correct:

# namei -om /usr/share/nginx/html/backuppc
f: /usr/share/nginx/html/backuppc
 drwxr-xr-x root root /
 drwxr-xr-x root root usr
 drwxr-xr-x root root share
 drwxr-xr-x root root nginx
 drwxr-xr-x root root html
 lrwxrwxrwx root root backuppc -> /usr/share/backuppc/cgi-bin/
   drwxr-xr-x root root /
   drwxr-xr-x root root usr
   drwxr-xr-x root root share
   drwxr-xr-x root root backuppc
   drwxr-xr-x root root cgi-bin

Yet I get this error in nginx log:

2014/12/09 20:46:00 [error] 18960#0: *3 directory index of "/usr/share/nginx/html/backuppc/" is forbidden, client: 192.168.7.7, server: backup, request: "GET / HTTP/1.1", host: "backup"

I'm not sure what else can be wrong here. Can someone point me in the right direction?

Last edited by Lockheed (2014-12-10 10:25:11)

Lockheed · 2014-12-09 23:58:45

If I put an index.html in that folder, then it gets read as empty page, but if it is just the "BackupPC_Admin" file, which I think is in CGI, then this error occurs.

ackt1c · 2014-12-10 10:16:29

Uri

Last edited by ackt1c (2022-11-05 13:07:42)

Lockheed · 2014-12-10 10:24:43

I am well aware of nginx wiki. However, it was not very helpful in this case.
I solved this problem, by replacing "location /backuppc with "location /".
Now there are no errors in nginx log.

However, now I get the same error message in the browser only, but this time it does not seem to come from NGINX, because it is just the error, without any nginx signature or formatting anywhere, which makes me thing its internal backuppc error.
I first am asked for login and password (I assume it's about backuppc's credentials), and when I input it, I am taken to this error:

403 Forbidden

Last edited by Lockheed (2014-12-10 13:22:30)

ackt1c · 2014-12-10 10:29:41

404

Last edited by ackt1c (2022-11-05 13:08:05)

Lockheed · 2014-12-10 10:38:43

I made sure cgi directory of backuppc is present in open_basedir.

ackt1c wrote:

Make sure cgi scripts are even executing as well.

How can I do that?

/etc/backuppc/config.pl
http://pastebin.com/raw.php?i=ydX2eaJT

I also verified
/etc/httpd/conf/extra/backuppc.conf

  GNU nano 2.2.6                                    File: /etc/httpd/conf/extra/backuppc.conf                                                                                

<Directory /usr/share/backuppc/cgi-bin>
  # This section tells apache which machines can access the interface.
  # You can change the allow line to allow access from your local
  # network, or comment out this region to allow access from all
  # machines.
  Require ip 127.0.0.1
  # allow from 127.0.0.1 192.168.7.7

  # You can change the authorization method to LDAP or another method
  # besides htaccess here if you are so inclined.
  AuthType Basic
  AuthUserFile /etc/backuppc/backuppc.users
  AuthName "BackupPC Community Edition Administrative Interface"
  require valid-user
</Directory>

<Directory /usr/share/backuppc/html>
  Require ip 127.0.0.1
  # allow from 127.0.0.1 192.168.7.7

</Directory>

Alias           /backuppc         /usr/share/backuppc/html
ScriptAlias     /BackupPC_Admin         /usr/share/backuppc/cgi-bin/BackupPC_Admin

The host I'm trying to connect to backuppc from is 192.168.7.7

Uncommenting the "allow" part (which I had to add myself) does not change anything.

Last edited by Lockheed (2014-12-10 11:29:19)

ackt1c · 2014-12-10 16:25:58

System

Last edited by ackt1c (2022-11-05 13:04:50)

Lockheed · 2014-12-11 20:13:08

Indeed, the test CGI script run just fine.

But with BackupPC cgi script I am asked for login details, and then when they are correctly entered, I am taken to

403 Forbidden

But this one is not generated by Nginx itself because it lacks the formating and nginx signature.

YesserLab · 2014-12-24 00:46:47

I was facing the same problem exactly,
after fooling around with suggested solutions I realized it was actually more than one problem.
How I fixed it was like this:

# pacman -S perl-fcgi fcgiwrap
# systemctl start fcgiwrap.socket

I'm not sure if the packages are actually necessary, but I needed fcgiwrap to have the socket available for nginx to pass the trafic to it
and of course start/enable it by systemctl

I also installed perl-fcgi as I thought it might be needed

looking at the log files I got a permission denied on the user authentication file in: /etc/backuppc/
so simply

# chmod 755 /etc/backuppc

finally, put this in a file (let's call it backuppc) in /etc/nginx/sites-available
and create a symlink to sites-enabled, then restart nginx

server {
  listen your_port_here;
  server_name your_server_name_or_ip;

  access_log /var/log/nginx/backuppc.access_log;
  error_log  /var/log/nginx/backuppc.error_log;

  location / {
    auth_basic "BackupPC admin";
    auth_basic_user_file /etc/backuppc/backuppc.users;
    root /usr/share/backuppc/cgi-bin;
    index /index.cgi;
  }

  location  ~\.cgi$ {
    gzip off;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/run/fcgiwrap.sock;
    root /usr/share/backuppc/cgi-bin;
    fastcgi_index BackupPC_Admin;
    fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin/BackupPC_Admin;
  }
}

the key to the fix is to make sure that fastcgi_pass is correctly set to the socket path
and to set the parameter SCRIPT_FILENAME correctly
(I think it should be the same for both our cases).

finally, this doesn't solve everything
the path of css/pics in the resulting html is messed up
they are in /usr/share/backuppc/html but the darn thing has it wrong, I have to look into that
and apparently, to log on successfully, the script expects an environment variables set to some username.
I have to look at this too

anyways,
hope this might help
Cheers;

Last edited by YesserLab (2014-12-24 02:20:14)

YesserLab · 2014-12-24 01:42:02

UPDATE !!
regarding the faulty CSS/Images path:

create a symlink like this

$ cd /usr/share/backuppc/cgi-bin
# ln -s /usr/share/backuppc/html html

then edit /etc/backuppc/config.pl as follows:

$Conf{CgiImageDirURL} = 'html';

It's also worth mentioning that the service is starting with the user 'backuppc' and nginx is starting the cgi with 'http' (yet it expects the user 'backuppc')
so you have a couple of options to fix that
I just went the easyway and unset the flag. Like

$Conf{BackupPCUserVerify} = 0;

Done

Lockheed · 2014-12-26 14:03:13

@YesserLab, great and rare info. However, it still doesn't work for me and I get

403 Forbidden

from BackupPC (not from nginx).

Here are the only two differences between our configs:

1. For some strange reason I have to use

fastcgi_pass unix:/var/run/fcgiwrap.sock;

because if I use

fastcgi_pass unix:/run/fcgiwrap.socket;

I get 502 Bad Gateway nginx error.

2. I use

auth_basic_user_file /etc/backuppc/htpasswd;

instead of

auth_basic_user_file /etc/backuppc/backuppc.users;

because otherwise I get

500 Internal Server Error
nginx/1.7.8

Do you think one of those could be the cause?

YesserLab · 2014-12-26 21:21:34

Regarding the "403 Forbidden", it is actually neither from Backuppc nor from nginx.
It comes from fcgiwrap. It means that fcgiwrap was asked to goto/execute a file/directory that fcgiwrap doesn't have a permission to access

Also I saw you wrote:

fastcgi_pass unix:/run/fcgiwrap.socket;

it's actually ".sock" not ".socket", was this a typo only here on the forum ?

Another important thing, in:

fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name;

$fastcgi_script_name is not defined (by default), so either define it, or like I did, put the path to the backuppc cgi script explicitly as follows:

fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin/BackupPC_Admin;

If this still doesn't help, please post the output of these commands:

$ ls /run

$ ls -l /etc/backuppc

$ ls -l /usr/share/backuppc

And please post the output of the following log files
/var/log/nginx/backuppc.access_log
/var/log/nginx/backuppc.error_log
/var/log/backuppc/LOG

Last edited by YesserLab (2014-12-26 21:24:24)

Lockheed · 2014-12-27 07:49:10

Indeed, I confused ".sock" with ".socket". After correcting,

fastcgi_pass unix:/run/fcgiwrap.socket;

works fine.

I also introduced the second recommendation of yours and now I have

fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin/BackupPC_Admin;

which caused the 403 Forbidden error to be replaced with

An error occurred while reading CGI reply (no response received)

I think it's about write permissions to one of the directories, but I am not sure which one, and what the permissions should be.

Logs:

/var/log/nginx/backuppc.access_log

192.168.7.7 - admin [27/Dec/2014:08:40:40 +0100] "GET / HTTP/1.1" 502 76 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0"
192.168.7.7 - admin [27/Dec/2014:08:46:13 +0100] "GET / HTTP/1.1" 502 76 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0"
192.168.7.7 - admin [27/Dec/2014:08:46:14 +0100] "GET / HTTP/1.1" 502 76 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0"

/var/log/nginx/backuppc.error_log (only occurs if I use "auth_basic_user_file /etc/backuppc/backuppc.users;" instead of "auth_basic_user_file /etc/backuppc/htpasswd;").

2014/12/27 08:38:13 [crit] 868#0: *3 open() "/etc/backuppc/backuppc.users" failed (13: Permission denied), client: 192.168.7.7, server: backup, request: "GET /favicon.ico HTTP/1.1", host: "backup"

/var/log/backuppc/LOG

2014-12-27 01:00:01 Running 2 BackupPC_nightly jobs from 0..15 (out of 0..15)
2014-12-27 01:00:01 Running BackupPC_nightly -m 0 127 (pid=12165)
2014-12-27 01:00:01 Running BackupPC_nightly 128 255 (pid=12166)
2014-12-27 01:00:01 Next wakeup is 2014-12-27 02:00:00
2014-12-27 01:00:27 Finished  admin1  (BackupPC_nightly 128 255)
2014-12-27 01:00:27 BackupPC_nightly now running BackupPC_sendEmail
2014-12-27 01:00:33 Finished  admin  (BackupPC_nightly -m 0 127)
2014-12-27 01:00:33 Pool nightly clean removed 0 files of size 0.00GB
2014-12-27 01:00:33 Pool is 0.00GB, 0 files (0 repeated, 0 max chain, 0 max links), 1 directories
2014-12-27 01:00:33 Cpool nightly clean removed 0 files of size 0.00GB
2014-12-27 01:00:33 Cpool is 0.00GB, 0 files (0 repeated, 0 max chain, 0 max links), 1 directories
2014-12-27 02:00:01 Next wakeup is 2014-12-27 03:00:00
2014-12-27 03:00:01 Next wakeup is 2014-12-27 04:00:00
2014-12-27 04:00:01 Next wakeup is 2014-12-27 05:00:00
2014-12-27 05:00:01 Next wakeup is 2014-12-27 06:00:00
2014-12-27 06:00:00 Next wakeup is 2014-12-27 07:00:00
2014-12-27 07:00:00 Next wakeup is 2014-12-27 08:00:00
2014-12-27 08:00:00 Next wakeup is 2014-12-27 09:00:00

Last edited by Lockheed (2014-12-27 09:52:13)

Lockheed · 2015-01-30 14:55:41

With latest updates, my problem changed completely. Now, after logging into backuppc web interface, the error is not what was before, but rather:

Error: Unable to read config.pl or language strings!!

Note: $ENV{REMOTE_USER} is not set, which could mean there is an installation problem. BackupPC_Admin expects Apache to authenticate the user and pass their user name into this script as the REMOTE_USER environment variable. See the documentation.

The solutions found online only relate to Apache server.

And I get this error regardless of whether the backuppc sustemd service is running.

Last edited by Lockheed (2015-01-30 19:29:00)

Lockheed · 2015-03-04 21:52:18

I think the more I try to fix it, the more it gets broken. Now, I have permanent

500 Internal Server Error
nginx/1.7.10

/var/log/nginx/backuppc.error_log

2015/03/04 22:39:45 [crit] 31933#0: *8 open() "/etc/backuppc/backuppc.users" failed (13: Permission denied), client: 192.168.7.7, server: backup, request: "GET / HTTP/1.1", host: "backup"

The problem is, I can't find any info about appropriate permissions.

Arch Linux

#1 2014-12-09 12:49:57

BackupPC error - 403 Forbidden

#2 2014-12-09 23:58:45

Re: BackupPC error - 403 Forbidden

#3 2014-12-10 10:16:29

Re: BackupPC error - 403 Forbidden

#4 2014-12-10 10:24:43

Re: BackupPC error - 403 Forbidden

#5 2014-12-10 10:29:41

Re: BackupPC error - 403 Forbidden

#6 2014-12-10 10:38:43

Re: BackupPC error - 403 Forbidden

#7 2014-12-10 16:25:58

Re: BackupPC error - 403 Forbidden

#8 2014-12-11 20:13:08

Re: BackupPC error - 403 Forbidden

#9 2014-12-24 00:46:47

Re: BackupPC error - 403 Forbidden

#10 2014-12-24 01:42:02

Re: BackupPC error - 403 Forbidden

#11 2014-12-26 14:03:13

Re: BackupPC error - 403 Forbidden

#12 2014-12-26 21:21:34

Re: BackupPC error - 403 Forbidden

#13 2014-12-27 07:49:10

Re: BackupPC error - 403 Forbidden

#14 2015-01-30 14:55:41

Re: BackupPC error - 403 Forbidden

#15 2015-03-04 21:52:18

Re: BackupPC error - 403 Forbidden

Board footer