Emit($server->run()); running with apache

After a migration of our passbolt server to a virtualized environment, I get the error msg

emit($server->run());

The healthcheck only shows one error left:

Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.netzwissen.de
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

Setup:

I assume the problem lies somewhere between the apache config and the passbolt config (passbolt.php). apache config:

        DocumentRoot /var/www/passbolt/webroot

        <Directory />
          Options +FollowSymLinks
          AllowOverride All
        </Directory>

        <Directory /var/www/passbolt/webroot>
          Options FollowSymLinks
          AllowOverride All
          Order Allow,Deny
          Allow from all
          DirectoryIndex index.php
        </Directory>

        <FilesMatch "\.(php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>

I went through Passbolt 3 CE - Apache configuration - #10 by garrett. If I add the rewrite rules

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

I get a 400 Bad Request on the webserver. I also tried with the docs from Cake PHP, but with no success. The docs for running passbolt on apache are pretty limited, especially when using it in a three tier environment …

Bye, Thommie

Hi !

If passbolt is running in an ubuntu lxc container, why not use the Ubuntu package installation as described here => Passbolt Help | Install Passbolt CE on Ubuntu 22.04 ?

It just works and will be easier to maintain.

My 2 cents,

Cheers,

As I said before: this is not a LEMP setup, but - more or less - a three tier installation with ssl termination and apache. Both variations are only sparsely addressed in the currently available installation docs.

Is it possible you do not have the apache mod_rewrite module enabled?

Hi garrett

root@app2:~# apache2ctl -M    
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
....
 rewrite_module (shared)
 ssl_module (shared)
 status_module (shared)

the apache config:

    ServerName passbolt.netzwissen.de
    ServerAdmin webmaster@netzwissen.de

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.

    LogLevel error
    ErrorLog ${APACHE_LOG_DIR}/passbolt_error.log
    CustomLog ${APACHE_LOG_DIR}/passbolt_access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    DocumentRoot /var/www/passbolt/webroot

   <Directory>

the rewrite rules are loaded from the included .htaccess in webroot/ dir.
the server error log shows:

10.10.10.21 - - [11/Jan/2022:07:37:59 +0000] "GET / HTTP/1.1" 200 1611 "-" "curl/7.80.0"
10.10.10.21 - - [11/Jan/2022:07:38:04 +0000] "GET / HTTP/1.1" 304 144 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0"
10.10.10.21 - - [11/Jan/2022:07:38:04 +0000] "GET / HTTP/1.1" 304 144 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0"
10.10.10.21 - - [11/Jan/2022:07:38:05 +0000] "GET / HTTP/1.1" 304 144 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0"
10.10.10.21 - - [11/Jan/2022:07:38:05 +0000] "GET / HTTP/1.1" 304 144 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0"
10.10.10.21 - - [11/Jan/2022:07:38:05 +0000] "GET / HTTP/1.1" 304 144 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0"

So we get a http 200 OK and then 304 not modified. Looks like apache delivers correctly, but the problem lies somewhere in the cake php config, but I am not familiar with the details of this framework …

Bye, Thommie

ref CakePHP docs regarding Apache: Installation - 4.x for investigation. It does elaborate a bit more with items I’m not seeing in your setup, maybe this will help.

I went through the recommendations and tried everything, but I still have a problem with the mod_rewrite redirection settings. Previously we used an older passbolt instance (cake php 3 based?). It looks like the switch to cake php 4.x by passbolt has introduced new problems which were not present before. The DocumentRoot is /usr/share/php/passbolt, the .htaccess file there:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule    ^(\.well-known/.*)$ $1 [L]
    RewriteRule    ^$    webroot/    [L]
    RewriteRule    (.*) webroot/$1    [L]
</IfModule>

The redirection error in the log:

[Tue Jan 18 15:01:46.025635 2022] [core:error] [pid 244275] [client 10.10.10.21:35458] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace.

Hello,

Here is a working apache2 configuration if that helps:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin my@passbolt.test
                ServerName my.passbolt.test
                DocumentRoot /var/www/passbolt/webroot

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile      /etc/ssl/certs/mycert.pem
                SSLCertificateKeyFile /etc/ssl/privatemycert.key

                <FilesMatch "\.(php)$">
                        SSLOptions +StdEnvVars
                </FilesMatch>

                <Directory /var/www/passbolt/webroot>
                        Options FollowSymLinks
                        AllowOverride All
                        Require all granted
                </Directory>

        </VirtualHost>
</IfModule>

Make sure you have .htaccess under /webroot as well in case it’s not present:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

OK, thanks a lot, the passbolt runs again. The errors were:

  • the docroot is …/passbolt/webroot instead of /passbolt/ as before
  • the .htaccess needs to be relocated from /passbolt/ (as provided with the rpm package from https://download.passbolt.com/ce/ubuntu focal) to /passbolt/webroot instead
  • .htaccess has different rewrite rules compared to the recommendations from Installation - 4.x
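The three corrections that resolved this thread can be checked mechanically before reloading Apache. The script below is an added example, not code from the thread or from passbolt; `check_cake_docroot` is a hypothetical helper and the demo tree is constructed. It assumes unquoted paths without spaces in the vhost file.

```shell
#!/bin/sh
# Added example: check an Apache vhost against the layout that fixed this thread.
# check_cake_docroot is a hypothetical helper; all paths below are constructed.
check_cake_docroot() {
    vhost=$1; rc=0
    # First active DocumentRoot directive in the vhost file
    docroot=$(awk '$1 == "DocumentRoot" { print $2; exit }' "$vhost")
    [ -n "$docroot" ] || { echo "FAIL no DocumentRoot in $vhost"; return 1; }
    case $docroot in
        */webroot) echo "PASS DocumentRoot $docroot" ;;
        *) echo "FAIL DocumentRoot $docroot is not the webroot/ directory"; rc=1 ;;
    esac
    ht=$docroot/.htaccess
    if [ ! -f "$ht" ]; then
        echo "FAIL $ht is missing"; rc=1
    else
        # Rules written for the application root forward everything to webroot/
        if grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*webroot/' "$ht"; then
            echo "FAIL $ht forwards to webroot/ (application-root rules)"; rc=1
        fi
        # Front-controller rule from the working configuration
        if grep -Eq '^[[:space:]]*RewriteRule[[:space:]]+\^[[:space:]]+index\.php' "$ht"; then
            echo "PASS $ht routes requests to index.php"
        else
            echo "FAIL $ht has no 'RewriteRule ^ index.php' rule"; rc=1
        fi
    fi
    # .htaccess is only read when the matching <Directory> allows overrides
    if awk -v d="$docroot" '
        $1 == "<Directory"   { p = $2; sub(/>$/, "", p); inblk = (p == d) }
        $1 == "</Directory>" { inblk = 0 }
        inblk && $1 == "AllowOverride" && $2 != "None" { ok = 1 }
        END { exit !ok }' "$vhost"; then
        echo "PASS AllowOverride is enabled for $docroot"
    else
        echo "FAIL no AllowOverride for $docroot, .htaccess would be ignored"; rc=1
    fi
    return $rc
}

# Constructed demo tree mirroring the two layouts discussed in the thread
demo=$(mktemp -d)
mkdir -p "$demo/passbolt/webroot"
printf 'RewriteEngine On\nRewriteCond %%{REQUEST_FILENAME} !-f\nRewriteRule ^ index.php [L]\n' > "$demo/passbolt/webroot/.htaccess"
printf 'RewriteEngine on\nRewriteRule ^$ webroot/ [L]\nRewriteRule (.*) webroot/$1 [L]\n' > "$demo/passbolt/.htaccess"
printf 'DocumentRoot %s\n<Directory %s>\n  AllowOverride All\n</Directory>\n' "$demo/passbolt/webroot" "$demo/passbolt/webroot" > "$demo/good.conf"
printf 'DocumentRoot %s\n<Directory %s>\n  AllowOverride All\n</Directory>\n' "$demo/passbolt" "$demo/passbolt" > "$demo/old.conf"
check_cake_docroot "$demo/good.conf"
check_cake_docroot "$demo/old.conf" || echo "old.conf needs the changes listed above"
```

Pointing DocumentRoot at `webroot/` also keeps the application's `config/` directory outside the tree Apache serves.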