New Agent Setup link issue

someitwannabe

The new agent set up link just takes them to a 404 error.
I suspect I over secured the server but am not sure as it is a "not found" as opposed to a "forbidden" error.
Running Ubuntu, Apache, PHP and MYSQL with Mod Security as a WAF and Mod_Evasive.
Steps taken to harden server largely pulled from https://www.securecoding.com/blog/how-to-secure-ubuntu-based-web-server/

KevinTheJedi

someitwannabe

Do you have URL Rewriting enabled on Apache? What’s your Apache site config look like? It should have this:

https://forum.osticket.com/d/103786-ajax-not-working/9

You should also look at your Helpdesk URL setting to make sure that’s correct. Like if your site is in a sub folder make sure the Helpdesk URL contains that as well.

Cheers.

someitwannabe

currently it is only internal use on our network and by ip
as far as url rewriting it is enabled, and all of the webpages are in /var/www/osticket.
The URL sent by osticket to the agents is:
http://192.168.1.92/upload/scp/pwreset.php?token=Ao9amxj0FNj2TwawW0OgyBU7ng0jMp204cVBBJAdY5R9WLmV

pwreset.php does exist in /upload/scp

Contents of etc/apache2/sites-enabled/osticket.conf

            DocumentRoot /var/www/osticket/upload

            SecRuleEngine On

            ErrorLog ${APACHE_LOG_DIR}/error.log

            CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/>

            Options -Indexes +FollowSymLinks

            AllowOverride None

            Require all granted

    </Directory>

</VirtualHost>

KevinTheJedi

someitwannabe

Yea I would add a directory directive for the upload folder and add the options I linked above. Then restart Apache and see if that works.

Cheers.

someitwannabe

KevinTheJedi
Ill do that.
In the mean time can you explain a little better what is happening here? I'm learning all of this on the fly lol
does the directory directive that's there now not include everything underneath?

KevinTheJedi

someitwannabe

It does include all directories under it but it has AllowOverride None. It’s good to keep that as you want it to be strict on the broad directories like /var/www and /var/www/html. However, for osTicket specifically you want AllowOverride All (plus the other options in the link above) for it to function correctly. So creating a new directory directive for the osTicket folder specifically allows you to apply more lax options that won’t affect any other site you put under /var/www or /var/www/html.

Cheers.

someitwannabe

Adding the following and restarting apache had no effect
<Directory /var/www/osticket/upload/>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>

KevinTheJedi

someitwannabe

Change AllowOverride value to All, restart Apache, and retest. You may also want to send a new email as those links expire in 30 or so minutes.

Cheers.

someitwannabe

No change even with a new link. Would the apache access and error logs help? I was looking at them but i am not familiar enough to understand what I am seeing.

KevinTheJedi

someitwannabe

Usually Access Logs are unhelpful as they just show where the user was sent to and what paths it tried to go to. If it shows /scp/pwreset.php?token=xxx then that's what we expect. If you try to open that link yourself, do you get the same issue? Also, could you try disabling ModSecurity, restart Apache, make sure ModSecurity is still disabled after restart, and retest? If that works then you know ModSecurity is preventing it and you need to make some custom rules to allow it. I cannot assist with that as I'm unfamiliar with making ModSecurity rules.

Cheers.

someitwannabe

KevinTheJedi Update, idf the agent removes upload from the url and goes to that it works.
instead of
http://192.168.1.92/upload/scp/pwreset.php?token=sKDOGn1p4ObnxctJVAPws7CdbTwx6Q44BxbMOVkmbGwxLH4e
it needs to be
http://192.168.1.92/scp/pwreset.php?token=sKDOGn1p4ObnxctJVAPws7CdbTwx6Q44BxbMOVkmbGwxLH4e
of course this is specific to how i set it up, id still like to know a bit better about why it works like that
Also how/ where do i change the URL that the %{link} variable in the template is referencing

KevinTheJedi

someitwannabe

Oh, I totally missed that you had DocumentRoot /var/www/osticket/upload above the first time; my apologies. This means when you go to the IP/domain the site automatically serves the contents of the /upload folder. This means the Helpdesk URL setting should not have the /upload at the end. Once you do this and send a new email it should work.

Cheers.

someitwannabe

KevinTheJedi
All good Kevin, I can imagine you have a lot of these help requests on your plate. Thanks as Always!