Can't access web interface

[dave_v]

Hi,
I did a fresh install of centos 7.4.1708, then followed the instructions to install zoneminder 1,30.4 as well as the README after it installed. Everything seemed to be working fine until I tried to view and configure it. In the interest of simplicity I did a minimal install of the CentOS, so I tried to access it by https://192.168.0.15/zm (got the ip address via /sbin/ifconfig) and I get "This site can't be reached." I can ping 192.168.0.15 so it shouldn't be a network problem. ps -aux shows 6 /usr/sbin/httpd processes, as well as /usr/bin/zmdc.pl, /usr/bin/zmfilter.pl, etc. so everything seems to be working except the access.
This probably has something to do with setting permissions, and there are some hints in the faqs, but I would appreciate an suggestions.

Dave

[rockedge]

what happens with http://localhost/zm ?

this sounds at first glance like an Apache configuration problem

[dave_v]

I'm setting up as a server without X, but I'm thinking I can look up and install a text mode browser and try your suggestion.

I'm also trying to learn something about apache configuration, and looking at a couple of things in the README.Redhat7

"IMPORTANT: You must manually verify the value of PATH_ZMS under Options." I didn't know how to access options until I ran zoneminder so I wan't able to verify. When I ran 'env' there was no PATH_ZMS so i did su (export didn't work when I tried sudo) and then 'export PATH_ZMS=/cgi-bin-zm/nph-zms' I still can't access the interface, but if this is really important, maybe it should be put in the "New Installs" instructions? I'll see how to submit that idea if I get this worked out.

There's also something about the Apache ScriptAlias that I'm looking at.

One other thought, I had to run
'mysql -uroot -p -e "grant all on zm* to 'zmuser'@localhost identified by 'zmpass';"
but /etc/oasswd doesn't show any zmuser. Should it? Theree is a mysql,

[rockedge]

there should be a "zmuser" for the mysql database. All the paths are defined in Options->Path from the web console and there is a config file for zm in /etc/zm
this system will be accessed remotely? you will need to access the web console for ZM with a browser to check Options->Path

there must be an Alias to the /cgi-bin/

[dave_v]

The problem is firewalld which operates on centos by default. I shut it down
systemctl stop firewalld
and I can connect from the other machine. I started to suspect something like that after installing lynx on the server, which allowed me to open the zoneminder web interface.

A couple of odd things I found while poking around, and since this is all freshly installed I don't think it's something I did wrong.

in /etc/zm/zm.conf ZM_WEB_USER is apache, and ZM_WEB_GROUP is also apache.
In /etc/passwd, user apache belongs to group Apache.
I edited /etc/zm/zm.conf to change the group to 'Apache' and rebooted. Still nothing.

One last odd thing, README.REDHAT7 says "The Apache ScriptAlias has been changed from "/cgi-bin/zm/zms" to "/cgi-bin-zm/zms" but my freshly installed system has the old /cgi-bin/zm/zms, not /cgi-bin-zm/zms. I don't know how to check which one apache is looking for, but I suspect this isn't my problem since I can see the webpage on the local machine (or elsewhere after stopping firewalld)

[knight-of-ni]

The warning from the README you are quoting is targeted towards existing users with older versions of zoneminder who are upgrading.
It doesn't apply to you. The apache config is already set for you, and unless you've got other applications requiring a webserver on the same box, then you should leave the default configuration as it is. There is no need to change anything.

The root cause of this issue was the firewall. Note you are better off opening ports 80 & 443 on the firewall, rather than shutting it down.
I recommend you put anything your might have changed during troubleshooting back to its default setting.

[dave_v]

Thanks, knight, the only thing I have changed was to make the group of user apache match between the zm.conf and /etc/passwd. It may not have been causing any problem, but it surely isn't a good thing that the group is "apache" one place and "Apache" the other?

"better off opening ports 80 & 443" sounds like a good idea. I wasn't too worried because it's on a lan and the router has a pretty strict firewall.

[knight-of-ni]

Here is the relevant line from my /etc/passwd file you are referring to:

Code: Select all

apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin

As you can see, both the uid and gid are set to 48. The group name is apache. The label "Apache" you are referring to is actually the comment field.
This is confirmed by downloading any recent httpd source rpm and inspecting the rpm specfile. Here is the relvant portion:

Code: Select all

%pre filesystem
getent group apache >/dev/null || groupadd -g 48 -r apache
getent passwd apache >/dev/null || \
  useradd -r -u 48 -g apache -s /sbin/nologin \
    -d %{contentdir} -c "Apache" apache
exit 0

Notice the group is created with gid 48 and a name of apache, then also note "-c" parameter which assigns "Apache" as the comment when the user account is created.

Or perhaps, more simply, just do the following from the command line, to see the friendly name of gid 48:

Code: Select all

$ getent group 48
apache:x:48:

You should set the group name back to the way it was.
This is one of those things that can bite you later on down the line, after you've forgotten about it.

[rockedge]

This is one of those things that can bite you later on down the line, after you've forgotten about it.

[dave_v]

Thanks knight, for the in-depth explanation. Looks like I know just enough to get myself in trouble!