POST requests may be blocked
Hi, I'm using a VPS with cPanel that runs an ecommerce solution, Opencart. Everything works perfectly.
However, I have some concerns about some functions / admin links that generate errors / disconnections from my Opencart admin.
According to Opencart this does not come from them but from a POST function that would be blocked.
A strange thing: when I turn off my .htaccess, these blocks effectively disappear, even though I have always had this .htaccess (under OVH release 3 at the time).
Do you have an idea? Can I submit my .htaccess?
Thank you
A strange thing: when I turn off my .htaccess, these blocks effectively disappear, even though I have always had this .htaccess (under OVH release 3 at the time).
Hello, could you post the contents of the .htaccess file in CODE tags, ensuring to remove references to any real domain name or IP addresses? Thank you.
Thanks cPanelMichael

```apache
# ----------------------------------------------------------------------
# Apache configuration file
# This file is best used in /apache2/httpd.conf, but works (slower) in .htaccess
#
# I've spent quite a bit of time compiling what I find to be optimal to me
# and my server. This file is based on:
# - HTML5BoilerPlate: https://github.com/h5bp/html5-boilerplate/
# - W3 Edge: http://www.w3-edge.com/
# - Yahoo! Best Practices: http://developer.yahoo.com/performance/rules.html
# - Caching Tutorial: http://www.mnot.net/cache_docs/
# - Personal experience
#
# v1.2 / 2013.07.01 / Greg Rickaby
#
# Note: the container directives (<IfModule ...>, <FilesMatch ...>) that scope
# several of the blocks below did not survive being pasted into the forum; as
# printed here, those blocks would apply to every request.
# ----------------------------------------------------------------------

# Specify a Default Charset
AddDefaultCharset utf-8

# ----------------------------------------------------------------------
# Cache Control via HTTP Headers + Expires
# Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
# http://httpd.apache.org/docs/2.0/mod/mod_headers.html
# ----------------------------------------------------------------------

# Expires Defaults
ExpiresActive On
# Set default expires to 2 days
ExpiresDefault A172800
ExpiresByType text/css A31536000
ExpiresByType application/x-javascript A31536000
ExpiresByType text/x-component A31536000
ExpiresByType text/html A3600
ExpiresByType text/richtext A3600
ExpiresByType image/svg+xml A3600
ExpiresByType text/plain A3600
ExpiresByType text/xsd A3600
ExpiresByType text/xsl A3600
ExpiresByType text/xml A3600
ExpiresByType video/asf A31536000
ExpiresByType video/avi A31536000
ExpiresByType image/bmp A31536000
ExpiresByType application/java A31536000
ExpiresByType video/divx A31536000
ExpiresByType application/msword A31536000
ExpiresByType application/vnd.ms-fontobject A31536000
ExpiresByType application/x-msdownload A31536000
ExpiresByType image/gif A31536000
ExpiresByType application/x-gzip A31536000
ExpiresByType image/x-icon A31536000
ExpiresByType image/jpeg A31536000
ExpiresByType application/vnd.ms-access A31536000
ExpiresByType audio/midi A31536000
ExpiresByType video/quicktime A31536000
ExpiresByType audio/mpeg A31536000
ExpiresByType video/mp4 A31536000
ExpiresByType video/mpeg A31536000
ExpiresByType application/vnd.ms-project A31536000
ExpiresByType application/x-font-otf A31536000
ExpiresByType application/vnd.oasis.opendocument.database A31536000
ExpiresByType application/vnd.oasis.opendocument.chart A31536000
ExpiresByType application/vnd.oasis.opendocument.formula A31536000
ExpiresByType application/vnd.oasis.opendocument.graphics A31536000
ExpiresByType application/vnd.oasis.opendocument.presentation A31536000
ExpiresByType application/vnd.oasis.opendocument.spreadsheet A31536000
ExpiresByType application/vnd.oasis.opendocument.text A31536000
ExpiresByType audio/ogg A31536000
ExpiresByType application/pdf A31536000
ExpiresByType image/png A31536000
ExpiresByType application/vnd.ms-powerpoint A31536000
ExpiresByType audio/x-realaudio A31536000
ExpiresByType image/svg+xml A31536000
ExpiresByType application/x-shockwave-flash A31536000
ExpiresByType application/x-tar A31536000
ExpiresByType image/tiff A31536000
ExpiresByType application/x-font-ttf A31536000
ExpiresByType audio/wav A31536000
ExpiresByType audio/wma A31536000
ExpiresByType application/vnd.ms-write A31536000
ExpiresByType application/vnd.ms-excel A31536000
ExpiresByType application/zip A31536000

# The per-file-type <FilesMatch> containers around the five blocks below are
# missing from the paste; without them each ExpiresDefault / Header set simply
# overrides the previous one for the whole site.
# No caching for dynamic files
ExpiresDefault A0
Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
Header set Pragma "no-cache"
# 1 MIN
ExpiresDefault A60
Header set Cache-Control "max-age=60, must-revalidate"
# 2 DAYS
ExpiresDefault A172800
Header set Cache-Control "max-age=172800, must-revalidate"
# 1 WEEK
ExpiresDefault A604800
Header set Cache-Control "max-age=604800, must-revalidate"
# 1 MONTH
ExpiresDefault A2419200
Header set Cache-Control "max-age=2419200, must-revalidate"

# ----------------------------------------------------------------------
# Mime Types
# Mime Associates the requested filename's extensions with the file's behavior and content
# http://httpd.apache.org/docs/2.0/mod/mod_mime.html
# ----------------------------------------------------------------------
AddType text/css .css
AddType application/x-javascript .js
AddType text/x-component .htc
AddType text/html .html .htm
AddType text/richtext .rtf .rtx
AddType image/svg+xml .svg .svgz
AddType text/plain .txt
AddType text/xsd .xsd
AddType text/xsl .xsl
AddType text/xml .xml
AddType video/asf .asf .asx .wax .wmv .wmx
AddType video/avi .avi
AddType image/bmp .bmp
AddType application/java .class
AddType video/divx .divx
AddType application/msword .doc .docx
AddType application/vnd.ms-fontobject .eot
AddType application/x-msdownload .exe
AddType image/gif .gif
AddType application/x-gzip .gz .gzip
AddType image/x-icon .ico
AddType image/jpeg .jpg .jpeg .jpe
AddType application/vnd.ms-access .mdb
AddType audio/midi .mid .midi
AddType video/quicktime .mov .qt
AddType audio/mpeg .mp3 .m4a
AddType video/mp4 .mp4 .m4v
AddType video/mpeg .mpeg .mpg .mpe
AddType application/vnd.ms-project .mpp
AddType application/x-font-otf .otf
AddType application/vnd.oasis.opendocument.database .odb
AddType application/vnd.oasis.opendocument.chart .odc
AddType application/vnd.oasis.opendocument.formula .odf
AddType application/vnd.oasis.opendocument.graphics .odg
AddType application/vnd.oasis.opendocument.presentation .odp
AddType application/vnd.oasis.opendocument.spreadsheet .ods
AddType application/vnd.oasis.opendocument.text .odt
AddType audio/ogg .ogg
AddType application/pdf .pdf
AddType image/png .png
AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
AddType audio/x-realaudio .ra .ram
AddType application/x-shockwave-flash .swf
AddType application/x-tar .tar
AddType image/tiff .tif .tiff
AddType application/x-font-ttf .ttf .ttc
AddType audio/wav .wav
AddType audio/wma .wma
AddType application/vnd.ms-write .wri
AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
AddType application/zip .zip

# ----------------------------------------------------------------------
# Gzip compression
# Compress content before it is delivered to the client
# http://httpd.apache.org/docs/2.0/mod/mod_deflate.html
# ----------------------------------------------------------------------
SetOutputFilter DEFLATE
# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won't work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Don't compress images
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary

# ----------------------------------------------------------------------
# Start rewrite engine
# Provides a rule-based rewriting engine to rewrite requested URLs on the fly
# http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
# ----------------------------------------------------------------------
# FollowSymLinks must be enabled for this to work
Options +FollowSymlinks
RewriteEngine On
# Block access to "hidden" directories whose names begin with a period
# (the rule that followed this comment is missing from the paste)
RewriteBase /
RewriteRule ^sitemap.xml$ index.php?route=feed/google_sitemap [L]
RewriteRule ^googlebase.xml$ index.php?route=feed/google_base [L]
RewriteRule ^download/(.*) index.php?route=error/not_found [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
RewriteCond %{HTTP_HOST} ^monsite.com$
RewriteRule ^(.*) http://www.monsite.com/$1 [QSA,L,R=301]
RewriteCond %{QUERY_STRING} ^(.*)common/home(.*)$
RewriteRule ^index\.php$ http://www.monsite.com/? [L,R=301]

# ----------------------------------------------------------------------
# Disable server signature (Security)
# Configures the Server HTTP response header
# http://httpd.apache.org/docs/2.2/mod...erversignature
# ----------------------------------------------------------------------
ServerSignature Off
Header unset Etag
FileETag none

# ----------------------------------------------------------------------
# Disable directory browsing (Security)
# Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command
# http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
# ----------------------------------------------------------------------
Options -Indexes

# ----------------------------------------------------------------------
# Block access to backup and source files (Security)
# These files may be left by some text/html editors and pose a great security danger
# ----------------------------------------------------------------------
# The <FilesMatch> container that limited this to backup/source file names is
# missing from the paste; at top level these three lines deny every request.
Order allow,deny
Deny from all
Satisfy All

# ----------------------------------------------------------------------
# Increase cookie security (Security)
# Mark the PHP session cookie HttpOnly so client-side scripts cannot read it
# ----------------------------------------------------------------------
php_value session.cookie_httponly true

# ----------------------------------------------------------------------
# HTTP Response Headers
# ----------------------------------------------------------------------
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff

# ----------------------------------------------------------------------
# Webfont access
# Allow access from all domains for webfonts.
# ----------------------------------------------------------------------
# (scoping <FilesMatch> for font extensions missing from the paste)
Header set Access-Control-Allow-Origin "*"

# ----------------------------------------------------------------------
# Force latest IE rendering engine
# ----------------------------------------------------------------------
Header set X-UA-Compatible "IE=Edge,chrome=1"
# mod_headers can't match by content-type, but we don't want this header on everything
# (scoping <FilesMatch> for static file extensions missing from the paste)
Header unset X-UA-Compatible

# ----------------------------------------------------------------------
# Instructs the proxies to cache two versions of the resource: one compressed, and one uncompressed.
# https://developers.google.com/speed/...geProxyCaching
# ----------------------------------------------------------------------
Header append Vary Accept-Encoding

# ----------------------------------------------------------------------
# CORS-enabled images (@crossorigin)
# Send CORS headers if browsers request them; enabled by default for images.
# http://developer.mozilla.org/en/CORS_Enabled_Image
# http://blog.chromium.org/2011/07/usi...webgl-and.html
# http://hacks.mozilla.org/2011/11/usi...domain-images/
# http://wiki.mozilla.org/Security/Rev...riginAttribute
# ----------------------------------------------------------------------
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
```
Hi cPanelMichael, have you seen something in the htaccess?
A strange thing: when I turn off my .htaccess, these blocks effectively disappear, even though I have always had this .htaccess (under OVH release 3 at the time).
You have several custom rules contained in your .htaccess file. I suggest backing up your .htaccess file, and then manually removing section-by-section until you are able to find the offending rule to help narrow down the cause of the problem. Thank you.
I took your advice and turned off the custom rules one by one, but that does not change anything. Only renaming the .htaccess file makes the problem go away. But of course if I rename the .htaccess file, all my rules such as the rewrites no longer work.
What problem(s) are you hoping to solve using this 3-year-old suggestion from here? github.com/gregrickaby/The-Perfect-Apache-Configuration/blob/master/http.conf Are you adding that to the default opencart htaccess or replacing it? github.com/opencart/opencart/blob/master/upload/.htaccess.txt I think if I were going to use that "perfect apache configuration" (I wouldn't) file in my htaccess, I would do as cPanelMichael suggests, only in reverse. Start with a blank htaccess and make sure the site works as expected. Add one single section of that config to my htaccess at a time, save and refresh the site to see if I broke it.
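The section-at-a-time search cPanelMichael and zambini describe can be automated. The script below is an added example (not code from this thread, from OpenCart or from cPanel) and goes one step beyond the one-at-a-time walk: it splits a config into the "# ----" banner-delimited sections used in the file posted above and binary-searches over how many leading sections are included, so the first section that breaks the request is found in a handful of probes instead of one per section. The probe is a function you supply that writes a candidate .htaccess and reports whether the request you care about (for example a POST to an admin URL) still succeeds; the file path and URL in make_http_probe are assumptions you fill in, and the sample config is constructed here.

```python
"""Find the first section of an .htaccess that breaks a request.

Added example, not code from this thread or from OpenCart/cPanel. It assumes
the file is split into sections by '# ----' banner lines, as in the config
posted above, and that 'probe' reports whether the site still behaves with a
given candidate .htaccess in place.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, List

BANNER = re.compile(r"^#\s*-{10,}\s*$")


def split_sections(text: str) -> List[str]:
    """Cut the config into sections.

    A new section starts at a banner line once the current section already
    holds at least one real directive, so the 'banner / title / banner /
    directives' layout of the posted file maps to one section per block.
    """
    sections: List[List[str]] = [[]]
    for line in text.splitlines():
        has_directive = any(l.strip() and not l.lstrip().startswith("#")
                            for l in sections[-1])
        if BANNER.match(line) and has_directive:
            sections.append([])
        sections[-1].append(line)
    return ["\n".join(s) for s in sections if any(l.strip() for l in s)]


def first_breaking_section(sections: List[str],
                           probe: Callable[[str], bool]) -> int:
    """Index of the first section whose inclusion makes probe() fail, or -1
    if the whole file passes.

    Assumes that once a prefix of the file breaks the request, any longer
    prefix stays broken (true when one rule is the culprit); that monotonicity
    is what lets a binary search over prefix lengths replace the linear walk.
    """
    if probe("\n".join(sections)):
        return -1
    lo, hi = 0, len(sections)  # prefix of lo sections works, prefix of hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe("\n".join(sections[:mid])):
            lo = mid
        else:
            hi = mid
    return hi - 1


def make_http_probe(htaccess_path: str, url: str, body: bytes) -> Callable[[str], bool]:
    """Build a probe that writes the candidate config to htaccess_path (assumed
    to be your document root's .htaccess), POSTs body to url (assumed to be the
    admin action that misbehaves) and reports True on a 2xx/3xx response.
    A 403 from mod_security or a Deny rule raises HTTPError and counts as broken.
    """
    def probe(candidate: str) -> bool:
        with open(htaccess_path, "w") as fh:
            fh.write(candidate + "\n")
        req = urllib.request.Request(url, data=body, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return 200 <= resp.status < 400
        except urllib.error.HTTPError:
            return False
    return probe


# Constructed sample in the layout of the posted file. The third section stands
# in for a "Deny from all" whose <FilesMatch> container was lost, which would
# 403 every request.
SAMPLE = """\
# ----------------------------------------------------------------------
# Charset
# ----------------------------------------------------------------------
AddDefaultCharset utf-8

# ----------------------------------------------------------------------
# Security headers
# ----------------------------------------------------------------------
Header set X-Content-Type-Options nosniff

# ----------------------------------------------------------------------
# Block backup and source files (container directive lost when pasted)
# ----------------------------------------------------------------------
Order allow,deny
Deny from all
Satisfy All

# ----------------------------------------------------------------------
# Rewrite engine
# ----------------------------------------------------------------------
RewriteEngine On
"""


def demo() -> int:
    """Run the search with a simulated probe: the site 'works' unless the
    candidate config denies everything. Returns the offending section index."""
    sections = split_sections(SAMPLE)
    return first_breaking_section(sections, lambda cfg: "Deny from all" not in cfg)


if __name__ == "__main__":
    print("first breaking section:", demo())
```

With a real probe, run the search against a copy of the site or during a maintenance window, since each probe rewrites the live .htaccess; restore the backup afterwards.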
Hello. Yes, I tried with the original Opencart .htaccess and I have the same problems, even with an empty .htaccess. Only when I rename the .htaccess to htaccess.txt does it work.
when I rename the .htaccess to htaccess.txt it works.
That means there's something wrong with your/that htaccess file. This isn't an issue with your cPanel as much as it's an issue with your customized htaccess. The suggestions already posted to this thread are valid. You'll need to troubleshoot the htaccess file rule by rule to find out what's not working. GL!
I understand that, but it does it with both .htaccess files (ours and the original Opencart one), and it also does it, especially, when the .htaccess is empty; so why does it do so when I put anything in the .htaccess? That's really what I do not understand. Thank you all the same for having spent time answering.
but it does it with both .htaccess files (ours and the original Opencart one), and it also does it, especially, when the .htaccess is empty; so why does it do so when I put anything in the .htaccess?
My apologies, I'm unclear on your response: it does what, exactly? From your original post: "According to Opencart this does not come from them but from a POST function that would be blocked."
What does this mean as well? Assuming you've got a stock cPanel server with nothing special changed on it (LiteSpeed, NGINX, anything along those lines), and assuming you've got a stock opencart installation with a stock .htaccess provided by opencart, and some links on your site get blocked according to opencart as you mention, can we also assume the blocks are related to mod_security? This is possible. And if that is the case, you should see something about the blocks in your mod_security logs when that default site is up and running as expected, and then you click a specific link and it's blocked. If not, then you might want to go back to opencart and ask them for more details on the original comment.

The above as mentioned all assumes a lot of defaults. You need to get the default site working first. That other file you're hoping to use should be left out of the equation for now completely.

I just installed opencart via softaculous on this end. Runs out of the box as expected. I renamed the .htaccess.txt to .htaccess and the site still works as expected. I'm using the OWASP Mod_security rules but do have several globally disabled, for just this sort of issue on other scripts... We're missing some sort of detail here on your end I think.

If you think .htaccess is not working on your account, you should contact your Hosting Provider to take a closer look at this for you. As a Website Owner, you wouldn't have access to the mod_security logs which could contain important information about the issue.
When I comment out "RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]" I get this on the front end: "Not Found. The requested URL /Filtre-a-eau.html/filtre-a-eau-domestique.html was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request." But in the admin the problems disappear.
You're taking yet another turn on this by making changes to the default htaccess. When the htaccess is renamed, short URLs or SEO friendly URLs are expected to break. That URL that's not found is a result of the code in the htaccess to make the SEO URLs. Comment out that line, and the URLs break, as you have found out. A simple question for you: when you have the default htaccess unedited and named properly, does the site work? The answer should be yes. If not, there's some other issue here.
A simple answer: with the default .htaccess it is the same, the site works on the front end but I also have the problem of links which disconnect the admin. It is the developer of one of my modules who told me I must have a POST problem.
We're unable to assist you with any opencart modules or configuration issues. On the cPanel side of things, the .htaccess works as expected on your system, although the code you're hoping to use in it has some sort of issue. Your Hosting Provider will have to assist you with the POST problem. As mentioned, that sounds like a mod_security issue and you wouldn't be able to sort that out; you need their help with that.
I manage my server myself via WHM on the VPS. Don't I have the possibility to intervene via mod_security in WHM?
Do you have mod_security installed? Blocks should show up here: WHM » Security Center » ModSecurity Tools » Hits List. Logfile: /usr/local/apache/logs/modsec_audit.log
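To make the log file above useful for the admin-disconnect symptom described in this thread, the entries you want are the ones mod_security intercepted, together with the request method, the URI and the rule ids that fired. The parser below is an added example (not from this thread or from cPanel): it reads the serial-format modsec_audit.log layout, in which each transaction is a run of "--<txid>-<part>--" sections (A: timestamp and addresses, B: request line and headers, H: rule messages and the intercept action, Z: end of entry), and reports only the intercepted requests. The log excerpt, addresses, transaction ids and URIs in it are constructed; the rule ids are in the format CRS rules use, chosen here as sample values.

```python
"""Summarise intercepted requests from a mod_security serial audit log.

Added example, not code from this thread or from cPanel. It follows the
'--<txid>-<part>--' section layout of modsec_audit.log (A = timestamp and
addresses, B = request line and headers, H = rule messages and action,
Z = end of entry). SAMPLE_LOG is constructed; its addresses, URIs and ids
are sample values, not taken from a real server.
"""
import re
from collections import Counter
from typing import Dict, List

BOUNDARY = re.compile(r"^--(\S+)-([A-Z])--$")
A_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<client>\S+) \d+ \S+ \d+")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Split the log into entries, each a dict of part letter -> part text."""
    entries: List[Dict[str, str]] = []
    parts: Dict[str, List[str]] = {}
    part = None
    txid = ""
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            txid, part = m.groups()
            if part == "A":          # first boundary of a transaction
                parts = {}
            elif part == "Z":        # last boundary: flush the entry
                entries.append({"txid": txid,
                                **{k: "\n".join(v) for k, v in parts.items()}})
                part = None
            continue
        if part is not None:
            parts.setdefault(part, []).append(line)
    return entries


def blocked_requests(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only entries mod_security intercepted, with the details an admin
    needs to match a block against a user's complaint."""
    out: List[Dict[str, object]] = []
    for e in entries:
        h = e.get("H", "")
        if "Action: Intercepted" not in h:
            continue
        fields = e.get("B", "").splitlines()[0].split() if e.get("B") else []
        a = A_LINE.match(e.get("A", ""))
        out.append({
            "txid": e["txid"],
            "time": a.group("ts") if a else "",
            "client": a.group("client") if a else "",
            "method": fields[0] if fields else "",
            "uri": fields[1] if len(fields) > 1 else "",
            "rule_ids": RULE_ID.findall(h),
            "messages": RULE_MSG.findall(h),
        })
    return out


def rule_hit_counts(blocked: List[Dict[str, object]]) -> Counter:
    """How often each rule id contributed to an intercept: the rules worth
    reviewing (or disabling for one domain) float to the top."""
    return Counter(rid for b in blocked for rid in b["rule_ids"])


# Constructed excerpt: one allowed GET, then two intercepted admin POSTs.
SAMPLE_LOG = """\
--7f3c1a2b-A--
[10/Aug/2016:12:00:01 +0200] V6rA0000@AAAAAAAAAAA 203.0.113.10 54321 198.51.100.5 80
--7f3c1a2b-B--
GET /index.php?route=common/home HTTP/1.1
Host: www.example.com
--7f3c1a2b-H--
Apache-Handler: application/x-httpd-php
--7f3c1a2b-Z--

--7f3c1a2c-A--
[10/Aug/2016:12:00:09 +0200] V6rB0000@AAAAAAAAAAA 203.0.113.10 54322 198.51.100.5 80
--7f3c1a2c-B--
POST /admin/index.php?route=catalog/product/edit&token=SAMPLETOKEN HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
--7f3c1a2c-H--
Message: Warning. Pattern match found. [file "/path/to/rules.conf"] [line "65"] [id "941100"] [msg "XSS Attack Detected via libinjection"]
Message: Access denied with code 403 (phase 2). [file "/path/to/rules.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded"]
Action: Intercepted (phase 2)
--7f3c1a2c-Z--

--7f3c1a2d-A--
[10/Aug/2016:12:01:30 +0200] V6rC0000@AAAAAAAAAAA 203.0.113.10 54323 198.51.100.5 80
--7f3c1a2d-B--
POST /admin/index.php?route=setting/setting&token=SAMPLETOKEN HTTP/1.1
Host: www.example.com
--7f3c1a2d-H--
Message: Access denied with code 403 (phase 2). [file "/path/to/rules.conf"] [line "36"] [id "949110"] [msg "Inbound Anomaly Score Exceeded"]
Action: Intercepted (phase 2)
--7f3c1a2d-Z--
"""


def demo() -> List[Dict[str, object]]:
    """Parse the constructed log and return the intercepted requests."""
    return blocked_requests(parse_audit_log(SAMPLE_LOG))


if __name__ == "__main__":
    for b in demo():
        print(b["time"], b["client"], b["method"], b["uri"], b["rule_ids"])
    print(rule_hit_counts(demo()))
```

On a live server the audit log is normally root-readable only, so run it as root on the VPS (the thread's owner manages the server through WHM) or read the same hits through the WHM "Hits List" page. A block whose URI is under /admin/ and whose method is POST is the kind of entry that explains an "admin disconnect" complaint; the rule id then tells you what to review, and the message tells you which parameter tripped it.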