baronn

Active Member
Dec 27, 2017
28
6
3
manchester
cPanel Access Level
Root Administrator
Hello,

This has been an ongoing issue for quite some time now (nearly a year) and we have had cPanel support look into it with no success or resolution. Have been looking into it in between work now and then and not been able to find why this issue is happening. So hoping someone from the community (or perhaps support can help again?) can shed some light on why we are getting this issue.

So the issue relates to using order deny,allow in an .htaccess to only allow IPs referenced access to an admin area.

Now there are 3 installations that exist which are all identical and all of them have the same rules in the .htaccess:

order deny,allow
allow from 72.15.12.125
deny from all

which reside in the admin folder.

Here are the differences (everything else is the same) between the 3 installs:

2 are both using WordPress and the script resides in a folder inside the normal WordPress folder structure

these 2 have a non-www to www redirect in the htaccess and a https = on directive

1 (the one that has the issue) is located in a subdomain which doesn't have a WordPress install. It's just the script (within which the admin folder resides)

only has the https = on directive

Now for 2 of the installations IF you navigate to the admin folder it will prevent you from accessing and redirect you to a 404 page. These 2 installations have the admin folder located within a WordPress installation i.e. wordpress/THESCRIPT/admin folder


The 1 installation that doesn't work as desired is on a subdomain i.e. subdomain.domain.com with NO WordPress install included.

If you navigate to the admin folder located in that site from a non-recognised IP then it sends a 403 error and then displays a broken form page rather than a 404 page, which the other 2 installs do.

Looking at the logs and error files all 3 seem to send the right: AH01797: client denied by server configuration message

2 installations seem to be (for whatever reason) showing a 404 (our preferred option and happy with this) whereas the other install is sending a 403 error (checking the header and Chrome inspector).

At first we assumed that WordPress was overtaking the 403 (not sure why it would in a subfolder install) and showing the 404 page. So as the subdomain install isn't located within a WordPress structure we assumed that it may be why.

However, IF you navigate to a file on this one install that's prevented by the subdomain's root .htaccess as such:

<Files ~ "\.(tpl|bak|old)$">
Order allow,deny
Deny from all
</Files>

It actually shows the 404 page! It shows the right client denied message and for whatever reason (how we need it) shows the 404 page...

So it cannot be the fact that this 1 install is not within a WordPress folder structure...

Racking our brains to find out why the order deny,allow with the IPs in the admin folder will not do what the other 2 installs do, and even navigating to a prevented file in its own install goes to a 404.

Had a look at this which I think is closely related: htaccess file deny from all, redirects to 404 not found on 403.shtml but doesn't seem to be the case.

It's not the script in use as they are identical in all 3 installs. The only thing we can think of is that it exists in a subdomain BUT then it doesn't explain why navigating to a preventable file has the desired results.

Can anyone shed some light or similar experience and help us to finally fix this???
 

baronn

Hey there! I'm not 100% sure what would be going on with that particular installation. Since you have this configured already, would it be possible for you to submit a ticket to our team so we could check this out?
This was the old ticket 93937922 - Maybe reviewing that will help?
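
One way to check which status each denied request actually returned is to match the AH01797 entries mentioned in the first post against the access log. This is an added example, not part of the thread: the log lines, paths and client address are constructed, and it assumes the combined access-log format and that both logs use the same timezone.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the thread). On a real server the two
# sites log to separate per-domain files; they are merged here for brevity.
ERROR_LOG = """\
[Mon Jan 08 10:00:01.000001 2018] [authz_core:error] [pid 101] [client 203.0.113.9:50001] AH01797: client denied by server configuration: /home/user/public_html/wordpress/script/admin/
[Mon Jan 08 10:00:05.000001 2018] [authz_core:error] [pid 102] [client 203.0.113.9:50002] AH01797: client denied by server configuration: /home/user/public_html/sub/admin/
[Mon Jan 08 10:00:09.000001 2018] [authz_core:error] [pid 103] [client 203.0.113.9:50003] AH01797: client denied by server configuration: /home/user/public_html/sub/page.tpl
"""
ACCESS_LOG = """\
203.0.113.9 - - [08/Jan/2018:10:00:01 +0000] "GET /script/admin/ HTTP/1.1" 404 5120 "-" "curl/7.58"
203.0.113.9 - - [08/Jan/2018:10:00:05 +0000] "GET /admin/ HTTP/1.1" 403 318 "-" "curl/7.58"
203.0.113.9 - - [08/Jan/2018:10:00:09 +0000] "GET /page.tpl HTTP/1.1" 404 5120 "-" "curl/7.58"
"""

ERR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[a-z_]+:error\] \[pid [^\]]+\] "
                    r"\[client (?P<ip>\S+):\d+\] AH01797: client denied by "
                    r"server configuration: (?P<path>\S+)")
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]+\] '
                    r'"\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

def correlate(error_log, access_log):
    """Return [(denied_path, url, status)] for every AH01797 denial.

    Entries are joined on (client IP, timestamp truncated to the second);
    url and status are None when no access-log line matches.
    """
    served = {}
    for line in access_log.splitlines():
        m = ACC_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            served[(m["ip"], ts)] = (m["url"], int(m["status"]))
    rows = []
    for line in error_log.splitlines():
        m = ERR_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            key = (m["ip"], ts.replace(microsecond=0))
            url, status = served.get(key, (None, None))
            rows.append((m["path"], url, status))
    return rows

if __name__ == "__main__":
    for path, url, status in correlate(ERROR_LOG, ACCESS_LOG):
        print(f"{status}  {url}  <- denied: {path}")
```

Denials that the access log records as 404 rather than 403 are the ones where something after the authorization check replaced the response, which is the difference to look for between the three installs.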