The Community Forums


POST requests may be blocked

Discussion in 'Workarounds and Optimization' started by canou83, Jul 20, 2016.

  1. canou83

    canou83 Member

    Joined:
    Jul 20, 2016
    Messages:
    24
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    France
    cPanel Access Level:
    Website Owner
    Hi, I'm using a VPS with cPanel, running the e-commerce solution OpenCart. Everything works perfectly.

    However, I have problems with some functions / admin links that generate errors / disconnections in my OpenCart admin.

    According to OpenCart, this does not come from them but from a POST function that would be blocked.

    A strange thing: when I turn off my .htaccess, these blocks do disappear. Even though I always had this .htaccess (under OVH release 3 at the time).

    Do you have an idea? Can I submit my .htaccess?

    Thank you
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you post the contents of the .htaccess file in CODE tags, ensuring to remove references to any real domain name or IP addresses?

    Thank you.
     
  3. canou83

    Thanks cPanelMichael
    Code:
    # ----------------------------------------------------------------------
    # Apache configuration file
    # This file is best used in /apache2/httpd.conf, but works (slower) in .htaccess
    #
    # I've spent quite a bit of time compiling what I find to be optimal to me
    # and my server. This file is based on:
    # - HTML5BoilerPlate: https://github.com/h5bp/html5-boilerplate/
    # - W3 Edge: http://www.w3-edge.com/
    # - Yahoo! Best Practices: http://developer.yahoo.com/performance/rules.html
    # - Caching Tutorial: http://www.mnot.net/cache_docs/
    # - Personal experience
    #
    # v1.2 / 2013.07.01 / Greg Rickaby
    # ----------------------------------------------------------------------
    
    # Specify a Default Charset
    AddDefaultCharset utf-8
    
    # ----------------------------------------------------------------------
    # Cache Control via HTTP Headers + Expires
    # Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
    # http://httpd.apache.org/docs/2.0/mod/mod_headers.html
    # ----------------------------------------------------------------------
    
    # Expires Defaults
    <IfModule mod_expires.c>
    ExpiresActive On
    # Set default expires to 2 days
    ExpiresDefault A172800
    ExpiresByType text/css A31536000
    ExpiresByType application/x-javascript A31536000
    ExpiresByType text/x-component A31536000
    ExpiresByType text/html A3600
    ExpiresByType text/richtext A3600
    ExpiresByType image/svg+xml A3600
    ExpiresByType text/plain A3600
    ExpiresByType text/xsd A3600
    ExpiresByType text/xsl A3600
    ExpiresByType text/xml A3600
    ExpiresByType video/asf A31536000
    ExpiresByType video/avi A31536000
    ExpiresByType image/bmp A31536000
    ExpiresByType application/java A31536000
    ExpiresByType video/divx A31536000
    ExpiresByType application/msword A31536000
    ExpiresByType application/vnd.ms-fontobject A31536000
    ExpiresByType application/x-msdownload A31536000
    ExpiresByType image/gif A31536000
    ExpiresByType application/x-gzip A31536000
    ExpiresByType image/x-icon A31536000
    ExpiresByType image/jpeg A31536000
    ExpiresByType application/vnd.ms-access A31536000
    ExpiresByType audio/midi A31536000
    ExpiresByType video/quicktime A31536000
    ExpiresByType audio/mpeg A31536000
    ExpiresByType video/mp4 A31536000
    ExpiresByType video/mpeg A31536000
    ExpiresByType application/vnd.ms-project A31536000
    ExpiresByType application/x-font-otf A31536000
    ExpiresByType application/vnd.oasis.opendocument.database A31536000
    ExpiresByType application/vnd.oasis.opendocument.chart A31536000
    ExpiresByType application/vnd.oasis.opendocument.formula A31536000
    ExpiresByType application/vnd.oasis.opendocument.graphics A31536000
    ExpiresByType application/vnd.oasis.opendocument.presentation A31536000
    ExpiresByType application/vnd.oasis.opendocument.spreadsheet A31536000
    ExpiresByType application/vnd.oasis.opendocument.text A31536000
    ExpiresByType audio/ogg A31536000
    ExpiresByType application/pdf A31536000
    ExpiresByType image/png A31536000
    ExpiresByType application/vnd.ms-powerpoint A31536000
    ExpiresByType audio/x-realaudio A31536000
    ExpiresByType image/svg+xml A31536000
    ExpiresByType application/x-shockwave-flash A31536000
    ExpiresByType application/x-tar A31536000
    ExpiresByType image/tiff A31536000
    ExpiresByType application/x-font-ttf A31536000
    ExpiresByType audio/wav A31536000
    ExpiresByType audio/wma A31536000
    ExpiresByType application/vnd.ms-write A31536000
    ExpiresByType application/vnd.ms-excel A31536000
    ExpiresByType application/zip A31536000
    </IfModule>
    
    # No caching for dynamic files
    <filesMatch "\.(php|cgi|pl|htm)$">
    ExpiresDefault A0
    Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
    Header set Pragma "no-cache"
    </filesMatch>
    
    # 1 MIN
    <filesMatch "\.(html)$">
    ExpiresDefault A60
    Header set Cache-Control "max-age=60, must-revalidate"
    </filesMatch>
    
    # 2 DAYS
    <filesMatch "\.(xml|txt)$">
    ExpiresDefault A172800
    Header set Cache-Control "max-age=172800, must-revalidate"
    </filesMatch>
    
    # 1 WEEK
    <filesMatch "\.(jpg|jpeg|png|gif|swf|js|css)$">
    ExpiresDefault A604800
    Header set Cache-Control "max-age=604800, must-revalidate"
    </filesMatch>
    
    # 1 MONTH
    <filesMatch "\.(ico|pdf|flv)$">
    ExpiresDefault A2419200
    Header set Cache-Control "max-age=2419200, must-revalidate"
    </filesMatch>
    
    # ----------------------------------------------------------------------
    # Mime Types
    # Mime Associates the requested filename's extensions with the file's behavior and content
    # http://httpd.apache.org/docs/2.0/mod/mod_mime.html
    # ----------------------------------------------------------------------
    
    <IfModule mod_mime.c>
    AddType text/css .css
    AddType application/x-javascript .js
    AddType text/x-component .htc
    AddType text/html .html .htm
    AddType text/richtext .rtf .rtx
    AddType image/svg+xml .svg .svgz
    AddType text/plain .txt
    AddType text/xsd .xsd
    AddType text/xsl .xsl
    AddType text/xml .xml
    AddType video/asf .asf .asx .wax .wmv .wmx
    AddType video/avi .avi
    AddType image/bmp .bmp
    AddType application/java .class
    AddType video/divx .divx
    AddType application/msword .doc .docx
    AddType application/vnd.ms-fontobject .eot
    AddType application/x-msdownload .exe
    AddType image/gif .gif
    AddType application/x-gzip .gz .gzip
    AddType image/x-icon .ico
    AddType image/jpeg .jpg .jpeg .jpe
    AddType application/vnd.ms-access .mdb
    AddType audio/midi .mid .midi
    AddType video/quicktime .mov .qt
    AddType audio/mpeg .mp3 .m4a
    AddType video/mp4 .mp4 .m4v
    AddType video/mpeg .mpeg .mpg .mpe
    AddType application/vnd.ms-project .mpp
    AddType application/x-font-otf .otf
    AddType application/vnd.oasis.opendocument.database .odb
    AddType application/vnd.oasis.opendocument.chart .odc
    AddType application/vnd.oasis.opendocument.formula .odf
    AddType application/vnd.oasis.opendocument.graphics .odg
    AddType application/vnd.oasis.opendocument.presentation .odp
    AddType application/vnd.oasis.opendocument.spreadsheet .ods
    AddType application/vnd.oasis.opendocument.text .odt
    AddType audio/ogg .ogg
    AddType application/pdf .pdf
    AddType image/png .png
    AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
    AddType audio/x-realaudio .ra .ram
    AddType application/x-shockwave-flash .swf
    AddType application/x-tar .tar
    AddType image/tiff .tif .tiff
    AddType application/x-font-ttf .ttf .ttc
    AddType audio/wav .wav
    AddType audio/wma .wma
    AddType application/vnd.ms-write .wri
    AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
    AddType application/zip .zip
    </IfModule>
    
    # ----------------------------------------------------------------------
    # Gzip compression
    # Compress content before it is delivered to the client
    # http://httpd.apache.org/docs/2.0/mod/mod_deflate.html
    # ----------------------------------------------------------------------
    
    <IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
    <IfModule mod_setenvif.c>
    # Netscape 4.x has some problems...
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    
    # Netscape 4.06-4.08 have some more problems
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    
    # MSIE masquerades as Netscape, but it is fine
    # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    
    # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
    # the above regex won't work. You can use the following
    # workaround to get the desired effect:
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
    
    # Don't compress images
    SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
    </IfModule>
    
    <IfModule mod_headers.c>
    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
    </IfModule>
    </IfModule>
    # ----------------------------------------------------------------------
    # Start rewrite engine
    # Provides a rule-based rewriting engine to rewrite requested URLs on the fly
    # http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
    # ----------------------------------------------------------------------
    
    # FollowSymLinks must be enabled for this to work
    <IfModule mod_rewrite.c>
    Options +FollowSymlinks
    RewriteEngine On
    </IfModule>
    
    # Block access to "hidden" directories whose names begin with a period
    <IfModule mod_rewrite.c>
    RewriteBase /
    RewriteRule ^sitemap.xml$ index.php?route=feed/google_sitemap [L]
    RewriteRule ^googlebase.xml$ index.php?route=feed/google_base [L]
    RewriteRule ^download/(.*) index.php?route=error/not_found [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
    RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
    RewriteCond %{HTTP_HOST} ^monsite.com$
    RewriteRule ^(.*) http://www.monsite.com/$1 [QSA,L,R=301]
    RewriteCond %{QUERY_STRING} ^(.*)common/home(.*)$
    RewriteRule ^index\.php$ http://www.monsite.com/? [L,R=301]
    </IfModule>
    
    # ----------------------------------------------------------------------
    # Disable server signature (Security)
    # Configures the Server HTTP response header
    # http://httpd.apache.org/docs/2.2/mod...erversignature
    # ----------------------------------------------------------------------
    
    ServerSignature Off
    Header unset Etag
    FileETag none
    
    # ----------------------------------------------------------------------
    # Disable directory browsing (Security)
    # Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command
    # http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
    # ----------------------------------------------------------------------
    
    <IfModule mod_autoindex.c>
    Options -Indexes
    </IfModule>
    
    # ----------------------------------------------------------------------
    # Block access to backup and source files (Security)
    # These files may be left by some text/html editors and pose a great security danger
    # ----------------------------------------------------------------------
    
    <FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>
    
    # ----------------------------------------------------------------------
    # Increase cookie security (Security)
    # This files may be left by some text/html editors and pose a great security danger
    # ----------------------------------------------------------------------
    <IfModule php5_module>
    php_value session.cookie_httponly true
    </IfModule>
    
    # ----------------------------------------------------------------------
    # HTTP Response Headers
    #----------------------------------------------------------------------
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection 1;mode=block
    Header set X-Content-Type-Options nosniff
    
    # ----------------------------------------------------------------------
    # Webfont access
    # Allow access from all domains for webfonts.
    # ----------------------------------------------------------------------
    
    <IfModule mod_headers.c>
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$">
    Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
    </IfModule>
    
    # ----------------------------------------------------------------------
    # Force latest IE rendering engine
    # ----------------------------------------------------------------------
    
    <IfModule mod_headers.c>
    Header set X-UA-Compatible "IE=Edge,chrome=1"
    # mod_headers can't match by content-type, but we don't want to send this header on everything
    <FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$" >
    Header unset X-UA-Compatible
    </FilesMatch>
    </IfModule>
    
    # ----------------------------------------------------------------------
    # Instructs the proxies to cache two versions of the resource: one compressed, and one uncompressed. 
    # https://developers.google.com/speed/...geProxyCaching
    # ----------------------------------------------------------------------
    <IfModule mod_headers.c>
    <FilesMatch "\.(js|css|xml|gz)$">
    Header append Vary: Accept-Encoding
    </FilesMatch>
    </IfModule>
    
    # ----------------------------------------------------------------------
    # CORS-enabled images (@crossorigin)
    # Send CORS headers if browsers request them; enabled by default for images.
    # http://developer.mozilla.org/en/CORS_Enabled_Image
    # http://blog.chromium.org/2011/07/usi...webgl-and.html
    # http://hacks.mozilla.org/2011/11/usi...domain-images/
    # http://wiki.mozilla.org/Security/Rev...riginAttribute
    # ----------------------------------------------------------------------
    
    <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
    <FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
    SetEnvIf Origin ":" IS_CORS
    Header set Access-Control-Allow-Origin "*" env=IS_CORS
    </FilesMatch>
    </IfModule>
    </IfModule>
    
     
  4. canou83

  5. cPanelMichael

    You have several custom rules contained in your .htaccess file. I suggest backing up your .htaccess file, and then manually removing section-by-section until you are able to find the offending rule to help narrow down the cause of the problem.

    Thank you.
     
  6. canou83

    I took your advice and turned off all the custom rules one by one, but that does not change anything. Only renaming the .htaccess file makes the problem go away. But of course if I rename the .htaccess file, all my rules, such as the rewrites, no longer work.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    What problem(s) are you hoping to solve using this 3 year old suggestion from here?
    github.com/gregrickaby/The-Perfect-Apache-Configuration/blob/master/http.conf

    Are you adding that to the default opencart htaccess or replacing it?
    github.com/opencart/opencart/blob/master/upload/.htaccess.txt

    I think if I was going to use that "perfect apache configuration" (I wouldn't) file in my htaccess, I would do as cPanelMichael suggests, only in reverse.

    Start with a blank htaccess and make sure the site works as expected. Add one single section of that config to my htaccess at a time, save and refresh the site to see if I broke it.
     
  8. canou83

    Hello. Yes, I tried with the original OpenCart .htaccess and I have the same problems, even with an empty .htaccess. Only when I rename the .htaccess to htaccess.txt does it work.
     
  9. Infopro

    That means there's something wrong with your/that htaccess file. This isn't an issue with your cPanel as much as it's an issue with your customized htaccess.

    The suggestions already posted to this thread are valid. You'll need to troubleshoot the htaccess file rule by rule to find out what's not working.

    GL!
     
  10. canou83

    I understand that, but it does so with both .htaccess files (ours and the original OpenCart one), and it also does so, especially, when the .htaccess is empty. Why does it do so when I put anything in the .htaccess? That's really what I do not understand. Thank you all the same for taking the time to answer.
     
  11. Infopro

    My apologies I'm unclear on your response, it does what, exactly?

    From your original post:
    What does this mean as well.

    Assuming you've got a stock cPanel server with nothing special changed on it (LiteSpeed, NGINX, anything along those lines), and assuming you've got a stock opencart installation with a stock .htaccess provided by opencart, and some links on your site get blocked according to opencart as you mention, can we also assume the blocks are related to mod_security?

    This is possible.

    And if that is the case, you should see something about the blocks in your mod_security logs when that default site is up and running as expected, and then you click a specific link and it's blocked.

    If not, then you might want to go back to opencart and ask them for more details on the original comment.

    The above as mentioned all assumes a lot of defaults. You needed to get the default site working first. That other file you're hoping to use should be left out of the equation for now completely.


    I just installed opencart via softaculous on this end. Runs out of the box as expected. I renamed the .htaccess.txt to .htaccess and the site still works as expected. I'm using the OWASP Mod_security rules but do have several, globally disabled. For just this sort of issue on other scripts...

    We're missing some sort of detail here on your end I think.

    If you think .htaccess is not working on your account, you should contact your Hosting Provider to take a closer look at this for you. As a Website Owner, you wouldn't have access to the mod_security logs which could contain important information about the issue.
     
  12. canou83

    When I comment out # RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA] I get this on the front end:

    Not Found
    The requested URL /Filtre-a-eau.html/filtre-a-eau-domestique.html was not found on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    But in the admin the problems disappear.
     
  13. Infopro

    You're taking yet another turn on this by making changes to the default htaccess. When the htaccess is renamed, short URLs or SEO friendly URLs are expected. That URL that's not found is a result of the code in the htaccess to make the SEO URLs. Comment out that line, and the URLs break. As you have found out.

    A simple question for you: when you have the default htaccess unedited and named properly, does the site work?

    The answer should be, yes. If no, there's some other issue here.
     
  14. canou83

    A simple answer: with the default .htaccess it is the same; the site works on the front end, but I also have the problem of links that disconnect the admin.

    It is a developer of one of my modules who told me I must have a POST problem.
     
  15. Infopro

    We're unable to assist you with any opencart modules or configuration issues. On the cPanel side of things, the .htaccess works as expected on your system, although the code you're hoping to use in it, has some sort of issue.

    Your Hosting Provider will have to assist you with the POST problem. As mentioned, that sounds like a mod_security issue and you wouldn't be able to sort that out, you need their help with that.
     
  16. canou83

    I manage my server myself, via WHM on a VPS.

    Do I not have the possibility to intervene on mod_security via WHM?
     
  17. Infopro

    Do you have mod_security installed?
    Blocks should show up here:
    WHM » Security Center » ModSecurity™ Tools » Hits List

    Logfile:
    /usr/local/apache/logs/modsec_audit.log
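
The log check suggested in the last post can be scripted; the following is an added example, not part of the original thread and not cPanel or ModSecurity code. It assumes the audit log is in the ModSecurity 2.x serial format, and the sample log, host, URIs, addresses and rule ids in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x serial audit-log layout (not real
# traffic; host, URIs, addresses and rule ids 1000001/1000002 are placeholders).
SAMPLE_LOG = """\
--a1b2c3d4-A--
[20/Jul/2016:10:15:02 +0200] TXNID0000000000000000001 203.0.113.10 51234 198.51.100.5 80
--a1b2c3d4-B--
POST /admin/index.php?route=catalog/product/edit HTTP/1.1
Host: shop.example

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:description. [file "/path/to/rules.conf"] [line "1"] [id "1000001"] [msg "Constructed placeholder rule"]
Action: Intercepted (phase 2)

--a1b2c3d4-Z--

--e5f6a7b8-A--
[20/Jul/2016:10:15:09 +0200] TXNID0000000000000000002 203.0.113.10 51240 198.51.100.5 80
--e5f6a7b8-B--
POST /admin/index.php?route=common/login HTTP/1.1
Host: shop.example

--e5f6a7b8-F--
HTTP/1.1 200 OK

--e5f6a7b8-H--
Message: Warning. Pattern match "(constructed)" at ARGS:username. [file "/path/to/rules.conf"] [line "2"] [id "1000002"] [msg "Constructed warning-only rule"]

--e5f6a7b8-Z--
"""

# Section boundary, e.g. "--a1b2c3d4-B--": transaction id, then section letter.
BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Rule metadata tags inside a "Message:" line of the H (trailer) section.
TAG = re.compile(r'\[(id|msg) "([^"]*)"\]')


def parse_audit_log(text):
    """Split a serial audit log into {txn_id: {section_letter: [lines]}}."""
    txns = defaultdict(lambda: defaultdict(list))
    current = None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            txn, letter = m.groups()
            # Z closes the transaction; any other letter opens a section.
            current = None if letter == "Z" else txns[txn][letter]
        elif current is not None:
            current.append(line)
    return txns


def blocked_posts(text):
    """Return one record per rule message on POST requests that were intercepted."""
    hits = []
    for txn, sections in parse_audit_log(text).items():
        request_line = next((l for l in sections.get("B", []) if l.strip()), "")
        parts = request_line.split()
        if len(parts) < 2 or parts[0] != "POST":
            continue
        trailer = sections.get("H", [])
        # Warning-only matches (no interception) did not block the request.
        if not any(l.startswith("Action: Intercepted") for l in trailer):
            continue
        for l in trailer:
            if l.startswith("Message:"):
                tags = dict(TAG.findall(l))
                hits.append({"txn": txn, "uri": parts[1],
                             "rule_id": tags.get("id"), "msg": tags.get("msg")})
    return hits


if __name__ == "__main__":
    for hit in blocked_posts(SAMPLE_LOG):
        print(hit["uri"], "blocked by rule", hit["rule_id"], "-", hit["msg"])
```

On a server, pass the text of the log file named above to `blocked_posts` right after reproducing the admin disconnection. An empty result suggests the block is not coming from an intercepting ModSecurity rule.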
     