POST requests may be blocked

[canou83]

Hi, I'm using a VPS with Cpanel and turns over an ecommerce solution Opencart. Everything works perfectly.

However, I have some concerns on some functions / admin links that generate me errors / disconnections my Opencart admin.

According Opencart this does not come from them but a POST function that would be blocked.

A strange thing, when I turn off my .htaccess, effectively blocking these disappear. Even though I always had this under .htaccess realese OVH 3 at the time)

Do you have an idea ? Can I submit my .htaccess?

Thank you

 

[cPanelMichael]

A strange thing, when I turn off my .htaccess, effectively blocking these disappear. Even though I always had this under .htaccess realese OVH 3 at the time)

Hello,

Could you post the contents of the .htaccess file in CODE tags, ensuring to remove references to any real domain name or IP addresses?

Thank you.

 

[canou83]

Thanks cPanelMichael

# ----------------------------------------------------------------------
# Apache configuration file
# This file is best used in /apache2/httpd.conf, but works (slower) in .htaccess
#
# I've spent quite a bit of time compiling what I find to be optimial to me
# and my server. This file is based on:
# - HTML5BoilerPlate: https://github.com/h5bp/html5-boilerplate/
# - W3 Edge: http://www.w3-edge.com/
# - Yahoo! Best Practices: http://developer.yahoo.com/performance/rules.html
# - Caching Tutorial: http://www.mnot.net/cache_docs/
# - Personal experience
#
# v1.2 / 2013.07.01 / Greg Rickaby
# ----------------------------------------------------------------------

# Specify a Default Charset
AddDefaultCharset utf-8

# ----------------------------------------------------------------------
# Cache Control via HTTP Headers + Expires
# Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
# http://httpd.apache.org/docs/2.0/mod/mod_headers.html
# ----------------------------------------------------------------------

# Expires Defaults
<IfModule mod_expires.c>
ExpiresActive On
# Set default expires to 2 days
ExpiresDefault A172800
ExpiresByType text/css A31536000
ExpiresByType application/x-javascript A31536000
ExpiresByType text/x-component A31536000
ExpiresByType text/html A3600
ExpiresByType text/richtext A3600
ExpiresByType image/svg+xml A3600
ExpiresByType text/plain A3600
ExpiresByType text/xsd A3600
ExpiresByType text/xsl A3600
ExpiresByType text/xml A3600
ExpiresByType video/asf A31536000
ExpiresByType video/avi A31536000
ExpiresByType image/bmp A31536000
ExpiresByType application/java A31536000
ExpiresByType video/divx A31536000
ExpiresByType application/msword A31536000
ExpiresByType application/vnd.ms-fontobject A31536000
ExpiresByType application/x-msdownload A31536000
ExpiresByType image/gif A31536000
ExpiresByType application/x-gzip A31536000
ExpiresByType image/x-icon A31536000
ExpiresByType image/jpeg A31536000
ExpiresByType application/vnd.ms-access A31536000
ExpiresByType audio/midi A31536000
ExpiresByType video/quicktime A31536000
ExpiresByType audio/mpeg A31536000
ExpiresByType video/mp4 A31536000
ExpiresByType video/mpeg A31536000
ExpiresByType application/vnd.ms-project A31536000
ExpiresByType application/x-font-otf A31536000
ExpiresByType application/vnd.oasis.opendocument.database A31536000
ExpiresByType application/vnd.oasis.opendocument.chart A31536000
ExpiresByType application/vnd.oasis.opendocument.formula A31536000
ExpiresByType application/vnd.oasis.opendocument.graphics A31536000
ExpiresByType application/vnd.oasis.opendocument.presentation A31536000
ExpiresByType application/vnd.oasis.opendocument.spreadsheet A31536000
ExpiresByType application/vnd.oasis.opendocument.text A31536000
ExpiresByType audio/ogg A31536000
ExpiresByType application/pdf A31536000
ExpiresByType image/png A31536000
ExpiresByType application/vnd.ms-powerpoint A31536000
ExpiresByType audio/x-realaudio A31536000
ExpiresByType image/svg+xml A31536000
ExpiresByType application/x-shockwave-flash A31536000
ExpiresByType application/x-tar A31536000
ExpiresByType image/tiff A31536000
ExpiresByType application/x-font-ttf A31536000
ExpiresByType audio/wav A31536000
ExpiresByType audio/wma A31536000
ExpiresByType application/vnd.ms-write A31536000
ExpiresByType application/vnd.ms-excel A31536000
ExpiresByType application/zip A31536000
</IfModule>

# No caching for dynamic files
<filesMatch "\.(php|cgi|pl|htm)$">
ExpiresDefault A0
Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
Header set Pragma "no-cache"
</filesMatch>

# 1 MIN
<filesMatch "\.(html)$">
ExpiresDefault A60
Header set Cache-Control "max-age=60, must-revalidate"
</filesMatch>

# 2 DAYS
<filesMatch "\.(xml|txt)$">
ExpiresDefault A172800
Header set Cache-Control "max-age=172800, must-revalidate"
</filesMatch>

# 1 WEEK
<filesMatch "\.(jpg|jpeg|png|gif|swf|js|css)$">
ExpiresDefault A604800
Header set Cache-Control "max-age=604800, must-revalidate"
</filesMatch>

# 1 MONTH
<filesMatch "\.(ico|pdf|flv)$">
ExpiresDefault A2419200
Header set Cache-Control "max-age=2419200, must-revalidate"
</filesMatch>

# ----------------------------------------------------------------------
# Mime Types
# Mime Associates the requested filename's extensions with the file's behavior and content
# http://httpd.apache.org/docs/2.0/mod/mod_mime.html
# ----------------------------------------------------------------------

<IfModule mod_mime.c>
AddType text/css .css
AddType application/x-javascript .js
AddType text/x-component .htc
AddType text/html .html .htm
AddType text/richtext .rtf .rtx
AddType image/svg+xml .svg .svgz
AddType text/plain .txt
AddType text/xsd .xsd
AddType text/xsl .xsl
AddType text/xml .xml
AddType video/asf .asf .asx .wax .wmv .wmx
AddType video/avi .avi
AddType image/bmp .bmp
AddType application/java .class
AddType video/divx .divx
AddType application/msword .doc .docx
AddType application/vnd.ms-fontobject .eot
AddType application/x-msdownload .exe
AddType image/gif .gif
AddType application/x-gzip .gz .gzip
AddType image/x-icon .ico
AddType image/jpeg .jpg .jpeg .jpe
AddType application/vnd.ms-access .mdb
AddType audio/midi .mid .midi
AddType video/quicktime .mov .qt
AddType audio/mpeg .mp3 .m4a
AddType video/mp4 .mp4 .m4v
AddType video/mpeg .mpeg .mpg .mpe
AddType application/vnd.ms-project .mpp
AddType application/x-font-otf .otf
AddType application/vnd.oasis.opendocument.database .odb
AddType application/vnd.oasis.opendocument.chart .odc
AddType application/vnd.oasis.opendocument.formula .odf
AddType application/vnd.oasis.opendocument.graphics .odg
AddType application/vnd.oasis.opendocument.presentation .odp
AddType application/vnd.oasis.opendocument.spreadsheet .ods
AddType application/vnd.oasis.opendocument.text .odt
AddType audio/ogg .ogg
AddType application/pdf .pdf
AddType image/png .png
AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
AddType audio/x-realaudio .ra .ram
AddType application/x-shockwave-flash .swf
AddType application/x-tar .tar
AddType image/tiff .tif .tiff
AddType application/x-font-ttf .ttf .ttc
AddType audio/wav .wav
AddType audio/wma .wma
AddType application/vnd.ms-write .wri
AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
AddType application/zip .zip
</IfModule>

# ----------------------------------------------------------------------
# Gzip compression
# Compress content before it is delivered to the client
# http://httpd.apache.org/docs/2.0/mod/mod_deflate.html
# ----------------------------------------------------------------------

<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
<IfModule mod_setenvif.c>
# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won't work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Don't compress images
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>

<IfModule mod_headers.c>
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>
# ----------------------------------------------------------------------
# Start rewrite engine
# Provides a rule-based rewriting engine to rewrite requested URLs on the fly
# http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
# ----------------------------------------------------------------------

# FollowSymLinks must be enabled for this to work
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
</IfModule>

# Block access to "hidden" directories whose names begin with a period
<IfModule mod_rewrite.c>
RewriteBase /
RewriteRule ^sitemap.xml$ index.php?route=feed/google_sitemap [L]
RewriteRule ^googlebase.xml$ index.php?route=feed/google_base [L]
RewriteRule ^download/(.*) index.php?route=error/not_found [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
RewriteCond %{HTTP_HOST} ^monsite.com$
RewriteRule ^(.*) http://www.monsite.com/$1 [QSA,L,R=301]
RewriteCond %{QUERY_STRING} ^(.*)common/home(.*)$
RewriteRule ^index\.php$ http://www.monsite.com/? [L,R=301]
</IfModule>

# ----------------------------------------------------------------------
# Disable server signature (Security)
# Configures the Server HTTP response header
# http://httpd.apache.org/docs/2.2/mod...erversignature
# ----------------------------------------------------------------------

ServerSignature Off
Header unset Etag
FileETag none

# ----------------------------------------------------------------------
# Disable directory browsing (Security)
# Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command
# http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
# ----------------------------------------------------------------------

<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>

# ----------------------------------------------------------------------
# Block access to backup and source files (Security)
# This files may be left by some text/html editors and pose a great security danger
# ----------------------------------------------------------------------

<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dis t)|~)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

# ----------------------------------------------------------------------
# Increase cookie security (Security)
# This files may be left by some text/html editors and pose a great security danger
# ----------------------------------------------------------------------
<IfModule php5_module>
php_value session.cookie_httponly true
</IfModule>

# ----------------------------------------------------------------------
# HTTP Response Headers
#----------------------------------------------------------------------
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff

# ----------------------------------------------------------------------
# Webfont access
# Allow access from all domains for webfonts.
# ----------------------------------------------------------------------

<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>

# ----------------------------------------------------------------------
# Force latest IE rendering engine
# ----------------------------------------------------------------------

<IfModule mod_headers.c>
Header set X-UA-Compatible "IE=Edge,chrome=1"
# mod_headers can't match by content-type, but we don't want to this header on everything
<FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|m p4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|app cache|manifest|htc|crx|oex|xpi|safariextz|vcf)$" >
Header unset X-UA-Compatible
</FilesMatch>
</IfModule>

# ----------------------------------------------------------------------
# Instructs the proxies to cache two versions of the resource: one compressed, and one uncompressed. 
# https://developers.google.com/speed/...geProxyCaching
# ----------------------------------------------------------------------
<IfModule mod_headers.c>
<FilesMatch "\.(js|css|xml|gz)$">
Header append Vary: Accept-Encoding
</FilesMatch>
</IfModule>

# ----------------------------------------------------------------------
# CORS-enabled images (@crossorigin)
# Send CORS headers if browsers request them; enabled by default for images.
# http://developer.mozilla.org/en/CORS_Enabled_Image
# http://blog.chromium.org/2011/07/usi...webgl-and.html
# http://hacks.mozilla.org/2011/11/usi...domain-images/
# http://wiki.mozilla.org/Security/Rev...riginAttribute
# ----------------------------------------------------------------------

<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>

 

[canou83]

Hi cPanelMichael, have you seen something in htaccess ?

 

[cPanelMichael]

A strange thing, when I turn off my .htaccess, effectively blocking these disappear. Even though I always had this under .htaccess realese OVH 3 at the time)

You have several custom rules contained in your .htaccess file. I suggest backing up your .htaccess file, and then manually removing section-by-section until you are able to find the offending rule to help narrow down the cause of the problem.

Thank you.

 

[canou83]

I took your advice and off 1 by 1 all the custom rules, but that does not change. Onlyrenaming the .htaccess file lets you no longer have this problem. But of course if I rename the .htaccess file, all my rules as rewrite longer works.

 

[Infopro]

What problem(s) are you hoping to solve using this 3 year old suggestion from here?
github.com/gregrickaby/The-Perfect-Apache-Configuration/blob/master/http.conf

Are you adding that to the default opencart htaccess or replacing it?
github.com/opencart/opencart/blob/master/upload/.htaccess.txt

I think if I was going to use that "perfect apache configuration" (I wouldn't) file in my htaccess, I would do as cPanelMichael suggests, only in reverse.

Start with a blank htaccess and make sure the site works as expected. Add one single section of that config to my htaccess at a time, save and refresh the site to see if I broke it.

 

[canou83]

Hello. Yes I tried with the original .htaccess Opencart and I have the same worries, even with an empty htacess. Suel when I rename the .htaccess in htaccess.txt it works.

 

[Infopro]

I rename the .htaccess in htaccess.txt it works.

That means there's something wrong with your/that htacess file. This isn't an issue with your cPanel as much as its an issue with your customized htaccess.

The suggestions already posted to this thread are valid. You'll need to troubleshoot the htaccess file rule by rule to find out whats not working.

GL!

 

[canou83]

I understand that, but it does with .htaccess 2 (ours and that of Opencart of origin) + it does also and especially when the .htaccess is empty, why does so when I put anything in the .htaccess? That's really what I do not understand. thank you all the same to have spent time answering.

 

[Infopro]

but it does with .htaccess 2 (ours and that of Opencart of origin) + it does also and especially when the .htaccess is empty, why does so when I put anything in the .htaccess?

My apologies I'm unclear on your response, it does what, exactly?

From your original post:

According Opencart this does not come from them but a POST function that would be blocked.

What does this mean as well.

Assuming you've got a stock cPanel server with nothing special changed on it (lightspeed, NGINX anything along those lines), and assuming you've got a stock opencart installation with a stock .htaccess provided by opencart, and some links on your site get blocked according to opencart as you mention, can we also assume the blocks are related to mod_security?

This is possible.

And if that is the case, you should see something about the blocks in your mod_security logs when that default site is up and running as expected, and then you click a specific link and its blocked.

If not, then you might want to go back to opencart and ask them for more details on the original comment.

The above as mentioned all assumes a lot of defaults. You needed to get the default site working first. That other file you're hoping to use should be left out of the equation for now completely.


I just installed opencart via softaculous on this end. Runs out of the box as expected. I renamed the .htaccess.txt to .htaccess and the site still works as expected. I'm using the OWASP Mod_security rules but do have several, globally disabled. For just this sort of issue on other scripts...

We're missing some sort of detail here on your end I think.

If you think .htaccess is not working on your account, you should contact your Hosting Provider to take a closer look at this for you. As a Website Owner, you wouldn't have access to the mod_security logs which could contain important information about the issue.

 

[canou83]

When i comment # RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA] i've this in front

Not Found
The requested URL /Filtre-a-eau.html/filtre-a-eau-domestique.html was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

But in admin problemes disappears

 

[Infopro]

You're taking yet another turn on this by making changes to the default htaccess. When the htaccess is renamed, short URLs or SEO friendly URLs are expected. That URL thats not found, is a result of the code in the htaccess to make the seo URLs. Comment out that line, and the URLs break. As you have found out.

A simple question for you: when you have the default htaccess unedited and named properly, does the site work?

The answer should be, yes. if no, there's some other issue here.

 

[canou83]

A simple answer , with the .htaccess default is the same, the site works the front but I also have the problem of links which disconnects the admin.

This is a developer of one of my module that told me I had to have a POST problem.

 

[Infopro]

We're unable to assist you with any opencart modules or configuration issues. On the cPanel side of things, the .htaccess works as expected on your system, although the code you're hoping to use in it, has some sort of issue.

Your Hosting Provider will have to assist you with the POST problem. As mentioned, that sounds like a mod_security issue and you wouldn't be able to sort that out, you need their help with that.

 

[canou83]

It's myself that manages my server via WHM VPS.

I do not have the possibility to intervene via mod_security WHM?

 

[Infopro]

Do you have mod_security installed?
Blocks should show up here:
WHM »Security Center »ModSecurity™ Tools » Hits List

Logfile:
/usr/local/apache/logs/modsec_audit.log