Apache - Blocking direct access to image - apache

I use apache 2.4.41 and I would like to deny direct access to image files on my server.
I've implemented the following code in my apache configuration file:
SetEnvIf Referer "(www\.)?mywebsite\.net" localreferer
<FilesMatch "\.(jpg|png|gif)$">
Require env localreferer
</FilesMatch>
However I have a strange behavior. In a web browser, when I try to access an image file directly with its URL, I don't get a 403 error code (as expected) and the image is displayed. But, when reloading the page (F5 or cmd+R on a Mac), the resource is blocked and a 403 error status is displayed.
When trying a curl -I, I have the following result:
HTTP/1.1 302 Found
Date: Wed, 06 Jul 2022 14:31:35 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://www.mywebsite.net/error/403.php
But I should get HTTP/1.1 403 Forbidden...
Could someone help me with this issue?
Many thanks in advance.
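The configuration above relies on two things a defender should check before trusting it: SetEnvIf applies its regex as an unanchored search over the header value, so "(www\.)?mywebsite\.net" also sets localreferer for a Referer such as http://mywebsite.net.attacker.example/ or any URL that merely contains the string; and an ErrorDocument 403 that points at a full URL (http://...) makes Apache answer with a redirect instead of the 403, which is exactly the 302 that curl -I reports. The Python below is an added example, not code from the question or from Apache; it mirrors the SetEnvIf/Require env decision for a Referer value and places the loose pattern from the question beside an anchored one (the anchored pattern assumes the site is served only as mywebsite.net or www.mywebsite.net over http or https). Browsers that omit Referer, for instance under a strict Referrer-Policy, are refused just like curl, so this remains a hotlinking deterrent rather than an access control.

```python
import re

# Pattern copied from the question's SetEnvIf directive. SetEnvIf searches the
# header value, so any Referer that merely contains "mywebsite.net" matches.
LOOSE_PATTERN = re.compile(r"(www\.)?mywebsite\.net")

# Hardened pattern (assumption: only http/https and no other subdomains).
# Anchored to the scheme, and the host must end right after "mywebsite.net".
STRICT_PATTERN = re.compile(r"^https?://(www\.)?mywebsite\.net(/|$)")


def is_local_referer(referer, pattern=STRICT_PATTERN):
    """Mirror 'SetEnvIf Referer <pattern> localreferer'.

    Returns True when the env var would be set. A missing Referer (None),
    which is what 'curl -I' sends, never matches.
    """
    if referer is None:
        return False
    return pattern.search(referer) is not None


def decide(referer, pattern=STRICT_PATTERN):
    """Mirror 'Require env localreferer' inside the FilesMatch block:
    403 when the variable is unset, 200 otherwise."""
    return 200 if is_local_referer(referer, pattern) else 403


# Constructed sample Referer values (attacker.example / evil.example are
# documentation names, not real hosts).
SAMPLE_REFERERS = [
    None,                                              # curl -I, or a browser sending no Referer
    "http://www.mywebsite.net/gallery.html",           # a page on the site itself
    "http://mywebsite.net",                            # bare origin
    "http://mywebsite.network/",                       # look-alike domain
    "http://mywebsite.net.attacker.example/page",      # the site's name as a subdomain elsewhere
    "https://evil.example/?u=www.mywebsite.net",       # the site's name in a query string
]


def compare(referers):
    """Return {referer: (status with loose pattern, status with strict pattern)}
    so the two rules can be audited side by side."""
    return {r: (decide(r, LOOSE_PATTERN), decide(r, STRICT_PATTERN)) for r in referers}


if __name__ == "__main__":
    for referer, (loose, strict) in compare(SAMPLE_REFERERS).items():
        print(f"{str(referer):50}  loose={loose}  strict={strict}")
```

Running the block prints one line per sample Referer; the look-alike, subdomain and query-string cases get 200 under the loose pattern and 403 under the anchored one, while the site's own pages and the no-Referer case behave identically under both.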

Related

Vue Site Running in S3 returning 404 but still loading

I have a site running in Vue2 and for the user everything seems to work right, however google doesn't seem to agree and shows most of my site as having 404 errors. I verified that when using a direct url on the site for example:
https://example.com/example
The page will load fine in the browser, but the console will immediately report a 404, but then load the content normally.
This means that lighthouse and google search console all show my page as a 404.
The site is hosted in AWS S3 as a static site, and I have index.html as the entry point and as the error location. I have user facing errors coming from Vue Router that work fine.
Any thoughts on what could be causing the 404 in the console and how to resolve it?
A real world example of this is https://lattecalories.com/brewing/starbucks-holiday-flavors-a-guide-for-2021
The HTTP 404 is the status code from the server itself saying that the URL is unknown, the thing is, when you have services nested into other ones such as S3, Cloudflare, and other APIs, you might end up having a perfectly good website with a 404 on top.
From a quick trace on your side, I seem to have found what is triggering this inside Amazon.
Look at this output:
HTTP/1.1 404
date: Sat, 29 Jan 2022 17:49:30 GMT
content-type: text/html
display: staticcontent_sol
expires: Fri, 28 Jan 2022 17:49:30 GMT
last-modified: Sat, 29 Jan 2022 13:07:11 GMT
pagespeed: off
response: 404
vary: Accept-Encoding
vary: "X-Clacks-Overhead":"GNU,Terry,Pratchett",User-Agent,Origin,Accept-Encoding
x-amz-error-code: NoSuchKey
x-amz-error-detail-key: brewing/starbucks-holiday-flavors-a-guide-for-2021
x-amz-error-message: The specified key does not exist.
x-amz-id-2: NnQCklbWF34u0C188TUsd6FrlA7IHcfjh3lSNqU7eX6MLSKG5yxM/9AsgeAlaCqCZFrPzOs7JNk=
x-amz-request-id: AYR2Z1Q5H45D1B6V
x-ezoic-cdn: Miss
x-middleton-display: staticcontent_sol
x-middleton-response: 404
x-origin-cache-control:
x-sol: pub_site
cf-cache-status: DYNAMIC
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CWwatL5unsl0K3Tt8iy4Sv3b6zcy54UMMaruLGh5hVyFcbMi2qEo13mxbofVr5JTkOOM2HGwFvWweklpm2inUMS279wCx0uJhKzfqR16JU%2BpIXZSrqR3YNGXjr%2FWxc%2BnLpgCmVn1ZJAc5zxYVWmSBg%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 6d544c288d2dec19-ATL
content-encoding: gzip
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Note those NoSuchKey errors. I also notice that when I try to hit that site on an invalid URL the site still loads instead of your 404 page; this means the distribution method is wrong and you might not be pointing correctly to the S3 URLs.
I would just create a new download distribution to your S3 URLs, that would fix this, this is a mapping issue. When you are running this on defaults this is pretty common.
Check out this answer here: "The specified key does not exist" for VueJS app deployed on deployed on S3 with CloudFront
Based on the answer by #Kram, this error information is highly relevant (I'm getting the same error in my site):
x-amz-error-code: NoSuchKey
x-amz-error-detail-key: brewing/starbucks-holiday-flavors-a-guide-for-2021
x-amz-error-message: The specified key does not exist.
It may fix it if you change CloudFront to respond with 200 OK (as described in the above URL).
The nature of the error is that S3 is trying to load the URL domain.com/brewing/starbucks-holiday-flavors-a-guide-for-2021 but that location doesn't exist in the bucket.
The fix is to redirect to /index.html to allow vue-router to resolve the URL.
I'm currently suffering this error in my Vue3 application in S3, but we aren't using CloudFront. I added the error page as index.html but it didn't fix the error. The website loads properly but it throws a 404 into the console every time you reload the page. We're going to simply ignore the error for now and we will add CloudFront later. It's just a dev environment for now.

modified .htaccess file doesn't work with BrowserMatchNoCase

The server (Ubuntu Server) is going down because a 360Spider is making too many requests per second. I am trying to resolve this using this configuration in the .htaccess file:
BrowserMatchNoCase "360Spider" bots
BrowserMatchNoCase ^360Spider bots
Order Allow,Deny
Allow from ALL
Deny from env=bots
And it works partially, because the error.log logs some of these events:
[Sun Jul 20 23:30:15 2014] [error] [client 10.183.200.5] client denied by server configuration: /var/www/view, referer: http://www.mysite.org/
But the access.log is still saving information about the 360Spider:
10.183.200.5 - - [20/Jul/2014:23:31:33 -0400] "GET /view/article/154967 HTTP/1.1" 403 536 "http://www.mysite.org/view/article/154967/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0); 360Spider"
I want to block all that have the word 360Spider.
PD: I can't block the bot using the IP because all the traffic comes from the same IP. I can only work with the .htaccess file.
Any IP Address, or bot going to a url/website will most likely make a GET request — Apache logs it. Just because you see it in the log does not mean it isn't blocked; Your access.log clearly shows that it is.
When the bot tried to GET /view/article/154967 it was denied (403 Forbidden).

Why does Apache return 403

Why can't I see why Apache returns 403?!
If I look in the access log the only information I get is
193.162.142.166 - - [29/Jan/2014:18:34:26 +0100] "POST /api_test/callback.php HTTP/1.1" 403 2293
How can I get more information about why the request is forbidden/rejected?
The call is made from a payment gateway...
If the callback URL is an http request there are no problems and it returns 200 OK.
If the callback URL is an https request my server returns 403.. I need to know why.
The server has SSL and openSSL installed and it works!
Have tried to do the https request from http://web-sniffer.net/ and then there are no problems..
I don't get it.. There must be something in the request headers from the payment gateway which results in 403
update
error log
[Wed Jan 29 20:45:55 2014] [error] No hostname was provided via SNI for a name based virtual host
solution
Ok it looks like the client doesn't support SNI
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Use the LogLevel directive to adjust how verbose the error logs are and increase until you can see what you want.
httpd 2.4 has better messages in a lot of respects and a more extensive list of LogLevel settings than 2.2. So if you're using 2.2 it may be a bit harder to figure this out.
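Both the 360Spider question and this one come down to reading the two logs together: a 403 in access.log is the record that the deny rule fired (the request is still logged, just with status 403), while the reason for a 403 only appears in error.log, raised with LogLevel where needed. The script below is an added example, not code from either thread or from Apache; it parses "combined" and "common" access-log lines plus 2.2-style error-log lines with regular expressions, counts blocked versus allowed requests for a User-Agent marker, lists every 403 by client and path, and extracts the reason text from the error log. The sample lines are the ones shown on this page plus two constructed lines (a 200 from the same bot before the rule existed, and an ordinary browser request) so the counts have something to distinguish.

```python
import re

# Apache "combined" format (referer and agent quoted at the end); the trailing
# group is optional so "common" format lines without those fields also parse.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Apache 2.2-style error log line: [time] [level] [client ip] message
# (the [client ...] field is absent for server-wide messages such as the SNI one).
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\]'
    r'(?: \[client (?P<client>[^\]]+)\])? (?P<message>.*)$'
)

ACCESS_SAMPLE = [
    # from the 360Spider question: the rule fired and a 403 was written
    '10.183.200.5 - - [20/Jul/2014:23:31:33 -0400] "GET /view/article/154967 HTTP/1.1" 403 536 '
    '"http://www.mysite.org/view/article/154967/" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0); 360Spider"',
    # constructed: the same bot before the rule was in place
    '10.183.200.5 - - [20/Jul/2014:23:29:01 -0400] "GET /view/article/154960 HTTP/1.1" 200 8831 '
    '"-" "360spider (http://webscan.360.cn)"',
    # constructed: an ordinary browser that must not be counted
    '192.0.2.10 - - [20/Jul/2014:23:31:40 -0400] "GET /view/article/154967 HTTP/1.1" 200 8831 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    # from the SNI question: common format, no referer/agent fields
    '193.162.142.166 - - [29/Jan/2014:18:34:26 +0100] "POST /api_test/callback.php HTTP/1.1" 403 2293',
]

ERROR_SAMPLE = [
    '[Sun Jul 20 23:30:15 2014] [error] [client 10.183.200.5] client denied by server configuration: '
    '/var/www/view, referer: http://www.mysite.org/',
    '[Wed Jan 29 20:45:55 2014] [error] No hostname was provided via SNI for a name based virtual host',
]


def summarize_access(lines, marker):
    """Count 403 vs. non-403 requests whose User-Agent contains marker (case-insensitive).
    A 403 in access.log means the deny rule worked; it does not mean the bot got through."""
    counts = {"blocked": 0, "allowed": 0, "unparsed": 0}
    needle = marker.lower()
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        agent = (m.group("agent") or "").lower()
        if needle not in agent:
            continue
        counts["blocked" if m.group("status") == "403" else "allowed"] += 1
    return counts


def forbidden_requests(lines):
    """Every 403 as (client ip, path), whatever the log format."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("status") == "403":
            hits.append((m.group("ip"), m.group("path")))
    return hits


def error_reasons(lines):
    """(client ip or None, message) for each parseable error-log line; the message
    is where the *why* of a 403 lives (denied by configuration, missing SNI, ...)."""
    out = []
    for line in lines:
        m = ERROR_RE.match(line)
        if m:
            out.append((m.group("client"), m.group("message")))
    return out


if __name__ == "__main__":
    print(summarize_access(ACCESS_SAMPLE, "360Spider"))
    for ip, path in forbidden_requests(ACCESS_SAMPLE):
        print("403", ip, path)
    for client, message in error_reasons(ERROR_SAMPLE):
        print(client or "-", "->", message)
```

Run against real logs by replacing the sample lists with the file contents; a rising "blocked" count alongside an "allowed" count of zero is the evidence that the BrowserMatchNoCase rule covers every variant of the agent string, and the error_reasons output is the list to read when a 403 has no obvious cause.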

Force mod_proxy to preserve some response headers

We're using Apache in front of Jenkins. Jenkins' Ajax calls include an n header that apparently needs to survive the roundtrip. If we access Jenkins on port 8080, then the n header is included in the response; if we access it through mod_proxy, the n header is getting stripped.
I tried using mod_headers to preserve this header, but for some reason that doesn't work. Is there any other way I can force mod_proxy to leave this header alone?
Edit 1:
This is the response getting returned by Jenkins.
HTTP/1.1 200 OK
Server: Winstone Servlet Engine v0.9.10
Content-Type: text/html;charset=UTF-8
n: 131
Connection: Close
Date: Tue, 20 Mar 2012 09:53:42 GMT
X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
This is what Apache is returning:
Connection:close
Content-Encoding:gzip
Content-Type:text/html;charset=UTF-8
Date:Tue, 20 Mar 2012 10:37:21 GMT
Transfer-Encoding:chunked
Vary:Accept-Encoding
Edit 2:
It turns out Nginx does pass the appropriate headers back. That's the way I managed to solve it now. Still the original question is relevant: is there any way to get it done using Apache?
I found a way to get around this issue under apache.
It was created by alex (see https://issues.jenkins-ci.org/browse/JENKINS-327).
Basically:
My jenkins is running at "http://localhost:8080/jenkins".
I want to access it via jenkins.mydomain.com.
Now when I access jenkins.mydomain.com apache will redirect me to jenkins.mydomain.com/jenkins, not perfect but at least it works.
<VirtualHost *:80>
ServerName jenkins.mydomain.com
Redirect / http://jenkins.mydomain.com/jenkins
<Location /jenkins>
ProxyPass http://localhost:8080/jenkins
ProxyPassReverse http://localhost:8080/jenkins
</Location>
</VirtualHost>
I eventually moved to Nginx. Nginx didn't strip out the headers. Still, it remains weird that you cannot get Apache to leave the n header alone.
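The thread never establishes why Apache dropped the n header, so the useful thing to pin down is which response headers a reverse proxy is entitled to remove at all: only the hop-by-hop set from RFC 7230 (Connection, Keep-Alive, Proxy-Authenticate, Proxy-Authorization, TE, Trailer, Transfer-Encoding, Upgrade) plus whatever the upstream names in its own Connection header. Everything else, a one-letter custom header included, is end-to-end and should reach the client. The Python below is an added example, not code from the question, from Apache or from Jenkins; it parses the two response dumps shown in the thread (the Apache dump has no status line on the page, so one is constructed), applies that hop-by-hop rule to the Jenkins response, and reports which end-to-end headers the proxied response is missing, which is a quick way to spot this kind of stripping in any proxy chain.

```python
# Hop-by-hop response headers per RFC 7230 section 6.1; a proxy may drop these
# (and must not forward Connection's listed headers) but nothing else.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Response head as returned by Jenkins directly on port 8080 (from the question).
JENKINS_RESPONSE = """HTTP/1.1 200 OK
Server: Winstone Servlet Engine v0.9.10
Content-Type: text/html;charset=UTF-8
n: 131
Connection: Close
Date: Tue, 20 Mar 2012 09:53:42 GMT
X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
"""

# Headers as returned through mod_proxy (from the question); the status line
# is constructed because the question lists only the header fields.
APACHE_RESPONSE = """HTTP/1.1 200 OK
Connection:close
Content-Encoding:gzip
Content-Type:text/html;charset=UTF-8
Date:Tue, 20 Mar 2012 10:37:21 GMT
Transfer-Encoding:chunked
Vary:Accept-Encoding
"""


def parse_headers(raw):
    """Split a raw HTTP/1.1 response head into (status line, [(name, value), ...]).
    Tolerates both 'Name: value' and the 'Name:value' form seen in the Apache dump."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status_line, headers = lines[0], []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def forward_headers(headers):
    """Headers a compliant proxy forwards: drop the fixed hop-by-hop set plus any
    header the upstream listed in its Connection field (RFC 7230 section 6.1)."""
    drop = set(HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            drop.update(tok.strip().lower() for tok in value.split(",") if tok.strip())
    return [(n, v) for n, v in headers if n.lower() not in drop]


def missing_from_proxy(upstream_raw, downstream_raw):
    """Lower-cased names of end-to-end headers the upstream sent that the proxied
    response lacks; a non-empty set means the proxy is dropping more than it may."""
    _, upstream = parse_headers(upstream_raw)
    _, downstream = parse_headers(downstream_raw)
    expected = {n.lower() for n, _ in forward_headers(upstream)}
    seen = {n.lower() for n, _ in downstream}
    return expected - seen


if __name__ == "__main__":
    for name, value in forward_headers(parse_headers(JENKINS_RESPONSE)[1]):
        print(f"forward: {name}: {value}")
    print("missing after proxy:", sorted(missing_from_proxy(JENKINS_RESPONSE, APACHE_RESPONSE)))
```

Applied to the two dumps from the thread, the diff reports n, Server and X-Powered-By as end-to-end headers that did not come back through Apache, while Connection and Transfer-Encoding are legitimately the proxy's own; headers such as Content-Encoding and Vary that appear only downstream were added by the proxy and are not flagged.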

Deletion of uploaded images

I got this error
when I tried to delete an image which I have uploaded:
"Forbidden
You don't have permission to access /act-photo-delete.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request:
Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.friendsjoint.com Port 80 "
What will be the reason for this?
I tried changing the chmods for the files,
but nothing worked.
Does any one have any ideas?
It is a file not found error. Are you sure you have provided the correct path for the php file?
For the forbidden part take a look at this.
Forbidden – You don’t have permission to access this page error and solution