Apache 2.4 Wrong htaccess rules applied
-
I was having some issues with my site and found that my error log reported problems associated with the .htaccess rules.
AH01797: client denied by server configuration:
There are some support threads about this that are a year old, but your plugin still doesn't enter the correct rules based on the Apache version.
Rule Changes: (see the Apache website, "Upgrading to 2.4 from 2.2")
2.2 configuration:
Order deny,allow
Deny from all
2.4 configuration:
Require all denied
In previous threads you said that it will be addressed, but 1 year later nothing has been changed. I'm having to update the code manually, but this should not be necessary, and many users may be unaware why their site is responding slowly or losing connection in the admin.
https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/
-
Thank you for reporting this. Could you share the thread you mentioned above stating the changes to comply with Apache 2.4?
Which Apache version is your server currently using?
Regards
Hi
I've the same problem
Apache 2.4.16
this is my .htaccess modification
I did not apply all the possible rules
I’m not sure that the modified part of the firewall 5G/6G is correct
# BEGIN All In One WP Security
#AIOWPS_BLOCK_WP_FILE_ACCESS_START
<Files license.txt>
  Require all denied
</files>
<Files wp-config-sample.php>
  Require all denied
</Files>
<Files readme.html>
  Require all denied
</Files>
#AIOWPS_BLOCK_WP_FILE_ACCESS_END
#AIOWPS_BASIC_HTACCESS_RULES_START
<Files .htaccess>
  Require all denied
</Files>
ServerSignature Off
LimitRequestBody 10240000
<Files wp-config.php>
  Require all denied
</Files>
#AIOWPS_BASIC_HTACCESS_RULES_END
#AIOWPS_PINGBACK_HTACCESS_RULES_START
<Files xmlrpc.php>
  Require all denied
</Files>
#AIOWPS_PINGBACK_HTACCESS_RULES_END
#AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_START
<Files debug.log>
  Require all denied
</Files>
#AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_END
#AIOWPS_DISABLE_INDEX_VIEWS_START
Options -Indexes
#AIOWPS_DISABLE_INDEX_VIEWS_END
#AIOWPS_DISABLE_TRACE_TRACK_START
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
#AIOWPS_DISABLE_TRACE_TRACK_END
#AIOWPS_FORBID_PROXY_COMMENTS_START
RewriteCond %{REQUEST_METHOD} ^POST
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_HOST} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule wp-comments-post\.php - [F]
#AIOWPS_FORBID_PROXY_COMMENTS_END
#AIOWPS_DENY_BAD_QUERY_STRINGS_START
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(request|insert|union|declare|drop) [NC]
RewriteRule ^(.*)$ - [F,L]
#AIOWPS_DENY_BAD_QUERY_STRINGS_END
#AIOWPS_ADVANCED_CHAR_STRING_FILTER_START
<IfModule mod_alias.c>
  RedirectMatch 403 \,
  RedirectMatch 403 \:
  RedirectMatch 403 \;
  RedirectMatch 403 \=
  RedirectMatch 403 \[
  RedirectMatch 403 \]
  RedirectMatch 403 \^
  RedirectMatch 403 \`
  RedirectMatch 403 \{
  RedirectMatch 403 \}
  RedirectMatch 403 \~
  RedirectMatch 403 \"
  RedirectMatch 403 \$
  RedirectMatch 403 \<
  RedirectMatch 403 \>
  RedirectMatch 403 \|
  RedirectMatch 403 \.\.
  RedirectMatch 403 \%0
  RedirectMatch 403 \%A
  RedirectMatch 403 \%B
  RedirectMatch 403 \%C
  RedirectMatch 403 \%D
  RedirectMatch 403 \%E
  RedirectMatch 403 \%F
  RedirectMatch 403 \%22
  RedirectMatch 403 \%27
  RedirectMatch 403 \%28
  RedirectMatch 403 \%29
  RedirectMatch 403 \%3C
  RedirectMatch 403 \%3E
  RedirectMatch 403 \%3F
  RedirectMatch 403 \%5B
  RedirectMatch 403 \%5C
  RedirectMatch 403 \%5D
  RedirectMatch 403 \%7B
  RedirectMatch 403 \%7C
  RedirectMatch 403 \%7D
  # COMMON PATTERNS
  Redirectmatch 403 \_vpi
  RedirectMatch 403 \.inc
  Redirectmatch 403 xAou6
  Redirectmatch 403 db\_name
  Redirectmatch 403 select\(
  Redirectmatch 403 convert\(
  Redirectmatch 403 \/query\/
  RedirectMatch 403 ImpEvData
  Redirectmatch 403 \.XMLHTTP
  Redirectmatch 403 proxydeny
  RedirectMatch 403 function\.
  Redirectmatch 403 remoteFile
  Redirectmatch 403 servername
  Redirectmatch 403 \&rptmode\=
  Redirectmatch 403 sys\_cpanel
  RedirectMatch 403 db\_connect
  RedirectMatch 403 doeditconfig
  RedirectMatch 403 check\_proxy
  Redirectmatch 403 system\_user
  Redirectmatch 403 \/\(null\)\/
  Redirectmatch 403 clientrequest
  Redirectmatch 403 option\_value
  RedirectMatch 403 ref\.outcontrol
  # SPECIFIC EXPLOITS
  RedirectMatch 403 errors\.
  RedirectMatch 403 config\.
  RedirectMatch 403 include\.
  RedirectMatch 403 display\.
  RedirectMatch 403 register\.
  Redirectmatch 403 password\.
  RedirectMatch 403 maincore\.
  RedirectMatch 403 authorize\.
  Redirectmatch 403 macromates\.
  RedirectMatch 403 head\_auth\.
  RedirectMatch 403 submit\_links\.
  RedirectMatch 403 change\_action\.
  Redirectmatch 403 com\_facileforms\/
  RedirectMatch 403 admin\_db\_utilities\.
  RedirectMatch 403 admin\.webring\.docs\.
  Redirectmatch 403 Table\/Latest\/index\.
</IfModule>
#AIOWPS_ADVANCED_CHAR_STRING_FILTER_END
#AIOWPS_SIX_G_BLACKLIST_START
# 6G BLACKLIST/FIREWALL (2016)
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
  RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
  RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
  RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
  RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
  RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
  RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
  RewriteCond %{QUERY_STRING} (\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
  RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
  RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
  RewriteCond %{QUERY_STRING} ('|\")(.*)(drop|insert|md5|select|union) [NC]
  RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<ifModule mod_rewrite.c>
  RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
  RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
  RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
  RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
  RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
  RedirectMatch 403 (?i)([a-z0-9]{2000})
  RedirectMatch 403 (?i)(https?|ftp|php):/
  RedirectMatch 403 (?i)(base64_encode)(.*)(\()
  RedirectMatch 403 (?i)(=\'|=\%27|/\'/?)\.
  RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$
  RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\"\\")
  RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\|\s|\{|\}|\[|\]|\|)
  RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
  RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
  RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
  RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
  SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
  SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
  <RequireAll>
    <limit GET POST PUT>
      Require all granted
      Require not env bad_bot
    </limit>
  </RequireAll>
</IfModule>
#AIOWPS_SIX_G_BLACKLIST_END
#AIOWPS_FIVE_G_BLACKLIST_START
# 5G BLACKLIST/FIREWALL (2013)
# @ https://perishablepress.com/5g-blacklist-2013/
# 5G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
  RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
  RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
  RewriteCond %{QUERY_STRING} (\\|\.\./|`|='$|=%27$) [NC,OR]
  RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
  RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
  RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
  RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
  RewriteRule .* - [F]
</IfModule>
# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
  # SetEnvIfNoCase User-Agent ^$ keep_out
  SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
  <RequireAll>
    <limit GET POST PUT>
      Require all granted
      Require not env keep_out
    </limit>
  </RequireAll>
</IfModule>
# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
  RedirectMatch 403 (https?|ftp|php)\://
  RedirectMatch 403 /(https?|ima|ucp)/
  RedirectMatch 403 /(Permanent|Better)$
  RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
  RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
  RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
  RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
  RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
  RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
  RedirectMatch 403 \.well\-known/host\-meta
  RedirectMatch 403 /function\.array\-rand
  RedirectMatch 403 \)\;\$\(this\)\.html\(
  RedirectMatch 403 proc/self/environ
  RedirectMatch 403 msnbot\.htm\)\.\_
  RedirectMatch 403 /ref\.outcontrol
  RedirectMatch 403 com\_cropimage
  RedirectMatch 403 indonesia\.htm
  RedirectMatch 403 \{\$itemURL\}
  RedirectMatch 403 function\(\)
  RedirectMatch 403 labels\.rdf
  RedirectMatch 403 /playing.php
  RedirectMatch 403 muieblackcat
</IfModule>
# 5G:[REQUEST METHOD]
<ifModule mod_rewrite.c>
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]
</IfModule>
#AIOWPS_FIVE_G_BLACKLIST_END
#AIOWPS_BLOCK_SPAMBOTS_START
<IfModule mod_rewrite.c>
  RewriteCond %{REQUEST_METHOD} POST
  RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
  RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.MYSITE\.EXT [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} ^$
  RewriteRule .* https://127.0.0.1 [L]
</IfModule>
#AIOWPS_BLOCK_SPAMBOTS_END
#AIOWPS_PREVENT_IMAGE_HOTLINKS_START
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_REFERER} !^$
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
  RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.MYSITE\.EXT [NC]
  RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>
#AIOWPS_PREVENT_IMAGE_HOTLINKS_END
# END All In One WP Security
Hi all, I have submitted a message to the plugin developers to investigate your findings further.
Thank you for reporting this.
Regards
Previous support threads reporting the issue and not fixed:
https://www.ads-software.com/support/topic/apache-24-25?replies=6
https://www.ads-software.com/support/topic/apache-24-incompatibility?replies=7
My clients' servers use Apache 2.4 and I try to use All in One Security for all of them.
Hi All,
Apache 2.3 and later comes with the access_compat module, which supports configurations containing old directives (including the ones mentioned in this thread). If you administer your webserver, or you can convince your webserver admin to activate it for you, it may help you with this issue until it is fixed in the plugin.
Cheers,
Česlav
Hi,
a note from the mod_access_compat documentation page:
Note
The directives provided by mod_access_compat have been deprecated by mod_authz_host. Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. This module was created to support configurations containing only old directives to facilitate the 2.4 upgrade. Please check the upgrading guide for more information.
My experience with the use of old and new mixed directives is absolutely negative:
in practice, it is very easy to create conflicts that lock Apache.
With systems like cPanel or ISPConfig it is not possible to use Apache 2.4 with only old-style configuration.
So as not to have problems:
the old goes with the old,
the new only goes with the new!
Regards!
@simonezazu, that’s a good point. I only used old directives in .htaccess on my local Apache 2.4 server, so I had no troubles with mod_access_compat.
Btw. you might be interested in checking out AIOWPSF master branch on Github. All firewall rules that used old directives now also support the new ones. Also Blacklist Manager feature now works under Apache 2.3+. The only feature that still needs to be adapted for newer Apache is Login Whitelist, but we’re working on that.
Would be perfect, if you could give it a try and report back!
@chesio
Thank you for the work you do.
I'm testing the master branch; many features seem to work, but when I apply the 5G rules… Error 500!
Inside the .htaccess, this is the problem:
# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
  # SetEnvIfNoCase User-Agent ^$ keep_out
  SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
  <limit GET POST PUT>
    Require all granted
    Require not env keep_out
    Order Allow,Deny
    Allow from all
    Deny from env=keep_out
  </limit>
</IfModule>
I changed to this:
# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
  # SetEnvIfNoCase User-Agent ^$ keep_out
  SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
  # Apache < 2.3
  <IfModule !mod_authz_core.c>
    <limit GET POST PUT>
      Order Allow,Deny
      Allow from all
      Deny from env=keep_out
    </limit>
  </IfModule>
  # Apache >= 2.3
  <IfModule mod_authz_core.c>
    <RequireAll>
      <limit GET POST PUT>
        Require all granted
        Require not env keep_out
      </limit>
    </RequireAll>
  </IfModule>
</IfModule>
and now it seems to work
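The two things the thread keeps circling back to are the 2.2 to 2.4 directive mapping from the first post (Order/Allow/Deny versus Require) and the dual <IfModule !mod_authz_core.c> / <IfModule mod_authz_core.c> wrapper in the post just above. The script below is an added example, not code from this thread or from the All In One WP Security plugin: it translates the body of a 2.2-style container into its mod_authz_core equivalent following the Apache upgrading guide, refuses combinations that would silently open access, and emits the version-guarded pair. Function names and the sample inputs are mine; the sample body is the 5G user-agent rule as it appears in the thread.

```python
"""Translate Apache 2.2 access control (Order / Allow from / Deny from, served by
mod_access_compat on 2.4) into Apache 2.4 mod_authz_core 'Require' directives,
and wrap both forms in <IfModule> guards so one .htaccess loads on either version.

Added example for the support thread; not plugin code. Mapping follows the
Apache "Upgrading to 2.4 from 2.2" guide; helper names are this example's own.
"""
import ipaddress
import re

_ORDER_RE = re.compile(r"^\s*Order\s+(allow|deny)\s*,\s*(allow|deny)\s*$", re.IGNORECASE)
_ACL_RE = re.compile(r"^\s*(Allow|Deny)\s+from\s+(.+?)\s*$", re.IGNORECASE)


def _require_arg(source):
    """Map one token of 'Allow/Deny from <source>' to the matching Require argument."""
    if source.lower().startswith("env="):
        return "env " + source[4:]
    try:
        ipaddress.ip_network(source, strict=False)      # full address or CIDR
        return "ip " + source
    except ValueError:
        pass
    if re.fullmatch(r"\d+(\.\d+){0,2}", source):         # 2.2-style partial IPv4 such as 10.1
        return "ip " + source
    return "host " + source


def _require_all(body):
    """'Require not ...' is only meaningful inside <RequireAll>, so wrap it there."""
    return ["<RequireAll>"] + ["    " + line for line in body] + ["</RequireAll>"]


def convert_body(lines):
    """Convert the body of a 2.2 <Files>/<Limit>/<Directory> container to 2.4 form.

    Lines other than Order/Allow/Deny pass through unchanged. Combinations whose
    2.2 meaning is 'everyone allowed' or 'everyone denied' despite explicit
    exceptions (the usual sign of a misread Order) raise ValueError instead of
    being translated into a looser or tighter rule than the author expected.
    """
    order, allows, denies, other = None, [], [], []
    for line in lines:
        m = _ORDER_RE.match(line)
        if m:
            order = (m.group(1).lower(), m.group(2).lower())
            continue
        m = _ACL_RE.match(line)
        if m:
            (allows if m.group(1).lower() == "allow" else denies).extend(m.group(2).split())
            continue
        other.append(line)

    if order is None and not allows and not denies:
        return list(other)                               # nothing 2.2-specific here
    if order is None:
        order = ("deny", "allow")                        # Apache's default Order
    last = order[1]                                      # the list evaluated last wins

    allow_all = any(t.lower() == "all" for t in allows)
    deny_all = any(t.lower() == "all" for t in denies)
    grant = ["Require " + _require_arg(t) for t in allows if t.lower() != "all"]
    revoke = ["Require not " + _require_arg(t) for t in denies if t.lower() != "all"]

    if allow_all and deny_all:
        out = ["Require all granted"] if last == "allow" else ["Require all denied"]
    elif deny_all:                                       # deny everyone, maybe with exceptions
        if not grant:
            out = ["Require all denied"]
        elif last == "allow":
            out = grant                                  # several Require lines = implicit RequireAny
        else:
            raise ValueError("Order allow,deny with 'Deny from all' denies every client")
    elif allow_all:                                      # allow everyone, maybe with exceptions
        if not revoke:
            out = ["Require all granted"]
        elif last == "deny":
            out = _require_all(["Require all granted"] + revoke)
        else:
            raise ValueError("Order deny,allow with 'Allow from all' overrides every Deny")
    elif grant and not revoke and last == "deny":        # allow-list, default deny
        out = grant
    elif revoke and not grant and last == "allow":       # deny-list, default allow
        out = _require_all(["Require all granted"] + revoke)
    elif grant and revoke and last == "deny":            # allow-list minus exceptions
        any_block = grant if len(grant) == 1 else (
            ["<RequireAny>"] + ["    " + g for g in grant] + ["</RequireAny>"])
        out = _require_all(any_block + revoke)
    else:
        raise ValueError("no clean 2.4 equivalent for this Order/Allow/Deny mix")
    return other + out


def dual_block(lines22, indent="    "):
    """Emit the 2.2 body under <IfModule !mod_authz_core.c> and the converted
    2.4 body under <IfModule mod_authz_core.c>, as in the fix posted above."""
    lines24 = convert_body(lines22)
    out = ["# Apache < 2.3 (mod_access_compat directives)", "<IfModule !mod_authz_core.c>"]
    out += [indent + line for line in lines22]
    out += ["</IfModule>", "# Apache >= 2.3 (mod_authz_core)", "<IfModule mod_authz_core.c>"]
    out += [indent + line for line in lines24]
    out += ["</IfModule>"]
    return "\n".join(out)


# Constructed sample: the 5G user-agent rule from the thread, in its 2.2 form.
SAMPLE_5G_BODY = ["Order Allow,Deny", "Allow from all", "Deny from env=keep_out"]

if __name__ == "__main__":
    print(dual_block(SAMPLE_5G_BODY))
```

Feed it the body of the container only and keep the <Limit GET POST PUT> wrapper outside the generated block: <RequireAll> is a mod_authz_core container, and nesting <Limit> inside it (as the posted fix does) is not the documented arrangement, whereas <RequireAll> inside <Limit> is. Before relying on the guarded pair, confirm which module the server actually loads with `apachectl -M | grep -E 'authz_core|access_compat'`; if access_compat is present the 2.2 form also loads on 2.4, which is what the earlier post in this thread describes.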
@simonezazu, good catch, I completely forgot about 5G.
I'd be in favor of removing 5G from the plugin instead of patching it for new Apache. 5G is an outdated and problematic ruleset these days, but I'll let @wpsolutions have the final word on this.
Thanks for testing!
Hi @chesio,
Yes I agree with your comment regarding 5G rules and that we should probably phase these out.
I guess the important thing is that we will need to find a way to gracefully handle all users who currently have 5G rules active on their servers.
Hi @wpsolutions,
I'd suggest showing an admin notice, informing about 5G being phased out soon, to any user who has 5G active. This way users that don't read changelogs will also become aware.
The note could link to a (sticky) support thread that would briefly explain the decision behind the change and encourage the switch to 6G or provide copy-paste ready 5G snippet for Custom Rules for those who would like to keep 5G.
Then some future version of the plugin could remove 5G feature completely.
- The topic ‘Apache 2.4 Wrong htaccess rules applied’ is closed to new replies.