Re: Client denied by server configuration when restricting file types


Jeff Kaufman

Jul 20, 2015, 9:00:36 AM
to mod-pagespeed-discuss
Instead of setting "ModPagespeed off" could you try "ModPagespeed unplugged"?  When mod_pagespeed is "off" it still interprets .pagespeed. urls in case clients are still using ones from before.

On Mon, Jul 20, 2015 at 4:23 AM, <ch...@chilliheatwave.co.uk> wrote:
Hi guys,

mod_pagespeed is great, we've run it on our websites & servers for years.

As part of securing the WordPress installations we host, we choose to restrict filetypes in the /wp-content/uploads directory with a .htaccess rule:

Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js|swf|html|htm|eot|woff|ttf|svg|doc|docx|xls|xlsx|ppt|pptx|pdf|map)$">
Allow from all
</Files>

However when this restriction meets mod_pagespeed there's a 403 error, chucking "Client denied by server configuration" into the log specifically when the filename has the word 'pagespeed' in it.

For example:

/wp-content/uploads/somefile.pagespeed.ic.Msyc11AVIFi.jpg

will 403 error, whilst:

/wp-content/uploads/somefile.ic.Msyc11AVIFi.jpg

doesn't.

After some testing, I can see that it still affects the site even when mod_pagespeed is turned off at .htaccess and/or vhost level.

It appears mod_pagespeed is processing the request before Apache looks at the vhost.

Any ideas how I can get these restrictions to work with mod_pagespeed please?

Thanks in advance,
Chris

--
You received this message because you are subscribed to the Google Groups "mod-pagespeed-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mod-pagespeed-di...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mod-pagespeed-discuss/c98b03cc-7de4-4949-a8e3-e390549492b7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Chris W

Jul 20, 2015, 10:57:35 AM
to mod-pagesp...@googlegroups.com
Hi Jeff,

Thanks for taking the time to reply.

"ModPagespeed unplugged" doesn't seem to make a difference sorry (although I'm hoping we can find a way to make the filetype restrictions & mod_pagespeed play together).

I'm wondering if there's a different way to lock down that folder to prevent scripts from running, whilst being compatible with mod_pagespeed?

Cheers,
Chris

Jeff Kaufman

Jul 20, 2015, 12:50:26 PM
to mod-pagespeed-discuss
I've reproduced this on a local apache server, and am trying to figure out how it happens.




Jeff Kaufman

Jul 20, 2015, 2:41:53 PM
to mod-pagespeed-discuss

Chris W

Aug 19, 2015, 9:09:40 AM
to mod-pagespeed-discuss
Hi there,

I noticed the Github thread was closed, so here's some more info for others who may be stuck:

1. Even though turning mod_pagespeed off at .htaccess or Apache conf level doesn't stop the problem, setting ModPagespeedDisallow on the affected directory does stop the problem. It means your assets in the directory AREN'T "pagespeed-ed", but the rest of the page & site is.

2. Swapping the allow/deny logic around achieves a similar thing without getting 'Client denied by server configuration' errors. Assets in the folder ARE optimised:

Order Allow,Deny
Allow from all
<Files ~ "\.(php[0-9]?|sh|cgi|phtml|pl|py|pyc|pyo)$">
Deny from all
</Files>

3. This may be a better way to secure your uploads folder:

<Directory /home/me/www/upload/>
    # Important for security, prevents someone from
    # uploading a malicious .htaccess
    AllowOverride None

    SetHandler none
    SetHandler default-handler

    Options -ExecCGI
    php_flag engine off
    RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo

    <Files *>
        # AllowOverride is only valid in <Directory> sections,
        # so it is not repeated inside <Files>
        SetHandler none
        SetHandler default-handler

        Options -ExecCGI
        php_flag engine off
        RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
    </Files>
</Directory>

Ref: http://stackoverflow.com/questions/18932756/disable-all-cgi-php-perl-for-a-directory-using-htaccess#18948152

Cheers,
Chris
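
An audit check to go with the rules above, added here as an example and not part of the original thread: it walks an uploads directory and reports any .htaccess file, any file with one of the script extensions from the deny rule, and any file outside the allowlist from the first message. The function names and the sample tree are constructed for illustration; point audit() at the real uploads path when using it.

```python
import os
import re
import tempfile

# Allowlist from the .htaccess rule in the thread (leading dot escaped).
ALLOWED = re.compile(
    r"\.(css|jpe?g|png|gif|js|swf|html|htm|eot|woff|ttf|svg|doc|docx|xls|xlsx"
    r"|ppt|pptx|pdf|map)$"
)
# Script extensions from the deny rule and RemoveHandler list in the thread.
SCRIPT = re.compile(r"\.(php[0-9]?|sh|cgi|phtml|pl|py|pyc|pyo)$")

def classify(filename):
    """Return 'htaccess', 'script', 'unlisted' or 'ok' for one file name."""
    if filename == ".htaccess":
        return "htaccess"
    if SCRIPT.search(filename):
        return "script"
    if not ALLOWED.search(filename):
        return "unlisted"
    return "ok"

def audit(root):
    """Walk root; return sorted (relative_path, finding) pairs for non-'ok' files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            verdict = classify(name)
            if verdict != "ok":
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), verdict))
    return sorted(findings)

def build_sample_tree(root):
    """Create a constructed uploads tree of empty files for the demonstration."""
    for rel in ("2015/07/photo.jpg", "2015/07/report.pdf", "2015/07/notes.txt",
                "2015/08/tool.php5", "2015/08/.htaccess", "logo.png"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, verdict in audit(tmp):
            print(f"{verdict:9} {rel}")
```

Matching is case-sensitive, as it is for the `<Files ~ ...>` patterns in the thread, so a name such as PHOTO.JPG is reported as unlisted.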

Jeff Kaufman

Aug 19, 2015, 9:27:52 AM
to mod-pagespeed-discuss
Thanks for sharing your progress!
