
Thread: Forbid serverwide access to xmlrpc.php

  1. #1
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,188

    Forbid serverwide access to xmlrpc.php

    I stumbled on this solution, which is to be put in the httpd.conf file of apache (I don't have nginx).
    Code:
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    </FilesMatch>
    What is the best way to do this?
    Copy a httpd.conf to /usr/local/directadmin/custombuild/custom/ap2 and then put this code somewhere in there? If yes where is the best place to put it in the config?

    If no, what is a better solution?
    Greetings, Richard.

  2. #2
    Join Date
    Aug 2015
    Posts
    166
    Same question, but then for Apache with nginx as reverse proxy.

    Do I need to put it in the httpd.conf file, or this

    Code:
    location = /xmlrpc.php {
    	deny all;
    	access_log off;
    	log_not_found off;
    }
    in nginx.conf file?

  3. #3
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,188
    Looks to me like the nginx.conf, as I found this on the same site where I found my code:
    5. Blocking access in nginx
    If you are running nginx instead of Apache you should add this code to your nginx configuration:
    server {
        location = /xmlrpc.php {
            deny all;
        }
    }
    Greetings, Richard.

  4. #4
    Join Date
    Mar 2007
    Posts
    76
    We are also looking into this.

    Your solution generates a 404 error. This is not a solution for us, because there is still a page hit.
    We would like to forbid the action (HTTP 403)

    This can be done with mod_rewrite.
    But this causes issues with existing mod_rewrite rules.

    I am adding this above all virtualhosts in apache.

    Code:
    <Location />
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$ [NC]
    RewriteRule ^(.*)$ - [F]
    </Location>

  5. #5
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,188
    A 403 would indeed be better. Thank you for sharing.
    Greetings, Richard.

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,684
    Hello,

    We use this:

    Code:
            <Files xmlrpc.php>
                Order allow,deny
                Deny from all
                ErrorDocument 403 "Sorry, you are not allowed to view this page!"
            </Files>
    it gives no page hit.

  7. #7
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,188
    You also put that in the Virtualhost file, Alex?
    Greetings, Richard.

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,684
    Yes, it's under Virtualhost in templates...and the directive

    Code:
    ErrorDocument 403 "Sorry, you are not allowed to view this page!"


    overwrites user's defined instructions for ErrorDocument 403 and no PHP script is ever triggered.

  9. #9
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,188
    So if I'm correct we can copy the httpd-vhost.conf template to the /custom/ap2/extra directory, adjust it, rebuild apache and then this should stay also in there after upgrades, correct?
    Greetings, Richard.

  10. #10
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,684
    Feel free to try your way.

    I'm using this https://help.directadmin.com/item.php?id=2

  11. #11
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,188
    Oh LoL, I was thinking about the wrong one.
    However, these configs have all those pipelines in front and after and endif statements.
    I've never used all that before.

    Can I just put that code in there? Without pipes and endifs etc.?
    Is only the virtualhost2.conf and virtualhost2_secure needed or do I need to put the code in all 4 of the virtualhost2* templates somewhere?
    Greetings, Richard.

  12. #12
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,684
    Add it before the final

    Code:
    </VirtualHost>
    in all 4 templates.

  13. #13
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,188
    Great, thank you!
    Greetings, Richard.
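
A check for the placement described in posts #6 and #12, as an added example that is not part of the original thread: it reads Apache configuration text and lists every `<VirtualHost>` block that has no effective `<Files xmlrpc.php>` deny. Assumptions: the sample configuration is constructed, the function names are hypothetical, template tokens and if/endif lines are treated as plain text, the Apache 2.4 form `Require all denied` is accepted alongside `Deny from all`, and the `<FilesMatch>` variant from post #1 is not covered.

```python
import re

# Constructed sample: two vhost blocks; only the first carries an active
# <Files xmlrpc.php> deny block in the style of post #6.
SAMPLE = """\
<VirtualHost 192.0.2.10:80>
    ServerName example.com
    <Files xmlrpc.php>
        Order allow,deny
        Deny from all
        ErrorDocument 403 "Sorry, you are not allowed to view this page!"
    </Files>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName example.com
    <Files "xmlrpc.php">
        # Deny from all
    </Files>
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\b([^>]*)>(.*?)</VirtualHost>", re.S | re.I)
FILES = re.compile(r"<Files\s+\"?xmlrpc\.php\"?\s*>(.*?)</Files>", re.S | re.I)
DENY = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)

def strip_comments(text):
    """Drop Apache comment lines so a commented-out directive does not count."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def unprotected_vhosts(conf_text):
    """Return the address of every <VirtualHost> with no active deny for xmlrpc.php."""
    missing = []
    for addr, body in VHOST.findall(strip_comments(conf_text)):
        blocks = FILES.findall(body)
        if not any(DENY.search(b) for b in blocks):
            missing.append(addr.strip())
    return missing

if __name__ == "__main__":
    import sys
    # With file arguments, check each file; otherwise check the constructed sample.
    sources = {p: open(p).read() for p in sys.argv[1:]} or {"SAMPLE": SAMPLE}
    for name, text in sources.items():
        for addr in unprotected_vhosts(text):
            print(f"{name}: <VirtualHost {addr}> has no deny block for xmlrpc.php")
```

Run it with the paths of the edited template files as arguments; no output means every `<VirtualHost>` block in them carries the deny.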
