Forbid serverwide access to xmlrpc.php

Richard G (Verified User, joined Jul 6, 2008, 12,554 messages, Maastricht)
I stumbled on this solution, which is to be put in the httpd.conf file of Apache (I don't have nginx).
Code:
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

What is the best way to do this?
Copy httpd.conf to /usr/local/directadmin/custombuild/custom/ap2 and then put this code somewhere in there? If yes, where is the best place to put it in the config?

If no, what is a better solution?
 
Same question, but then for Apache with nginx as reverse proxy.

Do I need to put this in the httpd.conf file, or this

Code:
location = /xmlrpc.php {
	deny all;
	access_log off;
	log_not_found off;
}

in nginx.conf file?
 
Looks to me like it's nginx.conf, as I found on the same site where I found my code:
5. Blocking access in nginx
If you are running nginx instead of Apache you should add this code to your nginx configuration:
server {
    location = /xmlrpc.php {
        deny all;
    }
}
 
We are also looking into this.

Your solution generates a 404 error. This is not a solution for us, because there is still a page hit.
We would like to forbid the action (HTTP 403)

This can be done with mod_rewrite.
But this causes issues with existing mod_rewrite rules.

I am adding this above all virtualhosts in Apache.

Code:
<Location />
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$ [NC]
RewriteRule ^(.*)$ - [F]
</Location>
 
Hello,

We use this:

Code:
        <Files xmlrpc.php>
            Order allow,deny
            Deny from all
            ErrorDocument 403 "Sorry, you are not allowed to view this page!"
        </Files>

it gives no page hit.
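The snippets in this thread use the Apache 2.2 access-control syntax (Order/Deny), which on Apache 2.4 only works while mod_access_compat is loaded. As an added example, not code from any poster, here is the same server-wide block written for Apache 2.4 with a fallback for 2.2, meant to live in a file outside every VirtualHost (the custom ap2 directory mentioned above is assumed as the location) so it applies to all domains. Keeping the ErrorDocument inside the block has the effect Alex describes: the user's own 403 handler is overridden and no PHP is ever executed for these requests.

```apache
# Added example, not from the thread. Apply globally (outside <VirtualHost>)
# so every site on the server gets the same 403 for xmlrpc.php and wp-trackback.php.
# FilesMatch is evaluated on the file name, so a query string (?rsd etc.) does not bypass it.
<FilesMatch "^(xmlrpc|wp-trackback)\.php$">
    # Apache 2.4: mod_authz_core
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with only mod_access_compat): legacy syntax
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
    # Plain-text body: overrides any per-user ErrorDocument, so no PHP handler runs
    ErrorDocument 403 "Sorry, you are not allowed to view this page!"
</FilesMatch>
```

After rebuilding, run `apachectl -t` to check the syntax, then `curl -s -o /dev/null -w "%{http_code}\n" https://example.com/xmlrpc.php` against a few domains on the server; every one should print 403 rather than 200 or 404.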
 
Yes, it's under Virtualhost in templates...and the directive

Code:
ErrorDocument 403 "Sorry, you are not allowed to view this page!"

overrides the user-defined ErrorDocument 403 instructions, and no PHP script is ever triggered.
 
So if I'm correct we can copy the httpd-vhost.conf template to the /custom/ap2/extra directory, adjust it, rebuild apache and then this should stay also in there after upgrades, correct?
 
Oh LoL, I was thinking about the wrong one.
However, these configs have all those pipes in front and after and endif statements.
I've never used all that before.

Can I just put that code in there? Without pipes and endifs etc.?
Is only the virtualhost2.conf and virtualhost2_secure needed or do I need to put the code in all 4 of the virtualhost2* templates somewhere?
 
Nevermind. Fixed it by creating new custom templates.
 
Update for future references.
When using custom templates as shown above, I discovered that the "Force SSL Redirect" no longer works in DA. You can switch it, but nothing happens.

Since version 1.533 we can use .pre templates for custom code; you can put this blocking code in there and don't need the other custom templates approach, which blocks the redirect feature.
So it's better to use this.
https://www.directadmin.com/features.php?id=2155
 
Actually, custom templates never get overwritten by DirectAdmin or custombuild, so they need to be updated manually if you need to add new features into them.

And yes, the possible solution Richard found is good if it fits all the needs. I believe the .pre and .post templates do not support tokens (at least they did not the last time I tested them). And if they do not support tokens and IF-ELSE-ENDIF constructions, you can not disable or enable a block per user/domain.
 
Thank you for clarifying this some more Alex.

Also:
"you can not disable or enable a block per user/domain."
That would be no problem, as this thread has as title the request for a serverwide block to the xmlrpc.php.
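The thread's distinction between a 403 from the web server (no page hit) and a 404 or 200 (the request reached the site) is easy to verify after deploying the block by reading the access log. As an added example that is not from any poster, the following Python script parses Apache combined-format log lines, keeps only the xmlrpc.php / wp-trackback.php requests, summarises them by status code, lists the requests that did not get a 403 (which points at a vhost where the block is not in effect), and ranks the source IPs hammering the endpoint. The log lines are constructed for the example; the log path is not assumed.

```python
import re
from collections import Counter

# Apache "combined" log format, enough fields for this check (constructed regex)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Same file names the thread blocks; matched on the path without its query string
BLOCKED_RE = re.compile(r'/(xmlrpc|wp-trackback)\.php$', re.IGNORECASE)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2020:13:55:36 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2020:13:55:37 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2020:13:56:01 +0200] "GET /wp-trackback.php?p=12 HTTP/1.1" 200 3421 "-" "curl/7.68.0"',
    '192.0.2.5 - - [10/Oct/2020:13:57:10 +0200] "GET /index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Oct/2020:13:57:11 +0200] "POST /blog/xmlrpc.php HTTP/1.1" 404 512 "-" "python-requests/2.25"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Drop the query string: the Apache FilesMatch block ignores it too
    entry["path"] = entry["path"].split("?", 1)[0]
    return entry


def blocked_endpoint_hits(lines):
    """Yield parsed entries whose path is one of the endpoints the block covers."""
    for line in lines:
        entry = parse_line(line)
        if entry and BLOCKED_RE.search(entry["path"]):
            yield entry


def xmlrpc_status_summary(lines):
    """Return (Counter of status codes, list of entries that were NOT answered with 403).

    A 403 means the web server refused the request before anything was served.
    Anything else (200, 404, ...) means the request got past the block on that vhost.
    """
    by_status = Counter()
    not_forbidden = []
    for entry in blocked_endpoint_hits(lines):
        by_status[entry["status"]] += 1
        if entry["status"] != 403:
            not_forbidden.append(entry)
    return by_status, not_forbidden


def top_sources(lines, n=5):
    """Most frequent client IPs hitting the blocked endpoints, for alerting or rate limiting."""
    return Counter(e["ip"] for e in blocked_endpoint_hits(lines)).most_common(n)


if __name__ == "__main__":
    summary, leaks = xmlrpc_status_summary(SAMPLE_LOG)
    print("status codes for xmlrpc/trackback requests:", dict(summary))
    for e in leaks:
        print(f"block not effective: {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    print("top sources:", top_sources(SAMPLE_LOG))
```

Feed it the real log with `sys.stdin` or `open()` in place of `SAMPLE_LOG`; the expected healthy output is a summary containing only 403 and an empty "block not effective" list.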
 