Forbid serverwide access to xmlrpc.php

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
I stumbled on this solution, which is to be put in the httpd.conf file of apache (I don't have nginx).
Code:
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
What is the best way to do this?
Copy an httpd.conf to /usr/local/directadmin/custombuild/custom/ap2 and then put this code somewhere in there? If yes, where is the best place to put it in the config?

If no, what is a better solution?
 

Awd

Verified User
Joined
Aug 9, 2015
Messages
316
Same question, but then for Apache with nginx as reverse proxy.

Do I need to put it in the httpd.conf file, or this

Code:
location = /xmlrpc.php {
	deny all;
	access_log off;
	log_not_found off;
}
in nginx.conf file?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Looks to me like the nginx.conf, as I found on the same site where I found my code:
5. Blocking access in nginx
If you are running nginx instead of Apache you should add this code to your nginx configuration:
server {
location = /xmlrpc.php {
deny all;
}
}
 

Driesp

Verified User
Joined
Mar 12, 2007
Messages
80
We are also looking into this.

Your solution generates a 404 error. This is not a solution for us, because there is still a page hit.
We would like to forbid the action (HTTP 403).

This can be done with mod_rewrite.
But this causes issues with existing modrewrite rules.

I am adding this above all virtualhosts in apache.

Code:
<Location />
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$ [NC]
RewriteRule ^(.*)$ - [F]
</Location>
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Hello,

We use this:

Code:
        <Files xmlrpc.php>
            Order allow,deny
            Deny from all
            ErrorDocument 403 "Sorry, you are not allowed to view this page!"
        </Files>
it gives no page hit.
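The Files/FilesMatch snippets posted in this thread use the Apache 2.2 access-control syntax (Order/Deny). On Apache 2.4 those directives only work when mod_access_compat is loaded; the native form is "Require all denied". The block below is an added example, not code from this thread or from DirectAdmin; it assumes it is placed in server context (outside any VirtualHost), for instance in a custom httpd.conf under /usr/local/directadmin/custombuild/custom/ap2/ as discussed above, so it covers every virtual host, and it returns 403 without invoking PHP:

```apache
# Added example (not from the thread): server-wide block of xmlrpc.php and
# wp-trackback.php that works on both Apache 2.2 and 2.4.
# Assumption: this lives in server context, e.g. a custom httpd.conf, so it
# applies to all virtual hosts on the box.

<FilesMatch "^(xmlrpc|wp-trackback)\.php$">
    # Apache 2.4: mod_authz_core exists only in 2.4, so this branch is
    # taken there and the native "Require" syntax is used.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2 (no mod_authz_core): classic Order/Deny syntax.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>

    # A literal string (note the leading quote) makes Apache answer with
    # this text itself, so no PHP script and no user-defined 403 page runs;
    # the request is refused before WordPress ever loads.
    ErrorDocument 403 "Sorry, you are not allowed to view this page!"
</FilesMatch>
```

After adding it, run `apachectl configtest` (or `httpd -t`) before restarting, then check one domain with `curl -I https://example.com/xmlrpc.php` and expect an HTTP 403 while a normal page still returns 200. In the access log the xmlrpc.php requests should now all show status 403; any remaining 200 responses to that path mean a vhost or .htaccess is overriding the block.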
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Yes, it's under Virtualhost in templates...and the directive

Code:
ErrorDocument 403 "Sorry, you are not allowed to view this page!"
overwrites user's defined instructions for ErrorDocument 403 and no PHP script is ever triggered.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
So if I'm correct we can copy the httpd-vhost.conf template to the /custom/ap2/extra directory, adjust it, rebuild apache and then this should stay also in there after upgrades, correct?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Oh LoL, I was thinking about the wrong one.
However, these configs have all those pipelines in front and after, and endif statements.
I've never used all that before.

Can I just put that code in there? Without pipes and endifs etc.?
Is only the virtualhost2.conf and virtualhost2_secure needed or do I need to put the code in all 4 of the virtualhost2* templates somewhere?
 

MvdL

Verified User
Joined
Jul 10, 2015
Messages
21
Nevermind. Fixed it by creating new custom templates.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Update for future reference.
When using custom templates as shown above, I discovered that the "Force SSL Redirect" will not be working anymore in DA. You can switch it, but nothing happens.

Since version 1.533 we can use .pre templates for some custom code, which you can put this blocking code in, and you don't need to use the other custom templates way, which is blocking the redirect feature.
So it's better to use this.
https://www.directadmin.com/features.php?id=2155
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Actually, custom templates never get overwritten by DirectAdmin or custombuild, so they need to be updated manually if you need to add new features into them.

And yes, the possible solution Richard found is good if it fits all the needs. I believe the .pre and .post templates do not support tokens (at least they did not the last time I tested them). And if they do not support tokens and IF-ELSE-ENDIF constructions, you can not disable or enable a block per user/domain.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Thank you for clarifying this some more Alex.

Also:
you can not disable or enable a block per user/domain.
That would be no problem, as this thread has as title the request for a serverwide block to the xmlrpc.php.
 