Forbid serverwide access to xmlrpc.php

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
@Zeiter: Can you tell me what I did wrong?
To block acces for the complete server I created the .pre files mentioned in the feature page.
Then I added this:
Code:
        <Files xmlrpc.php>
            Order allow,deny
            Deny from all
            ErrorDocument 403 "Sorry, you are not allowed to view this page!"
        </Files>
However, after investigating, it looks like that does not work in .pre files. I can still access the files. What did I do wrong?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Richard,

And how does httpd.conf for any domain look like?

And what is the exact name of your *.pre file?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Hello Alex.
The httpd.conf for any domain should be default, at least I did not change anything to them as far as I know.

The exact name for the .pre files is like in the feature link:
Code:
-rw-r--r--  1 diradmin diradmin  177 2019-03-15 17:19 virtual_host2.conf.pre
-rw-r--r--  1 diradmin diradmin  177 2019-03-15 17:19 virtual_host2_secure.conf.pre
-rw-r--r--  1 diradmin diradmin  177 2019-03-15 17:20 virtual_host2_secure_sub.conf.pre
-rw-r--r--  1 diradmin diradmin  177 2019-03-15 17:20 virtual_host2_sub.conf.pre
When I visit a site and call the xmlrpc.php it says:
"XML-RPC server accepts POST requests only."
So this way I know it's not working.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
The idea to see httpd.conf is based on a need to understand whether your directives are parsed and added into httpd.conf or not.

That's not needed anymore, as I see the naming of the files is completely wrong.

Check the link
https://www.directadmin.com/features.php?id=2158 once more again for valid file-names. You are missing a token-name.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Thank you Alex

I used this one:
https://www.directadmin.com/features.php?id=2155
which by the way has the virtual_host2_secure.conf mentioned twice in there, so 1 time too much.

The link you gave me now, uses examples like this:
Like virtual_host2.conf.CUSTOM.pre
this was not described in the id=255 link so now I understand why I made the mistake. It should be described in there too. I have to use the word "custom" before the .per in the filename.

But now I'm confused due to the link you gave. The two links do not match.
My files should read like virtual_host2.conf.CUSTOM.pre however, what confuses me (I'm not native English), is when to use the numbers in there.
Like virtual_host2.conf.CUSTOM.1.pre or like virtual_host2.conf.CUSTOM.2.pre or /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.3.pre (like mentioned in id=1816).
I also have seen:
/usr/local/directadmin/data/templates/custom/cust_httpd.pre

I don't understand what the 1, 2, 3, 4 etc. do there or if they are needed in my case.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Now I have these and it's still not working:
Code:
-rw-r--r--  1 diradmin diradmin  177 2019-03-15 17:19 virtual_host2.conf.custom.pre
-rw-r--r--  1 diradmin diradmin  177 2019-04-08 15:12 virtual_host2_secure.conf.custom.pre
-rw-r--r--  1 diradmin diradmin  177 2019-04-08 15:12 virtual_host2_secure_sub.conf.custom.pre
-rw-r--r--  1 diradmin diradmin  177 2019-04-08 15:13 virtual_host2_sub.conf.custom.pre
I'm totally confused now.

Or do I need this one too?
/usr/local/directadmin/data/templates/custom/cust_httpd.pre
And if yes, does it need the same content as the virtual host things?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
It's said there on the page for id=2155:

For the main domain http/https/subomain templates, you can now create custom template files that will be tokenized and inserted outside of the VirtualHost/server{} entry.

Well, this feature of Directadmin slipped out of my mind completely. I've never used it, so that might be the reason.

I was totally sure that we speak about one and the same thing. I did not even notice the links are different until now https://www.directadmin.com/features.php?id=2158 ;) Funny is that the feature id=2155 is mentioned on the page with id=2158. I don't read all the text too...

Thanks, I will probably try
id=2155 some day for custom virtual hosts for webmails and proxing Directadmin over nginx/apache. Good idea.

Anyway the feature id=2155 is not the one you need here in the current case.

So, for your particular case you need to use:
https://www.directadmin.com/features.php?id=2158 with a proper naming on the files, and you should literally use the names from the text, and do not change CAPITAL letters to lowercase.

To make things easier run the following commands:

Code:
cd /usr/local/directadmin/data/templates/custom/
touch virtual_host2.conf.CUSTOM.4.post virtual_host2_secure.conf.CUSTOM.4.post virtual_host2_secure_sub.conf.CUSTOM.4.post virtual_host2_sub.conf.CUSTOM.4.post
chmod 644 virtual_host2.conf.CUSTOM.4.post virtual_host2_secure.conf.CUSTOM.4.post virtual_host2_secure_sub.conf.CUSTOM.4.post virtual_host2_sub.conf.CUSTOM.4.post
populate the newly created files with your instructions and run

Code:
cd /usr/local/directadmin/custombuild/
./build rewrite_confs

p.s. not sure why forums do not make my links clickable....
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Oke thank you very much Alex.
So you say I do not need the .pre commands but the .post commands?
Is there also some explanation to be found somewhere as why there should be a CUSTOM.4 and CUSTOM.3 because I don't understand these numbers either.

Links become clickable if you use them with the url= bbcode tags.
Not sure if I can explain it like this but have a try:


[url=http://www.someurl.com]http://www.someurl.com[/url]

 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
Whatever you prefer like.... Richard, that does not really matter for this particular case. Please let's do it simple and do not make it too complicated... if you want to understand where to put those directives then you'd better start with reading:

https://httpd.apache.org/docs/2.4/mod/core.html#files

where you can see that <Files> directive can be added into server config, virtual host, directory, .htaccess....

Then you open virtual_host2.conf and choose witch of 5 CUSTOM tokens you like more....

and finally you decide where to put your lines before the CUSTOM token (with .pre) or after the CUSTOM token (with .post).

;)

p.s. I've always posted links inline using Quick Reply form, and they were automatically made click-able without need to use TAGs.

p.p.s Going to compile all my replies into a next How-to article now. Thanks Richard.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Hello Alex.

I still find it complicated with those variables.

Oke I did exactly what you told me in your post #27. I even chowned to diradmin. But it's still not working.
Code:
-rw-r--r--  1 diradmin diradmin  161 2019-04-08 21:29 virtual_host2.conf.CUSTOM.4.post
-rw-r--r--  1 diradmin diradmin  161 2019-04-08 21:30 virtual_host2_secure.conf.CUSTOM.4.post
-rw-r--r--  1 diradmin diradmin  161 2019-04-08 21:30 virtual_host2_secure_sub.conf.CUSTOM.4.post
-rw-r--r--  1 diradmin diradmin  161 2019-04-08 21:31 virtual_host2_sub.conf.CUSTOM.4.post
And added what I stated before:
Code:
<Files xmlrpc.php>
            Order allow,deny
            Deny from all
            ErrorDocument 403 "Sorry, you are not allowed to view this page!"
</Files>
And also did the rewrite_confs but still no difference.

Then you open virtual_host2.conf and choose witch of 5 CUSTOM tokens you like more....
I only see 4. Which is 1.) server config, 2.) directory, 3.) .htaccess 4.) Virtualhost

P.s.1 You are correct, I also remembered that if I posted https://www.somedomain.com at first this would be automatically converted into a clickable link. Maybe something in the forum config changed.
p.s.2 You're welcome. Also thanks you for the reply's. When creating the howto, should it not include a "chown diradmin" for the files too?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Heej.... @ps1... lets have a try with quickreply option.
In my case it converted to clickable link. http://www.test2.com
Yep, works. I'm using Firefox. Maybe it's something with your cookies or browser?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
And are you sure that templates are created under /usr/local/directadmin/data/templates/custom/ ?

If yes, then a /usr/local/directadmin/data/users/*/httpd.conf of any domain is much desired to be posted here (feel free to mask domain, IPs).

p.s. As for links, I believe it's working now fine. Thanks.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Yes I'm sure, made them .pre again to test:
Code:
[root@server18: /usr/local/directadmin/data/templates/custom]# l
total 24K
drwx--x--x  2 diradmin diradmin 4.0K 2019-04-08 21:50 .
drwx--x--x 10 diradmin diradmin 4.0K 2019-04-08 22:08 ..
-rw-r--r--  1 diradmin diradmin  130 2019-04-08 22:06 virtual_host2.conf.CUSTOM.4.pre
-rw-r--r--  1 diradmin diradmin  130 2019-04-08 22:05 virtual_host2_secure.conf.CUSTOM.4.pre
-rw-r--r--  1 diradmin diradmin  161 2019-04-08 21:30 virtual_host2_secure_sub.conf.CUSTOM.4.pre
-rw-r--r--  1 diradmin diradmin  161 2019-04-08 21:31 virtual_host2_sub.conf.CUSTOM.4.pre
And this is a sample of one of the httpd.conf files:
Code:
# Auto generated apache config file by DirectAdmin version 1.56.0
# Modifying this file is not recommended as any changes you make will be
# overwritten when the user makes any changes to their website

# For global config changes that affect all Users, see this guide:
# http://help.directadmin.com/item.php?id=2
# For local config changes that only affect one User, see this guide:
# http://help.directadmin.com/item.php?id=3


<Directory "/home/customer/public_html">
        <IfModule mod_ruid2.c>
                RMode config
                RUidGid customer customer
                #RGroups apache access
                RGroups @none
        </IfModule>
        <IfModule mod_fcgid.c>
                SuexecUserGroup customer customer
        </IfModule>
                php_admin_flag engine ON
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f customer@somedomain.nl'
                php_admin_value mail.log /home/customer/.php/php-mail.log
                php_admin_value open_basedir /home/customer/:/tmp:/var/tmp:/usr/local/lib/php/:/usr/local/php72/lib/php/
</Directory>

<VirtualHost 46.4.xxx.xxx:80 >
        ServerName www.somedomain.nl
        ServerAlias www.somedomain.nl somedomain.nl
        ServerAdmin webmaster@somedomain.nl
        DocumentRoot /home/customer/domains/somedomain.nl/public_html
        UseCanonicalName OFF
        <IfModule !mod_ruid2.c>
                SuexecUserGroup customer customer
        </IfModule>
        <IfModule mod_ruid2.c>
                RMode config
                RUidGid customer customer
                #RGroups apache access
                RGroups @none
        </IfModule>
        CustomLog /var/log/httpd/domains/somedomain.nl.bytes bytes
        CustomLog /var/log/httpd/domains/somedomain.nl.log combined
        ErrorLog /var/log/httpd/domains/somedomain.nl.error.log
        <Directory /home/customer/domains/somedomain.nl/public_html> 
                AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
                Options -ExecCGI -Includes +IncludesNOEXEC
                php_admin_flag engine ON
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f customer@somedomain.nl'
                php_admin_value mail.log /home/customer/.php/php-mail.log
                php_admin_value open_basedir /home/customer/:/tmp:/var/tmp:/usr/local/lib/php/:/usr/local/php72/lib/php/
        </Directory>
</VirtualHost>

<VirtualHost 46.4.xxx.xxx:443 >
        SSLEngine on
        SSLCertificateFile /usr/local/directadmin/data/users/customer/domains/somedomain.nl.cert.combined
        SSLCertificateKeyFile /usr/local/directadmin/data/users/customer/domains/somedomain.nl.key
        SSLCACertificateFile /usr/local/directadmin/data/users/customer/domains/somedomain.nl.cacert
        ServerName www.somedomain.nl
        ServerAlias www.somedomain.nl somedomain.nl
        ServerAdmin webmaster@somedomain.nl
        DocumentRoot /home/customer/domains/somedomain.nl/private_html
        UseCanonicalName OFF
        <IfModule !mod_ruid2.c>
                SuexecUserGroup customer customer
        </IfModule>
        <IfModule mod_ruid2.c>
                RMode config
                RUidGid customer customer
                #RGroups apache access
                RGroups @none
        </IfModule>
        CustomLog /var/log/httpd/domains/somedomain.nl.bytes bytes
        CustomLog /var/log/httpd/domains/somedomain.nl.log combined
        ErrorLog /var/log/httpd/domains/somedomain.nl.error.log
        <Directory /home/customer/domains/somedomain.nl/private_html>
                AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
                Options -ExecCGI -Includes +IncludesNOEXEC
                php_admin_flag engine ON
                php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f customer@somedomain.nl'
                php_admin_value mail.log /home/customer/.php/php-mail.log
                php_admin_value open_basedir /home/customer/:/tmp:/var/tmp:/usr/local/lib/php/:/usr/local/php72/lib/php/
        </Directory>
</VirtualHost>
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
The directive were not added into httpd.conf, hence the access is still not blocked.

And you are sure

Code:
cd /usr/local/directadmin/custombuild/
./build rewrite_confs
completed without errors?

And Directadmin is the latest?

And what you see?

Code:
ls -la  [COLOR=#333333]/usr/local/directadmin/data/templates/[/COLOR][COLOR=#333333]virtual_host2*.conf
[/COLOR]
Code:
grep CUSTOM  [COLOR=#333333]/usr/local/directadmin/data/templates/[/COLOR][COLOR=#333333]virtual_host2*.conf
[/COLOR]
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
I did indeed do the .build rewrite_confs.
The DA version is 1.56.0.

The build did not give any errors:
Code:
[root@server18: /usr/local/directadmin/custombuild]# ./build rewrite_confs
Checking to ensure /etc/httpd/conf/ssl.crt/server.ca is set.
Using 46.4.xx.xx for your server IP
Restarting apache.
Code:
directadmin (pid  26675) is running...
[root@server18: /usr/local/directadmin]# ls -la  /usr/local/directadmin/data/templates/virtual_host2*.conf
-rw-r--r-- 1 diradmin diradmin 4.5K Mar 23 01:05 /usr/local/directadmin/data/templates/virtual_host2.conf
-rw-r--r-- 1 diradmin diradmin 4.5K Mar 23 01:05 /usr/local/directadmin/data/templates/virtual_host2_secure.conf
-rw-r--r-- 1 diradmin diradmin 4.6K Mar 23 01:05 /usr/local/directadmin/data/templates/virtual_host2_secure_sub.conf
-rw-r--r-- 1 diradmin diradmin 4.5K Mar 23 01:05 /usr/local/directadmin/data/templates/virtual_host2_sub.conf
And the grep command gives this output:
Code:
[root@server18: /usr/local/directadmin]# grep CUSTOM  /usr/local/directadmin/data/templates/virtual_host2*.conf
/usr/local/directadmin/data/templates/virtual_host2.conf:|CUSTOM1|
/usr/local/directadmin/data/templates/virtual_host2.conf:|CUSTOM|
/usr/local/directadmin/data/templates/virtual_host2.conf:|CUSTOM2|
/usr/local/directadmin/data/templates/virtual_host2.conf:|CUSTOM3|
/usr/local/directadmin/data/templates/virtual_host2.conf:|CUSTOM4|
/usr/local/directadmin/data/templates/virtual_host2_secure.conf:|CUSTOM1|
/usr/local/directadmin/data/templates/virtual_host2_secure.conf:|CUSTOM|
/usr/local/directadmin/data/templates/virtual_host2_secure.conf:|CUSTOM2|
/usr/local/directadmin/data/templates/virtual_host2_secure.conf:|CUSTOM3|
/usr/local/directadmin/data/templates/virtual_host2_secure.conf:|CUSTOM4|
/usr/local/directadmin/data/templates/virtual_host2_secure_sub.conf:|CUSTOM1|
/usr/local/directadmin/data/templates/virtual_host2_secure_sub.conf:|CUSTOM|
/usr/local/directadmin/data/templates/virtual_host2_secure_sub.conf:|CUSTOM2|
/usr/local/directadmin/data/templates/virtual_host2_secure_sub.conf:|CUSTOM3|
/usr/local/directadmin/data/templates/virtual_host2_secure_sub.conf:|CUSTOM4|
/usr/local/directadmin/data/templates/virtual_host2_sub.conf:|CUSTOM1|
/usr/local/directadmin/data/templates/virtual_host2_sub.conf:|CUSTOM|
/usr/local/directadmin/data/templates/virtual_host2_sub.conf:|CUSTOM2|
/usr/local/directadmin/data/templates/virtual_host2_sub.conf:|CUSTOM3|
/usr/local/directadmin/data/templates/virtual_host2_sub.conf:|CUSTOM4|
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
At the moment I don't see anything wrong... everything looks fine, and I'd expect it to work.

You might open a ticket with John so that they could connect to your server and see what is wrong.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Thank you for checking Alex.

Indeed I need to put in a ticket then, because it's failing on both Centos 6 and the Centos 7 server as well.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Hello Alex.

Oke I can confirm that the .pre templates do not work with this but the .post templates do.

The reason I thought it did not work before was because I only checked with 1 site. This site has a .htaccess file with the <Files *> statement in it (with rules to deny ip ranges to visit the site), which clearly overrides the .post templates.

That's a pity, becaue this way there is still no real 100% serverwide blockade if a user has such .htaccess entry present.

At this mopment I don't know why the .pre are not working, I've asked this in the ticket.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,854
Location
GMT +7.00
This should work in *.4.post:

Code:
        <Location ~ "/xmlrpc.php">
                Order allow,deny
                Deny from all
                ErrorDocument 403 "Sorry, you are not allowed to view this page!"
        </Location>

p.s. Confirmed: *.pre templates does not work on my end too, both for Nginx and Apache.
 
Top