I'm using PHP-FPM to host one of busy websites. I serve all php and html pages through PHP-FPM proxy. For 500 errors, I want to send Email to all stakeholders, with URL, its query strings and cookies through another PHP script hosted on the same server.
However adding ErrorDocument 500 /report/webmaster/dp-server-error.php inside virtual host results in redirect loop to error script i.e. dp-server-error.php. As work around, I have done something like this in virtual host file and it works.
ProxyPassMatch ^/(.*\.(php|html)(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/example.com/
ProxyErrorOverride On
ErrorDocument 500 https://www.example.com/report/webmaster/dp-server-error.php?page=%{REQUEST_URI}?%{QUERY_STRING}&cookies=%{HTTP:Cookie}
However, the work around has some issues. The cookies might exceed number of valid characters in URL. The URL might be noticed by one of the crawlers and crawling this URL might send false Email alerts. I want ErrorDocument to work normally without using the full domain name. I want to know how can I avoid the redirect loop. Also using
ProxyPass /report/webmaster/dp-server-error.php !
to avoid redirection loop is not acceptable as I would not able to use the existing PHP framework to perform detailed analysis of error before sending Email for further analysis.
Related
I have a simple custom MVC app using $_GET to parse a url, and i've got it working on my dev server as well as a few different webhosts using php 7.1... but I'm trying to use x10hosting's free lamp hosting and the data being passed from $_GET is coming through as 403...
I've proved that it works on other servers as well as my own dev server with this
echo '<pre>', $route->path, $_GET['url'], '</pre>';
when going to the url http://app/admin... this line in my loop gives me what should be expected...
/admin
adminadmin
but on x10's server i get this
/403.shtml
admin403.shtml
I have tried encoding to base64 with urlencode($_GET) as well as disabling mod_sec in the .htaccess with
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
neither solution worked... I'm almost certain it's a server config issue but access is pretty much limited to .htaccess and php.ini .... I haven't touched php or apache in a while and am a little lost... any help would be greatly appreciated
This does sound like a mod_security type issue. And, as you have found, you are unable to disable mod_security on the free hosting platform.
I have encountered mod_sec rules on a number of shared hosts that simply block the request based on certain parameter names (supposedly blocking common XSS attempts). url is a common one. site is another. Simply changing the parameter name might be all that's required.
"Free" hosting accounts are always going to have some restrictions. If this is the only thing that holds you back then you are lucky.
I have an application which allows users to share there notes.
The front end is written in php and back end is driven by mysql database. The front end has an edit section, which is using Ueditor (web based editor). The problem is that if I am trying to edit small amount of data on the server it will work, but if I am trying to edit huge amount of data it will not work and shows this error.
Forbidden
You don't have permission to access /editnotes.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Additionally it is working perfectly alright in local host.
The ErrorDocument directive, when supplied a local URL path, expects the path to be fully qualified from the DocumentRoot.
Have this in your .htaccess file
ErrorDocument 403 /errorpagedir/403page.html
/errorpagedir/403page.html is your 403 error page.
I am having a problem like this:
403 Forbidden on PHP page called with url encoded in a $_GET parameter
I am getting "403 forbidden" error
When i pass a url as a GET variable like this
http://script/test.php?url=https://stackoverflow.com/questions/ask
But this is ok.
http://script/test.php?url=stackoverflow.com/questions/ask
And even if i urlencode the url it still gives me a 403.
Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at ----- Port 80
And I don't think this server has mod_security enabled, Because when I add SecFilterEngine Off in htaccess I get "500 Internal Server Error".
Code snippet:
$URL = mysql_real_escape_string($_GET['url']);
mysql_query("INSERT INTO `url` ...");
So the question is, can I fix this without editing httpd.conf, because I don't have root privilege.
Thanks
Do you have access to the apache error log itself? If this is a cPanel system and you have shell access, try viewing the log /usr/local/apache/logs/error_log - mod_security errors will appear there. Otherwise, you can look inside your control panel to see if it picks up any error messages.
Even if mod_security is installed, you can still get a 500 error after putting SecFilterEngine in .htaccess if the keyword isn't allowed.
I recommend contacting your web host to determine whether mod_security is the cause. If it is, you can ask them to create an exception. (I work for a web hosting company, and we're almost always happy to make mod_security exceptions for reasonable applications)
If it's caused by mod_security and your web host won't create an exception, you either need to change hosting companies or find a different way to pass the url (base64 encoding might work for you)
For me the solution to this issue was by getting my host (hostgator) to create an exception for mod_security on my site. mod_security's used for blacklisting certain types of operations, and it seems $_GET requests containing urls (http://www.etc) was one, for whatever reason. As stated by lunixbochs most hosts will be happy to sort it out for you.
So, we've got PHP 5.3.2 installed on a Windows 2008 R2 Server. PHP.ini file is loaded, everything looks good on that end. We are also running IIS 7.5 and ISAPI_Rewrite. We have a PHP-based CMS installed and it runs dandy.
The problem lies with posting variables. Example:
We have a contact page: http://example.com/contact with a form that posts the variables on submit via PHP.
But then, when a user submits the form, it seems as if any page with variables POSTed (like this one) end up returning a 500 error.
EDIT I have another idea: Not sure whether it could have to do with the .htaccess files. This server gives 500 errors for, like, everything.
The CMS we're using passes everything through an index.php file, so our .htaccess file takes index.php out of the url so that urls are clean.
RewriteEngine on
RewriteCond $1 !^(images|documents|admin|themes|favicon\.ico|robots\.txt|index\.php) [NC]
RewriteRule ^(.*)$ /index.php/$1 [L]
The headers for the posted-to page are as follows:
Request URL:http://domain.com/
Request Method:POST
Status Code:500 Internal Server Error
**Request Headers**
Accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Content-Type:application/x-www-form-urlencoded
I could be way off here, but is there some sort of regex or setting I missed in IIS that any .php file with post variables is just not assigned to get picked up by PHP?
*EDITS / UPDATES *
I RDC'd into the computer to test, and also turned on Detailed error reporting.
The website, with clean URLs, works fine until submitting a form.
Server error: HTTP Error 500.0 - Internal Server Error
The FastCGI process exceeded configured activity timeout (it took a while)
Handler: PHP5
And then in the logs:
2011-01-12 16:57:56 10.64.181.170 POST /index.php/ - 80 - 10.64.181.170 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1; +WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727; +.NET4.0C;+.NET4.0E) 500 0 258 82850
--Steph
I encountered this today on a customer website.
This customer was using UMBRACO as their CMS and had a large web.config file in the root of the site.
My background is in Linux rather than Windows, however after randomly shotgun-removing lines from the web.config, I discovered the problematic line was something like:
<trace enabled="true" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
If you are still having this problem, check to see if you have a web.config in the root of the site with a line similar to this in it. Commenting it out seemed to do the trick, I'm not sure what it is used for.
IIS does not natively support .htaccess files and rewrite rules. To work around that you need to:
Install URL Rewrite for IIS
In IIS manager for your site double-click URL Rewrite
Click Import Rules
Locate your .htaccess file on the disk
Click Import
Review and click Apply
IIS rewrite rules will get saved as web.config XML file. Conversion works out-of-the-box for most rewrite rules.
Since it's a friday, I can't ask my host about this, but apparently, all the .php pages on my websites are giving out the "Internal Server Error"... this started just now, I was not on my admin cp, I did 0 changes to my website today, in fact, I changed nothing for about a week now.
I host a few forums and got alerted by some users just now who were browsing and suddenly this happens.
The website in question:
cudamine.com
The error:
Internal Server Error
The server encountered an internal
error or misconfiguration and was
unable to complete your request.
Please contact the server
administrator, xxx#email.com and
inform them of the time the error
occurred, and anything you might have
done that may have caused the error.
More information about this error may
be available in the server error log.
Additionally, a 404 Not Found error
was encountered while trying to use an
ErrorDocument to handle the request.
I use cPanel X.
Should I be worried about this? Some sort of attack or something? All HTML pages work fine, it's just .php that seems to have this issue, is this a problem on my hosts end, or can I do anything about this before monday? Thanks guys, and sorry if this is the wrong place to ask. It's just that I don't want to have no site for the whole weekend...
After reading up on the web about similar situations, I found some info on the .htaccess file, I found the file and this is what's in it:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^cudamine.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.cudamine.com$
RewriteRule ^santa\-maria\/forum\/?(.*)$ "http\:\/\/cudamine\.com\/santa\-maria\/\?page_id\=7\/$1" [R=301,L]
Those two RewriteCond are 2 of my links that use php... I tried deleting this file, nothing changed though.
Definitely check the error log (should be available in CPanel).
One common occurrence I see is when a host enables SuPHP (suexec for PHP scripts) and you have group writable scripts or directories containing scripts.
If your error log shows anything like "Apache SoftException", then this is the most likely cause. You need to change the filesystem permissions on your scripts and directories to remove the group "write" bit.
Another possible cause is your host has disabled mod_rewrite or removed the appropriate overrides (FileInfo) to use the Rewrite* directives.
PHP may be writing its error log elsewhere than the standard Apache error_log. You can retrieve the log's location with ini_get('error_log'). If the value's something other than "syslog", PHP is writing its errors to a file of the same name.