[Tutorial] How to block xmlrpc.php in OLS — CyberPanel - WebHosting Control Panel for OpenLiteSpeed
CyberHosting

[Tutorial] How to block xmlrpc.php in OLS

edited May 2019 in Tutorials
Hi,

In Apache, we used to use the `deny from all` directive to deny access to xmlrpc.php, but this directive doesn't work in OLS, so there is an alternative way to do it.

In your .htaccess file, add the following code:

```
RewriteRule xmlrpc - [F,L]
```

Then restart OLS; when you access /xmlrpc.php, you will get a 403 Forbidden result :)

Best regards,

Comments

  • @sailorrr said:
    > Hi, thank you, but how to deny access to multiple files?

    https://openlitespeed.org/kb/access-control/
  • Yes, I found this, thanks. But when I tried to use a context for that, it doesn't work for some reason. Will appreciate any advice or direction.
  • then you need to enable debug log for it

    or try rewrite rule way
  • # Allow only server IP to run wp-cron.php and deny the rest of the world

    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
    RewriteRule wp-cron.php$ - [F,L]

    This doesn't work, can you give me the right direction please? I think it would be nice to add in your tutorial above.
  • if only

    RewriteRule wp-cron.php$ - [F,L]

    does it work ?

    then create a phpinfo page to check the actual value of remote_addr; sometimes, if behind a proxy, the IP might be different
  • edited March 5
    Just:

    RewriteRule wp-cron.php$ - [F,L]

    Doesn't work either... Still loads a white page instead of 403

    While this:

    RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|readme.html|readme.txt|license.txt|wp-trackback.php|wp-config.php|php.ini|xmlrpc.php [NC]
    RewriteRule .* - [F,L]

    Works just fine and shows 403. What can the problem be?
  • what was the URI you entered ? was this placed at top of your htaccess ? did you restart OLS ?
  • edited March 5
    Initially I placed this at the bottom, but now I just moved it to the top. No difference. I'm editing Rewrite Rules in CyberPanel, so it should automatically restart OLS when Rewrite Rules are changed, shouldn't it? I also pressed the Reboot LiteSpeed button as well. It doesn't help. But I didn't really understand your question about the URI.

    And this works just perfect right after saving rules:

    RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|readme.html|readme.txt|license.txt|wp-trackback.php|wp-config.php|php.ini|xmlrpc.php [NC]
    RewriteRule .* - [F,L]
  • did you access it by "wp-cron.php" only ? or like "wp-cron.php?doing_cron......" ?


    this is more like rewrite rule didn't match the pattern

    you can enable OLS debug log , to see what exactly OLS understood that regex and fix on it
  • edited March 5
    So, I want to block any external access to Domain.com/wp-cron.php
    But to allow when server's cron calling to Domain.com/wp-cron.php?doing_cron......
    and yes I access it by "wp-cron.php" only
  • you need to enable debug log

    see how OLS responded to the rewritecond and rewriterule


    it will be something like

    RewriteCond : value XXXXX check against XXXXX : match X

    where after match it will show a number , negative number means no match , positive number means matched


    the same goes for RewriteRule

    it will say something like

    rewrite rule : URI xxxx , check against pattern xxxxx , match X

    this will help you to debug rewrite rule
  • Debug log in OLS panel or somewhere in Cyberpanel?
  • Just one moment - when I add wp-cron.php to this sentence:

    RewriteCond %{REQUEST_URI} xmlrpc.php|wp-cron.php [NC]
    RewriteRule .* - [F,L]

    It works. But it doesn't work in:

    RewriteRule wp-cron.php$ - [F,L]
  • that one actually works for me


    ```
    2021-03-05 19:14:09.446991 [INFO] [29812] [xxx:51931-Q:49B5225303773A50-3#xxx] [REWRITE] strip base: '/' from URI: '/wp-cron.php'
    2021-03-05 19:14:09.447071 [INFO] [29812] [xxx:51931-Q:49B5225303773A50-3#xxx] [REWRITE] Rule: Match 'wp-cron.php' with pattern 'wp-cron.php$', result: 1
    ```


    like I said, enable debug log for rewrite rules; it will log each step of how it checks
  • edited March 5
    Some news: Domain.com/wp-cron.php?doing_wp_cron - gives 403,
    but just a Domain.com/wp-cron.php - gives white page reloading...
    And for some reason I have zero [REWRITE] INFO in my logs

    My rules look like:

    RewriteCond %{SERVER_ADDR} !^123\.123\.123\.123
    RewriteRule wp-cron.php$ - [F,L]
  • you need to go to webadmin console -> vhost -> your domain -> rewrite -> rewrite log , set to 9


    https://www.litespeedshare.net/2021/03/7f10cd-ScreenShot2021-03-05_19.23.26.png


    restart it

    then check on /usr/local/lsws/logs/error.log
  • Yes, did it exactly as you said. No such (REWRITE) records...
  • then you got weirder issue

    can try enable full debug log on OLS , that will tell every single action from start up
  • Yes, did it, and still have only Info/Notice records without a single rewrite record...
  • go to server conf -> log

    set Log Level to DEBUG

    set Debug Level to HIGH
  • and this moment is confusing:

    RewriteCond %{SERVER_ADDR} !^123\.123\.123\.123
    RewriteRule wp-cron.php$ - [F,L]

    Why it gives 403 if I request /wp-cron.php?doing_cron
    But it doesn't restrict access if I request just /wp-cron.php
  • Yes, yes. Exactly like this:

    go to server conf -> log
    set Log Level to DEBUG
    set Debug Level to HIGH
  • you can combine the server addr with request uri in rewrite cond, so you can get rid of wp-cron.php in the rewrite rule
  • Please can you show an example? And thanks for your time and patience :)
  • RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
    RewriteCond %{REQUEST_URI} xmlrpc.php|wp-cron.php [NC]
    RewriteRule .* - [F,L]


    something like this

    this means , if request url is wp-cron or xmlrpc , and client ip is not 123.123.123.123 , then 403
  • is {SERVER_ADDR} possible here instead of {REMOTE_ADDR} ?
  • edited March 5
    https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond


    you need to check this doc first
  • server addr is the server itself

    when a request is made to a page, it is always a remote addr, even if it is from 127.0.0.1 or the server's own public/private IP
  • Ok, you tired of me )) I will try to recognize these admin's hieroglyphs :)
    Thanks for your help!
  • Ok, got it. Thank you.
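As an added illustration (not code from this thread or from OLS), here is a small Python model of how the RewriteCond lines discussed above are evaluated. It assumes the placeholder server IP 123.123.123.123 used in the thread and the mod_rewrite semantics that conditions are ANDed and that REQUEST_URI excludes the query string, and it shows why the %{SERVER_ADDR} variant gives the same answer for every client while the %{REMOTE_ADDR} variant allowlists only the server.

```python
import re
from dataclasses import dataclass

ALLOWED_IP = "123.123.123.123"   # placeholder server IP used throughout the thread

@dataclass
class Request:
    remote_addr: str   # %{REMOTE_ADDR}: the address that sent the request
    server_addr: str   # %{SERVER_ADDR}: the address the server itself listens on
    request_uri: str   # %{REQUEST_URI}: path only, query string already stripped

def rewrite_cond(value, pattern, negate=False, nocase=False):
    """One RewriteCond line: regex search of value; '!' negates, [NC] ignores case."""
    flags = re.IGNORECASE if nocase else 0
    matched = re.search(pattern, value, flags) is not None
    return (not matched) if negate else matched

def evaluate(conds, req):
    """RewriteConds are ANDed; if all hold, 'RewriteRule .* - [F,L]' fires -> 403."""
    return 403 if all(cond(req) for cond in conds) else 200

# Rule set the helper finally recommended (keyed on REMOTE_ADDR).
# Note: the unescaped '.' in the URI pattern matches any character; it is a
# substring match, so /blog/xmlrpc.php is caught as well as /xmlrpc.php.
REMOTE_ADDR_RULES = [
    lambda r: rewrite_cond(r.remote_addr, r"^123\.123\.123\.123", negate=True),
    lambda r: rewrite_cond(r.request_uri, r"xmlrpc.php|wp-cron.php", nocase=True),
]

# The variant the asker tried, keyed on SERVER_ADDR.
SERVER_ADDR_RULES = [
    lambda r: rewrite_cond(r.server_addr, r"^123\.123\.123\.123", negate=True),
    lambda r: rewrite_cond(r.request_uri, r"xmlrpc.php|wp-cron.php", nocase=True),
]

def _request(client_ip, uri):
    # mod_rewrite matches REQUEST_URI without the query string
    return Request(client_ip, ALLOWED_IP, uri.split("?", 1)[0])

def remote_addr_decision(client_ip, uri):
    return evaluate(REMOTE_ADDR_RULES, _request(client_ip, uri))

def server_addr_decision(client_ip, uri):
    # SERVER_ADDR is the server's own IP no matter who connects, so the negated
    # condition is false for every client and the rule never fires.
    return evaluate(SERVER_ADDR_RULES, _request(client_ip, uri))

if __name__ == "__main__":
    for ip, uri in [("203.0.113.7", "/xmlrpc.php"), (ALLOWED_IP, "/wp-cron.php?doing_wp_cron")]:
        print(ip, uri, "REMOTE_ADDR:", remote_addr_decision(ip, uri),
              "SERVER_ADDR:", server_addr_decision(ip, uri))
```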