[Tutorial] How to block XMLPRC.php in OLS

qtwrk

Hi,

In Apache , we used to use `deny from all` directive to deny access to xmlrpc.php , but this directive doesn't work in OLS, so there is an alternative way to do

In your .htaccess file , add following code

RewriteRule xmlrpc - [F,L]

And then restart OLS, then when you access /xmlrpc.php , you will have a 403 forbidden result

Best regards,

qtwrk

Type your comment> @sailorrr said:
> Hi, thank you, but how to deny access to multiple files?

https://openlitespeed.org/kb/access-control/

sailorrr

Yes, I found this, thanks. But when I tried to use context for that - it doesn't works for some reason. Will appreciate any advice or direction.

qtwrk

then you need to enable debug log for it

or try rewrite rule way

sailorrr

# Allow only server IP to run wp-cron.php and deny the rest of the world

RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule wp-cron.php$ - [F,L]

This doesn't work, can you give me the right direction please? I think it would be nice to add in your tutorial above.

qtwrk

if only

RewriteRule wp-cron.php$ - [F,L]

does it work ?

then create a phpinfo page, to check the actual value of remote_addr , sometimes if behind proxy , the IP might be different

sailorrr

Just:

RewriteRule wp-cron.php$ - [F,L]

Doesn't work as well... Still loads white page instead of 403

While this:

RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|readme.html|readme.txt|license.txt|wp-trackback.php|wp-config.php|php.ini|xmlrpc.php [NC]
RewriteRule .* - [F,L]

Works just fine and shows 403. What is the problem it can be?

qtwrk

what was the URI you entered ? was this placed at top of your htaccess ? did you restart OLS ?

sailorrr

Initially I placed this at the bottom, but now just moved it at the top. No difference. I'm editing Rewrite Rules in Cyberpanel, so it should automatically restart OLS when Rewrite Rules changed isn't it? And also I pressed Reboot Litesspeed button as well. It doesn't help. But I didn't really understand your question about URI.

And this works just perfect right after saving rules:

RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|readme.html|readme.txt|license.txt|wp-trackback.php|wp-config.php|php.ini|xmlrpc.php [NC]
RewriteRule .* - [F,L]

qtwrk

did you access it by "wp-cron.php" only ? or like "wp-cron.php?doing_cron......" ?


this is more like rewrite rule didn't match the pattern

you can enable OLS debug log , to see what exactly OLS understood that regex and fix on it

sailorrr

So, I want to block any external access to Domain.com/wp-cron.php
But to allow when server's cron calling to Domain.com/wp-cron.php?doing_cron......
and yes I access it by "wp-cron.php" only

qtwrk

you need to enable debug log

see how OLS responded to the rewritecond and rewriterule


it will something like

RewriteCond : value XXXXX check against XXXXX : match X

where after match it will show a number , negative number means no match , positive number means matched


so is same to RewriteRule

it will say something like

rewrite rule : URI xxxx , check against pattern xxxxx , match X

this will help you to debug rewrite rule

sailorrr

Debug log in OLS panel or somewhere in Cyberpanel?

sailorrr

Just one moment - when I add wp-cron.php to this sentention:

RewriteCond %{REQUEST_URI} xmlrpc.php|wp-cron.php [NC]
RewriteRule .* - [F,L]

It works. But doesn't works in:

RewriteRule wp-cron.php$ - [F,L]

qtwrk

that one actually works on me


```
2021-03-05 19:14:09.446991 [INFO] [29812] [xxx:51931-Q:49B5225303773A50-3#xxx] [REWRITE] strip base: '/' from URI: '/wp-cron.php'
2021-03-05 19:14:09.447071 [INFO] [29812] [xxx:51931-Q:49B5225303773A50-3#xxx] [REWRITE] Rule: Match 'wp-cron.php' with pattern 'wp-cron.php$', result: 1
```


like I said , enable debug log for rewrite rule , it will log each steps for how it checks

sailorrr

Some news: Domain.com/wp-cron.php?doing_wp_cron - gives 403,
but just a Domain.com/wp-cron.php - gives white page reloading...
And for some reason I have zero [REWRITE] INFO in my logs

My rules looks like:

RewriteCond %{SERVER_ADDR} !^123\.123\.123\.123
RewriteRule wp-cron.php$ - [F,L]

qtwrk

you need to go to webadmin console -> vhost -> your domain -> rewrite -> rewrite log , set to 9


https://www.litespeedshare.net/2021/03/7f10cd-ScreenShot2021-03-05_19.23.26.png


restart it

then check on /usr/local/lsws/logs/error.log

sailorrr

Yes, did it exactly as you said. No such (REWRITE) records...

qtwrk

then you got weirder issue

can try enable full debug log on OLS , that will tell every single action from start up

sailorrr

Yes, did it, and still have only Info/Notice records without a single rewrite record...

qtwrk

go to server conf -> log

set Log Level to DEBUG

set Debug Level to HIGH

sailorrr

and this moment is confusing:

RewriteCond %{SERVER_ADDR} !^123\.123\.123\.123
RewriteRule wp-cron.php$ - [F,L]

Why it gives 403 if I request /wp-cron.php?doing_cron
But it doesn't restrict access if I request just /wp-cron.php

sailorrr

Yes, yes. Exactly like this:

go to server conf -> log
set Log Level to DEBUG
set Debug Level to HIGH

qtwrk

you can combine the server add with request uri in rewrite cond , so you can get rid of wp-cron.php in rewrite rule

sailorrr

Please can you show an example? And thanks for your time and patience :)

qtwrk

RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteCond %{REQUEST_URI} xmlrpc.php|wp-cron.php [NC]
RewriteRule .* - [F,L]


somethign like this

this means , if request url is wp-cron or xmlrpc , and client ip is not 123.123.123.123 , then 403

sailorrr

is {SERVER_ADDR} possible here instead of {REMOTE_ADDR} ?

qtwrk

https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond


you need to check this doc first

qtwrk

server addr is the server itself

when request to a page, it is always a remote addr , even it is from 127.0.0.1 or server itself's public/private ip

sailorrr

Ok, you tired of me )) I will try to recognize these admin's hieroglyphs :)
Thanks for your help!

sailorrr

Ok, got it. Thanks you.