Silverstripe 3.x - All form submissions throw a 403 error - silverstripe

I recently migrated a Silverstripe 3 site to a new server and now all form submissions on the site throw a 403 Forbidden (nginx) error.
I've read references to this symptom, but can find no leads which seem to apply to my situation, as none of them change the behavior. However, my web host does suggest it could be a .htaccess issue.
My .htaccess file at the site root is as follows:
### SILVERSTRIPE START ###
<Files *.ss>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files web.config>
Order deny,allow
Deny from all
</Files>
# This denies access to all yml files, since developers might include sensitive
# information in them. See the docs for work-arounds to serve some yaml files
<Files ~ "\.ya?ml$">
Order allow,deny
Deny from all
</Files>
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html
<IfModule mod_alias.c>
RedirectMatch 403 /silverstripe-cache(/|$)
RedirectMatch 403 /vendor(/|$)
RedirectMatch 403 /composer\.(json|lock)
</IfModule>
<IfModule mod_rewrite.c>
SetEnv HTTP_MOD_REWRITE On
RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.*)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !\.php$
RewriteRule .* framework/main.php?url=%1 [QSA]
RewriteCond %{REQUEST_URI} ^(.*)/framework/main.php$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . %1/install.php? [R,L]
</IfModule>
### SILVERSTRIPE END ###

Have you checked your $allowed_actions property in the Controller?
In SilverStripe 3.1.0 you need to define $allowed_actions as a private static.
See the following link for more info:
http://doc.silverstripe.org/framework/en/changelogs/3.1.0 on Upgrading (info below)
Statics in custom Page classes need to be "private"
Requires action on every SilverStripe installation.
Typical error message: Access level to ErrorPage::$db must be public
Related to the configuration change described above, many statics in core are now marked with private visibility. While PHP allows making variables more visible (e.g. from "private" to "public"), it complains if you try to restrict visibility in subclasses. The core framework extends from the Page class in your own codebase (mysite/), which means you need to change those statics to private yourself. The same rules apply to controllers subclassed from Page_Controller.
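The $allowed_actions declaration the answer above refers to, shown as an added example (not code from the original post or from the SilverStripe project). The names ContactPage, ContactForm, doSubmit and the Recipient field are hypothetical.

```php
<?php
// Added illustration for SilverStripe 3.1+; class, form and handler names are hypothetical.
class ContactPage extends Page
{
    // 3.1 changelog: statics in custom Page classes must be private.
    private static $db = array(
        'Recipient' => 'Varchar(255)',
    );
}

class ContactPage_Controller extends Page_Controller
{
    // Must be "private static" in 3.1+. The form factory method is listed here
    // because the form posts back to <page-url>/ContactForm; an action missing
    // from this list is refused with a 403 response.
    private static $allowed_actions = array(
        'ContactForm',
    );

    public function ContactForm()
    {
        $fields = new FieldList(
            new TextField('Name'),
            new EmailField('Email'),
            new TextareaField('Message')
        );
        $actions = new FieldList(new FormAction('doSubmit', 'Send'));
        $validator = new RequiredFields('Name', 'Email');

        // The second argument must match the method name and the
        // $allowed_actions entry, since it becomes the form's URL segment.
        return new Form($this, 'ContactForm', $fields, $actions, $validator);
    }

    // Submit handlers are dispatched by the Form object itself, so doSubmit
    // is not listed in $allowed_actions.
    public function doSubmit($data, Form $form)
    {
        // Process $data here (store it, send mail, ...).
        $form->sessionMessage('Thanks, your message was received.', 'good');
        return $this->redirectBack();
    }
}
```

After changing a static, request the site once with ?flush=1 so the cached configuration is rebuilt.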

Related

Limiting access to Wordpress login through the .htaccess file is not blocking anyone

I have been trying to edit the rules for my Wordpress site through the .htaccess file. I've tried several different options with no luck. My goal is to make the wp-login.php page accessible only to a certain list of IP addresses. Each method I've tried results in no change, meaning even if I put in a bogus IP address as the only one to be allowed access, I can still get to the page from any device.
These are the methods I have tried:
Adding this to the root .htaccess file
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>
And this to the wp-admin .htaccess file
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
I've also tried this in the wp-admin .htaccess file:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist IP address
allow from xx.xx.xx.xxx
</LIMIT>
This option in the root .htaccess file:
# BEGIN wp-admin restriction based on IP address
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
RewriteRule ^(.*)$ - [R=403,L]
# END IP restriction
I'm not very familiar with .htaccess rules. Each of these options was tried at the beginning and the end of the files. The only other code in the file is:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Any ideas on what I am doing incorrectly?
For anyone else that ran into this issue. I was never able to get the .htaccess file to work. I tried adding the access rules to the web.config file and had some issues there as well, however I eventually found a way to add access rules through the IIS Manager using IP Address and Domain Restrictions. I did have to install that feature as it wasn't in my list of options right away however it worked right away and I noticed that after installing it, making changes to my web.config file also started working.

.htaccess files directive not working to block all IPs but allow mine

I have several wordpress sites installed in their respective directories under public_html/ and I want to restrict access to public_html/dev/wp-login.php. The dev folder is the root of the WordPress installation for that site.
Since I have Apache 2.4.12 I updated the blocking directive to the new syntax... here's public_html/dev/.htaccess now
<Files wp-login.php>
Require all denied
# Whitelist my IP
Require ip xxx.xxx.xxx.xxx
</Files>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
This setup will block access to all IPs, not allowing mine. Removing it leaves wp-login.php accessible to all.
Is there something wrong within this code itself? Is something else interfering with it?
The moment it sees Require all denied (or Deny from all) everything stops.
I've checked, double- and triple-checked my IP.

Editing WP htaccess Control

I'm currently using the WP htaccess Control plugin for my WordPress website and I would like to make a modification to its code. Presently, each page is accessible via multiple URL structures. For example, site.com/page/ is accessible, as is site.com/page.
I would like to set up the htaccess so that the non-trailing-slash URL redirects to the trailing slash, for every page of the site.
I believe I have the code, but I've seen a couple different variations. I want to make sure I implement the right one, plus I'm not exactly sure how it should be done with this particular plugin.
Do I just add the additional lines to the "custom" section? To my understanding it has to be placed with the rewrite rules, but the custom code I can input only goes to the top.
Currently, the following line is in "custom htaccess":
php_value memory_limit 96M
the entire file is:
# BEGIN WordPress
# WPhtc: Begin Custom htaccess
php_value memory_limit 96M
# WPhtc: End Custom htaccess
# WPhtC: Disable ServerSignature on generated error pages
ServerSignature Off
# WPhtC: Protect WP-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# WPhtC: Protect .htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
thank you

.htaccess auth files with wordpress

I'm trying to use basic .htaccess authentication in a subdirectory of the root where Wordpress is installed. The problem is the same as this question. The root .htaccess file that Wordpress uses for permalinks doesn't play nice with a .htaccess file I have in a subdirectory that requires authentication.
However, the solution does not work, and even if it did, I cannot use that solution. This is because Wordpress's htaccess generation overwrites anything I put in that section.
What it generates is:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
And what I would like to stick in that RewriteCond list is
RewriteCond %{REQUEST_URI} !(^/admin(/.*)?$)
Navigating to http://www.example.com/admin should use the .htaccess file in that directory to authenticate the user. eg:
AuthName "Admin Area"
AuthType Basic
AuthUserFile "/home/.htpasswd"
AuthGroupFile "/home/.htgroups"
require valid-user
Navigating to http://www.example.com/anywhereelse should redirect to index.php
As it is, I can't even get the RewriteCond shown here to work. It always just shows the 404 page when going into the /admin directory, unless I remove the require valid-user line from the admin .htaccess file. One thing to note is that on that 404 page, the response still contains the WWW-Authenticate header.
So main questions are:
How can I make this work?
Why doesn't it just work as is? Why do I need to exclude the /admin directory?
I've found a solution here. Adding
ErrorDocument 401 default
To the root .htaccess file outside of the section that Wordpress edits seems to have fixed the issue. I'm not sure if it's the best option though. If there are any better solutions, please feel free to post them.

htpasswd on wordpress

I'm trying to develop a web page based on WordPress. I have done many locally, but I want to try putting this one into production in the cloud, and I want to close off access to the page with .htpasswd.
I read a lot of articles, and I'm following these steps:
Installing WordPress, etc.
At point 2, I tried a few things:
Manually create an .htaccess in the root and put:
<Files .htaccess>
order allow,deny
deny from all
</Files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/directoryname1/(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/directoryname2/(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/failed_auth.html$
RewriteRule ^.*$ - [L]
</IfModule>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
AuthName "Texto al gusto"
AuthUserFile /test/.htpasswd
AuthType basic
Require valid-user
Or use some plugins to edit the .htaccess, because maybe I was deleting some line when uploading mine.
I tried deleting some paragraphs in the .htaccess: the WordPress one, because I don't have permalinks active, and others.
I put the .htpasswd in the test folder and all is correct.
I refresh my web page and the .htaccess popup appears; I enter the user and password and then this always appears:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webadmin#kundenserver.de and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
