Wrong Apache Error codes!?

Discussion in 'Server Operation' started by zapyahoo, Apr 23, 2020.

  1. zapyahoo

    zapyahoo Member

    Maybe someone can give ideas on how to solve this nagging issue.

    I have an IP nagging thousands of hits a day... and it's a really old issue, so old that the hits are aimed at pages that do not exist anymore and are done via http 80.

    Over the years the website does not accept http anymore and only accepts https 443. This is done via ispconfg->website->Rewrite HTTP to HTTPS->On

    This ip is being denied via .htaccess deny from xxx.xxx.xxx.xxx

    So, this is what happening, since the vhost redirect http to https takes precedence over the .htaccess the ip hit first gets redirected with 301 followed by a 500 (internal server error). This only happens to this legacy http links, if the request is https it works fine... goes straight to 403 denied.

    I would not like to use ip tables, would rather just use .htaccess per site... and still the error code 500 is just weird.

    Any thoughts?
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    This is done via ispconfg->website->Rewrite HTTP to HTTPS->On

    you could try removing this rewrite, so that it's not in the vhost config, and recreate it in the .httaccess file instead.
    some config settings depend on order, some don't, so I don't know if it'll make a difference....

    alternatively, you could just stop listening on port 80 completely, and thus only allow direct https requests. not sure how feasible that is for you though..

    what's the issue with using iptables/ufw instead? blocking the access there would avoid then having the unnecessary processing by apache / .htaccess.
  3. zapyahoo

    zapyahoo Member

    Thanks nhybgtvfr,
    Ip tables is a monster for known static ip networks and Ip's. I don't use it because of daily fresh proxy ip's specially coming from bots.
    In .htaccess I can simply discard these temporary proxy ip's and block requests via user-agent example:

    BrowserMatchNoCase VelenPublicWebCrawler bad_bot
    BrowserMatchNoCase Go-http-client bad_bot
    BrowserMatchNoCase SemrushBot bad_bot
    Deny from env=bad_bot

    But hey, that's just my 5 cents.

    That's a good idea "removing this rewrite, so that it's not in the vhost config, and recreate it in the .httaccess file instead"... I will test it.
    Last edited: Apr 23, 2020
  4. zapyahoo

    zapyahoo Member

    That works.
    Now I get I proper straight 403 without 301 redirect since the deny in .htaccess processes before the:
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    Much faster. Thanks.

Share This Page