xataface urls blocked by hosting service provider

A place for users and developers of the Xataface to discuss and receive support.

xataface urls blocked by hosting service provider

Postby razzetto » Sat Jul 28, 2012 6:00 am

Hi steve, hi all.

first of all thanks again for this framework, and for its documentation (i really could configure everything to suit my needs).

the installation on the hosted server was a little trauma for me but i could install xataface at last.

i was very happy but just for a while : a stupid configuration on the server is giving me a server error 406 on all pages.

the problem is in how requests are formatted : the server is blocking requests with the dash appanded to 'php?'

to explain it better :

Code: Select all
http://www.mysite.it/sportello/index.php?-table=formazione_professionale
is a bad request and gives a 406 error

while
Code: Select all
http://www.mysite.it/sportello/index.php?table=formazione_professionale
would be a good request.


now.. my skills really stop here. i just suppose i could rewrite urls in some way, but i don't know how to get xataface respond to reformatted urls.
(and don't know if this is possible.. perhaps it's a great waste of time and it's just better to change service provider).

Any suggestion?

thanx.

paolo
razzetto
 
Posts: 16
Joined: Thu Jul 12, 2012 6:58 pm

Re: xataface urls blocked by hosting service provider

Postby razzetto » Sat Jul 28, 2012 6:34 am

well.. i took a look here http://xataface.com/wiki/URL_Conventions

and seems the only option is to change provider
razzetto
 
Posts: 16
Joined: Thu Jul 12, 2012 6:58 pm

Re: xataface urls blocked by hosting service provider

Postby shannah » Sat Jul 28, 2012 1:01 pm

What hosting provider? I've had problems with Godaddy recently blocking requests with the -table parameter. It is absolutely ridiculous that the hosting provider would step in at this level to block requests.

I have also, though, heard of people getting their hosting providers to remove these restrictions when they run into them. That is *if* you can get the hosting provider to understand that it is, in fact, their problem. I recently had a client switch from GoDaddy to Dreamhost with a similar issue. GoDaddy support just couldn't be convinced that it was their problem. It was probably just the particular tech that the client was dealing with.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: xataface urls blocked by hosting service provider

Postby razzetto » Sun Jul 29, 2012 1:33 pm

it's an italian hosting service provider, tophost.it

i must admit that prices are really low (just because this provider started a price-war in this segment , some years ago).

anyway tech assistance is extremely ridicolous.

i opened 2 tickets trying to explain my point of view, but nothing to do. the second ticket was closed in less than one minute (the tech took about 40 seconds, including reading my message and answering).

well.. i'll switch to ovh (hoping that their systems aren't so snob about hyphens.. )
razzetto
 
Posts: 16
Joined: Thu Jul 12, 2012 6:58 pm

Re: xataface urls blocked by hosting service provider

Postby goxatago » Mon Jul 30, 2012 12:29 am

Hello,

Same problem with the US based provider Dotster (old 000domains.com)
The xataface installation was smooth - no problems at all.

In my case I had access to the web server logs. This is part of my message to tech support:

//

I receive a "403 error - access denied" when I click on
http://www.xxxx.com/zzzz/db/index.php?- ... ust_id%3D1
I believe the server perms are correct.

The error log of your server shows that apache modsecurity thinks this is a php exploit, which is not.

[Tue cc:cc:cc:cc] [error] [client xx.xx.xxx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^-" at QUERY_STRING. [msg "php exploit"] [hostname "www.xxxx.com"] [uri "/zzzz/db/index.php?-table=customers&-action=browse&-cursor=0&-skip=0&-limit=30&-mode=list&-recordid=customers%3Fcust_id%3D1"] [unique_id "5hl@jMaRKz"]

Then, In my .htaccess, in order to disable modsecurity I added the line

SecFilterEngine Off

but this creates an Internal server error 500 with the message

[Tue cc cc:cc:cc] [alert] [client xx.xx.xx.xx] /usr/local/pem/vhosts/259303/webspace/httpdocs/zzzz/db/.htaccess: Invalid command 'SecFilterEngine', perhaps mis-spelled or defined by a module not included in the server configuration, referer: http://www.xxxxx.com/zzzzz/db/index.php

I understand that this is a security setting but I need to be able to override it only for this particular directory.

///

Their canned reply follows:

///

Thank you for contacting Customer Care,

I'm sorry to hear that you're having difficulty with the design and functionality of your website. This error appears to be due to coding, and unfortunately technical support does not support coding, web design nor web development and this falls into that realm. I apologize for any inconvenience.

///

No escalation, no additional questions. I explained to them that I was using this framework in other servers w/o any problems and that there was no security issue, but no luck.

I am switching hosts as soon as this subscription ends.

S.
goxatago
 
Posts: 14
Joined: Fri Jul 09, 2010 2:08 am

Re: xataface urls blocked by hosting service provider

Postby shannah » Mon Jul 30, 2012 9:57 am

Thanks for the update. This is Dotster? Wow. Just wow. That is utterly ridiculous, blocking all requests where the query string begins with "-".
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: xataface urls blocked by hosting service provider

Postby shannah » Mon Jul 30, 2012 10:16 am

Here is a workaround that should fix the URLs in most cases. Some urls may be hardcoded with a "-" at the beginning of the query string that may need to be changed, but this should fix 99% of them.

Step 1: If you are using Xataface version 1.3.x, update your Dataface/Application.php file to the latest from the 1.3.x branch as it contains a fix to allow registering of URL filters. You can get the latest from
http://weblite.ca/svn/dataface/core/bra ... cation.php

Step 2: In your application delegate class, create a method that takes a URL as input, and outputs a URL that is "safe" for your mod_security settings. e.g.

Code: Select all
function patchUrl($url){
    return str_replace('?-', '?foo=bar&-', $url);
}


Step 3: Register this method as a URL filter inside your application delegate class's beforeHandleRequest() method. E.g.
Code: Select all
function beforeHandleRequest(){
    $app = Dataface_Application::getInstance();
    $app->registerUrlFilter(array($this, 'patchUrl'));
   
}



An example full application delegate:
Code: Select all
<?php
class conf_ApplicationDelegate {

    function patchUrl($url){
        return str_replace('?-', '?foo=bar&-', $url);
    }

    function beforeHandleRequest(){
        $app = Dataface_Application::getInstance();
        $app->registerUrlFilter(array($this, 'patchUrl'));
   
    }
}


This will change it so that URLs will usually be generated in the form index.php?foo=bar&-table=xxxx&-action=yyyy instead of index.php?-table=xxx&-action=yyy

This will at least get around the mod_security rule that you quoted here. There may be other rules that they have added that could cause problems though. One hurdle at a time.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: xataface urls blocked by hosting service provider

Postby razzetto » Thu Aug 16, 2012 9:00 am

hi.

thanks, again, Steve (i came back now from vacations and - voilà - i found your solution).

i'll give it a try (even if i'm getting irritated from lack of support from the so-called support service of my hosting provider).

for now, i'm testing it locally and i get this error

Code: Select all
Fatal error: Call to undefined function df_IPv4To6() in D:\xampp\htdocs\xataface-1.3.2\Dataface\Application.php on line 1665


any idea? perhaps i need to upgrade some other file?

thanks. Paolo
razzetto
 
Posts: 16
Joined: Thu Jul 12, 2012 6:58 pm

Re: xataface urls blocked by hosting service provider

Postby razzetto » Thu Aug 16, 2012 2:35 pm

ok . the definition of this function is in a file: public-api.php

the link to the file is http://weblite.ca/svn/dataface/core/trunk/public-api.php

after the download, i renamed it to dataface-public-api, and everything (seems) going good.
razzetto
 
Posts: 16
Joined: Thu Jul 12, 2012 6:58 pm


Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 1 guest

Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved