Score:1

Setting Apache header with conditions of excluding paths/directories / server IPs


I use a WordPress plugin called Duplicator Pro and the best way of installing with their installers is to use the server's IP rather than the domain because that way it autofills & connects to the server easier, while also not triggering multiple ModSecurity rules.

The best installation URL is:

http://111.222.333.444/~customcpanelaccount/customfolder/installer.php

Instead of:

https://website.com/customfolder/installer.php

If you load either of those files it automatically redirects you to:

/customfolder/dup-installer/main.installer.php

However because the server has the following Apache/LiteSpeed rule, it automatically redirects the http:// to https:// which causes it to throw up the following message:

Connect to Network

<IfModule mod_headers.c>
    Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>

I'm trying to figure out a way to make the above Apache/LiteSpeed rule only apply to domains, not direct IPs, OR to make it so it doesn't trigger when using the files installer.php and main.installer.php and the directory /dup-installer/.

It's a shame there is no FilesNotMatch / DirectoryNotMatch / LocationNotMatch type if statements.

Anyone have any ideas? I would greatly appreciate the help/advice!

Score:0

You could set an environment variable (e.g. DOMAIN_REQUESTED) if a domain is requested (as opposed to the IP address) and set the Header conditionally based on whether this env var is set by using the env= argument.

For example:

SetEnvIf Host "[a-z]" DOMAIN_REQUESTED
Header always set Content-Security-Policy "upgrade-insecure-requests;" env=DOMAIN_REQUESTED

If the Host header contains a character a-z then you must be requesting a domain name, not the IP address, in which case the DOMAIN_REQUESTED env var is set to 1.

However...

  • It seems odd that it would be preferable to install this over insecure HTTP using the server's IP address and a per-user web directory?! Per-user web directories (mod_userdir) are generally best avoided as they really mess with root-relative URL-paths.

  • If this is only for the installation process, can you not simply comment out that Header directive temporarily?

It's a shame there is no FilesNotMatch / DirectoryNotMatch / LocationNotMatch type if statements.

Well, there kind-of is, as you can use a negative-lookahead (or lookbehind) in the regex to determine when a match does not occur.

...OR to make it so it doesn't trigger when using the file of installer.php, main.installer.php and the directory of /dup-installer/

The Content-Security-Policy: upgrade-insecure-requests; HTTP response header only affects linked assets, not the top-level navigation. So this doesn't apply to installer.php and main.installer.php anyway. If these requests are being upgraded (or, more likely "redirected") then something else is doing that.
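Both conditions from the question combined with the env= approach from the answer, as an added example that is not part of the original answer. DOMAIN_REQUESTED is the answer's variable name and the paths are the ones in the question; Apache 2.4 with mod_setenvif and mod_headers, and a server reached over IPv4 as in the question, are assumptions.

```apache
# Added example (not from the original post). Assumes Apache 2.4 and an
# IPv4 server address as in the question.

<IfModule mod_setenvif.c>
    # A letter in the Host header means a domain name was requested.
    # SetEnvIfNoCase is used because SetEnvIf is case-sensitive and a
    # client may send the host name in upper case.
    # Caveat: an IPv6 literal such as [2001:db8::1] also contains
    # letters (hex digits), so it would be treated as a domain here.
    SetEnvIfNoCase Host "[a-z]" DOMAIN_REQUESTED

    # Exclude the installer: installer.php, main.installer.php and
    # anything below a /dup-installer/ directory. The leading "!"
    # removes the variable again if the line above set it.
    # Request_URI does not include the query string, so "$" anchors
    # at the end of the path.
    SetEnvIf Request_URI "/(?:dup-installer/|(?:main\.)?installer\.php$)" !DOMAIN_REQUESTED
</IfModule>

<IfModule mod_headers.c>
    # Sent only when DOMAIN_REQUESTED survived both tests above:
    #   https://website.com/any/page              -> header sent
    #   https://website.com/customfolder/installer.php -> no header
    #   http://<server-ip>/~account/...           -> no header
    Header always set Content-Security-Policy "upgrade-insecure-requests;" env=DOMAIN_REQUESTED
</IfModule>
```

The order of the two SetEnvIf lines matters: they are evaluated top to bottom, so the unset must come after the line that sets the variable.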
