BPS 6.5 default secure htaccess blocking cURL requests


    #42031
    Aimee
    Participant

    Hi there,

    I noticed something new about the 6.5 secure htaccess file is that out of the gate it’s not blocking UptimeRobot and also returns a 405 if I send a cURL request. I managed to solve the fact that UptimeRobot is blocked by using this which I found on the forum (placed in “9. CUSTOM CODE REQUEST METHODS FILTERED”):

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(UptimeRobot|uptimerobot.com).* [NC]
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    But a single, personal cURL request from my machine still seems to be returning a 405 error.

    Do I need to whitelist myself in this instance?

    #42032
    Aimee
    Participant

    I take that back. Adding that code did not allow Uptime to hit the site. I’m just getting notification it’s returning a 405 still.

    #42033
    AITpro Admin
    Keymaster

    Use the steps here to allow/whitelist all curl Requests > https://forum.ait-pro.com/forums/topic/mailchimp-embed-code-verification-gets-403/#post-40237. Note: HEAD Requests and curl Requests are typically just nuisance Bot Requests. So it is fine/safe to allow them.

    To allow all HEAD Requests use this code:

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    #42067
    Aimee
    Participant

    Hi thanks. This appears to be near identical (with the exception of two commented lines) to the code I posted in the OP which does not work. A cURL request from my machine is returning a 403 now instead of 405.

    Other ideas?

    #42068
    AITpro Admin
    Keymaster

    Did you also do this additional fix?

    Use the steps here to allow/whitelist all curl Requests > https://forum.ait-pro.com/forums/topic/mailchimp-embed-code-verification-gets-403/#post-40237. Note: HEAD Requests and curl Requests are typically just nuisance Bot Requests. So it is fine/safe to allow them.

    #42098
    Aimee
    Participant

    Hi thanks, sorry it’s taking so long for me to reply. The forum doesn’t seem to be sending me notification emails unfortunately. 😛 No, seems I missed that. I implemented that section of code and am receiving a 200 from my machine. Waiting to see what Uptime robot thinks but I’m hopeful!
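
The two REQUEST METHODS FILTERED variants posted in this thread can be compared offline with the small evaluator below; it is an added example, not part of the original posts and not BulletProof Security code. It models only what these rules use (RewriteCond ANDing, `!` negation, `[NC]`, `[F]`), the user-agent strings are constructed samples, and `pass` means only that this section takes no action on the request.

```python
import re

# Rules as posted in the thread. OP variant: HEAD is allowed only for UptimeRobot.
OP_RULES = r"""
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(UptimeRobot|uptimerobot.com).* [NC]
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
"""
# Reply variant: the HEAD rule is commented out, so every HEAD request is allowed.
REPLY_RULES = r"""
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
"""

def parse(text):
    """Attach each RewriteCond to the next RewriteRule only, as mod_rewrite does."""
    rules, conds = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out directive
        if parts[0] == "RewriteCond":
            name = parts[1][2:-1]  # %{REQUEST_METHOD} -> REQUEST_METHOD
            negated = parts[2].startswith("!")
            # Simplification: every condition on the page carries [NC].
            conds.append((name, negated, re.compile(parts[2].lstrip("!"), re.I)))
        elif parts[0] == "RewriteRule":
            rules.append((conds, parts[2], parts[3]))
            conds = []
    return rules

def evaluate(text, method, user_agent):
    """Return '403', the rewrite target, or 'pass' for one request."""
    env = {"REQUEST_METHOD": method, "HTTP_USER_AGENT": user_agent}
    for conds, target, flags in parse(text):
        # Conditions are ANDed; '!' inverts a match. The rule pattern ^(.*)$
        # matches every path, so it is not evaluated here.
        if all((rx.search(env[name]) is not None) != negated for name, negated, rx in conds):
            return "403" if "F" in flags else target
    return "pass"

# Constructed sample user agents.
CURL_UA = "curl/8.5.0"
UPTIME_UA = "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"

if __name__ == "__main__":
    for name, rules in (("OP", OP_RULES), ("reply", REPLY_RULES)):
        for method, ua in (("HEAD", CURL_UA), ("HEAD", UPTIME_UA), ("GET", CURL_UA)):
            print(name, method, ua.split("/")[0], "->", evaluate(rules, method, ua))
```

With the OP variant a HEAD request carrying a curl user agent is rewritten to 405.php, while both variants leave a curl GET untouched, so any block on the curl user agent itself has to be lifted elsewhere, which is what the linked whitelist steps address.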
