xenium


Error: Not Acceptable! An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security

Hi,
I'm getting the following error on my Bluehost server when I use a certain script.

Not Acceptable! An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

I think it has something to do with the .htaccess file. If so, how can I edit it to remove this issue?

Here is my htaccess file from the public_html folder (some URLs replaced with 'mydomain'):

RewriteEngine on
# Use PHP5.6 as default
# AddHandler application/x-httpd-php56 .php
RewriteCond %{HTTP_HOST} ^mydomain\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydomain\.net$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^/?$ "http\:\/\/www\mydomain\.com\/" [R=302,L]


# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php56” package as the default “PHP” programming language.
<IfModule mime_module>
  AddType application/x-httpd-ea-php56 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit



Thanks a lot
gr8gonzo

Per this page:
https://www.tipsandtricks-hq.com/apache-mod-security-update-how-to-fix-error-406-or-not-acceptable-issue-259

Back up your .htaccess file if you have one in the public_html directory.

Open the .htaccess file with any text editor and observe the lines between the “# BEGIN WordPress” and “# END WordPress” tags. Make sure the lines look somewhat like the following. If not then update the file with the following content and upload it to the ‘public_html’ directory.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress


xenium

ASKER

The htaccess file in the question does not have those tags. If I should add them, where should they be inserted?

Thanks a lot

gr8gonzo

Sorry, I assumed you were using WordPress - that's typically where it shows up.

Basically, that error is a "file not found" type of error. So you're requesting something that doesn't exist.

I don't quite understand the purpose of the htaccess rules you have in place right now. It looks like it reads:

1. When the HTTP host is either mydomain.net or www.mydomain.net
2. And when the URI being requested does NOT look like /12345.abcdef.cpaneldcv
3. And when the URI being requested does NOT look like /.well-known/pki-validation/ABCDEF0123456789ABCDEF0123456789.txt (optionally ending with " Comodo DCV")

...then redirect any empty requests (e.g. "http://www.mydomain.net/") to http://www.mydomain.net.

The last RewriteRule seems wrong:
RewriteRule ^/?$ "http\:\/\/www\mydomain\.com\/" [R=302,L]

If all domains mentioned are actually the same domain, then this seems like it would create an infinite loop in some circumstances, so I'm assuming you're redirecting from one domain to another.

Can you provide an example of a URL that generates the error?
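
The rule walk-through in the reply above, as an added Python sketch that is not part of the original thread: it evaluates the question's rewrite block against a few constructed requests to show which are redirected and which pass through. The `evaluate` helper and the redirect target (the rule's substitution with its backslash escapes removed) are assumptions for illustration.

```python
import re

# Patterns copied from the .htaccess in the question ('mydomain' placeholders).
HOSTS = [re.compile(r"^mydomain\.net$"), re.compile(r"^www\.mydomain\.net$")]
EXCLUDED_URIS = [
    re.compile(r"^/[0-9]+\..+\.cpaneldcv$"),
    re.compile(r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$"),
]
RULE_PATTERN = re.compile(r"^/?$")
# Assumption: the rule's substitution with its backslash escapes removed.
TARGET = "http://www.mydomain.com/"


def evaluate(host, uri):
    """Return (302, TARGET) if the rule fires, else None (request passes through)."""
    req_path = uri.split("?", 1)[0]  # REQUEST_URI carries no query string
    # In .htaccess (per-directory) context the leading slash is stripped
    # before the RewriteRule pattern is tested.
    rel_path = req_path[1:] if req_path.startswith("/") else req_path
    # mod_rewrite tests the RewriteRule pattern first, then its conditions.
    if not RULE_PATTERN.search(rel_path):
        return None
    # The two HTTP_HOST conditions are joined by [OR].
    if not any(p.search(host) for p in HOSTS):
        return None
    # The two REQUEST_URI conditions are negated and ANDed with the rest.
    if any(p.search(req_path) for p in EXCLUDED_URIS):
        return None
    return (302, TARGET)


# Constructed sample requests (host, URI); none come from the thread.
SAMPLES = [
    ("mydomain.net", "/"),
    ("www.mydomain.net", "/script.php?x=1"),
    ("www.mydomain.com", "/"),
    ("mydomain.net", "/.well-known/pki-validation/" + "A" * 32 + ".txt"),
]

if __name__ == "__main__":
    for host, uri in SAMPLES:
        print(f"{host:18} {uri:30.30} -> {evaluate(host, uri)}")
```

Only a request for the site root on one of the two .net hosts is redirected; every other request passes through this block unchanged, so the block's only outcomes are a 302 or no action.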

xenium

ASKER

original htaccess file

RewriteEngine on
# Use PHP5.6 as default
# AddHandler application/x-httpd-php56 .php
RewriteCond %{HTTP_HOST} ^enex\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.enex\.net$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^/?$ "http\:\/\/www\.autoreconuk\.com\/" [R=302,L]


# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php56” package as the default “PHP” programming language.
<IfModule mime_module>
  AddType application/x-httpd-ea-php56 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit


ASKER CERTIFIED SOLUTION
gr8gonzo
This solution is only available to members.

xenium

ASKER

Thanks a lot for the info and feedback, very interesting. I'd like to understand these risks better. Is it simply a question of deception (hacker can present a webpage from my domain as if I produced it) or is there a deeper risk of allowing the hacker to make changes on my server? If just the former, then I'd still like to answer the question as is, and then raise a follow-up to manage such risks.
SOLUTION
This solution is only available to members.

xenium

ASKER

Thanks again. I'll see if I can do the nginx.conf test to validate that.

Is there a way to ensure only HTML can be processed? No PHP or server-side processes.

Or..

The page is not intended for the public, so if there's a way to validate the source of the request would that be one safeguard option?

What other options might there be? Apart from not allowing the script.

Thanks
SOLUTION
This solution is only available to members.

xenium

ASKER

Thanks a lot for all the great info and advice. As there's quite a lot to it, I'll close off this question and link to any branching follow-ups as and when needed.

Thanks again.