Why certain requests are blocked
URL Blacklist
MageHost has developed an extensive list of URLs which are potentially harmful for Magento. Some examples are:
- Known leaks in extensions or in older versions of the Magento core
- URLs that are often hit with repeated login attempts (hammering)
- URLs potentially leaking data, for example SQL dumps
When you hit such a URL you can get a 307 redirect to
https://magehost.pro/info/url-blocked/, which shows this message:
This URL is blocked for security reasons.
If you are the owner of this site and you want to allow this URL, please contact MageHost.pro
Web Application Firewall
Besides the URL Blacklist we have a set of more extensive rules in our WAF (Web Application Firewall).
These include filters for:
- SQL injection attempts
- Attempts to post PHP code to be executed on the server
These requests are blocked with a 406 Not Acceptable response code.
For some of these requests an exception can be made using the instructions below, but not in all cases.
Making exceptions
You may want to allow some of these blocked requests to certain trusted IP addresses.
You can do this by adding these lines at the top of the .htaccess file in the httpdocs directory.
Allow a single IP:
# Name of who uses this IP
SetEnvIfExpr "-R '192.0.2.1'" allow_insecure=1
Allow an IP range:
# Name of external party
SetEnvIfExpr "-R '86.109.16.0/21'" allow_insecure=1
# Name of other party
SetEnvIfExpr "-R '2001:985:2e3b::/48'" allow_insecure=1
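
An added example, not MageHost's own tooling: a Python audit of the allow_insecure exception lines in .htaccess, reporting each rule's owner comment and flagging ranges wider than assumed review thresholds (a /24 for IPv4, a /48 for IPv6). The function name, the thresholds and the last sample rule are assumptions constructed for illustration.

```python
import ipaddress
import re

# Matches the exception lines shown above: SetEnvIfExpr "-R '<ip or CIDR>'" allow_insecure=1
RULE = re.compile(r"""^SetEnvIfExpr\s+"-R\s+'([^']+)'"\s+allow_insecure=1$""")
# Assumed review thresholds (not MageHost policy): flag anything wider than these.
MAX_V4_ADDRESSES = 2 ** 8   # wider than a /24
MIN_V6_PREFIX = 48          # prefix shorter than /48

def audit_exceptions(htaccess_text):
    """Return (network, owner, findings) for every allow_insecure rule."""
    results, owner = [], None
    for line in htaccess_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            owner = stripped.lstrip("#").strip() or None
            continue
        m = RULE.match(stripped)
        rule_owner, owner = owner, None  # a comment only documents the line directly below
        if not m:
            continue
        try:
            net = ipaddress.ip_network(m.group(1), strict=True)
        except ValueError as exc:
            results.append((m.group(1), rule_owner, [f"invalid address or range: {exc}"]))
            continue
        findings = []
        if rule_owner is None:
            findings.append("no owner comment above rule")
        if net.version == 4 and net.num_addresses > MAX_V4_ADDRESSES:
            findings.append(f"wide IPv4 range ({net.num_addresses} addresses)")
        if net.version == 6 and net.prefixlen < MIN_V6_PREFIX:
            findings.append(f"wide IPv6 range (/{net.prefixlen})")
        results.append((str(net), rule_owner, findings))
    return results

# Constructed sample: the three rules from this page plus one constructed faulty entry.
SAMPLE = """\
# Name of who uses this IP
SetEnvIfExpr "-R '192.0.2.1'" allow_insecure=1
# Name of external party
SetEnvIfExpr "-R '86.109.16.0/21'" allow_insecure=1
# Name of other party
SetEnvIfExpr "-R '2001:985:2e3b::/48'" allow_insecure=1
SetEnvIfExpr "-R '198.51.100.7/24'" allow_insecure=1
"""

if __name__ == "__main__":
    for net, owner, findings in audit_exceptions(SAMPLE):
        print(net, "|", owner or "-", "|", "; ".join(findings) or "ok")
```

Every rule it lists lets the named addresses through requests that would otherwise be blocked, so review the output whenever an external party's access ends.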