• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question How to allow the download of files with custom extensions from a Plesk server?

o2k

New Pleskian
Server operating system version
Ubuntu 24.04 LTS (GNU/Linux 6.8.0-36-generic x86_64)
Plesk version and microupdate number
Plesk Obsidian Versión 18.0.62, 28/June/2024 22:53
I have a dedicated Plesk server with several domains. In one of them I want to make available a file called, say, "file.db"
If I try to download that file from a web browser, I get a 403 error page saying:

Forbidden
You do not have permission to access this document.
Web Server at @domain_name@

If I rename the file to a more standard extension, like "mp3" (even though it's not really an mp3 file), then I can download the file from the browser.
So there must be some restriction to let browsers only download files with some extensions.

I tried to edit the files "mime.types" and "mime.types.default" inside /etc/nginx to add a line with "application/octet-stream db;" and then restarting the service/server but that accomplished nothing. I still get the 403 page when trying to download the file.

So how can I make the server allow downloading files with ".db" extension? (renaming the file extension is not an option for me since the file name is hard coded into an app that downloads that file).

Thanks!
 
Is it a Wordpress site? In that case it could be the "Block access to sensitive files" option. Which can enabled and disabled via the Security settings in the WP toolkit.
 
Hello! I'd bet on WP security too but I also would suggest checking /var/www/vhosts/example.com/logs/error_log (in Plesk it's DOmains > example.com > Logs) since ModSecurity can also block specific file extensions (you can add such a rule to ModSec exceptions)
 
Hello! I'd bet on WP security too but I also would suggest checking /var/www/vhosts/example.com/logs/error_log (in Plesk it's DOmains > example.com > Logs) since ModSecurity can also block specific file extensions (you can add such a rule to ModSec exceptions)
Thanks for the reply. I'm not using Wordpress but a custom PHP web application made by me. With other Plesk installations using this application I didn't have this problem, so it's definitely something related to server security settings.

I checked the logs as you suggested and I got this error message when trying to download the .db file:

"[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Match of "pmFromFile userdata_wl_extensions" against "TX:extension" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "27"] [id "210730"] [rev "5"] [msg "COMODO WAF: URL file extension is restricted by policy||subdomain.domain.com|F|2"] [data ".db"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "subdomain.domain.com"] [uri "local/data/data.db"] [unique_id "xxxx"]

Line 27 of the file "10_HTTP_HTTP.conf", as indicated in the message, contains the following:

SecRule REQUEST_BASENAME "@rx \.(.{0,399}R)$" \
"id:210730,chain,msg:'COMODO WAF: URL file extension is restricted by policy||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.extension=.%{tx.1}/',logdata:'%{TX.0}',t:none,t:urlDecodeUni,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'HTTP'"

I'm a bit lost. So how can I allow or whitelist the .db extension?
 
Also, I've tried to add an .htaccess file to the folder with the .db file which says:

<IfModule mod_security2.c>
SecRuleRemoveById 210730
</IfModule>

I got the Id from the above error message from the logs. Anyway, that just results in a generic 500 "Internal Server Error" instead of the 403 "Forbidden".

I'm a bit stumped about what to do.
 
Welcome. There is a tab "disabling rules server-wide" in the article I've mentioned. You simply need to go to Tools & Settings > ModSecurity and add the exception there. Regarding the ".db", there is pretty UI for that but you can try to add a custom rule inside Tools & Settings > ModSecurity > Settings > Custom directives. I believe the directive should look like this:

SecRule REQUEST_FILENAME "\.db$" "phase:1,pass,id:10001,ctl:ruleEngine=Off,log"

The first part here means that a custom rule will process the request that matches the pattern "\.db$". The processing options are:
  • phase:1 - Specifies that the rule is executed in phase 1 (request headers phase).
  • pass - Allows the request to proceed without interruption.
  • id:10001 - Unique ID for the rule (you can change it to whatever you like).
  • ctl:ruleEngine=Off - Turns off rule engine for requests matching this rule (meaning that all such requests will not be affected by ModSecurity anyhow).
  • log - Logs the action taken by this rule.

A screenshot for better visualization:
1719908520625.png
 
How to find SecRuleID ?

The rule ID can be found the errors which get logged in the error log of a domain. For example in the error below the ID is 210730.

Code:
"[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). 
Match of "pmFromFile userdata_wl_extensions" against "TX:extension" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "27"] [id "210730"] [rev "5"] [msg "COMODO WAF: URL file extension is restricted by policy||subdomain.domain.com|F|2"] [data ".db"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "subdomain.domain.com"] [uri "local/data/data.db"]
 
Back
Top