Question How to allow the download of files with custom extensions from a Plesk server?

o2k

New Pleskian
Server operating system version
Ubuntu 24.04 LTS (GNU/Linux 6.8.0-36-generic x86_64)
Plesk version and microupdate number
Plesk Obsidian Versión 18.0.62, 28/June/2024 22:53
I have a dedicated Plesk server with several domains. In one of them I want to make available a file called, say, "file.db".
If I try to download that file from a web browser, I get a 403 error page saying:

Forbidden
You do not have permission to access this document.
Web Server at @domain_name@

If I rename the file to a more standard extension, like "mp3" (even though it's not really an mp3 file), then I can download the file from the browser.
So there must be some restriction to let browsers only download files with some extensions.

I tried to edit the files "mime.types" and "mime.types.default" inside /etc/nginx to add a line with "application/octet-stream db;" and then restarting the service/server but that accomplished nothing. I still get the 403 page when trying to download the file.

So how can I make the server allow downloading files with ".db" extension? (renaming the file extension is not an option for me since the file name is hard coded into an app that downloads that file).

Thanks!
 
Is it a WordPress site? In that case it could be the "Block access to sensitive files" option, which can be enabled and disabled via the Security settings in the WP Toolkit.
 
Hello! I'd bet on WP security too, but I would also suggest checking /var/www/vhosts/example.com/logs/error_log (in Plesk it's Domains > example.com > Logs), since ModSecurity can also block specific file extensions (you can add such a rule to the ModSec exceptions).
 
Thanks for the reply. I'm not using WordPress but a custom PHP web application made by me. With other Plesk installations using this application I didn't have this problem, so it's definitely something related to the server security settings.

I checked the logs as you suggested and I got this error message when trying to download the .db file:

"[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). Match of "pmFromFile userdata_wl_extensions" against "TX:extension" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "27"] [id "210730"] [rev "5"] [msg "COMODO WAF: URL file extension is restricted by policy||subdomain.domain.com|F|2"] [data ".db"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "subdomain.domain.com"] [uri "local/data/data.db"] [unique_id "xxxx"]

Line 27 of the file "10_HTTP_HTTP.conf", as indicated in the message, contains the following:

SecRule REQUEST_BASENAME "@rx \.(.{0,399}R)$" \
"id:210730,chain,msg:'COMODO WAF: URL file extension is restricted by policy||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.extension=.%{tx.1}/',logdata:'%{TX.0}',t:none,t:urlDecodeUni,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'HTTP'"

I'm a bit lost. So how can I allow or whitelist the .db extension?
 
Also, I've tried to add an .htaccess file to the folder with the .db file which says:

<IfModule mod_security2.c>
SecRuleRemoveById 210730
</IfModule>

I got the Id from the above error message from the logs. Anyway, that just results in a generic 500 "Internal Server Error" instead of the 403 "Forbidden".

I'm a bit stumped about what to do.
 
Welcome. There is a tab "disabling rules server-wide" in the article I've mentioned. You simply need to go to Tools & Settings > ModSecurity and add the exception there. Regarding the ".db", there is pretty UI for that but you can try to add a custom rule inside Tools & Settings > ModSecurity > Settings > Custom directives. I believe the directive should look like this:

SecRule REQUEST_FILENAME "\.db$" "phase:1,pass,id:10001,ctl:ruleEngine=Off,log"

The first part here means that a custom rule will process the request that matches the pattern "\.db$". The processing options are:
  • phase:1 - Specifies that the rule is executed in phase 1 (request headers phase).
  • pass - Allows the request to proceed without interruption.
  • id:10001 - Unique ID for the rule (you can change it to whatever you like).
  • ctl:ruleEngine=Off - Turns off rule engine for requests matching this rule (meaning that all such requests will not be affected by ModSecurity anyhow).
  • log - Logs the action taken by this rule.

 
How to find the SecRule ID?

The rule ID can be found in the errors which get logged in the error log of a domain. For example, in the error below the ID is 210730.

Code:
"[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). 
Match of "pmFromFile userdata_wl_extensions" against "TX:extension" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "27"] [id "210730"] [rev "5"] [msg "COMODO WAF: URL file extension is restricted by policy||subdomain.domain.com|F|2"] [data ".db"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "subdomain.domain.com"] [uri "local/data/data.db"]
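The following is an added example (not code from the thread or from Plesk) that automates the two steps above: it parses the bracketed fields of a ModSecurity error_log line to recover the rule id, matched data and URI, and then builds a custom directive that lifts only that one rule for only that one URI via ctl:ruleRemoveById, which is narrower than the ctl:ruleEngine=Off rule suggested earlier (that one stops all ModSecurity inspection for every request ending in .db). The sample log line is constructed, modelled on the one quoted above; the custom rule id 20001 is an arbitrary placeholder.

```python
import re

# Constructed sample, modelled on the error_log line quoted in this thread.
SAMPLE_LOG_LINE = (
    '[client x.x.x.x] ModSecurity: Access denied with code 403 (phase 2). '
    'Match of "pmFromFile userdata_wl_extensions" against "TX:extension" required. '
    '[file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] '
    '[line "27"] [id "210730"] [rev "5"] '
    '[msg "COMODO WAF: URL file extension is restricted by policy||subdomain.domain.com|F|2"] '
    '[data ".db"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] '
    '[hostname "subdomain.domain.com"] [uri "/local/data/data.db"] [unique_id "xxxx"]'
)

# ModSecurity 2.x writes its metadata as [key "value"] pairs at the end of the line.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_modsec_line(line):
    """Return the bracketed key/value fields of a ModSecurity error_log entry,
    or None if the line is not a ModSecurity message. Repeated 'tag' keys are
    collected into a 'tags' list so none of them is lost."""
    if "ModSecurity:" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields.setdefault("tags", []).append(value)
        else:
            fields[key] = value
    return fields


def scoped_exception(fields, rule_id=20001):
    """Build a Custom directives rule that removes only the rule that fired
    (fields['id']) and only for the exact URI that was blocked, leaving every
    other ModSecurity rule active for that request. rule_id is a placeholder
    id for the new rule; pick one that is unused on your server."""
    pattern = "^" + re.escape(fields["uri"]) + "$"
    return (
        f'SecRule REQUEST_URI "@rx {pattern}" '
        f'"phase:1,pass,nolog,id:{rule_id},ctl:ruleRemoveById={fields["id"]}"'
    )


if __name__ == "__main__":
    parsed = parse_modsec_line(SAMPLE_LOG_LINE)
    print("blocked by rule", parsed["id"], "on", parsed["data"], "at", parsed["uri"])
    print(scoped_exception(parsed))
```

Running the script against the real error_log (one line at a time) prints the id and URI for each block, and the generated directive can be pasted into Tools & Settings > ModSecurity > Settings > Custom directives.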
 