• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Issue with query value "https%3A" in URL-Parameters results in 403 forbidden

Azurel

Silver Pleskian
Server operating system version
AlmaLinux 8.5
Plesk version and microupdate number
18.0.44 Update #3
In one special page I have a script thats add a redirect-url to every URL. Offline in xampp all working fine. Upload it on my plesk server, I get a 403 page, if I try to call this urls. Simplified that is already enough to get a 403 page


Is this some kind of bug or is it meant to be?
 
That was my first thought too, but then shouldn't there be something about it in "/var/log/modsec_audit.log"? There is nothing to be found there.
 
Okay, I have new information about this. I can deactivate ModSecurity and this issue remains.

When I make this call on the top level of my domain
Like this https://www.mypage.com/?param=http
1. log access_ssl_log shows "GET /?param=http HTTP/1.0 403"
2. And I see a AlmaLunix test page
almatest.jpg

When I make this call in a subdirectory
Like this https://www.mypage.com/subdirectory/?param=http
Again in access_ssl_log a line with 403 and instead of "AlmaLinux Test Page" I get a page with
Forbidden
You don't have permission to access this resource.


@Peter Debik Thanks, but there is nothing related to this in /var/log/http/error_log or /var/www/vhosts/system/logs/mydomain.com/error_log

The only strange think are this lines in /var/log/http/error_log
[Sat Jun 25 10:32:43.632945 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: lists:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:43.633247 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-2a01_4f8_242_4f94__2:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:43.633513 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-168_119_4_235:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:43.634584 2022] [lbmethod_heartbeat:notice] [pid 3952182:tid 139665695881536] AH02282: No slotmem from mod_heartmonitor
[Sat Jun 25 10:32:43.713455 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00489: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9 Phusion_Passenger/6.0.13 configured -- resuming normal operations
[Sat Jun 25 10:32:43.713481 2022] [core:notice] [pid 3952182:tid 139665695881536] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sat Jun 25 10:32:44.191499 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00493: SIGUSR1 received. Doing graceful restart

[Sat Jun 25 10:32:47.303427 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: lists:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:47.303697 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-2a01_4f8_242_4f94__2:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:47.303942 2022] [ssl:warn] [pid 3952182:tid 139665695881536] AH01909: default-168_119_4_235:443:0 server certificate does NOT include an ID which matches the server name
[Sat Jun 25 10:32:47.304980 2022] [lbmethod_heartbeat:notice] [pid 3952182:tid 139665695881536] AH02282: No slotmem from mod_heartmonitor
[Sat Jun 25 10:32:47.375465 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00489: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9 Phusion_Passenger/6.0.13 configured -- resuming normal operations
[Sat Jun 25 10:32:47.375483 2022] [core:notice] [pid 3952182:tid 139665695881536] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sat Jun 25 10:33:06.632605 2022] [mpm_event:notice] [pid 3952182:tid 139665695881536] AH00492: caught SIGWINCH, shutting down gracefully

But that not the timestamp with my issue. I can create now 403 and nothing is added to this error_log's for apache.
 
By the log excerpts I think you are looking into the general error_log of the server as httpd restarts or other service actions would not be logged to the site's error_log. Are you sure you are looking at /var/www/vhosts/<your subscription>/log/<your domain>/error_log?
 
Yes. The mention path
/var/www/vhosts/system/logs/mydomain.com/error_log
is equal to
/var/www/vhosts/<subscription>/logs/mydomain.com/error_log
Both files have the same content.

The log excerpts was for /var/log/http/error_log (genral error_log). In the domain erorr_log there is nothing related or timestamp for my issue.
 
Okay, I found the reason. I feel a little stupid right now. I did not expect that. This must have been in the htaccess (Additional Apache directives) for so many years. I don't even know why that's in there. Look like a very old protection, but I don't understand why this query string is here blocked.
RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
RewriteRule ^(.*)$ – [F,L]
Thanks for your help :)
 
Back
Top