Referer Gotcha

From DreamHost


Problem

You don't use any active content and you don't have an .htaccess file, but you get cryptic HTTP errors:

Service Temporarily Unavailable.
The server is temporarily unable to service your request
due to maintenance downtime or capacity problems.
Please try again later.

The title of the error page will be something like "503 Service Temporarily Unavailable".

Symptom

You can see directories just fine if you type in the URL, but when you try to follow a link to a subdirectory or file you get an error. If you refresh the page, you get the error again. But if you "enter" the URL (e.g., click your left mouse button inside the address box and hit the "Enter" key), it works fine until you click a link again. When you inspect the logs, you will find the following reason:

mod_security: Access denied with code 503. Pattern match
"(go\\.to|get\\.to|drop\\.to|hey\\.to|switch\\.to|dive\\.to|move\\.to|again\\.at)"
at HEADER.

Reason

It seems that mod_security checks the Referer HTTP header. If the header is present (as it is when you follow a link, but not when you type the URL), it checks whether the header includes one of the following substrings:

  • go.to
  • get.to
  • drop.to
  • hey.to
  • switch.to
  • dive.to
  • move.to
  • again.at

If both conditions are met, the request fails with a 503 code. Apparently DreamHost added this rule to prevent somebody from stealing your bandwidth or to foil some other nefarious schemes. Unfortunately, it can affect completely innocent URLs. For example, this page was prompted by the bizarre behavior of the following web site: django.tomas********.com. Any URL on this web site includes the dreaded "go.to" pattern.
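The false positive described above, as an added example (not DreamHost's code or configuration): it runs the logged pattern as an unanchored search over the Referer value and compares the result with a hypothetical hostname-anchored check. The sample Referer values and the function names are constructed, and collapsing the log's doubled backslashes to single ones is an assumption.

```python
import re
from urllib.parse import urlsplit

# Pattern from the mod_security log line, with the log's doubled backslashes
# collapsed to single ones (assumption about how the log escapes the regex).
BLOCKED = re.compile(
    r"(go\.to|get\.to|drop\.to|hey\.to|switch\.to|dive\.to|move\.to|again\.at)"
)
# The same eight names as a set of hosts, for the anchored comparison.
BLOCKED_HOSTS = {"go.to", "get.to", "drop.to", "hey.to",
                 "switch.to", "dive.to", "move.to", "again.at"}


def substring_rule(referer):
    """Behaviour described on the page: unanchored search over the header."""
    return BLOCKED.search(referer) is not None


def host_anchored_rule(referer):
    """Hypothetical stricter check: match only the Referer's hostname,
    either exactly or as a subdomain of a listed host."""
    host = (urlsplit(referer).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


def false_positives(referers):
    """Referers the substring rule blocks but the anchored rule would allow."""
    return [r for r in referers
            if substring_rule(r) and not host_anchored_rule(r)]


# Constructed sample Referer values; the .example names are placeholders.
SAMPLES = [
    "http://django.tools.example/docs/",          # "go.to" spans a label boundary
    "http://www.example.com/how-to-go.to-work/",  # pattern appears in the path
    "http://members.go.to/redirect",              # really on a listed host
    "http://www.example.com/index.html",          # no pattern at all
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{substring_rule(r)!s:5} {host_anchored_rule(r)!s:5} {r}")
```

The first two samples are blocked by the substring rule even though neither is hosted on a listed domain.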

If your PHP file is named lala.php and the log shows Pattern match "/lala\\.ph(p(3|4)?|tml)\\?" at THE_REQUEST, you can change the name of your file.

Solution

There are two known solutions:

  1. Don't use domain names that contain the "forbidden" patterns (see them above).
  2. Turn off mod_security for the problematic domain (this solution came from DreamHost support):
    1. Go to https://panel.dreamhost.com/index.cgi?tree=domain.manage
    2. Select the domain in question.
    3. Uncheck the "Enable Extra Web Security" checkbox.
    4. Wait several minutes before checking your web site again (the change takes time to propagate).

You should be good now.

Thank you Tomas Jacobsen and Michael Radziej for investigating the problem.

Update 6/21/2007

There seem to be many additional "forbidden" patterns now:

Access denied with code 503. Pattern match
"(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|
proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|
posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\\\\(.*\\\\)\\\\;"

