A mysterious 406 error

Some work I’ve been doing recently has involved debugging a Mambo installation. The website had developed the curious ability to block the editing of certain articles, but allowed other ones through. These blocked attempts to save articles were resulting in a ‘406 Not Acceptable’ error. According to the W3 specification, this means:

The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.

Say what?

After a lot of hair-pulling I tracked the problem down to a few words, such as ‘<script’ and ‘&’, which when included caused the error. This made me very suspicious – why would Mambo only block this HTML code? I explored further by inserting debug code into Mambo and then waited for the result… nothing. Mambo wasn’t even being called.

This meant the problem must be before Mambo, and there was only one thing that could be responsible: Apache.

Some Googling later and I found information about an optional Apache module called mod_security. This is a very nice module that acts as an Apache firewall – it blocks a lot of the usual routes that people use to hack websites. In particular it scans POST requests (sent when you ‘save’ something on a website), and displays a 406 error for anything controversial. Bingo!

The reason I’m documenting these frustrating few hours of my life is in the hope that it may prove useful to someone else. It appears that mod_security, if configured aggressively, can cause a lot of problems and these may manifest themselves in Mambo, WordPress, or any piece of web software.

The solution was very simple. The following lines were added to the .htaccess file to disable mod_security:

# Only applies when mod_security (1.x) is loaded, so the file stays valid elsewhere
<IfModule mod_security.c>
# Turn the filtering engine off for this directory
SecFilterEngine Off
# Stop inspecting POST bodies (the article saves that were being rejected)
SecFilterScanPOST Off
</IfModule>

Naturally you lose any benefits that mod_security might bring, but that’s better than a non-functioning website, and you can always ask for the security configuration to be toned down to a more acceptable level.
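A less drastic per-directory configuration, added here as an example and not part of the original post: it keeps mod_security running but switches it to log-only so the administrator can see which filters fire on article saves before deciding what to tone down. It assumes the host permits these directives in .htaccess, that the server-wide default action is the usual "deny,log,status:406" (which is what produces the 406), and uses the mod_security 1.x directive names from that version's documentation, with the 2.x equivalent alongside.

```apache
# Added example, not from the original post. Assumes AllowOverride lets
# .htaccess carry mod_security directives on this host.
<IfModule mod_security.c>
    # Drop the aggressive server-wide filters for this directory rather
    # than inheriting them.
    SecFilterInheritance Off

    # Keep the engine and POST scanning on, unlike the "Off/Off" fix.
    SecFilterEngine On
    SecFilterScanPOST On

    # Log matches to the Apache error log but let the request through,
    # instead of the server-wide "deny,log,status:406".
    SecFilterDefaultAction "pass,log"

    # Re-apply the two patterns the post found were triggering the 406,
    # now as logged observations on request arguments only.
    SecFilterSelective ARGS "<script"
    SecFilterSelective ARGS "&"
</IfModule>

<IfModule mod_security2.c>
    # mod_security 2.x uses a different directive set; DetectionOnly
    # records rule matches without blocking.
    SecRuleEngine DetectionOnly
</IfModule>
```

Once the error log shows which saves trip which pattern, the matching filter can be narrowed or the default action restored to deny for everything except the editing path.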

source : http://www.urbangiraffe.com/2005/08/20/mysterious-406-error/

About Oka Wirasatha

Focus, Independent and Consistent

8 Responses to A mysterious 406 error

  1. Webgrrl says:

    ooh I found this post on Google looking to resolve the 406 issue…
    hehe.. and I noticed that you said that you wrote this down in case anyone else is finding the same issue too.

    very good! I too have been doing the same.. and blogging it..

    hope you're having a great day…

    good evening 🙂

  2. arifkurniawan says:

    I just read this. Well, great! Thanks for the info. I guess it was already asked by some folks in the Joomla forum. Anyway, it’s cool, man. Thanks.

  3. Oka says:

    Thanks for the comment; it is true that this article was taken from the forum. I put it here so that if this kind of problem comes up again it won't be hard to find. Hopefully it will be useful to friends who run into the same problem.

    http://www.balebanjar.com

  4. Michelle Theado says:

    I would actually find having mod_security enabled is better than a functioning website, because chances are pretty good that without it your website wouldn’t be functioning for long.
    The proper solution would have been to tone down in mod_security whatever was causing the error, not to mention you shouldn’t have even been messing with Mambo development on a production machine. (Did you even bother to RTFM?)

  5. shantanu goel says:

    With mod_security 2, this is no longer valid. I’ve written about it and a workaround at
    http://tech.shantanugoel.com/2008/05/01/http-406-errors-galore.html

  6. Pula says:

    Hi,
    For me it doesn’t work out because my web hosting doesn’t allow this code to be executed in .htaccess.

  7. Pingback: Okaw savings | Calicastillo
