403 error on image files

[Mark]

Image Links that used to work fine are now getting 403 errors.

 

ie https://xyz.com/405/(product url).jpg used to be fine, now its  a 403 error

 

The theme version works ok  ie https://xyz.com/405-Niara_thickbox/(product url).jpg but not in all cases. 

 

This means that catalogues outside the website are not able to upload the images and the catalogue data is being rejected and catalogue products being removed until problem fixed and the 403 error goes away.

[datakick]

.htaccess rules, nginx settings, watermark module,.... this is deployment issue, not an application one. 

[e-com]

8 hours ago, datakick said:

.htaccess rules, nginx settings, watermark module,.... this is deployment issue, not an application one. 

That's right, but not really 🙂
https://xyz.com/405/product-url.jpg - is correct
https://xyz.com/405/product-url.webp - is bug

 

[datakick]

17 hours ago, e-com said:

That's right, but not really 🙂
https://xyz.com/405/product-url.jpg - is correct
https://xyz.com/405/product-url.webp - is bug

 

??? I don't follow....

[e-com]

6 hours ago, datakick said:

??? I don't follow....

This urls rewrite rule works properly only for images with jpg extension.
For images with webp extension it does not work.

[Mark]

Problem solved as you guys identified... was the Watermark module... Installing it created .htaccess changes.... These changes seem to have not been undone when uninstalled....

Solution for others' information (provided by @datakick)was to remove/comment the following from .htaccess in the root folder (ensure Rewrite Engine left On)

# start ~ module watermark section
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteCond expr "! %{HTTP_REFERER} -strmatch '*://%{HTTP_HOST}*/admindir/*'"
RewriteRule [0-9/]+/[0-9]+\.jpg$ - [F]
</IfModule>
# end ~ module watermark section

 

After removing the module server error log

[Wed Nov 02 09:21:03.036116 2022] [core:alert] [pid 31153:tid 47073019844352] [client ip address] /home/xyx/public_html/.htaccess: </IfModule> without matching <IfModule> section

Edited November 1, 2022 by Mark

[datakick]

I've just tested watermark module .htaccess modification functionality, and it seems to be working. Module correctly remove its section when uninstalled. If this did not happen for you, then maybe

• permissions or ownership of the .htaccess file has changed sometimes in between the module installation and uninstallation
• module wasn't uninstalled properly, but simply deleted
• somebody modified .htaccess file and removed or modified delimiters that watermark module uses to detect borders of the section.

 

[the.rampage.rado]

@datakick, today at work I saw your fixes in the module and it was one of the first tasks today to update and check if it works.

Unfortunately when the module code is added to the front of htaccess file it gives again the same 403 in product images. But if I move it to the end of the htaccess file they are working fine.

The issue with 403 in SEO settings save is persistent.

And by just testing it twice I got locked out by modsecurity. What settings are triggering it and what is the issue that makes the pictures work only when placed at the end of the file?

[the.rampage.rado]

Just updated the store to edge and did the same checks again - some items worked but most gave 403 for the product images. I moved the watermark code to the end and now every image loads in BO->Products.


The save 403 issue in SEO persist no matter if I disable mod_security in htaccess or not (obviously forbidden by my host).

[datakick]

3 minutes ago, the.rampage.rado said:

@datakick, today at work I saw your fixes in the module and it was one of the first tasks today to update and check if it works.

Unfortunately when the module code is added to the front of htaccess file it gives again the same 403 in product images. But if I move it to the end of the htaccess file they are working fine.

The issue with 403 in SEO settings save is persistent.

And by just testing it twice I got locked out by modsecurity. What settings are triggering it and what is the issue that makes the pictures work only when placed at the end of the file?

The bug I fixed today in watermark module was not related to your issue. It only fixes specific situation when module did not properly clean up when uninstalled.

Regarding your issue -- this is NOT A BUG.

When you install watermark module, access to source image files is supposed to be blocked. This is, after all, the reason why anyone would use this module -- to protect their image assets. It doesn't make any sense to have watermarked images on product page, but allow access to source/high resolution version without any watermark image. 

The watermark section should be at the beginning of the .htaccess file, otherwise other rules have precedence 

[datakick]

3 minutes ago, the.rampage.rado said:

Just updated the store to edge and did the same checks again - some items worked but most gave 403 for the product images. I moved the watermark code to the end and now every image loads in BO->Products.


The save 403 issue in SEO persist no matter if I disable mod_security in htaccess or not (obviously forbidden by my host).

See my previous answer.

Moving watermark section to the end of .htaccess is not a solution, as other rules have precedence. You can even delete the watermark section, as it is a no-op when at the end of the file.

The watermark section explicitly says that access to source image files is forbidden, unless the referrer header matches your admin directory. When you load Bo > Products page, your browser requests image from your server. This requests contains REFERER http header, and your apache server use it to authorize request. If you have problems with this, it might be by string Referer-Policy -- your server might have instructed browser to never send this REFERER header, and that would couse your problems. For more info, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

[the.rampage.rado]

I believe I'm not understanding what you mean. My issue is not that they show in front end to the customer, my issue is that they don't show up here:

Some of my products differ only by tiny details (I can imagine it's not me in this siuation) and if a merchant's employee is not very familiar with differences in the products and can't enlarge this during order preparation this could lead to troubles.

I'm in the same boat as you that the original images should not be visible in FO or by bots or scrapers, but they should be visible in BO (or at least let's make BO use some of the larger thumbnails with watermark) and keep the originals for regeneration only.

[the.rampage.rado]

2 minutes ago, datakick said:

See my previous answer.

Moving watermark section to the end of .htaccess is not a solution, as other rules have precedence. You can even delete the watermark section, as it is a no-op when at the end of the file.

The watermark section explicitly says that access to source image files is forbidden, unless the referrer header matches your admin directory. When you load Bo > Products page, your browser requests image from your server. This requests contains REFERER http header, and your apache server use it to authorize request. If you have problems with this, it might be by string Referer-Policy -- your server might have instructed browser to never send this REFERER header, and that would couse your problems. For more info, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Thanks for the elaboration. Will look into it with my host!