Custom ErrorDocument is Ignored

#1
Hello, my shared hosting started using LiteSpeed v8.0.1 Cloudlinux 1.3 recently and I am having issues with my custom 403 page.
When I browse this link it should redirect to my custom 403 page (I am using an example domain for this thread): https://example.com/electronics/etc/passwd, but it shows LiteSpeed's internal 403 Forbidden page. I am using the ErrorDocument 403 /err/403.html line in my .htaccess file, at the top of the file (I tried moving it below the RewriteEngine On directive but it didn't change anything). I tried different rules to force a 403 error; they all go to the same default 403 page.

When I use ErrorDocument 403 https://example.com/err/403.html, it shows my custom 403 page. It comes to mind that the path might be wrong, but I double-checked it and it is present. Also, my cPanel's Errors page shows no error about 403.html not being there.

When I intentionally change the path to ErrorDocument 403 /errrrr/403.html, I get this error on my cPanel: 2023-10-14 17:42:46.277747 [INFO] [1802051] [T0] [x.x.x.x:xxxxx-49#APVH_example.com] File not found [/home/user/public_html/errrrr/403.html]

I am missing something, maybe there are RewriteRule loops etc. but I don't know what. I can share my whole .htaccess file if needed.
 
#3
I think you meant putting the 403.html file in the root folder. It is in both the root and the /err folder, and I tried ErrorDocument 403 /403.html; unfortunately it didn't work. If I got it wrong please tell me. Also, I have no control over the web server and can't change configurations or edit LiteSpeed files :/
 

serpent_driver

Well-Known Member
#4
If you use cPanel, then you are not allowed to define an error_document for 403, because 403 means that access to any source is prohibited and therefore also to a custom error_document. That sounds paradoxical, but it is true. The cPanel configuration expects a 403.shtml in the document_root. Either create a 403.shtml or use the attached 403.shtml and place this file in the document_root and remove the definition for the ErrorDocument 403 from the .htaccess.
 


#5
I removed ErrorDocument definition from .htaccess and put 403.shtml file in the root. I still see the same internal 403 Forbidden page of LiteSpeed.
 

serpent_driver

Well-Known Member
#6
Of course you see the same content because the 403.shtml is the LiteSpeed 403.shtml page. You can change the 403.shtml as you wish, but it must always remain the 403.shtml file and you are not allowed to include any static elements in it.
 
#7
They look the same but they are not the same, mine has powered by LS div at the bottom. Nevertheless, I changed the content of shtml file by only changing some text in it but I still see the default one :(
 
#9
I am not complaining, I just can't set my own 403 file with what I'd like. Your 403.shtml, and mine are both not working. Can we think of anything else?
 

serpent_driver

Well-Known Member
#10
You can set your own 403.shtml. .shtml is just html and can be styled and filled with every content, but you must follow 403 restrictions. You can't deny access to whatever source and allow access to sources at the same time.

cPanel follows Apache directive for errorDocument. If you don't like this please go to cPanel Support. This is not a LiteSpeed issue.
 
#11
I just followed your instructions and used your 403.shtml, which is slightly different from the default 403 & it is OK, and I still see the old default 403 page of LiteSpeed. What did I do wrong? What is preventing the custom 403 page from being shown? I am trying to figure out this issue.

I didn't understand the thing you said about following 403 restrictions. I don't think I am denying access to a source while still allowing it. I have some RewriteRules that have the [F] flag, which triggers 403, that's all.
 

serpent_driver

Well-Known Member
#12
> I didn't understand the thing you said about following 403 restrictions. I don't think I am denying access to a source while still allowing it.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
https://en.wikipedia.org/wiki/HTTP_403
https://httpd.apache.org/docs/2.4/rewrite/flags.html

Code:
Using the [F] flag causes the server to return a 403 Forbidden status code to the client. While the same behavior can be accomplished using the Deny directive, this allows more flexibility in assigning a Forbidden status.

The following rule will forbid .exe files from being downloaded from your server.

RewriteRule "\.exe"   "-" [F]

This example uses the "-" syntax for the rewrite target, which means that the requested URI is not modified. There's no reason to rewrite to another URI, if you're going to forbid the request.

When using [F], an [L] is implied - that is, the response is returned immediately, and no further rules are evaluated.
 
#13
Apache config:
RewriteEngine On

RewriteCond %{THE_REQUEST} etc/passwd [NC]
RewriteRule ^(.*)$ - [F,L]
This is the only rule, my whole .htaccess right now. Like I said, I don't think I am denying access to a source while still allowing it. Still I see the default 403 page. Maybe I am doing something else wrong, what do you think?

- I put the custom 403.shtml page (only changed some text in your version) in root, and one copy in the public_html folder. (I tried copying into only root, only public_html, and both of them at the same time for experimenting.)
- Changed the .htaccess file and put only the above rule.
- I tried with different rules to force 403 but every time got the same default page.
- I also tried adding the ErrorDocument 403 /403.shtml directive.
I have become a headache, I know, but can you help me please?
 
#15
At this point your 403.shtml version is enough for me. The one without the powered by LiteSpeed div. If I can make that one work, I can edit that later.
 

serpent_driver

Well-Known Member
#17
Since the user @continet doesn't give an answer to my last question, but perhaps other users want to know the answer to my last question, here is the answer.

Directories that are not within the publicly accessible area do not need to be specifically protected from access, simply because they are not accessible via HTTP. @continet's need is therefore meaningless.
 
#18
It's not just cPanel location for passwords, maybe my example was not good. I tried with different structure and experimented a bit with different variables. Say that this is a restricted location: "https://example.com/forbiddenfolder/"
With this condition and rule
Apache config:
RewriteCond %{THE_REQUEST} forbiddenfolder [NC]
RewriteRule ^(.*)$ - [F,L]
access will be denied with server response 403, right? While I have your custom 403.shtml file in the root and public_html folder, I expect from server to show me that custom file but it shows default one instead.

When I use this one:
Apache config:
RewriteCond %{REQUEST_URI} ^/forbiddenfolder/ [NC]
RewriteRule ^(.*)$ - [F,L]
server successfully shows my custom 403 page.

Why does it matter if the string is in the request line or in the URL? I have some other rules relying on the %{THE_REQUEST} variable and can't use something other than %{THE_REQUEST} with peace of mind.
Using %{THE_REQUEST} changes something but I couldn't understand why. Please enlighten me if I am missing a key point.
 

serpent_driver

Well-Known Member
#19
> access will be denied with server response 403, right? While I have your custom 403.shtml file in the root and public_html folder, I expect from server to show me that custom file but it shows default one instead.
What you expect works, if the location of 403.shtml is correct. cPanel expects 403.shtml in document_root, while document_root is the location/path where the domain points to. Any other location doesn't work and is not respected.

> Why does it matter if the string is in requestline or in URL?
Of course it matters, so why define a rewrite rule to protect access to a source that isn't accessible through HTTP?!

Anyway, 403 follows specific rules and isn't comparable with other status codes. The error document for 403 can be custom and must not be a 403.shtml file, but the sources/code of this custom error document must not contain sources to other locations like CSS, JS, images and so on.
 
#20
I think there's still a misunderstanding: the 403 file location is correct and rules defined without the %{THE_REQUEST} variable work (I mean they redirect to my custom 403 file), but the ones with %{THE_REQUEST} don't. So it isn't about the web server not being able to find the 403 file. It was the variable issue all along. That's why I couldn't see my custom 403 page. That is my deduction.

Why is it that when I use %{THE_REQUEST}, only the LiteSpeed default 403 page is shown, and when I use the other variables (e.g. %{REQUEST_URI}, %{QUERY_STRING} etc.), I see my 403? Is this web-server-specific behavior, or some syntax discrepancy between Apache and LiteSpeed, or is something wrong on my end? I am trying to understand.

By the way, I am not trying to argue with you, I am trying to learn from you, don't get me wrong. I appreciate your responses, thank you.
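
A possible explanation for the difference reported in #18 and #20, as an added example that is not part of any post: under Apache mod_rewrite semantics, .htaccess rules run again on the internal redirect to the error document, where %{REQUEST_URI} is now the error page but %{THE_REQUEST} is still the client's original request line. The Python model below assumes LiteSpeed follows the same semantics (the thread does not confirm this); `Rule`, `forbidden`, `serve` and the exemption condition are hypothetical names used for illustration.

```python
import re
from typing import NamedTuple

ERROR_DOC = "/403.shtml"  # error page location used in the thread


class Rule(NamedTuple):
    """Model of one 'RewriteCond ... [NC]' + 'RewriteRule ^(.*)$ - [F,L]' pair."""
    variable: str                   # "THE_REQUEST" or "REQUEST_URI"
    pattern: str                    # RewriteCond pattern, case-insensitive ([NC])
    exempt_error_doc: bool = False  # assumed extra guard, not from the thread:
                                    # RewriteCond %{REQUEST_URI} !^/403\.shtml$


def forbidden(rule, the_request, request_uri):
    """True if the rule answers this request or internal redirect with [F]."""
    if rule.exempt_error_doc and request_uri == ERROR_DOC:
        return False
    subject = the_request if rule.variable == "THE_REQUEST" else request_uri
    return re.search(rule.pattern, subject, re.IGNORECASE) is not None


def serve(rule, request_line):
    """Return which body the client ends up seeing for a raw request line."""
    uri = request_line.split()[1].split("?", 1)[0]
    if not forbidden(rule, request_line, uri):
        return "requested resource"
    # Internal redirect to the error document: REQUEST_URI changes to the
    # error page, THE_REQUEST remains the original client request line.
    if forbidden(rule, request_line, ERROR_DOC):
        return "server default 403"  # the error page itself was refused
    return "custom 403 page"


if __name__ == "__main__":
    line = "GET /forbiddenfolder/ HTTP/1.1"  # constructed sample request
    for rule in (Rule("THE_REQUEST", "forbiddenfolder"),
                 Rule("REQUEST_URI", "^/forbiddenfolder/"),
                 Rule("THE_REQUEST", "forbiddenfolder", exempt_error_doc=True)):
        print(rule, "->", serve(rule, line))
```

In this model the %{THE_REQUEST} rule refuses its own error document, which matches the symptom described; exempting the error page by %{REQUEST_URI} keeps the %{THE_REQUEST} match while letting the custom page through.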
 