..a dose of zero-day know-hows ..

8/06/2009

Getting "failed to open stream: HTTP request failed! HTTP/1.1 501 Method Not Implemented" When Passing Post Requests to JSON RPC Server

I spent a few hours trying to figure out how to get around the HTTP/1.1 501 error I was getting when using the JSON client class from JSON-RPC_PHP (http://jsonrpcphp.org).

As it turns out, the culprit was the ModSecurity module for Apache2. The logs indicate that the JSON server script is denying the JSON client access.

[msg "Request content type is not allowed by policy"]


Instead of hacking the JSON-RPC library, what I did was disable the restrictions inhibiting the JSON client from passing POST requests to the JSON server by commenting out a few lines in my /etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf (lines 68-70), specifically the following:


#SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
#"phase:2,chain,t:none,t:lowercase,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
#SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none"


After restarting Apache, the JSON server/client works fine. I hope this spares someone the hours of hair pulling.
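Commenting out rule 960010 drops the Content-Type policy for every request handled wherever that rule file is loaded. The added example below (not code from the original post or from the rule set's authors) re-implements the quoted rule chain in Python to show why a JSON POST is answered with 501, and that extending the allow-list with `application/json` is enough to let it through while other types stay blocked. It assumes the client sends `Content-Type: application/json`; the `CT_ALLOWED_JSON` pattern and the sample requests are constructed for illustration.

```python
import re

# Patterns copied from rule 960010 as quoted in the post.
METHOD_EXEMPT = re.compile(r"^(?:get|head|propfind|options)$")
CT_ALLOWED = re.compile(
    r"(?:^(?:application\/x-www-form-urlencoded"
    r"(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$"
    r"|multipart/form-data;)|text/xml)"
)
# Hypothetical amended allow-list (assumption, not from the post):
# the original alternatives plus application/json with an optional charset.
CT_ALLOWED_JSON = re.compile(
    CT_ALLOWED.pattern
    + r"|^application/json(?:;\s?charset\s?=\s?[\w\d\-]{1,18})?$"
)


def rule_960010(method, content_type, allowed=CT_ALLOWED):
    """Return 501 if the chained rule would deny the request, else None."""
    # First rule: t:lowercase on the method, then a negated ("!") match,
    # so GET/HEAD/PROPFIND/OPTIONS never reach the chained rule.
    if METHOD_EXEMPT.search(method.lower()):
        return None
    # Chained rule: t:none, negated unanchored match on Content-Type.
    # A Content-Type found in the allow-list means the chain does not fire.
    if allowed.search(content_type):
        return None
    return 501  # deny,status:501 "Request content type is not allowed by policy"


# Constructed sample requests: (method, Content-Type header value).
SAMPLES = [
    ("GET", "application/json"),
    ("POST", "application/x-www-form-urlencoded; charset=UTF-8"),
    ("POST", "multipart/form-data; boundary=x"),
    ("POST", "application/json"),
    ("POST", "text/plain"),
]


def evaluate(allowed):
    """Map each sample request to the status the rule would produce."""
    return {s: rule_960010(s[0], s[1], allowed) for s in SAMPLES}


if __name__ == "__main__":
    for label, pattern in (("original", CT_ALLOWED), ("amended", CT_ALLOWED_JSON)):
        for (method, ctype), status in evaluate(pattern).items():
            print(f"{label:8} {method:4} {ctype:50} -> {status or 'pass'}")
```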
