Google Checkout, 501 Error with Mod Security + Solution

If you are pulling your hair out trying to figure out why you are seeing a 501 error in your Google Checkout integration console I may well have the answer and solution for you.

This is the error message you will see in the integration console.

The first thing to do is log into your server via SSH and examine the error logs.

find the error logs, open the file up in vi using this command:

Then go to the bottom of the file using the [shift] + [g] shortcut. Then to search backwards in the log use the following command:

If you find something with this error message then you have mod security installed. If you search around you may well find an error message like this:

[Thu Mar 26 10:22:11 2009] [error] [client 94.229.166.12] ModSecurity: Access denied with code 501 (phase 2). Match of "rx (?:^(?:application\\/x-www-form-urlencoded(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$|multipart/form-data;)|text/xml)" against "REQUEST_HEADERS:Content-Type" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "71"] [id "960010"] [msg "Request content type is not allowed by policy"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [hostname "247electrical.co.uk"] [uri "/googlecheckout/api"] [unique_id "-UMIen8AAAEAAFsDLH4AAAAB"]

This error message tells us which particular rule is causing it to fail. What we need to do now is either edit this rule or disable it altogether. I will first try to edit it so that the request can get through, but the rule is still active. The rule we need to edit is in this rules file:

modsecurity_crs_30_http_policy.conf

and is on line 71.

I'm no mod security expert. Having had a quick look through the documentation I am not sure how to edit this rule to allow Google Checkout callbacks through. So for the time being I am going to disable this particular rule altogether by adding a # in front of lines 70,71 and 72.

If any mod security experts out there read this blog and know a better solution please do post it in the comments.

More...

More Reading:

• Plesk + Mod Security
• Online SSL Checker (Google Checkout)

4 Comments

Victor Julien March 26th, 2009

You can also disable a rule for a specific location like this: PLAIN TEXT CODE: <LocationMatch "/googlecheckout/api">     SecRuleRemoveById 960010 </LocationMatch> The nice thing about it is that you can put this in a separate file (disabled.conf for example) so you don't have to redo the change to the rules file every time you update it...

 

admin March 26th, 2009

this is a much better solution as it only disabled the rule at the point we need to disable it, but will keep the rule active everywhere else.. cheers Victor

 

Ryan Barnett January 11th, 2011

What version of CRS are you using? You should be able to go into the modsecurity_crs_10_config.conf file and update the HTTP Policy variables. There is a setvar line that lets you customize your local, allowed Content-Type values - setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf', These values are used in macro expansion by the detection rules in the 30 file. Just add the legit Content-Type request header value for the googlecheckout API.

 

admin January 11th, 2011

Hi Ryan thanks for the feedback not sure for this client now tbh, its a while since I did this post. glad your comment is here for future reference though!

 

 

Leave a Reply

Your Name *

Your E-mail * (will not be published)

Website

Your Message