Question

I am getting this error for my website which is built on magento-1.9.0.

2015/07/13 05:50:44 [error] 1371#0: *491517 access forbidden by rule, client: **.***.***.***, server: www.example.com, request: "POST /app/etc/local.xml HTTP/1.1", host: "www.example.com"

For your information: the IP address is always that of my own server. This only happens whenever I try to edit or update any item of "Shopping Cart Price Rules". There was a Magento bug with shopping cart price rules, and I have used an extension which is mentioned here: https://github.com/husseycoding/cartrulefix . That extension works perfectly in my local environment; however, it is not working in live. I guess this error is preventing that extension from working perfectly. My live server is running on nginx.

Could someone please help me? Thanks in advance.

Solution

Since "Why does Magento POST to its own app/etc/local.xml?" might not have been clear enough, I'll add this as an answer:

Actually, these messages are a good thing: Magento would warn you in the admin panel if it could access the file via HTTP. If you see this log message, everything is fine. Magento tries to access app/etc/local.xml via HTTP, which fails, so you get this error log. And the point is that it should fail! Otherwise everybody could see your database credentials by accessing http://example.com/app/etc/local in the browser.

However, if these log messages annoy you and you are confident that your server setup will stay as secure as it is, you can easily remove this feature:

Getting rid of the security notification

To get rid of this security check, do not attempt to hack the Magento core (as some forum threads have suggested in the past). Instead, you can just modify the admin-theme to remove this check. Open up the following file or create it if it does not exist:

app/design/adminhtml/default/default/layout/local.xml

Then add the following code to it:

<layout>
    <default>
        <remove name="notification_security" />
        <remove name="notification_survey" />
    </default>
</layout>

This removes the blocks notification_security and notification_survey from the backend pages entirely, therefore skipping the security check. No core hacks involved.

Source: http://www.yireo.com/tutorials/magento/magento-administration/1322-client-denied-by-server-configuration-appetclocalxml

Remember to clean the layout cache afterwards.
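
As an added example (not part of the original answer or of Magento), this Python snippet triages nginx error-log lines in the format quoted in the question. It separates Magento's own self-check from any other client that was denied app/etc/local.xml. The sample lines and IP addresses are constructed, and `own_ips` is an assumed parameter holding the server's own addresses.

```python
import re
from collections import Counter

# Matches nginx error-log entries of the form shown in the question.
DENIED = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'access forbidden by rule, client: (?P<client>[^,]+), '
    r'.*?request: "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"'
)

def triage(lines, own_ips, path="/app/etc/local.xml"):
    """Count denied requests for `path`: (self-checks, Counter of other clients)."""
    self_checks, external = 0, Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not an "access forbidden by rule" entry
        # Ignore any query string when comparing the requested path.
        if m.group("uri").split("?", 1)[0] != path:
            continue
        if m.group("client") in own_ips:
            self_checks += 1  # Magento probing itself, as the answer describes
        else:
            external[m.group("client")] += 1  # someone else asked for the file
    return self_checks, external

# Constructed sample lines using documentation IP ranges, not real log data.
TAIL = ', server: www.example.com, request: "%s HTTP/1.1", host: "www.example.com"'
SAMPLE = [
    '2015/07/13 05:50:44 [error] 1371#0: *491517 access forbidden by rule, '
    'client: 192.0.2.10' + TAIL % 'POST /app/etc/local.xml',
    '2015/07/13 06:02:11 [error] 1371#0: *491802 access forbidden by rule, '
    'client: 203.0.113.7' + TAIL % 'GET /app/etc/local.xml',
    '2015/07/13 06:02:12 [error] 1371#0: *491803 access forbidden by rule, '
    'client: 203.0.113.7' + TAIL % 'GET /app/etc/local.xml?x=1',
    '2015/07/13 06:05:00 [error] 1371#0: *491900 access forbidden by rule, '
    'client: 198.51.100.4' + TAIL % 'GET /var/log/system.log',
    '2015/07/13 06:06:00 [error] 1371#0: *491950 open() "/srv/www/favicon.ico" '
    'failed (2: No such file or directory), client: 198.51.100.4'
    + TAIL % 'GET /favicon.ico',
]

if __name__ == "__main__":
    own, others = triage(SAMPLE, own_ips={"192.0.2.10"})
    print("self-checks:", own)
    print("other clients denied local.xml:", dict(others))
```

Denied entries from the server's own address are the expected self-check; entries from other addresses show the deny rule doing its job against outside requests.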

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange