406 Not Acceptable and Apache mod_security

Maybe you saw my YM status rant a few days ago—406 Not Acceptable. (With “WTF! WP 2.1 sucks!” appended.) Or maybe not. Either way, I tried looking up why I was getting that error, but found no real clues except a hint at a certain .htaccess fix. And I didn’t see the connection between an HTTP response code and an .htaccess edit, especially when you read something like this, so I ignored it.

Today, I had the same unacceptable problem on a non-WordPress site and this worried me more. It’s a corporate site. If I couldn’t figure it out I’d probably die of shame and/or ignorance. Maybe because the chances of finding support for that type of problem were lower than if you were addressing a WordPress-related one, given its large community and all.

I couldn’t find anything substantial. I found a PHP bug report. I saw something on Drupal. Not helpful either. Several more email discussion lists on various topics. Now something’s fishy here. There’s no clear common denominator in any of these leads!

I gave up, did other work, checked my mail, and Googled once more. Then I found Urban Giraffe’s entry.

Some Googling later and I found information about an optional Apache module called mod_security. This is a very nice module that acts as an Apache firewall – it blocks a lot of the usual routes that people use to hack websites. In particular it scans POST requests (sent when you “save” something on a website), and displays a 406 error for anything controversial. Bingo!

Hmm. Okay. Humor me.

The reason I’m documenting these frustrating few hours of my life is in the hope that it may prove useful to someone else. It appears that mod_security, if configured aggressively, can cause a lot of problems and these may manifest themselves in Mambo, WordPress, or any piece of web software.

The solution was very simple. The following lines were added to the .htaccess file to disable mod_security:

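<IfModule mod_security.c>
# Turn off the mod_security filtering engine for this directory
SecFilterEngine Off
# Stop inspecting POST request bodies
SecFilterScanPOST Off
</IfModule>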

And that is the solution I first saw a few days ago. At least things seemed fixed after I tried it.
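Before switching the filter off for a whole site, it helps to see which URLs are actually returning 406 and whether only POSTs are affected. The following is an added example, not part of the original post or of Urban Giraffe's entry: it tallies 406 responses per path from an Apache access log, assuming the common/combined log format. The sample lines and function names are constructed for illustration, and the "only POSTs fail" test is a heuristic, since Apache's own content negotiation can also return 406.

```python
import re
from collections import defaultdict

# Apache common/combined format: host ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2007:10:01:02 +0800] "GET /wp-admin/post.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2007:10:02:40 +0800] "POST /wp-admin/post.php HTTP/1.1" 406 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2007:10:03:11 +0800] "POST /wp-admin/post.php HTTP/1.1" 406 412 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2007:10:05:00 +0800] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2007:10:05:30 +0800] "POST /contact.php?ref=home HTTP/1.1" 406 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2007:10:06:00 +0800] "GET /docs/manual HTTP/1.1" 406 388 "-" "curl/7.16"
203.0.113.7 - - [10/Feb/2007:10:07:00 +0800] "POST /search.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
this line is malformed and is skipped
"""


def summarize_406(log_text):
    """Return {path: {"post_406", "other_406", "ok"}} for every path that saw a 406."""
    stats = defaultdict(lambda: {"post_406": 0, "other_406": 0, "ok": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # group by path, drop query string
        status = m.group("status")
        if status == "406":
            key = "post_406" if m.group("method") == "POST" else "other_406"
            stats[path][key] += 1
        elif status[0] in "23":
            stats[path]["ok"] += 1
    return {p: s for p, s in stats.items() if s["post_406"] or s["other_406"]}


def likely_body_filter_paths(log_text):
    """Heuristic: paths where only POSTs get 406 while other requests succeed."""
    return sorted(p for p, s in summarize_406(log_text).items()
                  if s["post_406"] and not s["other_406"] and s["ok"])


if __name__ == "__main__":
    for path in likely_body_filter_paths(SAMPLE_LOG):
        print(path, summarize_406(SAMPLE_LOG)[path])
```

Paths that this reports are the candidates for a narrowly scoped exception; a path such as `/docs/manual` in the sample, where a GET receives the 406, points to something other than POST scanning.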

Assuming debugging is done through trial and error and following the post hoc ergo propter hoc fallacy, the lesson here is that if you’re onto something, it’s probably correct.

Second, you can’t find everything on Google the first time around. After scouring one results page after the other, you have to modify your search phrases. If that isn’t enough, use—gasp!—other search engines.

Third and most important of all, keep on blogging. You never know whom you might end up helping. Thanks Urban Giraffe!

Design + code + words for a better web, made in the Philippines by Sophia Lucero.