Api Page Not Found

tbirnseth · January 8, 2018, 12:00am

Went to implement a new entity for an addon but finding during testing that the api is always returning page not found.

I.e. doing:

curl --user [MY ADMIN USER EMAIL]:[MY API KEY] -X GET https://[SITE].com/api/products/12

always generates a 404 page not found page. But doing

url --user [MY ADMIN USER EMAIL]:[MY API KEY] -X GET https://[SITE].com

will return the homepage of the site but anything with /api will return page not found.

Assuming this is something simple in config but not sure what and would appreciate any pointers.

And yes, the user is enabled for API and I cut/pasted the API key.

tbirnseth · January 27, 2018, 12:00am

Okay, after many back and forth's with helpdesk (normal 1 message per day) and my hosting company, the answer for this problem is:

helpdesk - mod_security is causing the problem but they can't tell me which rule to disable and recommend disabling modsecurity entirely. But it cost me 20 support credits.

My hosting - identified the rule as 990011 which has to do with an issue of the user-agent of the request (assuming because this is done via command line). It took my hosting 3 days to figure out where to disable the rule for easy-apache 4. And of course, they disable it for the engine and not on a site-by-site basis.

Seems like there should be a way to disable the rule by adding something like:

SecRuleRemoveById 990011

in the .htaccess file rather than having to comment out the rule in the 01_base_rules.conf file located in the /etc/apache2/conf.d/imh-modsec directory!!

If someone knows how to do this via .htaccess, please advise and you'd be a God in my eyes!

Still unclear why it's generating a 404 given the rule says it should generate a 406 (all modsecurity rules are supposed to generate 406).

thetool · April 7, 2018, 12:00am

Hey Tony. I was just searching around to see how safe it was to use modsecurity with CSC and came across this post. I don't know if you figured it out or not but you can use ConfigServer ModSecurity Control (cmc) to disable rules for individual accounts instead of globally.

tbirnseth · April 7, 2018, 12:00am

Generally, that's probably true. My hosting has their own instance of the rules setup so it makes it more difficult. I just did it globally since 9 out of 10 of my sites run some instance of cs-cart and most of them are development or test sites. But do appreciate the pointer.

bazzaretta · September 4, 2018, 12:00am

If you're on CPanel, check the api.php file permission - it should be 755 (no group write). Hope this helps someone!