#34823 – Akeeba page not found url's in my cms

Posted in ‘Akeeba Solo (standalone)’
Thursday, 11 March 2021 05:39 CST
Joris

Hi Nicholas,

 

I have installed the Akeeba backup Solo on domainname.nl/backup

After installation and configuration the Drupal on main domain gives page not found errors.

page not found 11/03/2021 - 12:28 backups
page not found 11/03/2021 - 12:28 backups/akaccesscheck...
page not found 11/03/2021 - 12:27 backups
page not found 11/03/2021 - 12:27 backups/akaccesscheck...
page not found 11/03/2021 - 12:26 backups Anoniem
page not found 11/03/2021 - 12:26 backups/akaccesscheck...
page not found 11/03/2021 - 12:26 backups
page not found 11/03/2021 - 12:26 backups/akaccesscheck...
page not found 11/03/2021 - 12:26 backups
page not found 11/03/2021 - 12:26 backups/akaccesscheck

I run wget crons every night (well last night first one) and those are working.

Any idea what could cause this?

Custom Fields

PHP version (in x.y.z format) 7.3
Akeeba Solo version (x.y.x) n/a
 
Thursday, 11 March 2021 05:57 CST
nicholas

This is not an error. It's Akeeba Solo checking the security of your backup output directory.

If your backup output directory is open to the public for reading it is a security risk. An attacker may guess correctly where your backups are stored — especially if you are using the default backup output directory. Guessing the correct backup filename is fairly trivial because most people will use the default backup archive file naming pattern of site-hostname-date-time and take their backups around whole hours, especially between 11pm and 6am. This means that an attacker would be able to try a few hundred URLs in just under 1 minute and download your backup archives.

Akeeba Solo has two defences against that. The first defence is putting a specially constructed .htaccess and a web.config file in the backup output directory. On most Apache, Litespeed and IIS servers this will forbid direct access to the files inside that folder. However, we have no way of knowing that unless we test for access. Akeeba Solo does that by creating a small file inside that folder and trying to access it over an HTTP(S) connection back to your site. If that fails an error is recorded in your Apache error log (403 access forbidden) which is a GOOD THING.

If Akeeba Solo can access this file over the HTTP(S) connection it will instead forcibly add the -[RANDOM] suffix to your backup filenames, i.e. it will add a dash followed by 16 random alphanumeric, mixed case characters. This addresses the potential security issue by increasing the search space by a few hundreds of billions times. That is to say, an attacker would have to test hundreds of billions of URLs before they could download your backups. This would take hundreds of millions of times longer than the Earth has been around, i.e. it's practically impossible.



Nicholas K. Dionysopoulos

Lead Developer and Director



🇬🇷Greek: native

🇬🇧English: excellent

🇫🇷French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



Thursday, 11 March 2021 08:37 CST
Joris

I understand, this is important :-)

I do not save the files there, always uploading to Dropbox.
And always use the Random code.

Also from the check it looks like it goes to domain.nl/backups
While the backup folder is in domain.nl/backup/backups
Is it possible it checks at the wrong location?

Is it possible to disable this check to not fill the cms with errors?

 
Thursday, 11 March 2021 09:13 CST
nicholas

The URL is determined by the Solo URL and the path of the backup output folder relative to the Solo URL root. 

The Solo URL is reported by the browser but can be overridden in the configuration. If it's detected wrong, try overriding it.

You cannot disable this check. It's a security feature. It only occurs when you visit Solo's Control Panel page.



Nicholas K. Dionysopoulos

Lead Developer and Director



🇬🇷Greek: native

🇬🇧English: excellent

🇫🇷French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
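
An added Python example, not part of the ticket and not Akeeba Solo's own code, of the check nicholas describes in his two replies: build the probe URL from the Solo URL plus the output folder's path relative to Solo's root, request it, and append the 16-character suffix only when the file is readable. The filesystem paths, the `probe.txt` file name and the rule that any 2xx status means "readable" are assumptions.

```python
import posixpath
import secrets
import string
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

ALPHANUM = string.ascii_letters + string.digits  # mixed-case letters and digits


def probe_url(solo_url, solo_root, output_dir, probe_name):
    """Solo URL + path of the output folder relative to Solo's root + probe file."""
    rel = posixpath.relpath(output_dir, solo_root)
    if rel == ".." or rel.startswith("../"):
        return None  # folder is outside Solo's root, so no URL under Solo maps to it
    parts = urlsplit(solo_url)
    path = posixpath.join(parts.path.rstrip("/") + "/", rel, probe_name)
    return urlunsplit((parts.scheme, parts.netloc, posixpath.normpath(path), "", ""))


def fetch_status(url, timeout=5):
    """HTTP status of a GET for the probe file; 0 if the request cannot be made."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 403 from .htaccess/web.config, 404 from the CMS
    except (urllib.error.URLError, OSError):
        return 0


def archive_name(base, status):
    """Append -[RANDOM] only if the probe was readable (assumption: any 2xx)."""
    if 200 <= status < 300:
        suffix = "".join(secrets.choice(ALPHANUM) for _ in range(16))
        return f"{base}-{suffix}"
    return base


if __name__ == "__main__":
    # Constructed paths and file name; the hostname is the ticket's placeholder.
    root, out = "/var/www/html/backup", "/var/www/html/backup/backups"
    for solo in ("https://domainname.nl/backup", "https://domainname.nl"):
        print(solo, "->", probe_url(solo, root, out, "probe.txt"))
    print(archive_name("site-domainname.nl-20210311-020000", 200))
```

If the Solo URL is taken as `https://domainname.nl` instead of `https://domainname.nl/backup`, the probe path becomes `/backups/...` on the main domain, which is the shape of the entries in the CMS log above.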



Saturday, 10 April 2021 20:17 CDT
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.