May 10, 2011

client denied by server configuration: app/etc/local.xml

Yireo Blog Post

You might have seen it in your Apache logs: with Magento sites, your webserver might log messages stating that access to the file app/etc/local.xml was denied. The denial itself is good, because web-access to the Magento local.xml file could indicate serious security problems. But what is causing this behaviour, and how do you stop it from happening?

Magento checks for security

The message looks something like the following:

client denied by server configuration: MAGENTO_DIR/app/etc/local.xml

If you check a bit further, you might notice that this message occurs when you try to visit the file app/etc/local.xml from within your browser. This is very good, because htaccess-rules should exist to block access to this XML-configuration file, which contains, amongst other things, sensitive information about your database.

But you might also notice that this message is actually logged by Apache for every page in the Magento Admin Panel. If the Magento backend is visited a lot, this floods the Apache logs - or even worse, it slightly degrades the performance of your backend.

Magento security notifications

This behaviour can be traced down to the following PHP-class:

app/code/core/Mage/Adminhtml/Block/Notification/Security.php

That class contains a method that tries to fetch app/etc/local.xml through cURL, and if this succeeds it generates a security error. But if you're a site administrator and you know for sure that your security is up to date, you might want to get rid of the message.

Getting rid of the security notification

To get rid of this security check, do not attempt to hack the Magento core (as some forum threads have suggested in the past). Instead, you can just modify the admin-theme to remove this check. Open up the following file or create it if it does not exist:

app/design/adminhtml/default/default/layout/local.xml

Then add the following code to it:

{snippet tutorials/magento_disable_notification.xml}

This removes the blocks notification_security and notification_survey from the backend pages entirely, therefore skipping the security check. No core hacks involved.
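The snippet referenced above is not reproduced on this page. As an added example, not the original snippet, this is what such a layout update looks like in Magento 1, assuming the `version="0.1.0"` layout root and the `default` handle that Magento 1 adminhtml layout files use; the two block names are the ones named above:

```xml
<?xml version="1.0"?>
<!-- app/design/adminhtml/default/default/layout/local.xml (added example, not the page's snippet) -->
<layout version="0.1.0">
    <!-- The "default" handle applies to every Admin Panel page, so the
         blocks are removed before the cURL self-check in
         Mage_Adminhtml_Block_Notification_Security ever runs. -->
    <default>
        <!-- Block that fetches app/etc/local.xml over HTTP on every backend page -->
        <remove name="notification_security"/>
        <!-- Survey notification block, removed as well -->
        <remove name="notification_survey"/>
    </default>
</layout>
```

Keep the htaccess-rules that deny web access to app/etc/local.xml in place: this layout change only silences the reminder, it does not replace the protection itself.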


About the author

Author Jisse Reitsma

Jisse Reitsma is the founder of Yireo, extension developer, developer trainer and 3x Magento Master. His passion is for technology and open source. And he loves talking as well.
