2

Short version: We'd like Apache to catch when a 500 status is given and return something like 404 instead. Is there a way to do this?

Longer version: These servers are running applications that aren't ours, and they recently failed a PCI compliance scan because of the 500 status errors they can throw if you mess with the Host. In the long run we'll move them to a different network so they don't need to be PCI compliant, but in the short run we'd like a quick fix and just not show the 500 status that the applications return. Both applications this is happening with accept their requests through Apache.

I am hoping/assuming this would be a mod_rewrite rule, but don't know how to make mod_rewrite change based on status code.

William W

3 Answers

2

If I understand correctly, you want to catch the 500 error status in the logs while presenting a regular error looking page to your customers and scanners.

Some web shops do this to "hide" the more serious errors on their website from attackers. A page which generates a 500 error status may be a good target in a DoS attack. Scan the site to find the page which generates a 500 server error, hammer away at those pages, trigger the bad code over and over, wait for the database to melt down underneath.

You can present custom error pages using ErrorDocument 500 /yourerrorpage.html

http://httpd.apache.org/docs/2.2/custom-error.html

Stefan Lasiewski
  • I haven't had luck actually changing the status code to a different one, but I think this should be enough for the scan by just having it display a very generic message. – William W Jun 11 '13 at 22:12
1

A PCI scan failure due to a 500 error? That's a bit strange. Anyway...

Set up a default VirtualHost (you should already have one) that serves nothing; any requests made to it should then result in a 404.

<VirtualHost *:80>
ServerName *
DocumentRoot /var/empty
</VirtualHost>

Michael Hampton
  • I'm pretty sure our scan just flags any 500 pages it finds regardless of their content. I told them I think it's a false positive, but I'm not in charge of the scan. – William W Jun 11 '13 at 22:09
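The two configuration answers above (the custom ErrorDocument and the default VirtualHost) combined into one fragment. This is an added example, not configuration posted by either answerer; it uses Apache 2.2 syntax, and `app.example.com`, `default.invalid` and the `/var/www/errors` path are placeholders.

```apache
# Added example, Apache 2.2 syntax. app.example.com, default.invalid and the
# /var/www/errors path are placeholders, not values from the page.
NameVirtualHost *:80

# Catch-all: the first <VirtualHost> listed for *:80 is the default, so any
# request whose Host header matches no ServerName/ServerAlias ends up here.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/empty
    # Answer every path with 404, independent of directory permissions.
    Redirect 404 /
</VirtualHost>

# The application's own vhost (its existing directives stay as they are).
<VirtualHost *:80>
    ServerName app.example.com

    # The argument must be a local URL path starting with "/"; a bare file
    # name is sent to the client as literal message text instead.
    ErrorDocument 500 /errors/generic.html
    Alias /errors/ /var/www/errors/
    <Directory /var/www/errors>
        Order allow,deny
        Allow from all
    </Directory>

    # Assumption: if the application is reached through mod_proxy, these two
    # directives are needed too, with the exclusion placed before the
    # existing ProxyPass lines so the error page is served locally.
    # ProxyErrorOverride On
    # ProxyPass /errors/ !
</VirtualHost>
```

With a local path as the ErrorDocument target, Apache replaces only the response body and still sends the 500 status line.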
0

This would be better done using an output filter than a rewrite rule.

A mod_rewrite rule would have to make a subrequest on the side, then decide what URL to serve based on what it returned. If the subrequest is successful, the content would still be discarded, and you would have to repeat the transaction as the main request.

On the other hand, an output filter can intercept the 500 response and transform it into a 404.

200_success
  • I'll have to read up on output filters as they seem a little complicated. For now we're re-doing the scan with it still just a 500 status, but replacing their error message with a generic one. – William W Jun 11 '13 at 22:12