Online Customers Randomness


I was recently working on an installation of Magento for a friend of mine when I noticed that on the Online Customers page of the admin, there were 10+ requests for the ./app/etc/local.xml file. Most Magento users will know that local.xml is a file that stores some crucial data for Magento. My immediate response was oh crap my site is being hacked. I immediately used .htaccess to block the IP from the site in general. After this the pings stopped.

Later I went back and removed the ban just to see if it was still happening, and it was. After this I ran a traceroute on the IP address and got a curious result. It was my web server pinging my file. This confused me to the point that I sent a support request in to find out more. Unfortunately they didn't know.

After further investigation, I came across a thread on the Magento forums (Client denied by server configuration) that shed some light on the issue. It turns out that this is a security check that Magento added in 1.4. The basics of it are that it tries to fetch the URL of the ./app/etc/local.xml file over HTTP to verify that it can't be reached from the outside. If it can be reached, a warning message is displayed in the admin.

This is all fine and dandy, but it does have its drawbacks. First up, it does this check on every page in the admin. So no matter what you do, it checks. This can cause delays in page load that aren't really needed. In addition to this, it causes server load you don't really need once everything is set up: the entire core of Magento is loaded and processed for the request, when it doesn't need to be. This also causes 404 errors in the Apache log, in addition to all the entries on the Online Customers page requesting ./app/etc/local.xml. All of this is redundant and thankfully easily fixed.

This check is run by the Magento block file ./app/code/core/Mage/Adminhtml/Block/Notification/Security.php. While the Client denied thread at the Magento Forums just modifies this file, there is a better way. PLEASE!!! DO NOT MODIFY the Magento core files. Try to avoid even copying the file over to the local code pool (./app/code/local). There is generally another way to fix the issue, especially if it's a block.

As a general rule, a lot of blocks can be controlled via the XML files in the layout folder of the skin. Since the admin is a skin (./app/design/adminhtml), this rule applies here as well. If you open ./app/design/adminhtml/default/default/layout/main.xml, you should see a line that looks like:

<block type="adminhtml/notification_security" name="notification_security" as="notification_security" template="notification/security.phtml"></block>

This is the line that enables the security block. All you have to do is comment out this line, or remove it. Once it is removed, delete your ./var/cache folder and check the Online Customers page. You should no longer see any calls to the ./app/etc/local.xml file.

Please note that *technically*, if you want to be fully correct, you should define your own custom admin skin and override the admin layout and the block that's loaded...but that's just a little much in my opinion. Your call.
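Removing the block also removes the only automated warning that local.xml is reachable from the outside, so it is worth running that check yourself once (and again after any web server change) rather than on every admin page load. The script below is an added example, not code from the original post or from Magento: it fetches the same file the block used to fetch and reports whether the server hands it out. The base URL and the list of paths are placeholders I constructed for the example; `fetch`, `check_path` and `audit` are my own names.

```python
"""One-off check that Magento's app/etc/local.xml (and similar files) are not
served over HTTP. Added example; replicates the intent of the removed admin
block as a command you run from the shell or from cron."""
import sys
import urllib.error
import urllib.request

# Files under app/ and var/ that should never be reachable through the web
# server. Constructed list for this example; extend it for your deployment.
SENSITIVE_PATHS = (
    "app/etc/local.xml",
    "app/etc/config.xml",
    "var/log/system.log",
)


def fetch(url, timeout=10):
    """GET one URL and return (status, first 4 KiB of body).

    HTTP errors (403, 404, ...) map to their status code with an empty body;
    connection failures map to status 0.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "local-xml-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def looks_like_config(body):
    """Heuristic: a 200 whose body is an XML config, not a branded error page
    or a login page that the server returned with status 200."""
    lowered = body.lower()
    return "<?xml" in lowered or "<config" in lowered


def check_path(base_url, path, fetcher=fetch):
    """Classify one path as 'exposed', 'blocked' or 'unreachable'."""
    status, body = fetcher(base_url.rstrip("/") + "/" + path)
    if status == 200 and looks_like_config(body):
        return "exposed"
    if status == 0:
        return "unreachable"
    # 403 from the shipped app/.htaccess, a 404, or a redirect to a login
    # page all mean the file itself was not handed out.
    return "blocked"


def audit(base_url, paths=SENSITIVE_PATHS, fetcher=fetch):
    """Return {path: verdict} for every path; 'exposed' entries need attention."""
    return {path: check_path(base_url, path, fetcher) for path in paths}


if __name__ == "__main__":
    # Placeholder host; pass your own store URL as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://shop.example.invalid"
    results = audit(base)
    for path, verdict in results.items():
        print(f"{verdict:11s} {path}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

The `fetcher` parameter exists so the classification logic can be exercised against canned responses without a network; in normal use the default `fetch` is used and a non-zero exit status from the script is what a cron job or deploy script should alert on.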

Links
client denied by server configuration (Magento 1.4.2.0)

This entry was posted in Magento.