[Solved] Header showing 200 OK but title 400 Bad Request

Discussion in 'General' started by thehelpdesk, Jan 5, 2012.

  1. thehelpdesk

    thehelpdesk Member

    We're having trouble passing PCI Compliance testing because it seems that LiteSpeed Web Server is outputting a 200 OK header with just a title of 400 Bad Request. How can we get LSWS to stop this behavior?

    We have tried different LSWS versions with and without custom ErrorDocument statements. The current LSWS version is installed, Enterprise 4.1.9.

    Here is an example (with the domain name changed) of the test failure:

    [root@server /]# curl --max-time 10 -iskL 'http://www.domain.com:443/info.php'
    HTTP/1.0 200 OK
    Cache-Control: private, no-cache, max-age=0
    Pragma: no-cache
    Connection: Close

    <html><head><title>400 Bad Request</title></head><body>
    <h2>HTTPS is required</h2>
    <p>This is an SSL protected page, please use the HTTPS scheme instead of the plain HTTP scheme to access this URL.<br />
    <blockquote>Hint: The URL should starts with <b>https</b>://</blockquote> </p>
    <hr />
    Powered By LiteSpeed Web Server<br />
    <a href='http://www.litespeedtech.com'><i>http://www.litespeedtech.com</i></a>

  2. webizen

    webizen Well-Known Member

    try https instead.

  3. thehelpdesk

    thehelpdesk Member

    That is not an option. The command line that I listed is what McAfee Secure servers are running intentionally to test the server for PCI Compliance. The actual file info.php does not exist, it's part of their test of the web server software.

    All of our other web servers pass the test just fine (Apache and IIS). However, our LSWS servers will not pass the test. McAfee indicates this is an error on the part of the web server and will not pass any of our sites on the LSWS servers or grant an exception.

  4. mistwang

    mistwang LiteSpeed Staff

    Looks like the Apache reply does not have any response header, just the response body directly.
    Can you confirm it? We certainly can change the LiteSpeed response accordingly.

  5. thehelpdesk

    thehelpdesk Member

    While we cannot confirm what the ASV is looking for (they won't tell us), it would be safe to assume, based on their responses, that the problem is the status code 200 OK that LSWS is returning.

    You are correct that Apache and other servers appear to just return a blank header and just the body. An example of a passing server is below:

    [root@server /]# curl --max-time 10 -iskL 'http://www.domain.com:443/info.php'
    <title>400 Bad Request</title>
    <h1>Bad Request</h1>
    <p>Your browser sent a request that this server could not understand.<br />
    Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
    Instead use the HTTPS scheme to access this URL, please.<br />
    <blockquote>Hint: <a href="https://domain.com/"><b>https://domain.com/</b></a></blockquote></p>
    [root@server /]#
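A small checker, added here as an example (not code from the thread, LiteSpeed or McAfee), that reads a raw reply the way the ASV's `curl -i` output would be read and separates the three cases seen above: the LSWS 4.1.9 reply (status line says 200, title says 400), the Apache reply (no status line at all), and a reply whose status line itself is 4xx. The two sample replies are constructed from the captures in this thread, with the same domain-name substitution.

```python
import re

# Constructed samples, copied from the two curl captures in this thread.
LSWS_4_1_9 = (                                   # failing reply
    "HTTP/1.0 200 OK\r\n"
    "Cache-Control: private, no-cache, max-age=0\r\n"
    "Pragma: no-cache\r\n"
    "Connection: Close\r\n"
    "\r\n"
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h2>HTTPS is required</h2>\n"
)
APACHE = (                                       # passing reply: no status line at all
    "<title>400 Bad Request</title>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
)

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3}) ")
TITLE_CODE = re.compile(r"<title>\s*(\d{3})\b", re.IGNORECASE)

def parse_raw_response(raw):
    """Return (status_code, title_code); either is None when absent.
    A reply with no HTTP status line (HTTP/0.9 style, as the Apache
    capture shows) has status None and is treated entirely as body."""
    m = STATUS_LINE.match(raw)
    if m:
        status = int(m.group(1))
        _head, sep, body = raw.partition("\r\n\r\n")
        if not sep:  # tolerate bare-LF header/body separators
            _head, sep, body = raw.partition("\n\n")
    else:
        status, body = None, raw
    t = TITLE_CODE.search(body)
    return status, (int(t.group(1)) if t else None)

def classify_reply(raw):
    """Classify a reply to plain HTTP sent to the TLS port.
    'mismatch' is the LSWS 4.1.9 behaviour: a 2xx status line over a
    body whose title announces a 4xx error, which the scan rejected."""
    status, title = parse_raw_response(raw)
    if status is None:
        return "no-status-line"
    if status >= 400:
        return "error-status"
    if title is not None and title >= 400:
        return "mismatch"
    return "ok"
```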

  6. webizen

    webizen Well-Known Member

    Will let you know once a fix is available.

  7. mistwang

    mistwang LiteSpeed Staff

    Please try the latest build of 4.1.10.

  8. thehelpdesk

    thehelpdesk Member

    With the upgrade to version 4.1.10 the issue appears to now be fixed. LSWS is returning a page without the header status. There's no doctype, but the return value is now passing the ASV tests.
