access forbidden by rule /.well-known/ directory – All things in moderation


The /.well-known directory access forbidden by rule

Sometimes you may notice requests to the /.well-known directory in your error log file:

[error] 11830#11830: *1947 access forbidden by rule, client: x.x.x.x, server: wwww.example.com, request: "GET /.well-known/apple-app-site-association HTTP/1.1", host: "example.com"
[error] 11830#11830: *1954 access forbidden by rule, client: x.x.x., server: wwww.example.com, request: "GET /.well-known/assetlinks.json HTTP/1.1", host: "example.com"

So, what is this?

What is the /.well-known directory?

The .well-known subdirectory is defined by RFC 5785.
Here is some information from it that you should consider:
“It is increasingly common for Web-based protocols to require the discovery of policy or other information about a host (“site-wide metadata”) before making a request. For example, the Robots Exclusion Protocol http://www.robotstxt.org/ specifies a way for automated processes to obtain permission to access resources; likewise, the Platform for Privacy Preferences [W3C.REC-P3P-20020416] tells user-agents how to discover privacy policy beforehand.”

“To address this, this memo defines a path prefix in HTTP(S) URIs for these “well-known locations”, “/.well-known/”. Future specifications that need to define a resource for such site-wide metadata can register their use to avoid collisions and minimise impingement upon sites’ URI space.”

The /.well-known/assetlinks.json file

The assetlinks.json file is part of the Digital Asset Links protocol, which allows website owners to link URLs with native apps and to share credentials with other websites:

The Digital Asset Links protocol and API enable an app or website to make public, verifiable statements about other apps or websites. For example, a website can declare that it is associated with a specific Android app, or it can declare that it wants to share user credentials with another website.
For more information, visit https://developers.google.com/digital-asset-links/v1/getting-started

The /.well-known/apple-app-site-association file

The apple-app-site-association file is used for Apple’s Universal Links.
“When you support universal links, iOS users can tap a link to your website and get seamlessly redirected to your installed app without going through Safari. If your app isn’t installed, tapping a link to your website opens your website in Safari.”
For more information, visit https://developer.apple.com/library/content/documentation/General/Conceptual/AppSearch/UniversalLinks.html
Both assetlinks.json and apple-app-site-association serve a similar purpose: they allow the site operator to instruct a visitor’s device to open the site in an associated app rather than in the (mobile) browser. Requests for these files are therefore expected traffic from mobile platforms, not something that needs to be blocked.

Why some servers prevent access to the /.well-known directory

Many web server configurations contain a rule that denies access to any path that starts with a dot “.”. The reasoning behind it is that such paths might give away sensitive information, like a .git or .svn directory (which probably shouldn’t even be on your web server in the first place). A blanket rule of that kind also catches /.well-known, which is what produces the log entries above.
Here are some solutions:
If you have that directory, you can add a location block like the one below to your nginx configuration:

# A prefix match with ^~ takes precedence over any regex location, so this
# stays allowed even when a later rule denies hidden (dot) paths. The original
# "location ~ /.well-known" used an unescaped dot in a regex, which also
# matched paths such as /xwell-known.
location ^~ /.well-known/ {
    allow all;
}

If you want to keep blocking other hidden paths while still allowing /.well-known, a single regex rule can do both:

# Deny every path containing a dot-prefixed segment (.git, .svn, .htaccess, ...)
# except /.well-known, which the negative lookahead excludes from the match.
location ~ /\.(?!well-known).* {
    deny all;
    access_log off;
    log_not_found off;
}
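Once the rules above are in place, the remaining “access forbidden by rule” entries are worth triaging: a mobile client fetching /.well-known files is expected, while a client walking /.git or /.svn is exactly what the deny rule exists for. The following Python script is an added example (not from the original post) that parses log lines in the format shown above and counts denied requests per client and category; the sample lines, client addresses and request paths are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the nginx error-log entries quoted
# above; the client addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
[error] 11830#11830: *1947 access forbidden by rule, client: 192.0.2.10, server: www.example.com, request: "GET /.well-known/apple-app-site-association HTTP/1.1", host: "example.com"
[error] 11830#11830: *1954 access forbidden by rule, client: 192.0.2.10, server: www.example.com, request: "GET /.well-known/assetlinks.json HTTP/1.1", host: "example.com"
[error] 11830#11830: *1960 access forbidden by rule, client: 198.51.100.7, server: www.example.com, request: "GET /.git/config HTTP/1.1", host: "example.com"
[error] 11830#11830: *1961 access forbidden by rule, client: 198.51.100.7, server: www.example.com, request: "GET /.svn/entries HTTP/1.1", host: "example.com"
[notice] 11830#11830: signal process started
"""

# Fields of an "access forbidden by rule" entry as nginx writes them.
LINE_RE = re.compile(
    r'access forbidden by rule, client: (?P<client>[^,]+), server: [^,]+, '
    r'request: "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+", host: "(?P<host>[^"]+)"'
)


def classify(path):
    """Label a denied path: expected /.well-known lookup, other hidden path, or plain."""
    if path.startswith("/.well-known/"):
        return "well-known"   # app-association and similar RFC 5785 lookups
    if "/." in path:
        return "hidden"       # e.g. /.git, /.svn: the deny rule is doing its job
    return "other"


def parse_forbidden(log_text):
    """Return one dict per forbidden request; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["category"] = classify(event["path"])
            events.append(event)
    return events


def count_by_client(events):
    """Per-(client, category) counts, the view used to triage the error log."""
    return dict(Counter((e["client"], e["category"]) for e in events))


if __name__ == "__main__":
    for (client, category), n in sorted(count_by_client(parse_forbidden(SAMPLE_LOG)).items()):
        print(f"{client:16} {category:12} {n}")
```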

References

https://tools.ietf.org/html/rfc5785
nginx-disable-htaccess-and-hidden-files-but-allow-well-known-directory
well-known-directory-webservers-aka-rfc-5785
