High server CPU with proxy login

Resolved haleeben
(@haleeben)

9 years, 11 months ago
Hey guys

I’m staying at a hotel and used their wifi to try to login to WordPress.

After I entered my details it would just load the login page again without any error message.

Then after a short amount of time I got notices from my server that the CPU was up to 90% ( it is usually around < 10% ).

After alot of debugging and mucking around I realised it was caused by the option Forbid Proxy Comment Posting.

Removing the code below from the .htaccess file solved the problem.
```
#AIOWPS_FORBID_PROXY_COMMENTS_START
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]
#AIOWPS_FORBID_PROXY_COMMENTS_END
```
I’m presuming it has something to do with the hotel wifi internet access using a proxy.

https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

Viewing 3 replies - 1 through 3 (of 3 total)

Plugin Contributor mbrsolution
(@mbrsolution)

9 years, 11 months ago

Hi haleeben, yes it might have to do with the wifi proxy settings in the hotel however that should not increase your sever CPU so much. I don’t receive any spike in my server and I also have that security option enabled.

Do you have any other security plugin installed?

Regards.
Thomas O.
(@thomas-o)

9 years, 11 months ago
I’m pretty sure that code is a bit in error. You cannot concatenate conditions like that. You could use atomic back references to do a comparison, but it still wouldn’t work like that.

Also, using the “everything pattern” at the end of a string is not needed, because it means the same thing whether it is there or not. So why use it?

And I’m not aware of any proxy condition using HTTP headers that would be an internal request. So you shouldn’t need the NS flag. Nor should you need the L flag, because L is assumed with F.
http://httpd.apache.org/docs/2.2/rewrite/flags.html#flag_f
```
RewriteCond %{REQUEST_METHOD} ^POST
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_HOST} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/wp-(login.php|admin/|content/plugins/|includes/) [NC]
RewriteRule .* - [F]
```
I’ve included a bonus condition in there if you can find it. 🙂

But that brings up another question. If you’re only wanting to use this with comments, why use that request_uri condition. Why not just make it for the file itself. This code below is much smoother:
```
RewriteCond %{REQUEST_METHOD} ^POST
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_HOST} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule wp-comments-post\.php - [F]
```
mra13
(@mra13)

9 years, 11 months ago

@thomas, Thank you for the good suggestions. We will make some changes to this feature.