apache 2.4 authz_core issue

Resolved tamramc
(@tamramc)

5 years, 10 months ago

I’m trying to make adjustments to secure htaccess w/ apache 2.4.
Limit directives need to be changed to Require instead of Allow from Deny from.

the following error appears in log for your plugin:

[Sun May 17 23:48:33.892427 2020] [authz_core:error] [pid 23750] [client xxx.xxx.xxx.xx:35674] AH01630: client denied by server configuration: ./wp-content/plugins/defender-security/languages/wpdef-default.pot, referer: http://[domain-info]/wp-content/plugins/defender-security/languages/wpdef-default.pot

one thing I do see wrong: the URL for domain should be https://www not http://domain-info

but any idea what additional requirements/permissions are needed for your plugin, while all others work fine with new directive?

thanks.

Viewing 8 replies - 1 through 8 (of 8 total)

Plugin Support Imran – WPMU DEV Support
(@wpmudev-support9)

5 years, 10 months ago

Hello @tamramc

I trust you’re doing well!

The following message shows that the Defender is working as it should. It has denied access to a certain IP to access wpdef-default.pot file.

The logs showing your actual domain address that is set up from Settings > General on your site. If you have any www redirect added in an .htaccess file or on your hosting end, the Defender can’t see it.

Hope this helps!

Cheers,
Nastia
Thread Starter tamramc
(@tamramc)

5 years, 10 months ago
ooooh the irony: 😊 you stopped by w/in the 15-minutes that I was playing around w/ redirect from host, versus redirect normally in htaccess. then I disabled 301 Redirect from host because of inconsistent results.

WordPress only gives one site URL option www or non-www. with an SSL certificate, if someone enters just domain-name .com vs. http://www.domain-name .com, “unsafe errors” will occur.

but I updated to your plugin’s latest version, I have not seen server error yet. will let you know, and mark this as resolved.

thanks again.
- This reply was modified 5 years, 10 months ago by tamramc.
Thread Starter tamramc
(@tamramc)

5 years, 10 months ago
oh and stay safe you guys, and thanks for the quick response. 😊

and I forgot to mention, the IP denied was the actual host IP, not a general IP. which is why I created this topic. I figured “Require local” should be enough, as host should match local environment.

Require local or Require host hostname is required for WordPress to read wp-admin, if certain security is set in htaccess. But all other plugins were working fine, except Defender and another plugin (resolved before topic) using 2.4 authz_core syntax requirements.

but, hey I’m in pajamas and just woke up, ask me what day it is in NYC right now, and that’ll give you an idea of memory right now LOLLLL
- This reply was modified 5 years, 10 months ago by tamramc.
- This reply was modified 5 years, 10 months ago by tamramc. Reason: clarity formatting
Plugin Support Saurabh – WPMU DEV Support
(@wpmudev-support7)

5 years, 10 months ago

Hello @tamramc

We are all safe and doing great. I hope you are doing fine and safe inside your home too. About the actual host IP, do you mean to say the hosting server IP?

Could you help me understand that a bit more with a help of a screenshot or something? I’m still wondering how could defender block the host IP itself.

Should you need us to investigate and replicate this further, we would be really happy for the same. Looking forward to hearing from you. on it.

Also, it is great to know everything is back to normal as of now.

Regards,
Prathamesh Palve
Plugin Support Saurabh – WPMU DEV Support
(@wpmudev-support7)

5 years, 10 months ago
Hello @tamramc,

Adding to the last reply, the host IP could be blocked because of the difference in the URLS as you stated earlier.

Looking forward to hearing from you.

Regards,
Prathamesh Palve
- This reply was modified 5 years, 10 months ago by Saurabh - WPMU DEV Support.
Thread Starter tamramc
(@tamramc)

5 years, 10 months ago

sorry, I’m just seeing these messages because the issue has been resolved. but the original topic contained the server’s ERROR LOG entry with your info. the IP masked, yup, it’s the server’s address, same local host as site.

but possibly related to what was blocking your plugin: deprecated htaccess containers and directives which was not compatible w/ Apache 2.4. Site Health was reporting that background updates weren’t working and loopback was disabled.

once I changed htaccess from Limit container to simply Require from local, while all else was blocked, all was fine. gonna be a lotta unhappy folks, because of their security required to secure financial and personal info on WordPress. certain security directives could prevent functionality, as what was working fine one or two releases ago, now fails, until htaccess options are changed.
Thread Starter tamramc
(@tamramc)

5 years, 10 months ago
to clarify: the [client IP] is the actual server IP address (one server, multiple hosts/domains)

[Sun May 17 23:48:33.892427 2020] [authz_core:error] [pid 23750] [client xxx.xxx.xxx.xx:35674] AH01630: client denied by server configuration: ./wp-content/plugins/defender-security/languages/wpdef-default.pot, referer: http://[domain-info]/wp-content/plugins/defender-security/languages/wpdef-default.pot

the referer url was the site’s path to your plugin on the same host. the url was also not https://, which is correct because of SSL

while making sure loopback and background updates functioned, happened to notice the error, which appeared several times throughout the day.
- This reply was modified 5 years, 10 months ago by tamramc.
Plugin Support Imran – WPMU DEV Support
(@wpmudev-support9)

5 years, 10 months ago

Hello @tamramc

I hope you are doing well!

Thank you for letting us know that the issue has been resolved and thank you for providing additional information. I’ve marked this ticket as resolved. If you do have any followup questions or require further assistance feel free to reopen it and let us know here.

Kind regards,
Nastia

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘apache 2.4 authz_core issue’ is closed to new replies.