Site Scan Error After Enabling Basic Auth

(@jkzsjk)

My WordPress with (iThemes Security Plugin installed) is hosted on AWS EKS, behind NGiNX Ingress.

Ever since we have enabled basic authentication login at the path /wp-login.php, our twice daily scheduled site scan has been failing consistently with the following error:

Error The scan failed to properly scan the site.

Error Message: Unable to determine if the scan target is allowed: Scan target is not publicly accessible.

Error Code: site_verification_failed.private_host

If you contact support about this error, please provide the following debug details:

Array
    code   => site_verification_failed.private_host
    data   => Array
        url   => https://<KUBERNETES POD IP>:8443

id => 3671705
module => site-scanner
type => warning
code => scan-failure-client-error
timestamp => 2024-04-04 17:16:05
init_timestamp => 2024-04-04 17:16:05
remote_ip => <KUBERNETES NODE IP>
user_id => [empty string]
url => https://<KUBERNETES POD IP>:8443/wp-login.php
memory_current => 7023904
memory_peak => 7060576
data => Array
results => Object WP_Error
errors => Array
site_verification_failed.private_host => Array
0 => Unable to determine if the scan target is allowed: Scan target is not publicly accessible.
error_data => Array
site_verification_failed.private_host => Array
url => https://<KUBERNETES POD IP>:8443
cached => [boolean] false

This error has not appeared prior to this basic authentication login change.

Any assistance on this issue would be very much appreciated, thank you!

Viewing 14 replies - 1 through 14 (of 14 total)

Plugin Support chandelierrr
(@shanedelierrr)

2 years, 1 month ago

Hi @jkzsjk, glad you reached out!

The error message indicates that Solid Security can’t scan the site because it is not publicly accessible.

Was this site recently moved from a staging site to a live one? Which plugin version are you using, the Solid Security Pro version or the Basic version?

Also, which basic authentication are you using? Can Solid Security scan your site if the basic authentication is disabled?

Looking forward to hearing from you.
Thread Starter jkzsjk
(@jkzsjk)

2 years ago
Hi @shanedelierrr,

Thanks for the reply.

Was this site recently moved from a staging site to a live one?

No.

Which plugin version are you using, the Solid Security Pro version or the Basic version?

iThemes Security Pro, version 7.1.3 currently.

Also, which basic authentication are you using?

As mentioned, my WordPress is hosted on AWS EKS, behind NGiNX Ingress. The basic authentication is enabled via Ingress object with the following annotations:
```
nginx.ingress.kubernetes.io/auth-secret: <namespace>/<secret-name>
nginx.ingress.kubernetes.io/auth-secret-type: auth-file
nginx.ingress.kubernetes.io/auth-type: basic
```
Can Solid Security scan your site if the basic authentication is disabled?

We did try this to check, the answer is no as well. Whenever it fails, we’d notice that the Security dashboard logs would show the following:
- Host: It’s a private IP, beginning with 10 (e.g. 10.0.0.1). Upon further checking, this IP belongs to cluster’s worker node’s IP.
- URL: The URL would be https://10.0.33.21:8443/wp-login.php. This IP belongs to the WordPress deployment pod within the cluster.
Not sure what else we could be missing, looking forward to your next reply. Appreciate the help!
Plugin Support chandelierrr
(@shanedelierrr)

2 years ago

Hi @jkzsjk, thanks for the additional details.

We did try this to check, the answer is no as well.

Can you please confirm if the Site Scan ever had a successful scan on your site before? If so, it started having issues after enabling basic auth, but when you tried removing basic auth it did not help, correct?

Is your site publicly accessible? If so, can you please double-check that the Licensed URL in WP Admin > Settings > SolidWP Licensing is correct? Please try also to re-license the plugin after saving the correct Licensed URL.

If the issue persists, please try to whitelist the Site Scanner’s IP address via NGiNX Ingress to bypass the basic auth.

Please let me know how it goes!

Plugin Support chandelierrr
(@shanedelierrr)

2 years ago

Hi there,

I’m circling back here to check if the previous reply helped resolve the issue. Tracking notifications on this forum can become tricky over time, and since we haven’t received a response, I’ll mark this post resolved.

If you still require further assistance, feel free to open a new support topic, and we’d be happy to assist.

Thank you!
Thread Starter jkzsjk
(@jkzsjk)

1 year, 8 months ago
Hi, @shanedelierrr

Sorry for replying late as this item was deprioritised on my end previously.

Can you please confirm if the Site Scan ever had a successful scan on your site before?

Yes.

Can you please confirm if the Site Scan ever had a successful scan on your site before? If so, it started having issues after enabling basic auth, but when you tried removing basic auth it did not help, correct?

Yes & yes, but sometimes (even with Basic Auth still enabled) it might still be successful.

Is your site publicly accessible? If so, can you please double-check that the Licensed URL in WP Admin > Settings > SolidWP Licensing is correct? Please try also to re-license the plugin after saving the correct Licensed URL.

Yes, publicly accessible but we’re not licensed. We’re using the free iThemes security plugin.

If the issue persists, please try to whitelist the Site Scanner’s IP address via NGiNX Ingress to bypass the basic auth.

Will consider doing this, thank you! Though It’s worth noting that all successful attempts we’ve had so far, had never needed this whitelisting to be done.

Additionally, here’s more context. Usually when it’s successful (do note that the difference in URL, i.e. url =>), the logs would look like this:
```
id               => 3674473
module           => site-scanner
type             => critical-issue
code             => vulnerable-software
timestamp        => 2024-08-15 15:09:37
init_timestamp   => 2024-08-15 15:09:36
remote_ip        => 204.246.166.146
user_id          => [empty string]
url              => https://www.<REDACTED>.com/
memory_current   => 8295960
memory_peak      => 8497448
data             => Array
    results   => Array
        url       => https://www.<REDACTED>.com
        version   => 1.0
        entries   => Array
            blacklist         => Array
                0   => Array
                    report_details   => https://transparencyreport.google.com/safe-browsing/search?url=www.<REDACTED>.com
                    status           => clean
                    vendor           => Array
                        slug    => google
                        label   => Google Safe Browsing
            vulnerabilities   => Array
                0    => Array
                    type     => wordpress
                    issues   => Array
                        0   => Array
                            title               => WordPress core < 6.5.5 - Contributor+ Path Traversal (Windows Only) vulnerability
                            description         => Contributor+ Path Traversal (Windows Only)
```
When it’s failing (10.1.0.1 is a sample of internal IP):
```
id               => 3674444
module           => site-scanner
type             => warning
code             => scan-failure-client-error
timestamp        => 2024-08-15 03:09:34
init_timestamp   => 2024-08-15 03:09:32
remote_ip        => 10.9.68.67
user_id          => [empty string]
url              => https://10.1.0.1:8443/wp-login.php
memory_current   => 7858472
memory_peak      => 7895080
data             => Array
    results   => Object WP_Error
        errors       => Array
            site_verification_failed.private_host   => Array
                0   => Unable to determine if the scan target is allowed: Scan target is not publicly accessible.
        error_data   => Array
            site_verification_failed.private_host   => Array
                url   => https://10.1.0.1:8443
    cached    => [boolean] false
```
My next few questions are:
- Am aware that free and paying are able to do site scan, but is paying necessary for specific support to resolve this issue?
- How is the URL get decided or set when scan is triggered? With the same WordPress instance, we would occasionally see it in the form of public URL or internal private IP otherwise.
- Is it correct to assume the site scanning will always be done successfully via public internet? Or it will fail otherwise?
Thanks for reading & looking forward to your further assistance, appreciate it!
Thread Starter jkzsjk
(@jkzsjk)

1 year, 8 months ago

Hi @shanedelierrr,

Would appreciate your assistance on the matter, many thanks in advance.

Plugin Support chandelierrr
(@shanedelierrr)

1 year, 8 months ago

Hi @jkzsjk, sorry for the slow turnaround here!

First, premium support is certainly not necessary to get this resolved, we’re here to help all our users.

Our team reviewed this case and we think that there is something within your server configuration that’s returning the host IP to Solid Security instead of the actual public-facing URLs. So, what’s happening is that the failed scans are running via Cron, and during those scans, Solid Security picks up the host IP because of how it’s resolved on the server and returns an error (which is the expected behavior) because it thinks it’s a private site.

How is the URL get decided or set when scan is triggered? With the same WordPress instance, we would occasionally see it in the form of public URL or internal private IP otherwise.

The scanner will use get_home_url to retrieve the URL to scan. You may be experiencing an error if your home URL is set dynamically based on the request URL. When running Cron, often times there is no site URL, and so the IP address of the machine is being provided instead. You’ll need to update your server configuration to ensure get_home_url returns valid values in all runtimes.

Is it correct to assume the site scanning will always be done successfully via public internet? Or it will fail otherwise?

Yes, the site scanner is designed to scan publicly accessible sites and not private sites

Moving forward, can you please check into how your site’s URL is being configured on your server? Please also check and let us know how Kubernetes handles DNS resolutions because it could be causing inconsistencies in how URLs are resolved on your site.

Looking forward to your update!

Thread Starter jkzsjk
(@jkzsjk)

1 year, 8 months ago

Hi @shanedelierrr,

Thanks again for the feedback and explanation especially, appreciate it!

So, what’s happening is that the failed scans are running via Cron, and during those scans, Solid Security picks up the host IP because of how it’s resolved on the server and returns an error (which is the expected behavior) because it thinks it’s a private site.

Yes, this is exactly what’s happening to me so far. If it’s triggered manually (via WordPress admin’s security dashboard), it would work fine with the public URL but failing with private IP when triggered via Cron.

The scanner will use get_home_url to retrieve the URL to scan. You may be experiencing an error if your home URL is set dynamically based on the request URL. When running Cron, often times there is no site URL, and so the IP address of the machine is being provided instead. You’ll need to update your server configuration to ensure get_home_url returns valid values in all runtimes.

Would defining WP_HOME & WP_SITEURL beforehand help? I noticed they weren’t defined in my environment so far, so I did it subsequently but the results are still the same. The only other difference it made was it fixed wp itsec site-scanner scan for me. The CLI triggered scan would fail with https://127.0.0.1 as URL prior to this. When Cron site scan happens, when get_home_url is triggered, does it replace/define WP_HOME & WP_SITEURL for me?

Moving forward, can you please check into how your site’s URL is being configured on your server? Please also check and let us know how Kubernetes handles DNS resolutions because it could be causing inconsistencies in how URLs are resolved on your site.

Besides the 2 aforementioned variables, are there any others I should check? In my WordPress General settings page, I could see WordPress Address (URL) & Site Address (URL) are defined correctly with my public facing URL though. Would appreciate it if you could share what other Kubernetes components I should check as well. E.g. pod container’s /etc/hosts file/DNS pods logs or configuration & etc.

Thread Starter jkzsjk
(@jkzsjk)

1 year, 8 months ago

Hi @shanedelierrr,

Any updates so far?

Plugin Support chandelierrr
(@shanedelierrr)

1 year, 8 months ago

Hi @jkzsjk, thanks for waiting!

Can you try proceeding to define WP_HOME & WP_SITEURL variables, then once done, send a copy of your Site Health Info to us? You may send it to us here and reference this post.

Thread Starter jkzsjk
(@jkzsjk)

1 year, 8 months ago

Hi @shanedelierrr,

Apologies for the late response as well, I have already reached out as per instructed.

Looking forward to your/SolidWP’s support, thank you & appreciate it!

Thread Starter jkzsjk
(@jkzsjk)

1 year, 7 months ago

Hi @shanedelierrr,

Any updates on the matter so far?

Plugin Support chandelierrr
(@shanedelierrr)

1 year, 5 months ago

Hi @jkzsjk, I’m truly sorry for the slow turnaround here!

I’ve looked at our internal ticket system and could not find a submission related to this issue. Can you please contact us again along with the necessary information? You can mention both my name and this thread’s link so that it can be passed to our support team.

Thank you.

Plugin Support chandelierrr
(@shanedelierrr)

1 year, 4 months ago

Hi @jkzsjk, just wanted to reach back out here to see if you had any updates on my previous suggestion.

Viewing 14 replies - 1 through 14 (of 14 total)

The topic ‘Site Scan Error After Enabling Basic Auth’ is closed to new replies.