REST API errors

  • Lucker

    (@lucker)


    Hello there,

    I use a single-site WP FEMP setup behind an nginx proxy, which terminates https requests (and also 301-redirects all requests to https) and passes them to other nginx servers (in FreeBSD jails). In the jails I have only local IPs (10.0.0.2, etc.), and connections from the external IP are redirected with the pf firewall to the proxy (which distributes them to different services, including the WP installation). Everything usually works smoothly without any problem, except the REST API.

    I noticed quite a long time ago that Site Health Status reports two problems, both related to loopback requests, though quite non-specific:

      1. The REST API encountered an error: The REST API request failed due to an error.
      Error: Connection refused (http_request_failed)
      2. Your site could not complete a loopback request: The loopback request to your site failed, this means features relying on them are not currently working as expected.
      Error: Connection refused (http_request_failed)

    Since I do not use scheduling for posts (at least at the moment) it didn’t bother me much. Alas, the problem comes from the further astonishing WP development. After updates of WP and plugins (I do the chores once in a couple of months) some plugins refused to work, namely “Redirection”, “Yoast SEO” to index content, etc.

    My fingers grew really tired while searching for info to mitigate the issue. A lot of trial and error, but eventually I managed to pin down the problem to some extent. If I specify the domain of the WP website in the hosts file, like 10.0.0.3 example.com, where the IP is for the nginx proxy, Site Health Status stops complaining. But other issues appear:

      1. in Site Health Status the warning: A scheduled event has failed. The scheduled event, action_scheduler_run_queue, failed to run
      2. in Site Health Status the warning: The REST API did not behave correctly. The REST API did not process the context query parameter correctly
      3. XSS cookies, I suppose due to the difference of the hosts (proxy and WP)

    I can mitigate such by disabling all advanced security setup in naxsi, but that is against my vision. Also, I could live without scheduling, at least for a while, till the further progressive development renders this a real problem.

    If I specify for the localhost the IP of the WP installation, which is probably how it is intended to work, the REST API still doesn’t work, though I can easily access the website with curl from inside the jail.

    The wp-cli works except the cron command. In wp-config.php I have, besides other stuff, the following:

    
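    // Treat the request as HTTPS when the proxy says so. isset() avoids a notice on
    // requests that carry no X-Forwarded-Proto header (direct loopback, wp-cli).
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false && $_SERVER['REMOTE_ADDR'] != '10.0.0.3')
    	$_SERVER['HTTPS']='on';
    // Code for showing correct client IP address.
    // Note: the first X-Forwarded-For entry is whatever the client sent, because
    // $proxy_add_x_forwarded_for on the proxy only appends to the incoming header.
    if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
       $mte_xffaddrs = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
       $_SERVER['REMOTE_ADDR'] = $mte_xffaddrs[0];
    }
    define('FORCE_SSL_ADMIN', true);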
    

    The nginx configs are rather long, but comply with codex and I would post them if needed.

    My wild guess is that the REST API makes requests to WP with https, but I don’t know how to prove or exclude this, since I have almost no knowledge of PHP and where to look.

    I have a strong feeling that I am missing something very obvious, which prevents the REST API from working as expected. But I have exhausted all ideas and feel like I am about to jeopardize security eventually.

    Could you please point me in the right direction? I am banging my head against the wall…

  • Moderator t-p

    (@t-p)

    Status reports two problems, both related to loopback requests, though quite non-specific

    Contact your hosting provider support and ask them why loopback is failing.

    Thread Starter Lucker

    (@lucker)

    @t-p Thank you for the suggestion. Long before I decided to ask for support here I was chasing this ghost for nothing. You might see how misleading these messages are and why I called them ‘non-specific’.

    The loopback works, WP can’t communicate with it. Please take a look at the line < Location: https://mydomain.com/wp-json/wp/v2/plugins – it seems like the WP asks for https

    
    # jexec myjail curl -vv localhost/wp-json/wp/v2/plugins
    *   Trying 10.0.0.3:80...
    * Connected to localhost (10.0.0.3) port 80 (#0)
    > GET /wp-json/wp/v2/plugins HTTP/1.1
    > Host: localhost
    > User-Agent: curl/7.72.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 301 Moved Permanently
    < Server: nginx
    < Date: Sat, 28 Nov 2020 11:53:02 GMT
    < Content-Type: text/html; charset=UTF-8
    < Transfer-Encoding: chunked
    < Connection: keep-alive
    < Location: https://mydomain.com/wp-json/wp/v2/plugins
    < Last-Modified: Sat, 28 Nov 2020 11:27:02 GMT
    < Expires: Sat, 28 Nov 2020 12:27:02 GMT
    < Pragma: public
    < Cache-Control: max-age=2040, public
    < ETag: "d41d8cd98f00b204e9800998ecf8427e"
    < Cache-Control: public
    < X-Frame-Options: SAMEORIGIN
    < Strict-Transport-Security: max-age=31536000; preload
    < X-XSS-Protection: 1; mode=block
    < X-Content-Type-Options: nosniff
    < Referrer-Policy: no-referrer-when-downgrade
    ...
    * Connection #0 to host localhost left intact
    

    The more curious thing is that the same WP installation on an identical FEMP setup (except that the nginx proxy has no server block to redirect http to https) on a local virtual machine gives a slightly different response. Instead of < Location: https://mydomain.com/wp-json/wp/v2/plugins it has < Link: <http://mydomain.com/wp-json/>; rel="https://api.w.org/" and definitely communicates with the REST API, since it denied authorisation.

    
     # jexec myjail curl -vv localhost/wp-json/wp/v2/plugins
    *   Trying 10.0.0.3:80...
    * Connected to localhost (10.0.0.3) port 80 (#0)
    > GET /wp-json/wp/v2/plugins HTTP/1.1
    > Host: localhost
    > User-Agent: curl/7.72.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 401 Unauthorized
    < Server: nginx
    < Date: Sat, 28 Nov 2020 11:33:58 GMT
    < Content-Type: application/json; charset=UTF-8
    < Transfer-Encoding: chunked
    < Connection: keep-alive
    < X-Robots-Tag: noindex
    < Link: <http://mydomain.com/wp-json/>; rel="https://api.w.org/"
    < X-Content-Type-Options: nosniff
    < Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages, Link
    < Access-Control-Allow-Headers: Authorization, X-WP-Nonce, Content-Disposition, Content-MD5, Content-Type
    < Vary: Origin
    <
    * Connection #0 to host localhost left intact
    {"code":"rest_cannot_view_plugins","message":"\u041a \u0441\u043e\u0436\u0430\u043b\u0435\u043d\u0438\u044e, \u0432\u044b \u043d\u0435 \u0438\u043c\u0435\u0435\u0442\u0435 \u043f\u0440\u0430\u0432\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u043f\u043b\u0430\u0433\u0438\u043d\u0430\u043c\u0438 \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0441\u0430\u0439\u0442\u0430.","data":{"status":401}}
    

    So, here I am stuck. It’s either the WP mistakenly asks for https from localhost, or the backend nginx somehow passes to the php-fpm protocol and insists on using it.

    Any idea where to dig further?

    Thread Starter Lucker

    (@lucker)

    Just in case, I post the configs.

    wp-config.php

    
    <?php
    /** Enable W3 Total Cache */
    define('WP_CACHE', true); // Added by W3 Total Cache
    /* Turn HTTPS 'on' if HTTP_X_FORWARDED_PROTO matches 'https' */
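    /* isset() avoids a notice when the header is absent (direct loopback, wp-cli) */
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
    	$_SERVER['HTTPS']='on';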
    // Code for showing correct client IP address
    if ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { 
       $mte_xffaddrs = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ); 
       $_SERVER['REMOTE_ADDR'] = $mte_xffaddrs[0]; 
    }
    
    define('FORCE_SSL_ADMIN', true);
    define('FORCE_SSL_LOGIN', true);
    
    define('WP_FAIL2BAN_PROXIES','10.0.0.1');
    include __DIR__.'/wp-content/plugins/wp-fail2ban/lib/constants.php';
    define('WP_FAIL2BAN_LOG_SPAM', true);
    define('WP_FAIL2BAN_PLUGIN_LOG_SPAM', true);
    define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION', true);
    define('WP_FAIL2BAN_LOG_PASSWORD_REQUEST', true);
    define('WP_FAIL2BAN_PLUGIN_LOG_XMLRPC', true);
    define('WP_FAIL2BAN_PLUGIN_LOG_REST', true);
    define('WP_FAIL2BAN_LOG_PINGBACKS', true);
    define('WP_FAIL2BAN_COMMENT_LOG', LOG_LOCAL7);
    define('WP_FAIL2BAN_LOG_COMMENTS', true);
    define('WP_FAIL2BAN_COMMENT_EXTRA_LOG', LOG_LOCAL7);
    define('WP_FAIL2BAN_LOG_COMMENTS_EXTRA', WPF2B_EVENT_COMMENT_NOT_FOUND | WPF2B_EVENT_COMMENT_CLOSED | WPF2B_EVENT_COMMENT_TRASH | WPF2B_EVENT_COMMENT_DRAFT | WPF2B_EVENT_COMMENT_PASSWORD);
    
    define('DB_NAME', 'mysite_202010');
    define('DB_USER', 'user');
    define('DB_PASSWORD', 'pAs$woRt');
    define('DB_HOST', '10.0.0.15');
    define('DB_CHARSET', 'utf8');
    define('DB_COLLATE', '');
    @ini_set( 'upload_max_size' , '10MB' );
    @ini_set( 'post_max_size', '15MB');
    
    define('WP_HOME','https://mysite.com');
    define('WP_SITEURL','https://mysite.com');
    
    define( 'WP_REDIS_CLIENT', 'pecl' );
    define( 'WP_REDIS_SCHEME', 'tcp' );
    define( 'WP_REDIS_HOST', '10.0.0.16' );
    define( 'WP_REDIS_PORT', '6379' );
    define( 'WP_REDIS_DATABASE', '0' );
    
    define('AUTH_KEY',         'dfhrdst');
    define('SECURE_AUTH_KEY',  'xtgdfbx');
    define('LOGGED_IN_KEY',    'xbcvbrftgbret');
    define('NONCE_KEY',        'rthergtbgfbd');
    define('AUTH_SALT',        'xcfbgxfthdrt');
    define('SECURE_AUTH_SALT', 'mjutyurtghn');
    define('LOGGED_IN_SALT',   'nyhyujmghn');
    define('NONCE_SALT',       'gfbnrtyghjtry');
    
    $table_prefix  = 'wp_';
    
    define('WPLANG', 'ru_RU');
    define('WP_MEMORY_LIMIT', '128M');
    define( 'AUTOMATIC_UPDATER_DISABLED', true );
    
    define( 'DISALLOW_FILE_EDIT', true );
    define('WP_DEBUG', false);
    
    if ( ! defined( 'ABSPATH' ) ) {
    	define( 'ABSPATH', __DIR__ . '/' );
    }
    
    require_once(ABSPATH . 'wp-settings.php');
    
    if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) && $_SERVER["REMOTE_ADDR"] == "10.10.0.1")  {
        $forwardip = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
        $_SERVER['REMOTE_ADDR'] = $forwardip[0];
    }
    

    nginx-proxy.conf

    
    user                	www;
    worker_processes    	auto;
    worker_rlimit_nofile  	1024;
    pcre_jit            	on;     # Offers a performance boost to regular expression processing
    worker_priority     	10;	
    error_log           	/var/log/nginx/error.nc.log warn;
    events  {
    worker_connections	1024;
    use 			kqueue; # No epoll on FreeBSD
                }
    http    {
    client_body_timeout		5s; # maximum time between packets the client can pause when sending nginx any data
    client_header_timeout		5s; # maximum time the client has to send the entire header to nginx
    #keepalive_timeout		75s; # timeout which a single keep-alive client connection will stay open
    keepalive_timeout     300 300;
    send_timeout			15s; # maximum time between packets nginx is allowed to pause when sending the client data
    
    ## General Options
    aio				on;  # asynchronous file I/O, fast with ZFS, make sure sendfile=off
    charset				utf-8; # adds the line "Content-Type" into response-header, same as "source_charset"
    default_type			application/octet-stream;
    gzip_proxied			any;  # allows compressed responses for any request even from proxies
    gzip_vary               	on;  # send response header "Vary: Accept-Encoding"
    ignore_invalid_headers  	on;
    include                 	mime.types;
    keepalive_disable       	none; # allow all browsers to use keepalive connections
    keepalive_requests      	50;  # number of requests per connection, does not affect SPDY
    max_ranges              	0;   # disabled to stop range header DoS attacks as resumed downloads are denied
    msie_padding            	off;
    output_buffers          	1 512;
    postpone_output         	1460;   # postpone sends to match our machine's MSS
    proxy_headers_hash_bucket_size  128;
    proxy_headers_hash_max_size	1024;
    read_ahead              	512K;   # kernel read head set to the output_buffers
    recursive_error_pages   	on;
    reset_timedout_connection	on;  # reset timed out connections freeing ram
    sendfile                	off;  # on for decent direct disk I/O
    server_tokens           	off; # version number in error pages
    server_name_in_redirect 	off; # if off, nginx will use the requested Host header
    source_charset          	utf-8; # same value as "charset"
    tcp_nodelay             	on; # Nagle buffering algorithm, used for keepalive only
    tcp_nopush              	on; #highly recommend testing your server with this option enabled
    
    ## Log Format
    log_format      	main    '$remote_addr - $remote_user [$time_local] "$request" '
    					'$status $body_bytes_sent "$http_referer" '
    					'"$http_user_agent" "$http_x_forwarded_for"';
    access_log			/var/log/nginx/access.log  main buffer=32k;
    
    proxy_http_version		1.1;
    proxy_connect_timeout      900;
    proxy_send_timeout         900;
    proxy_read_timeout         900;
    proxy_intercept_errors     on;
    proxy_buffering    			off;
    
    set_real_ip_from  10.0.0.1;
    real_ip_header    X-Forwarded-For;
    limit_req_zone  $binary_remote_addr  zone=gulag:10m   rate=1250r/m;
    
    # "server {" was missing from the posted config; listen/server_name are only valid inside a server block
    server {
    add_header  Cache-Control "public";
    add_header  X-Frame-Options SAMEORIGIN always;
    listen      10.0.0.1:80;
    limit_req   zone=gulag  burst=500 nodelay;
    server_name             mysite.com www.mysite.com;
    
    client_max_body_size 5M;
    
    proxy_cache			off;
    proxy_redirect		off;
    
    location / {
                return 301 https://$host$request_uri;
                }
    }
    
    server  	{
        add_header         Cache-Control "public";
        add_header         X-Frame-Options SAMEORIGIN always;
        limit_req          zone=gulag  burst=500 nodelay;
        listen             10.0.0.1:443 default_server ssl http2 sndbuf=512k reuseport accept_filter=dataready;
        server_name        mysite.com www.mysite.com;
    
    access_log  /var/log/nginx/access.mysitecom.log  main buffer=32k;
    error_log  /var/log/nginx/error.mysitecom.log  warn;
    
    proxy_buffering             off;
    proxy_request_buffering     off;
    proxy_redirect          	off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    
    proxy_set_header        X-Forwarded-Port    $server_port;
    proxy_set_header        X-Forwarded-Proto   $scheme;
    
    ssl_certificate			/usr/local/acme/mysitecom/rsa-certs/fullchain.pem;
    ssl_certificate_key		/usr/local/acme/mysitecom/rsa-certs/privkey.pem;
    ssl_trusted_certificate	/usr/local/acme/mysitecom/rsa-certs/chain.pem;
    ssl_certificate			/usr/local/acme/mysitecom/ecc-certs/fullchain.pem;
    ssl_certificate_key		/usr/local/acme/mysitecom/ecc-certs/privkey.pem;
    ssl_dhparam				/etc/ssl/certs/dhparam.pem;
    ssl_session_timeout			1d;
    ssl_session_cache			shared:le_nginx_SSL:10m;
    ssl_prefer_server_ciphers		off;  # off for TLSv1.3 so clients assumed cipher is used, save one(1) round trip 
    ssl_session_tickets			on;  # off for Perfect Forward Secrecy (PFS)
    ssl_buffer_size				128k;
    ssl_protocols				TLSv1.3 TLSv1.2;
    ssl_ciphers				'TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_ecdh_curve				secp521r1:secp384r1;
    ssl_stapling				on;
    resolver 9.9.9.9 8.8.8.8 valid=30s;
    resolver_timeout 5s;
    
        proxy_set_header        Early-Data $ssl_early_data;
    
        location / {
                    proxy_pass          http://10.0.0.3:80;
                    http2_push_preload  on;
                    }
    }
    } # closes the http block (brace was missing from the posted config)
    

    nginx-backend.conf

    
    user                  www;
    worker_processes      auto;
    worker_priority       15;    # renice workers to reduce priority compared to system processes for
                                # machine health. worst case nginx will get ~25% system resources at nice=15
    worker_rlimit_nofile  1024; # maximum number of open files                            
    pcre_jit              on;
    load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
    events {
        use kqueue; # No epoll on FreeBSD
        worker_connections  1024;
    }
    
    http {
    include /usr/local/etc/nginx/naxsi_core.rules;
      client_body_timeout      10s; # maximum time between packets the client can pause when sending nginx any data
      client_header_timeout    10s; # maximum time the client has to send the entire header to nginx
      keepalive_timeout       75s; # timeout which a single keep-alive client connection will stay open
      send_timeout            15s; # maximum time between packets nginx is allowed to pause when sending the client data
    ## General Options
    aio                     on;	# asynchronous file I/O, fast with ZFS, make sure sendfile=off
    charset                 utf-8; # adds the line "Content-Type" into response-header, same as "source_charset"
    default_type            application/octet-stream;
    gzip_static             on;  # precompress content (gzip -1) with an external script
    gzip                    off; # disable on the fly gzip compression due to higher latency, only use gzip_static
    gzip_vary               on;  # send response header "Vary: Accept-Encoding"
    gzip_proxied            any;  # allows compressed responses for any request even from proxies
    include                 gzip_types;
    ignore_invalid_headers  on;
    include                 mime.types;
    keepalive_requests      50;  # number of requests per connection, does not affect SPDY
     keepalive_disable       none; # allow all browsers to use keepalive connections
    max_ranges              1;
    msie_padding            off;
    open_file_cache         max=1000 inactive=30d;
    open_file_cache_errors  on;
    open_file_cache_min_uses 1;
    open_file_cache_valid   1h;
    output_buffers          2 512k;  # 1MB for gigabit/sec outward bandwidth, 1 buffer for static content
    postpone_output         1460;   # postpone sends to match our machine's MSS
    read_ahead              512K;   # kernel read head set to the output_buffers
    recursive_error_pages     on;
    reset_timedout_connection on;  # reset timed out connections freeing ram
    sendfile                  off;  # on for decent direct disk I/O
    server_tokens             off; # version number in error pages
    server_name_in_redirect   off; # if off, nginx will use the requested Host header
    source_charset            utf-8; # same value as "charset"
    tcp_nodelay               on; # Nagle buffering algorithm, used for keepalive only
    tcp_nopush                on; #highly recommend testing your server with this option enabled
    
    set_real_ip_from  10.0.0.1;
    real_ip_header    X-Forwarded-For;
    
    limit_req_zone  $binary_remote_addr  zone=gulag:5m   rate=1000r/m;
    
        log_format				main  '$remote_addr - $remote_user [$time_local] "$request" '
    									'$status $body_bytes_sent "$http_referer" '
    									'"$http_user_agent" "$http_x_forwarded_for"';
    server {
    add_header  Cache-Control "public";
    add_header  X-Frame-Options SAMEORIGIN always;
    limit_req   zone=gulag burst=500 nodelay;
    listen       10.0.0.3:80 sndbuf=512k accept_filter=httpready;
    server_name  mysite.com www.mysite.com;
    
        include snippets/mysitecom-redirection-rewrite;
    
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|rar|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off; log_not_found off; expires max;
    }
    location ~ \.php$ {
        fastcgi_param  QUERY_STRING       $query_string;
        fastcgi_param  REQUEST_METHOD     $request_method;
        fastcgi_param  CONTENT_TYPE       $content_type;
        fastcgi_param  CONTENT_LENGTH     $content_length;
    
        fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_param  REQUEST_URI        $request_uri;
        fastcgi_param  DOCUMENT_URI       $document_uri;
        fastcgi_param  DOCUMENT_ROOT      $document_root;
        fastcgi_param  SERVER_PROTOCOL    $server_protocol;
        fastcgi_param  REQUEST_SCHEME     $scheme;
        fastcgi_param  HTTPS              $https if_not_empty;
    
        fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
        fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
    
        fastcgi_param  REMOTE_ADDR        $remote_addr;
        fastcgi_param  REMOTE_PORT        $remote_port;
        fastcgi_param  SERVER_ADDR        $server_addr;
        fastcgi_param  SERVER_PORT        $server_port;
        fastcgi_param  SERVER_NAME        $server_name;
    
        fastcgi_param  REDIRECT_STATUS    200;
        
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
    
    try_files $fastcgi_script_name =404;
    set $path_info $fastcgi_path_info;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_pass_header Authorization;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_index index.php;
    
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
        include /home/mysitecom/public_html/w3tc-nginx.conf;
    
    access_log  /var/log/nginx/access.mysitecom.log  main buffer=32k;
    error_log  /var/log/nginx/error.mysitecom.log warn;
    
    root   /home/mysitecom/public_html;
    index index.php index.html index.htm;
    
    add_header Link "</fonts/lora-v15-latin_cyrillic-700.woff2>; as=font; rel=preload; type=font/woff2; crossorigin";
    add_header Link "</wp-includes/js/jquery/jquery.js>; as=script; rel=preload; type=text/javascript";
    
    client_max_body_size    5M;
    
      error_page 404 /404.html;
      error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/local/www/nginx-dist;
    }
      location = /nginx.conf {
      deny all;
      }
    }
    }
    
    Thread Starter Lucker

    (@lucker)

    Seems like I found proof that the cause is in WP.

    The same request but with additional header output shows that WP redirects the request to https://mysite.com/ instead of getting script from localhost:

    
    jexec myjail curl -i -vv localhost/wp-json/wp/v2/plugins
    *   Trying 10.0.0.3:80...
    * Connected to localhost (10.0.0.3) port 80 (#0)
    > GET /wp-json/wp/v2/plugins HTTP/1.1
    > Host: localhost
    > User-Agent: curl/7.72.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 301 Moved Permanently
    HTTP/1.1 301 Moved Permanently
    < Server: nginx
    Server: nginx
    ...
    < X-Redirect-By: WordPress
    X-Redirect-By: WordPress
    < Location: https://mysite.com/wp-json/wp/v2/plugins
    Location: https://mysite.com/wp-json/wp/v2/plugins
    ...
    < Link: </fonts/lora-v15-latin_cyrillic-700.woff2>; as=font; rel=preload; type=font/woff2; crossorigin
    ...
    * Connection #0 to host localhost left intact
    

    If I make a request on the same installation, but for a file outside WP, it works perfectly. The file contains <?php var_export($_SERVER)?> only.

    
    jexec myjail curl -vv localhost/test-vars.php
    *   Trying 10.0.0.3:80...
    * Connected to localhost (10.0.0.3) port 80 (#0)
    > GET /test-vars.php HTTP/1.1
    > Host: localhost
    > User-Agent: curl/7.72.0
    > Accept: */*
    >
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Server: nginx
    < Date: Sat, 28 Nov 2020 15:09:51 GMT
    < Content-Type: text/html; charset=UTF-8
    < Transfer-Encoding: chunked
    < Connection: keep-alive
    < Vary: Accept-Encoding
    < Cache-Control: public
    < X-Frame-Options: SAMEORIGIN
    < Strict-Transport-Security: max-age=31536000; preload
    < X-XSS-Protection: 1; mode=block
    < X-Content-Type-Options: nosniff
    < Referrer-Policy: no-referrer-when-downgrade
    < Link: </fonts/lora-v15-latin_cyrillic-700.woff2>; as=font; rel=preload; type=font/woff2; crossorigin
    ...
    < Link: </wp-includes/js/jquery/jquery.js>; as=script; rel=preload; type=text/javascript
    <
    array (
      'HOME' => '/nonexistent',
      'USER' => 'www',
      'HTTP_ACCEPT' => '*/*',
      'HTTP_USER_AGENT' => 'curl/7.72.0',
      'HTTP_HOST' => 'localhost',
      'SCRIPT_FILENAME' => '/home/mysitecom/public_html/test-vars.php',
      'PATH_INFO' => '',
      'REDIRECT_STATUS' => '200',
      'SERVER_NAME' => 'mysite.com',
      'SERVER_PORT' => '80',
      'SERVER_ADDR' => '10.0.0.3',
      'REMOTE_PORT' => '36565',
      'REMOTE_ADDR' => '10.0.0.3',
      'SERVER_SOFTWARE' => 'nginx/1.18.0',
      'GATEWAY_INTERFACE' => 'CGI/1.1',
      'REQUEST_SCHEME' => 'http',
      'SERVER_PROTOCOL' => 'HTTP/1.1',
      'DOCUMENT_ROOT' => '/home/mysitecom/public_html',
      'DOCUMENT_URI' => '/test-vars.php',
      'REQUEST_URI' => '/test-vars.php',
      'SCRIPT_NAME' => '/test-vars.php',
      'CONTENT_LENGTH' => '',
      'CONTENT_TYPE' => '',
      'REQUEST_METHOD' => 'GET',
      'QUERY_STRING' => '',
      'FCGI_ROLE' => 'RESPONDER',
      'PHP_SELF' => '/test-vars.php',
      'REQUEST_TIME_FLOAT' => 1606576191.918095,
      'REQUEST_TIME' => 1606576191,
    * Connection #0 to host localhost left intact
    

    So, the main question for now is why the WP redirects requests to REST API from localhost? From outside it works as expected.

  • The topic ‘REST API errors’ is closed to new replies.
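
Added example, not part of the thread and not WordPress or nginx code: a small parser for the `curl -v` transcripts posted above. It reports who issued a redirect and whether the proxy's `return 301 https://$host$request_uri;` rule could have produced it, then builds a follow-up curl command carrying the Host and X-Forwarded-Proto headers the front proxy would forward. The sample transcripts are constructed from the ones in the thread; the function names and the default backend address 10.0.0.3:80 are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed samples, abridged from the two transcripts quoted in the thread.
SAMPLE_301 = """\
* Connected to localhost (10.0.0.3) port 80 (#0)
> GET /wp-json/wp/v2/plugins HTTP/1.1
> Host: localhost
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< X-Redirect-By: WordPress
< Location: https://mysite.com/wp-json/wp/v2/plugins
<
"""
SAMPLE_401 = """\
> GET /wp-json/wp/v2/plugins HTTP/1.1
> Host: localhost
>
< HTTP/1.1 401 Unauthorized
< Link: <http://mydomain.com/wp-json/>; rel="https://api.w.org/"
<
"""
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_transcript(text):
    """Return (request, status, response headers) parsed from `curl -v` output."""
    req, resp, status = {"path": "", "headers": {}}, {}, None
    for line in text.splitlines():
        m = re.match(r"> [A-Z]+ (\S+) HTTP/", line)
        if m:                                         # request line
            req["path"] = m.group(1)
        elif re.match(r"< HTTP/\S+ \d{3}", line):
            status, resp = int(line.split()[2]), {}   # a new response starts
        elif line[:2] in ("> ", "< ") and ":" in line:
            name, _, value = line[2:].partition(":")
            headers = req["headers"] if line[0] == ">" else resp
            headers[name.strip().lower()] = value.strip()
    return req, status, resp


def classify_redirect(text, request_scheme="http"):
    """Say who issued a redirect and how it differs from the request."""
    req, status, resp = parse_transcript(text)
    if status not in REDIRECT_CODES or "location" not in resp:
        return {"redirect": False, "status": status}
    host = req["headers"].get("host", "").split(":")[0].lower()
    target = urlsplit(resp["location"])
    return {
        "redirect": True,
        "status": status,
        # wp_redirect() labels its responses; nginx's own `return 301` does not.
        "issuer": resp.get("x-redirect-by", "unlabelled"),
        "host_changed": target.hostname != host,
        "scheme_changed": target.scheme != request_scheme,
        # The proxy's `return 301 https://$host$request_uri;` keeps the request Host.
        "proxy_rule_could_emit": resp["location"] == f"https://{host}{req['path']}",
    }


def replay_as_proxy(text, backend="10.0.0.3:80"):
    """Build a curl argv repeating the request with the Host and X-Forwarded-Proto
    the proxy forwards, so the check in the full wp-config.php sets HTTPS='on'.
    Assumption: no redirect on replay points at the bare loopback's host/scheme."""
    req, status, resp = parse_transcript(text)
    if status not in REDIRECT_CODES or "location" not in resp:
        raise ValueError("transcript does not contain a redirect")
    target = urlsplit(resp["location"])
    return ["curl", "-sv", "-o", "/dev/null",
            "-H", f"Host: {target.hostname}",
            "-H", f"X-Forwarded-Proto: {target.scheme}",
            f"http://{backend}{req['path']}"]


if __name__ == "__main__":
    print(classify_redirect(SAMPLE_301))
    print(" ".join(replay_as_proxy(SAMPLE_301)))
```

For the 301 transcript the result names WordPress as the issuer and shows that both host and scheme changed, which rules out the proxy's port-80 rule as the source of that `Location` header.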