• Resolved kendawes

    (@kendawes)


    Hi,
    I’ve installed Ninjafirewall on a site and it seems to be working properly.

    However, when I run WP Site Health, I get the following…

    The REST API request failed due to an error.
    Error: [] cURL error 28: Operation timed out after 10000 milliseconds with 0 bytes received

    I have disabled all plugins and changed the theme and added plugins back one at a time and it's Ninjafirewall that triggers the message.

    If Ninjafirewall is enabled in the Firewall Options – the problem exists. (There is no problem evident in the log files.)

    If Ninjafirewall is enabled and debug is turned on – the problem exists. (no problem shows in the Firewall log)

    If Ninjafirewall is active and disabled in Firewall Options – the problem goes away.

    Any idea what’s going on? This problem doesn’t seem to occur on other websites where I have Ninjafirewall installed.

Viewing 15 replies - 1 through 15 (of 20 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    This is a known issue with Site Health: it does not handle PHP sessions well. If you have a plugin or theme that, like NinjaFirewall, uses PHP sessions, the test will always fail. But that does not mean the REST API is not working, just the Site Health test fails.
    You can see this discussion: https://wordpress.org/support/topic/wp-5-2-ninjafirewall-blocks-api-rest-wp-json-calls/#post-11520829

    Maybe you have the same problem on your site: the blog and REST API URI don’t match? You can try to download the utils.php mentioned in the discussion and see if it helps.

    kendawes

    (@kendawes)

    Hi!

    The utils.php file cures the problem!

    Thank you!

    Hi,
    Same problem on the latest version (4.0.1). Reverting back to 3.9.1 fixed the problem for me for now.

    Thanks
    Alex

    Plugin Author nintechnet

    (@nintechnet)

    Do the blog and REST API have the same URL (see this discussion)?

    Yes, URLs are identical.

    Alex

    Plugin Author nintechnet

    (@nintechnet)

    There must be a difference somewhere. Maybe the protocol? One uses HTTPS and the other HTTP?
    The firewall takes [the protocol + ‘://’ + the hostname] from both the get_site_url() function and the REST API call and simply compares them.

    No, protocol is identical, pure HTTPS through and through.
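
The comparison described in the reply above, sketched as an added example; it is not part of the thread and not NinjaFirewall's own code. The function name `origin_mismatch` and the sample URLs are constructed for illustration, and the case-insensitive comparison is an assumption.

```php
<?php
// Added illustration, not NinjaFirewall's code. Function name is hypothetical.
// Compares only scheme and host, the two parts named in the reply above.
function origin_mismatch(string $site_url, string $rest_url): array
{
    $diff = [];
    $parts = ['scheme' => PHP_URL_SCHEME, 'host' => PHP_URL_HOST];
    foreach ($parts as $name => $component) {
        // parse_url() returns null for a missing component, false for a malformed URL.
        $a = parse_url($site_url, $component);
        $b = parse_url($rest_url, $component);
        if (!is_string($a) || !is_string($b)) {
            $diff[] = "$name: missing or unparsable";
            continue;
        }
        // Assumption: compare case-insensitively, since scheme and host are case-insensitive.
        if (strcasecmp($a, $b) !== 0) {
            $diff[] = "$name: '$a' vs '$b'";
        }
    }
    return $diff; // empty array means the two origins match
}

// Constructed sample pairs (site URL, REST API URL); example.com is a placeholder.
$samples = [
    ['https://example.com',      'https://example.com/wp-json/'],
    ['https://example.com',      'http://example.com/wp-json/'],
    ['https://example.com',      'https://www.example.com/wp-json/'],
    // Port differs, but the port is not part of "protocol + hostname".
    ['https://example.com/blog', 'https://example.com:8443/blog/wp-json/'],
];
foreach ($samples as [$site, $rest]) {
    $diff = origin_mismatch($site, $rest);
    echo $site, ' | ', $rest, ' => ', $diff ? implode('; ', $diff) : 'match', PHP_EOL;
}
```

On a WordPress site the two inputs would be the values returned by get_site_url() and rest_url().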

    3.9.1 works fine, just 4.x behaving like that.

    Fails when trying to access it directly or using a local wp_remote_post to mp/v1/transactions (memberpress endpoint) for example.

    Plugin Author nintechnet

    (@nintechnet)

    That seems to be a different issue than the one mentioned by the OP, because you cannot access the API directly.
    * When you access the API, is there an error message?
    * Right after trying to access it, can you check in the firewall log if there’s anything related to this issue?
    * Did you enable any policy from the “Firewall Policies > Basic Policies” such as “Protect against username enumeration” and “WordPress REST API”?

    1. Same exact error as above

    The REST API request failed due to an error.
    Error: [] cURL error 28: Operation timed out after 10000 milliseconds with 0 bytes received

    2. Nothing in the log.
    3. None of the REST API policies are enabled, if so it would fail under 3.9.1 as well.

    Plugin Author nintechnet

    (@nintechnet)

    The error message is the same, but it must be a different issue. I believe it is related to PHP sessions too, though.
    Can you scan your memberpress plugin and see if it is using PHP sessions? Search for session_start for instance.
    If you find it, can you paste on pastebin.com that line of code, as well as the 10 lines preceding and following it?

    No sessions are being started within memberpress or my own code. There is a function present within my own code that allows starting a session, but it is not being used.

    Plugin Author nintechnet

    (@nintechnet)

    Can you try to access the API directly from another device or browser?
    Or better, from command line so that we can test without cookies, for instance:

    $ curl -I http://your-blog/path/to/rest/api/
    

    Used pure curl to testdrive, switching from 3.9.1 to 4.0.1 and back.

    The REST API is using Basic Auth, using application passwords (https://github.com/georgestephanis/application-passwords).

    Using 3.9.1 resolves and works perfectly.
    Using 4.0.1 the request times out as before.

    Plugin Author nintechnet

    (@nintechnet)

    There must be a conflict with that plugin. I’ll check that as soon as I have the time to test this plugin.

    Plugin Author nintechnet

    (@nintechnet)

    Using x-debug, I was able to locate the issue on this line:
    https://plugins.trac.wordpress.org/browser/ninjafirewall/tags/4.0.1/lib/utils.php#L962

    current_user_can('edit_users')
    

    This throws an error.
    I’ll have to find out why the call to current_user_can is a problem.
