
Wordpress Ajax wordpress preloader 403 on accessing dynamic php css files after update

Discussion in 'Blogs & CMS usage' started by cpharlok, Oct 26, 2017.

  1. cpharlok

    cpharlok New Member

    5
    2
    3
    Oct 26, 2017
    Ratings:
    +3
    Local Time:
    7:17 AM
    1.13.6
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.13.6
    • PHP Version Installed: 7.0.18
    • MariaDB MySQL Version Installed:
    • When was last time updated Centmin Mod code base ? : Today via menu
    • Persistent Config: No
    Hi,

    I installed Centmin Mod on my VPS and WordPress using the menu; all went smoothly and the site was working fast and steady, with no problems in two months. However, today I updated both nginx to 1.13.6 and Centmin Mod, and now I get these errors:

    Code:
    GET https://(domain)/wp-content/themes/bridge/css/style_dynamic.php?ver=4.8.2 net::ERR_ABORTED  (index):50
    GET https://(domain)/wp-content/themes/bridge/css/custom_css.php?ver=4.8.2 net::ERR_ABORTED  (index):53
    GET https://(domain)/wp-content/themes/bridge/css/style_dynamic_responsive.php?ver=4.8.2 net::ERR_ABORTED  (index):52
    GET https://(domain)/wp-content/themes/bridge/js/default_dynamic.php?ver=4.8.2 net::ERR_ABORTED  rocket.min.js:2
    GET https://(domain)/wp-content/themes/bridge/js/custom_js.php?ver=4.8.2 net::ERR_ABORTED  rocket.min.js:2
    (domain) means website domain.

    Those prevent the ajax preloader from doing its job, and the site just doesn't appear, obviously.

    I have tried several fixes but I think I am stuck as I am totally new to this server thing. Sorry about that.

    Help would be greatly appreciated.

    Thank you!
     
    Last edited: Oct 26, 2017
  2. cpharlok

    The error log shows this (seems there is a rule preventing the file access, but I did not touch anything):

    [...]
    Code:
    2017/10/26 01:52:37 [error] 15338#15338: *114 access forbidden by rule, client: 88.23.193.45, server: domain, request: "GET /wp-content/themes/bridge/js/default_dynamic.php?ver=4.8.2 HTTP/1.1", host: "domain", referrer: "https://domain/"
    2017/10/26 01:52:37 [error] 15337#15337: *112 access forbidden by rule, client: 88.23.193.45, server: domain, request: "GET /wp-content/themes/bridge/js/default_dynamic.php?ver=4.8.2 HTTP/1.1", host: "domain", referrer: "https://domain/"
    2017/10/26 01:52:37 [error] 15338#15338: *114 access forbidden by rule, client: 88.23.193.45, server: domain, request: "GET /wp-content/themes/bridge/js/custom_js.php?ver=4.8.2 HTTP/1.1", host: "domain", referrer: "https://domain/"
    2017/10/26 01:52:45 [error] 15337#15337: *115 access forbidden by rule, client: 88.23.193.45, server: domain, request: "GET /wp-content/themes/bridge/css/style_dynamic.php?ver=4.8.2 HTTP/1.1", host: "domain", referrer: "https://domain/"
    2017/10/26 01:52:45 [error] 15337#15337: *116 access forbidden by rule, client: 88.23.193.45, server: domain, request: "GET /wp-content/themes/bridge/css/style_dynamic_responsive.php?ver=4.8.2 HTTP/1.1", host: "domain", referrer: "https://domain/"
    2017/10/26 01:52:45 [error] 15338#15338: *117 access forbidden by rule, client: 88.23.193.45, server: domain, request: "GET /wp-content/themes/bridge/css/custom_css.php?ver=4.8.2 HTTP/1.1", host: "domain", referrer: "https://domain/"
    
    
     
    Last edited: Oct 26, 2017
  3. eva2000

    eva2000 Administrator Staff Member

    30,580
    6,854
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,275
    Local Time:
    4:17 PM
    Nginx 1.13.x
    MariaDB 5.5
    Centmin Mod values security and puts additional measures in place so that end users are also mindful of security. So in your case, you might need to whitelist or unblock the WP plugins related to your 403 permission denied messages.

    If you used centmin.sh menu option 22 auto installer Wordpress Nginx Auto Installer, the default wpsecure conf file at /usr/local/nginx/conf/wpsecure_${vhostname}.conf, where vhostname is your domain name, blocks php scripts from executing in wp-content for security.

    In the links below you can see examples of setting up specific wordpress location matches to punch a hole in the wpsecure blocking to whitelist specific php files that need to be able to run.
    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at "Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community". Your uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks' web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users' feedback and troubleshooting.
     
  4. cpharlok

    Ok, thank you, found the issue in wpsecure:

    Code:
    # Block PHP files in uploads, content, and includes directory.
    #location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
    #  deny all;
    #}
    I just commented it out and now PHP files execute properly, so I think I have to work on that rule a bit, as there are PHP files in the theme folder that need to be executed.
     
  5. eva2000

    Yes, if you look in wpsecure there are many examples of specifically whitelisting wp plugins (and themes) for php execution - while a pain to do, it can be more secure long term to prevent rogue wp plugins from executing php (as is for whitelisting themes) :)
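
The whitelisting approach discussed in this thread, as an added example that is not part of the original posts or of Centmin Mod's own wpsecure file: the deny rule from post 4 stays active, and one regex location placed before it allows only the five Bridge theme files seen in the 403 error log. The PHP-FPM directives inside the whitelist block (backend address, SCRIPT_FILENAME line) are assumptions; mirror whatever PHP handling the vhost already uses.

```nginx
# Goes in the vhost's wpsecure include, inside the server {} context.

# Whitelist: only the Bridge theme's dynamic CSS/JS generators from the 403 log.
# nginx tests regex locations in the order they appear and stops at the first
# match, so this block MUST be placed before the generic deny block below.
# The pattern is anchored (^ ... $) and case-sensitive, so no other .php file
# under wp-content becomes executable.
location ~ ^/wp-content/themes/bridge/(?:css/(?:style_dynamic|style_dynamic_responsive|custom_css)|js/(?:default_dynamic|custom_js))\.php$ {
  # Assumed PHP-FPM handling (constructed values): replace with the same
  # include or fastcgi settings the vhost's main PHP location uses.
  include fastcgi_params;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  fastcgi_pass 127.0.0.1:9000;   # placeholder backend address
}

# Block PHP files in uploads, content, and includes directory.
# Left enabled: every other .php request under these paths still gets 403.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
  deny all;
}
```

After `nginx -t` and a reload, the five theme URLs should return 200 while any other PHP path under wp-content still logs "access forbidden by rule".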
     
  6. cpharlok

    Yes, I understand, really appreciate this security approach. Nice! Thank you for your great work!
     