Maintenance page on wp-login password reset

Discussion in 'Blogs & CMS usage' started by Daniel J. Lewis, Jul 6, 2018.

  1. Daniel J. Lewis

    I'm running into a really weird error on WordPress sites. If a user tries to reset their password and visits /wp-login.php?action=rp&key=[TOKEN]&login=[USERNAME], they're redirected to the maintenance.html page.

    The problem seems to be in this block of the site's conf file (made with option 22):

    Code:
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/[DOMAIN].com/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    If I comment out this whole section, password resets work. If I comment out only the php-wpsc.conf line, the login page downloads a PHP file.

    So there's something in that conf file messing up the logins.

    Although I installed with option 22 and the WPSC option, I'm using WP Rocket and have its appropriate rocket-nginx included and the appropriate try_files.
    
    Here's the complete vhost conf for one such site (repeatable on all my sites, even with all plugins disabled):
    
    Code:
    
    #x# HTTPS-DEFAULT
     server {
    
       server_name [DOMAIN].com www.[DOMAIN].com;
       return 302 https://[DOMAIN].com$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name [DOMAIN].com www.[DOMAIN].com;
    
      include /usr/local/nginx/conf/wpms-redirects.conf; # Redirecting old WPMS uploads URL
    
      # include /usr/local/nginx/conf/ssl/[DOMAIN].com/[DOMAIN].com.crt.key.conf;
      # include /usr/local/nginx/conf/ssl_include.conf;
    
      ssl_certificate /usr/local/nginx/conf/ssl/[DOMAIN]-2018.crt;
      ssl_certificate_key /usr/local/nginx/conf/ssl/[DOMAIN].com.key;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ecdh_curve  secp384r1;
      ssl_session_cache      shared:SSL:10m;
      ssl_session_timeout  10m;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      add_header Strict-Transport-Security "max-age=0";
    
      ## OCSP Stapling
      # resolver 127.0.0.1;
      # ssl_stapling on;
      # ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/[DOMAIN]-comodo-2018.crt;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/[DOMAIN].com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      # ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      # ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/[DOMAIN].com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/[DOMAIN].com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/[DOMAIN].com/autoprotect-[DOMAIN].com.conf;
      root /home/nginx/domains/[DOMAIN].com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # include /usr/local/nginx/conf/wpincludes/[DOMAIN].com/wpcacheenabler_[DOMAIN].com.conf;
      #include /usr/local/nginx/conf/wpincludes/[DOMAIN].com/wpsupercache_[DOMAIN].com.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/[DOMAIN].com/rediscache_[DOMAIN].com.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      # try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/[DOMAIN].com/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
    
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/[DOMAIN].com/wpsecure_[DOMAIN].com.conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
      include /usr/local/nginx/conf/rocket-nginx/default.conf;
    
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-[DOMAIN].com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    Any ideas how to fix this? I discovered this problem because a developer I'm working with thinks there's some query caching going on that's messing with WooCommerce's ability to serve plugin updates to my clients with the API Manager extension. But let's focus only on one problem at a time. :)
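One way to see which hop in the reset flow produces the maintenance page is to request the reset URL with redirects disabled and record each response separately, including the X-Rocket-Nginx-* debug headers that the rocket-nginx default.conf adds. This is an added example for this thread, not Centmin Mod, WP Rocket or rocket-nginx code; it assumes Python 3 with only the standard library, that the vhost's 503include files map a 503 to maintenance.html (an assumption, the thread does not show their contents), and the example.test URLs in the comments are constructed.

```python
"""Trace a WordPress password-reset URL hop by hop without letting the client
follow redirects, so the hop that lands on maintenance.html becomes visible.
Added example for this thread; not Centmin Mod or WP Rocket code."""
import sys
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Headers worth recording per hop: where nginx sends us, what rocket-nginx
# decided (debug headers set in rocket-nginx default.conf) and cache state.
TRACKED = ("Location", "X-Rocket-Nginx-Serving-Static",
           "X-Rocket-Nginx-Reason", "X-Rocket-Nginx-File", "Cache-Control")


class NoRedirect(HTTPRedirectHandler):
    """Make urllib surface every 30x as an HTTPError instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_hop(url):
    """Return (status, {header: value}) for one request; 30x/4xx/5xx are data."""
    opener = build_opener(NoRedirect)
    req = Request(url, headers={"User-Agent": "reset-trace/1.0"})
    try:
        resp = opener.open(req, timeout=10)
        status, hdrs = resp.status, resp.headers
    except HTTPError as e:
        status, hdrs = e.code, e.headers
    return status, {k: hdrs.get(k) for k in TRACKED if hdrs.get(k)}


def diagnose(hops):
    """hops: list of (url, status, headers). Name the first hop that produced
    the maintenance page or a 503 (nginx limit_req rejects with 503 by default;
    assumed: the vhost's 503include maps 503 to maintenance.html)."""
    for i, (url, status, hdrs) in enumerate(hops):
        loc = hdrs.get("Location", "")
        if "maintenance.html" in loc or "maintenance.html" in url:
            return f"hop {i}: {status} -> maintenance page ({loc or url})"
        if status == 503:
            return f"hop {i}: 503 from nginx (limit_req or 503include) at {url}"
    last_url, last_status, _ = hops[-1]
    return f"chain ended with {last_status} at {last_url} after {len(hops)} hop(s)"


def trace(url, max_hops=10):
    """Follow the chain manually, e.g. starting at
    https://example.test/wp-login.php?action=rp&key=TOKEN&login=USER (constructed)."""
    hops = []
    for _ in range(max_hops):
        status, hdrs = fetch_hop(url)
        hops.append((url, status, hdrs))
        if status not in (301, 302, 303, 307, 308) or "Location" not in hdrs:
            break
        url = urljoin(url, hdrs["Location"])  # Location may be relative
    return hops


if __name__ == "__main__":
    chain = trace(sys.argv[1])
    for i, (u, s, h) in enumerate(chain):
        print(f"[{i}] {s} {u}")
        for k, v in h.items():
            print(f"     {k}: {v}")
    print(diagnose(chain))
```

Run it once against the reset URL from the e-mail and once after the browser refresh the thread describes; the hop that answers 503 or points at maintenance.html shows whether the redirect comes from nginx before PHP is reached or from WordPress after it handled the key.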
     
  2. Daniel J. Lewis

    I tested switching from WP Rocket to Cache Enabler and it made no difference. I expected as much anyway.
     
  3. eva2000

    quoting myself :)

     
  4. Daniel J. Lewis

    This isn't HTTP password protection. I chose not to have that when I created the site. But even if I comment out
    Code:
    auth_basic "Private";
    , the problem still exists.
     
  5. eva2000

    both lines need commenting out
    Code (Text):
    #auth_basic "Private"; 
    #auth_basic_user_file /home/nginx/domains/[DOMAIN].com/htpasswd_wplogin;
    

    then restart nginx and php-fpm
    Code (Text):
    nprestart
    
     
  6. Daniel J. Lewis

    Yup yup. Option 22 automatically commented auth_basic_user_file, but it left the other one uncommented.

    But anyway, these are irrelevant to this maintenance page problem on tokenized password reset URLs.
     
  7. eva2000

    checked the code, centmin.sh comments out both as far as I can see

    contents of /usr/local/nginx/conf/rocket-nginx/default.conf ?
     
  8. Daniel J. Lewis

    I can take WP Rocket completely out of WP and Nginx and the problem still happens. But here's /usr/local/nginx/conf/rocket-nginx/default.conf anyway:

    Code:
    ###################################################################################################
    # Rocket-Nginx
    #
    # Rocket-Nginx is a NGINX configuration to speedup your WordPress
    # website with the cache plugin WP-Rocket (http://wp-rocket.me)
    #
    # Author: Maxime Jobin
    # URL: https://github.com/maximejobin/rocket-nginx
    #
    # Tested with WP-Rocket version: 3.0.5.1
    # Tested with NGINX: 1.15 (mainline)
    #
    # Version 2.1.1
    #
    ###################################################################################################
    
    # Add debug information into header
    set $rocket_debug 0;
    
    
    ###################################################################################################
    # Do not alter these values
    #
    set $rocket_bypass 1;                # Should NGINX bypass WordPress and call cache file directly ?
    set $rocket_encryption "";            # Is GZIP accepted by client ?
    set $rocket_file "";                # Filename to use
    set $rocket_is_bypassed "No";        # Header text added to check if the bypass worked or not. Header: X-Rocket-Nginx-Serving-Static
    set $rocket_reason "";                # Reason why cache file was not used. If cache file is used, what file was used
    set $rocket_https_prefix "";        # HTTPS prefix to use when cached files are using HTTPS
    set $rocket_hsts 0;                    # Is HSTS is off (0) by default. Will be turned on (1) if request is HTTPS
    
    # HSTS value
    set $rocket_hsts_value "max-age=31536000; includeSubDomains";
    
    ###################################################################################################
    # PAGE CACHE
    #
    
    # Is GZIP accepted by client ?
    if ($http_accept_encoding ~ gzip) {
        set $rocket_encryption "_gzip";
    }
    
    # Is Brotli accepted by client ?
    if ($http_accept_encoding ~ br) {
        set $rocket_encryption "";
    }
    
    # Is SSL request ?
    if ($https = "on") {
        set $rocket_https_prefix "-https";
        set $rocket_hsts 1;
    }
    
    # If HSTS is disabled, unset HSTS set for Rocket-Nginx configuration
    if ($rocket_hsts = "0") {
        set $rocket_hsts_value "";
    }
    
    # File/URL to return IF we must bypass WordPress
    # Desktop: index.html or index-https.html
    # Mobile:  index-mobile.html or index-mobile-https.html
    set $rocket_end "/cache/wp-rocket/$http_host/$request_uri/index$rocket_https_prefix.html$rocket_encryption";
    set $rocket_url "/wp-content$rocket_end";
    set $rocket_file "$document_root/wp-content$rocket_end";
    set $rocket_mobile_detection "$document_root/wp-content/cache/wp-rocket/$http_host/$request_uri/.mobile-active";
    
    
    # Do not bypass if it's a POST request
    if ($request_method = POST) {
        set $rocket_bypass 0;
        set $rocket_reason "POST request";
    }
    
    # Do not bypass if arguments are found (e.g. ?page=2)
    if ($is_args) {
        set $rocket_bypass 0;
        set $rocket_reason "Arguments found";
    }
    
    # Do not bypass if the site is in maintenance mode
    if (-f "$document_root/.maintenance") {
        set $rocket_bypass 0;
        set $rocket_reason "Maintenance mode";
    }
    
    # Do not bypass if one of those cookie if found
    # wordpress_logged_in_[hash] : When a user is logged in, this cookie is created (we'd rather let WP-Rocket handle that)
    # wp-postpass_[hash] : When a protected post requires a password, this cookie is created.
    if ($http_cookie ~* "(wordpress_logged_in_|wp\-postpass_|woocommerce_items_in_cart|woocommerce_cart_hash|wptouch_switch_toogle|comment_author_|comment_author_email_)") {
        set $rocket_bypass 0;
        set $rocket_reason "Cookie";
    }
    
    if (-f "$rocket_mobile_detection") {
        set $rocket_bypass 0;
        set $rocket_reason "Specific mobile cache activated";   
    }
    
    # Do not bypass if the cached file does not exist
    if (!-f "$rocket_file") {
        set $rocket_bypass 0;
        set $rocket_reason "File not cached";
    }
    
    # If the bypass token is still on, let's bypass WordPress with the cached URL
    if ($rocket_bypass = 1) {
        set $rocket_is_bypassed "Yes";
        set $rocket_reason "$rocket_url";
    }
    
    # Clear variables if debug is not needed
    if ($rocket_debug = 0) {
        set $rocket_reason "";
        set $rocket_file "";
    }
    
    # If the bypass token is still on, rewrite according to the file linked to the request
    if ($rocket_bypass = 1) {
        rewrite .* "$rocket_url" last;
    }
    
    # Add header to HTML cached files
    location ~ /wp-content/cache/wp-rocket/.*html$ {
        etag on;
        add_header Vary "Accept-Encoding, Cookie";
        add_header Cache-Control "no-cache, no-store, must-revalidate";
        add_header X-Rocket-Nginx-Serving-Static $rocket_is_bypassed;
        add_header X-Rocket-Nginx-Reason $rocket_reason;
        add_header X-Rocket-Nginx-File $rocket_file;
        add_header Strict-Transport-Security "$rocket_hsts_value";
       
       
    }
    
    # Do not gzip cached files that are already gzipped
    location ~ /wp-content/cache/wp-rocket/.*_gzip$ {
        etag on;
        gzip off;
        types {}
        default_type text/html;
        add_header Content-Encoding gzip;
        add_header Vary "Accept-Encoding, Cookie";
        add_header Cache-Control "no-cache, no-store, must-revalidate";
        add_header X-Rocket-Nginx-Serving-Static $rocket_is_bypassed;
        add_header X-Rocket-Nginx-Reason $rocket_reason;
        add_header X-Rocket-Nginx-File $rocket_file;
        add_header Strict-Transport-Security "$rocket_hsts_value";
       
       
    }
    
    # Debug header (when file is not cached)
    add_header X-Rocket-Nginx-Serving-Static $rocket_is_bypassed;
    add_header X-Rocket-Nginx-Reason $rocket_reason;
    add_header X-Rocket-Nginx-File $rocket_file;
    
    # No HSTS header added here. We suppose it's correctly added in the site configuration
    
    
    ###################################################################################################
    # BROWSER CSS CACHE
    #
    location ~* \.css$ {
        etag on;
        gzip_vary on;
        expires 30d;
       
    }
    
    
    ###################################################################################################
    # BROWSER JS CACHE
    #
    location ~* \.js$ {
        etag on;
        gzip_vary on;
        expires 30d;
       
    }
    
    
    ###################################################################################################
    # BROWSER MEDIA CACHE
    #
    location ~* \.(ico|gif|jpe?g|png|svg|eot|otf|woff|woff2|ttf|ogg)$ {
        etag on;
        expires 30d;
       
    }
    
    
     
  9. eva2000

    strange indeed then.. how are you resetting passwords ? I just tested this on fresh centmin.sh menu option 22 installed wordpress install with keycdn cache enabler and hitting Lost your password ? link on wp-login.php page works and asks for email/username to reset password and redirects to /wp-login.php?checkemail=confirm

    then visiting email shows /wp-login.php?action=rp&key=nnrzohvBy08nVwQMdcf1&login=USERNAME url which i visit to set a new password

    i have this in my vhost
    Code (Text):
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/domain.com/htpasswd_wplogin; 
        include /usr/local/nginx/conf/php-wpsc.conf;
     
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    

    ah i do see auth_basic doesn't get commented out but still works heh, but it comments it out in the non-https vhost mistakenly, so will fix that
     
  10. Daniel J. Lewis

    It's visiting the /wp-login.php?action=rp&key=[TOKEN]&login=[USERNAME] URL a user gets from their email that is resulting in the maintenance page problem after they're redirected from an expired token. But a browser refresh after that takes them to the login page.
     
  11. eva2000

    just noticed in your vhost you have
    Code (Text):
    include /usr/local/nginx/conf/wpms-redirects.conf; # Redirecting old WPMS uploads URL
    

    anything in /usr/local/nginx/conf/wpms-redirects.conf that high up on vhost config may cause unintended redirects ?

    anything in autoprotect includes file causing wp plugins or themes to not work properly ?
    Code (Text):
    /usr/local/nginx/conf/autoprotect/[DOMAIN].com/autoprotect-[DOMAIN].com.conf
    


    strange, not able to reproduce this on a fresh centmin.sh menu option 22 wordpress install.

    You can verify this yourself. Install a 2nd dummy fresh wordpress install via centmin.sh menu option 22 on a test domain, and try the password reset routine and see what happens without woocommerce and without wp-rocket first. Then one by one install and configure those 2 and each time test the password reset routine and see what happens.