apache error 403 forbidden loading files css js img

September 17, 2019
Ubuntu 16.04 Apache WordPress PHP DigitalOcean

Please can someone help / debug and hopefully solve a strange issue I am having?

For some reason when I go to a URL that contains the word ‘blue’ the website css, js and images won’t load; in the browser console it says 403 forbidden for each asset.
If I go to a page without blue in the URL everything loads! Really strange.

I’ve tested this on different devices / IPs. Same result when I go to -

  • example.com/blue (doesn’t work)
  • example.com/blue-room (doesn’t work)
  • example.com/big-blue-ball (doesn’t work)
  • example.com/sky-is-blue (doesn’t work)
  • example.com/orange (works)
  • example.com/orange-room (works)

Here are the logs from Apache running PHP 7 on Ubuntu 16 -

error log

[access_compat:error] [pid 17355] [client 1.23.45.67:123] AH01797: client denied by server configuration: /sites/example/public_html/wp-content/themes/example/styles.css, referer: https://example.com/tag/blue/

access log

"GET /wp-content/themes/example/styles.css HTTP/1.1" 403 3907 "https://example.com/blue/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36"

I’ve got fail2ban installed and the error code above matches this filter apache-auth.conf -

failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$

I disabled this filter and all references to it and tried testing with the fail2ban service stopped to see if the css, js and images load for the ‘blue’ pages, but the issue still remains.

I’ve also flushed the fail2ban log and sql db. The issue is still there so it can’t be a fail2ban issue.

Is it possible fail2ban is still running when it is switched off? The apache log still produces the AH01797 error when fail2ban is off after I’ve visited a ‘blue’ page URL.

All I can think of is that there was a WordPress tag that had a full stop in it, like example.com/blue.room, and fail2ban would ban my IP every time I visited the page, so I removed the full stop and the page partially loaded but without the css, js and images, which is what I am experiencing now.

The site has 2 config files, as Let’s Encrypt, the free SSL script, duplicates the original. Here’s what they look like -

examplesite.com.conf

<VirtualHost *:80>
    ServerAdmin example@example.com
    ServerName www.example.com
    DocumentRoot /sites/examplesite/public_html
    <Directory />
        AllowOverride All
    </Directory>
    <Directory /sites/examplesite/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Require all granted
    </Directory>
    ErrorLog /var/log/apache2/examplesite.com-error.log
    LogLevel error
    CustomLog /var/log/apache2/examplesite.com-access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.examplesite.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerName examplesite.com
    Redirect permanent / http://www.examplesite.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =examplesite.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

examplesite.com-le-ssl.conf

<VirtualHost *:443>
    ServerAdmin example@example.com
    ServerName example.com

    SSLEngine on

    DocumentRoot /sites/examplesite/public_html
    <Directory />
        AllowOverride All
    </Directory>
    <Directory /sites/examplesite/public_html>
        Options Indexes FollowSymLinks MultiViews
        Include /etc/apache2/custom.d/globalblacklist.conf
        AllowOverride all
        Require all granted
    </Directory>
    ErrorLog /var/log/apache2/examplesite.com-error.log
    LogLevel error
    CustomLog /var/log/apache2/examplesite.com-access.log combined
    SSLCertificateFile /etc/letsencrypt/live/examplesite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/examplesite.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/examplesite.com/chain.pem
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin example@example.com
    ServerName example.com

    SSLEngine on

    Redirect permanent / https://examplesite.com/
    SSLCertificateFile /etc/letsencrypt/live/examplesite.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/examplesite.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/examplesite.com/chain.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName examplesite.com
    ServerAlias www.examplesite.com
    Redirect permanent / https://examplesite.com/
</VirtualHost>

Any ideas what is going on?

2 Answers

Hello,

My guess would be that you have some Failregex defined in your /etc/fail2ban/filter.d directory. I would recommend checking your config files in that directory for anything that could be matching the blue keyword.

Also, another thing that could be causing the problem might be a security WordPress plugin. I would recommend going through your plugins as well and, as a test, try to temporarily disable the security ones like Wordfence and see if this has any effect.

Regards,
Bobby

Hi Bobby,

Inside filter.d there is a filter called apache-auth.conf which has -

failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$

The code AH01797 matches this in the access log -

[access_compat:error] [pid 17355] [client 1.23.45.67:123] AH01797: client denied by server configuration: /sites/example/public_html/wp-content/themes/example/styles.css, referer: https://example.com/tag/blue/
access log

I’ve tried stopping fail2ban and restarting apache but the bug is still there :(

I haven’t got the Wordfence plugin or any WP security plugin like that; I just use fail2ban.

Here’s a screenshot of Google devtools network tab comparing the bug page headers and a working page header info -
https://i.imgur.com/EOEQN0i.jpg

Do you think, as a last resort, I should create a new site folder on the droplet?
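
A way to check, from the access log alone, whether the 403s follow the Referer header rather than the requested file, as the pattern described in the question suggests. This is an added example, not part of the original thread; the log lines, the `main.js` asset and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access-log lines (combined format), modelled on the entry in the post.
SAMPLE_ACCESS_LOG = """\
1.23.45.67 - - [17/Sep/2019:10:00:01 +0000] "GET /wp-content/themes/example/styles.css HTTP/1.1" 403 3907 "https://example.com/blue/" "Mozilla/5.0"
1.23.45.67 - - [17/Sep/2019:10:00:02 +0000] "GET /wp-content/themes/example/main.js HTTP/1.1" 403 3907 "https://example.com/blue-room/" "Mozilla/5.0"
1.23.45.67 - - [17/Sep/2019:10:00:03 +0000] "GET /wp-content/themes/example/styles.css HTTP/1.1" 403 3907 "https://example.com/big-blue-ball/" "Mozilla/5.0"
1.23.45.67 - - [17/Sep/2019:10:00:04 +0000] "GET /wp-content/themes/example/styles.css HTTP/1.1" 403 3907 "https://example.com/sky-is-blue/" "Mozilla/5.0"
1.23.45.67 - - [17/Sep/2019:10:00:05 +0000] "GET /wp-content/themes/example/styles.css HTTP/1.1" 200 5120 "https://example.com/orange/" "Mozilla/5.0"
1.23.45.67 - - [17/Sep/2019:10:00:06 +0000] "GET /wp-content/themes/example/main.js HTTP/1.1" 200 840 "https://example.com/orange-room/" "Mozilla/5.0"
1.23.45.67 - - [17/Sep/2019:10:00:07 +0000] "GET /xmlrpc.php HTTP/1.1" 403 3907 "-" "Mozilla/5.0"
"""

# Request line, status, size and referer of a combined-format entry.
LINE_RE = re.compile(
    r'"(?:GET|HEAD|POST) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def referer_tokens(referer):
    """Lowercase word tokens of the referer's URL path ('/big-blue-ball/' -> big, blue, ball)."""
    return set(re.findall(r"[a-z0-9]+", urlsplit(referer).path.lower()))


def referer_dependent_denials(log_text):
    """Return (assets, tokens): assets whose status flips between 403 and 2xx/3xx
    depending on the referer, and tokens found in every denied referer path but
    in no allowed one."""
    seen = defaultdict(lambda: {"denied": set(), "allowed": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["status"] == "403":
            seen[m["path"]]["denied"].add(m["referer"])
        elif m["status"][0] in "23":
            seen[m["path"]]["allowed"].add(m["referer"])
    # Assets denied unconditionally (here /xmlrpc.php) are not referer-dependent.
    flipped = sorted(p for p, r in seen.items() if r["denied"] and r["allowed"])
    denied = [referer_tokens(r) for p in flipped for r in seen[p]["denied"]]
    allowed = set().union(*[referer_tokens(r) for p in flipped for r in seen[p]["allowed"]])
    common = set.intersection(*denied) if denied else set()
    return flipped, sorted(common - allowed)


if __name__ == "__main__":
    assets, tokens = referer_dependent_denials(SAMPLE_ACCESS_LOG)
    print("assets denied only for some referers:", assets)
    print("referer tokens unique to the denials:", tokens)
```

A token reported here means the denial is decided by a rule inside Apache that inspects the Referer (the error-log entry names the `access_compat` module), so the files pulled in with `Include` and any `.htaccess` are where to look.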
