Related

Subdomain with different DocumentRoot Question Question
You don't have permission to access / on this server. Wordpress multiple sites Ubuntu Question Question

Question

assets not loading 403 & document 404.. cialis token? apache error AH01797: client denied by server configuration

Posted July 19, 2021 83 views
ApacheWordPress

Hi I’ve got a WordPress website and when I go to a URL containing the word ’specialis’ the assets don’t load. The dev console shows 403 error on the assets (CSS, JS & images) and the document 404.

What’s strange is if I go to speciali the assets load.

I can’t figure out why the assets load for speciali and don’t load for specialis.

The .htaccess file doesn’t have anything conflicting in it.

I’ve searched the database for all specialis entries and there’s nothing obvious there.

Here’s what the apache error log shows -

[accesscompat:error] [pid 16518:tid 139963730081536] [client myip:53260] AH01797: client denied by server configuration: /sites/mysite/publichtml/wp-content/themes/mysite-child/css/global.css, referer: https://mysite.com/specialis

The file and folder permissions are also OK.

My friend says a cialis token is causing this issue. I’ve never heard of a cialis token.

Can someone please advise on how to fix this so the assets load again?

Many thanks in advance

Add a comment
twc8ac35a8636
By:
twc8ac35a8636

Related

Subdomain with different DocumentRoot Question Question
You don't have permission to access / on this server. Wordpress multiple sites Ubuntu Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer
bobbyiliev July 21, 2021

Hello,

As the file permissions are correct what I could suggest is:

  • If you have a plugin like WordFence, check if it is blocking specific requests or words
  • Check your .htaccess file for any deny rules
  • Check your Apache config file and your Apache Vhost config for any deny rules
  • If you have a content delivery network like Cloudflare, make sure that you don’t have specific deny rules there

Let me know how it goes.
Regards,
Bobby

Reply Report
  • twc8ac35a8636 July 22, 2021

    Hi Bobby thanks for writing back.

    WordFence isn’t installed but Fail2ban is.

    Haven’t got a CDN.

    I can’t see any problematic deny rules in the vhost and .htaccess files. Here’s a dump of those files maybe you can see something a miss?

    /etc/apache2/sites-available/mysite.com-le-ssl.conf

    <VirtualHost *:443>
    ServerAdmin my@email.com
    ServerName mysite.com

    SSLEngine on

    DocumentRoot /sites/mysite/public_html
    <Directory />
        AllowOverride All
    </Directory>
        <Directory /sites/mysite/public_html>
        Options Indexes FollowSymLinks MultiViews
                Include /etc/apache2/custom.d/globalblacklist.conf
        AllowOverride all
        Require all granted
    </Directory>
    ErrorLog /var/log/apache2/mysite.com-error.log
    LogLevel error
    CustomLog /var/log/apache2/mysite.com-access.log combined
SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem
</VirtualHost>
<VirtualHost *:443>
        ServerAdmin my@email.com
        ServerName www.mysite.com

        SSLEngine on

        Redirect permanent / https://mysite.com/
        SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    Redirect permanent / https://mysite.com/
</VirtualHost>

    .htaccess

    <IfModule pagespeed_module>
    ModPagespeed on
    # using commands,filters etc
</IfModule>

# Enable Compression
<ifModule mod_deflate.c>
    AddType image/svg+xml .svg
    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/css text/javascript application/javascript application/x-javascript image/svg+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE image/x-icon
</ifModule>

# BEGIN Turn ETags Off
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>
<ifModule mod_headers.c>
  Header unset ETag
</ifModule>
FileETag None
# END Turn ETags Off

## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType image/jpg "access plus 600 seconds"
ExpiresByType image/jpeg "access plus 600 seconds"
ExpiresByType image/gif "access plus 600 seconds"
ExpiresByType image/png "access plus 600 seconds"
ExpiresByType text/css "access plus 600 seconds"
ExpiresByType text/html "access plus 600 seconds"
ExpiresByType application/pdf "access plus 600 seconds"
ExpiresByType text/x-javascript "access plus 600 seconds"
ExpiresByType application/x-shockwave-flash "access plus 600 seconds"
ExpiresByType image/x-icon "access plus 600 seconds"
</IfModule>
## EXPIRES CACHING ##

# BEGIN Cache-Control Headers
<ifModule mod_headers.c>
    <filesMatch ".(css|jpg|jpeg|png|gif|js|ico)$">
    Header set Cache-Control "max-age=1, public"
    </filesMatch>
    <filesMatch "\.(x?html?|php)$">
        Header set Cache-Control "max-age=1, private, must-revalidate"
    </filesMatch>
</ifModule>
# END Cache-Control Headers


<IfModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

#Disable Directory Browsing
Options All -Indexes
    Reply Report
    • bobbyiliev July 23, 2021

      Hello,

      The configuration looks good. I could suggest a couple of things:

      • Check your fail2ban config to see if there are any deny rules and also check the fail2ban logs to see if you could get some more information there

      • I can see that you have Mod PageSpeed, have you try disabling it as a test to see if it fixes the 403 errors for your static files?

      Regards,
      Bobby

      Reply Report
      • twc8ac35a8636 July 23, 2021

        Hi Bobby,

        I removed Mod Pagespeed and I stopped fail2ban then restarted apache and the assets still have 403 error :(

        Reply Report
        • bobbyiliev about 17 hours ago

          Hello,

          This is quite strange, do you see the file in the /sites/mysite/public_html/wp-content/themes/mysite-child/css/global.css directory? If so could you run an ls -lah followed by the name of the file and share the output here?

          Reply Report
          • twc8ac35a8636 about 16 hours ago

            Yup very strange!

            Yes I can see that file when going to it directly and all the other pages on the website can load it.

            Here’s the output -

            -rwxrwxr-x  1 mysite www-data 299K Jul 22 14:29 global.css
            Reply Report
          • bobbyiliev about 15 hours ago

            Hi @twc8ac35a8636,

            It seems like Apache is blocking the requests from specific referrers.

            Do you have any HTTP_REFERER references in your .htaccess file?

            Feel free to share your .htaccess file here, after removing any sensitive information from there.

            Reply Report
          • twc8ac35a8636 about 12 hours ago

            Hi Bobby,

            The WordPress homepage was called Specialist and then I removed Specialist from the homepage title and renamed the about page Specialist.. That’s when I noticed the assets don’t load for this specialist page.

            Here’s whats inside the .htaccess, there is a 301 redirect but no HTTP_REFERER -

            # BEGIN Turn ETags Off
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>
<ifModule mod_headers.c>
  Header unset ETag
</ifModule>
FileETag None
# END Turn ETags Off

## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType image/jpg "access plus 600 seconds"
ExpiresByType image/jpeg "access plus 600 seconds"
ExpiresByType image/gif "access plus 600 seconds"
ExpiresByType image/png "access plus 600 seconds"
ExpiresByType text/css "access plus 600 seconds"
ExpiresByType text/html "access plus 600 seconds"
ExpiresByType application/pdf "access plus 600 seconds"
ExpiresByType text/x-javascript "access plus 600 seconds"
ExpiresByType application/x-shockwave-flash "access plus 600 seconds"
ExpiresByType image/x-icon "access plus 600 seconds"
</IfModule>
## EXPIRES CACHING ##

# BEGIN Cache-Control Headers
<ifModule mod_headers.c>
    <filesMatch ".(css|jpg|jpeg|png|gif|js|ico)$">
    Header set Cache-Control "max-age=1, public"
    </filesMatch>
    <filesMatch "\.(x?html?|php)$">
        Header set Cache-Control "max-age=1, private, must-revalidate"
    </filesMatch>
</ifModule>
# END Cache-Control Headers


<IfModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

#Disable Directory Browsing
Options All -Indexes



Redirect 301 /specialist /new-expert
Redirect 301 /specialists /new-expert
            Reply Report

Related

Looking for something else?

Ask a new question Search for more help