Question

assets not loading 403 & document 404.. cialis token? apache error AH01797: client denied by server configuration

Posted July 19, 2021 83 views
Apache, WordPress

Hi I’ve got a WordPress website and when I go to a URL containing the word ’specialis’ the assets don’t load. The dev console shows 403 error on the assets (CSS, JS & images) and the document 404.

What’s strange is if I go to speciali the assets load.

I can’t figure out why the assets load for speciali and don’t load for specialis.

The .htaccess file doesn’t have anything conflicting in it.

I’ve searched the database for all specialis entries and there’s nothing obvious there.

Here’s what the apache error log shows -

[access_compat:error] [pid 16518:tid 139963730081536] [client myip:53260] AH01797: client denied by server configuration: /sites/mysite/public_html/wp-content/themes/mysite-child/css/global.css, referer: https://mysite.com/specialis

The file and folder permissions are also OK.

My friend says a cialis token is causing this issue. I’ve never heard of a cialis token.

Can someone please advise on how to fix this so the assets load again?

Many thanks in advance

1 answer

Hello,

As the file permissions are correct what I could suggest is:

  • If you have a plugin like WordFence, check if it is blocking specific requests or words
  • Check your .htaccess file for any deny rules
  • Check your Apache config file and your Apache Vhost config for any deny rules
  • If you have a content delivery network like Cloudflare, make sure that you don’t have specific deny rules there

Let me know how it goes.
Regards,
Bobby

  • Hi Bobby thanks for writing back.

    WordFence isn’t installed but Fail2ban is.

    Haven’t got a CDN.

    I can’t see any problematic deny rules in the vhost and .htaccess files. Here’s a dump of those files, maybe you can see something amiss?

    /etc/apache2/sites-available/mysite.com-le-ssl.conf

    <VirtualHost *:443>
        ServerAdmin my@email.com
        ServerName mysite.com
    
        SSLEngine on
    
        DocumentRoot /sites/mysite/public_html
        <Directory />
            AllowOverride All
        </Directory>
        <Directory /sites/mysite/public_html>
            Options Indexes FollowSymLinks MultiViews
            Include /etc/apache2/custom.d/globalblacklist.conf
            AllowOverride all
            Require all granted
        </Directory>
        ErrorLog /var/log/apache2/mysite.com-error.log
        LogLevel error
        CustomLog /var/log/apache2/mysite.com-access.log combined
        SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem
    </VirtualHost>
    <VirtualHost *:443>
        ServerAdmin my@email.com
        ServerName www.mysite.com
    
        SSLEngine on
    
        Redirect permanent / https://mysite.com/
        SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem
    </VirtualHost>
    
    <VirtualHost *:80>
        ServerName mysite.com
        ServerAlias www.mysite.com
        Redirect permanent / https://mysite.com/
    </VirtualHost>
    
    

    .htaccess

    <IfModule pagespeed_module>
        ModPagespeed on
        # using commands,filters etc
    </IfModule>
    
    # Enable Compression
    <ifModule mod_deflate.c>
        AddType image/svg+xml .svg
        AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/css text/javascript application/javascript application/x-javascript image/svg+xml
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
        AddOutputFilterByType DEFLATE application/x-font
        AddOutputFilterByType DEFLATE application/x-font-opentype
        AddOutputFilterByType DEFLATE application/x-font-otf
        AddOutputFilterByType DEFLATE application/x-font-truetype
        AddOutputFilterByType DEFLATE application/x-font-ttf
        AddOutputFilterByType DEFLATE application/x-javascript
        AddOutputFilterByType DEFLATE font/opentype
        AddOutputFilterByType DEFLATE font/otf
        AddOutputFilterByType DEFLATE font/ttf
        AddOutputFilterByType DEFLATE image/x-icon
    </ifModule>
    
    # BEGIN Turn ETags Off
    <IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </IfModule>
    <ifModule mod_headers.c>
      Header unset ETag
    </ifModule>
    FileETag None
    # END Turn ETags Off
    
    ## EXPIRES CACHING ##
    <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 seconds"
    ExpiresByType image/jpg "access plus 600 seconds"
    ExpiresByType image/jpeg "access plus 600 seconds"
    ExpiresByType image/gif "access plus 600 seconds"
    ExpiresByType image/png "access plus 600 seconds"
    ExpiresByType text/css "access plus 600 seconds"
    ExpiresByType text/html "access plus 600 seconds"
    ExpiresByType application/pdf "access plus 600 seconds"
    ExpiresByType text/x-javascript "access plus 600 seconds"
    ExpiresByType application/x-shockwave-flash "access plus 600 seconds"
    ExpiresByType image/x-icon "access plus 600 seconds"
    </IfModule>
    ## EXPIRES CACHING ##
    
    # BEGIN Cache-Control Headers
    <ifModule mod_headers.c>
        <filesMatch "\.(css|jpg|jpeg|png|gif|js|ico)$">
        Header set Cache-Control "max-age=1, public"
        </filesMatch>
        <filesMatch "\.(x?html?|php)$">
            Header set Cache-Control "max-age=1, private, must-revalidate"
        </filesMatch>
    </ifModule>
    # END Cache-Control Headers
    
    
    <IfModule mod_gzip.c>
      mod_gzip_on Yes
      mod_gzip_dechunk Yes
      mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
      mod_gzip_item_include handler ^cgi-script$
      mod_gzip_item_include mime ^text/.*
      mod_gzip_item_include mime ^application/x-javascript.*
      mod_gzip_item_exclude mime ^image/.*
      mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
    </IfModule>
    
    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    #Disable Directory Browsing
    Options All -Indexes
    
    • Hello,

      The configuration looks good. I could suggest a couple of things:

      • Check your fail2ban config to see if there are any deny rules and also check the fail2ban logs to see if you could get some more information there

      • I can see that you have Mod PageSpeed, have you tried disabling it as a test to see if it fixes the 403 errors for your static files?

      Regards,
      Bobby

      • Hi Bobby,

        I removed Mod Pagespeed and I stopped fail2ban then restarted apache and the assets still have 403 error :(

        • Hello,

          This is quite strange, do you see the file in the /sites/mysite/public_html/wp-content/themes/mysite-child/css/global.css directory? If so could you run an ls -lah followed by the name of the file and share the output here?

          • Yup very strange!

            Yes I can see that file when going to it directly and all the other pages on the website can load it.

            Here’s the output -

            -rwxrwxr-x  1 mysite www-data 299K Jul 22 14:29 global.css
            
          • Hi @twc8ac35a8636,

            It seems like Apache is blocking the requests from specific referrers.

            Do you have any HTTP_REFERER references in your .htaccess file?

            Feel free to share your .htaccess file here, after removing any sensitive information from there.

          • Hi Bobby,

            The WordPress homepage was called Specialist and then I removed Specialist from the homepage title and renamed the about page Specialist. That’s when I noticed the assets don’t load for this specialist page.

            Here’s what’s inside the .htaccess, there is a 301 redirect but no HTTP_REFERER -

            # BEGIN Turn ETags Off
            <IfModule mod_headers.c>
            Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
            </IfModule>
            <ifModule mod_headers.c>
              Header unset ETag
            </ifModule>
            FileETag None
            # END Turn ETags Off
            
            ## EXPIRES CACHING ##
            <IfModule mod_expires.c>
            ExpiresActive On
            ExpiresDefault "access plus 1 seconds"
            ExpiresByType image/jpg "access plus 600 seconds"
            ExpiresByType image/jpeg "access plus 600 seconds"
            ExpiresByType image/gif "access plus 600 seconds"
            ExpiresByType image/png "access plus 600 seconds"
            ExpiresByType text/css "access plus 600 seconds"
            ExpiresByType text/html "access plus 600 seconds"
            ExpiresByType application/pdf "access plus 600 seconds"
            ExpiresByType text/x-javascript "access plus 600 seconds"
            ExpiresByType application/x-shockwave-flash "access plus 600 seconds"
            ExpiresByType image/x-icon "access plus 600 seconds"
            </IfModule>
            ## EXPIRES CACHING ##
            
            # BEGIN Cache-Control Headers
            <ifModule mod_headers.c>
                <filesMatch "\.(css|jpg|jpeg|png|gif|js|ico)$">
                Header set Cache-Control "max-age=1, public"
                </filesMatch>
                <filesMatch "\.(x?html?|php)$">
                    Header set Cache-Control "max-age=1, private, must-revalidate"
                </filesMatch>
            </ifModule>
            # END Cache-Control Headers
            
            
            <IfModule mod_gzip.c>
              mod_gzip_on Yes
              mod_gzip_dechunk Yes
              mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
              mod_gzip_item_include handler ^cgi-script$
              mod_gzip_item_include mime ^text/.*
              mod_gzip_item_include mime ^application/x-javascript.*
              mod_gzip_item_exclude mime ^image/.*
              mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
            </IfModule>
            
            # BEGIN WordPress
            # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
            # dynamically generated, and should only be modified via WordPress filters.
            # Any changes to the directives between these markers will be overwritten.
            <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
            RewriteBase /
            RewriteRule ^index\.php$ - [L]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule . /index.php [L]
            </IfModule>
            
            # END WordPress
            
            #Disable Directory Browsing
            Options All -Indexes
            
            
            
            Redirect 301 /specialist /new-expert
            Redirect 301 /specialists /new-expert
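
Added example, not part of the original thread: AH01797 is logged by mod_access_compat (the `Order`/`Allow`/`Deny` directives), and the only configuration in this thread that is referenced but never shown is the `Include /etc/apache2/custom.d/globalblacklist.conf` line in the vhost. The sketch below reports which `SetEnvIf`/`SetEnvIfNoCase Referer` rules fire on a given Referer; the sample rules and the names `referer_rules` and `rules_matching` are constructed assumptions, since the page does not show the contents of that file.

```python
import re

# Constructed sample. The page does not show what is inside
# /etc/apache2/custom.d/globalblacklist.conf; these rules are assumptions.
SAMPLE_CONF = r'''
SetEnvIfNoCase User-Agent "BadBot" bad_bot
SetEnvIfNoCase Referer "cialis" spam_ref
SetEnvIfNoCase Referer "(^|[^a-z])cialis([^a-z]|$)" spam_ref_strict
SetEnvIf Referer "^https?://spam\.example/" spam_ref
'''

# A directive argument is either a double-quoted string or a bare word.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')


def _unquote(token):
    """Drop one pair of surrounding double quotes, if present."""
    if len(token) > 1 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return token


def referer_rules(conf_text):
    """Yield (line_no, regex, env_vars) for each SetEnvIf[NoCase] Referer rule."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [_unquote(t) for t in TOKEN.findall(line)]
        if len(tokens) < 4:
            continue
        directive, attribute = tokens[0].lower(), tokens[1].lower()
        if directive not in ("setenvif", "setenvifnocase") or attribute != "referer":
            continue
        flags = re.IGNORECASE if directive == "setenvifnocase" else 0
        try:
            regex = re.compile(tokens[2], flags)
        except re.error:
            continue  # PCRE syntax Python cannot parse; inspect that line by hand
        yield line_no, regex, tokens[3:]


def rules_matching(conf_text, referer):
    """Return (line_no, pattern, env_vars) for every rule that fires on this Referer."""
    return [(n, rx.pattern, env) for n, rx, env in referer_rules(conf_text)
            if rx.search(referer)]


if __name__ == "__main__":
    for ref in ("https://mysite.com/specialis", "https://mysite.com/speciali"):
        print(ref, "->", rules_matching(SAMPLE_CONF, ref))
```

With the sample rules, the unanchored `cialis` pattern fires on `/specialis` but not on `/speciali`, while the boundary-checked variant fires on neither. To check a real server, pass the text of the included file in place of `SAMPLE_CONF`.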