CDN Routing issues with VPS getting blocked

December 12, 2016 220 views
Scaling Apache Caching VPN WordPress Ubuntu 16.04


I've currently set up a CDN using Stackpath, and after I had my whole WordPress VPS site under their CDN + WAF - everything was working great! However, about 5 days later, I started noticing random images, CSS, and JS assets not loading. On one browser, one image would not load. Open that same page up in another browser - a different image would not load, but that first image would load. So I contacted Stackpath and it turns out that when my site is under the CDN + WAF security, my VPS would intermittently block communications with their servers. I've added all their IPs to my iptables so that the firewall lets them through, but something is still not letting them through 100%. They had the same issue with their curl test, in that its connection would work partially, but then would get a connection refused error. So is something on my end throttling their servers? If so, how would I check that? Or what else could be the issue?

As a side note - right now the site is just serving up static assets from their CDN just fine, but ideally I would like to take advantage of the WAF.

Thanks in advance for any troubleshooting help with the CDN.

2 Answers

I think that the first place to start would be by reviewing your log files. The blocked connections should be logged. Are you using a WordPress plugin for your WAF or just iptables on your droplet? If a plugin, which one?

I would recommend reviewing your logs and if this does not lead to a solution, disable your WAF long enough to test and verify if it is the source of the problem.

Hello Ryanpq,

Right now I disabled the WAF and the site is currently using WT3C for static file caching and it's working 100%. In the logs I have been able to locate several 404 requests from my server to theirs, but it's unclear why it is 404ing on random files, especially when the request works without WAF enabled.

No plugin for WAF - I'm using iptables to make sure ALL their IPs are whitelisted on my droplet. Is there a better way to do that?

Does that give you any additional ideas?

Thanks so much!
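
One way to check whether the whitelist rules are really the first thing a CDN connection hits is to walk the output of `iptables -S INPUT` in order. This is an added example, not code from anyone in this thread. The ruleset and CDN ranges are constructed (documentation address space), and the parser assumes simple rules without negation or multiport matches.

```python
import ipaddress
import shlex

CONDITIONAL = {"connlimit", "limit", "hashlimit", "recent"}  # matches that fire only sometimes

def parse(line):
    """Turn one `-A INPUT ...` line into a dict of the fields this check uses."""
    tok = shlex.split(line)
    get = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
    mods = {tok[i + 1] for i, t in enumerate(tok[:-1]) if t == "-m"}
    return {
        "src": ipaddress.ip_network(get("-s"), strict=False) if get("-s") else None,
        "iface": get("-i"), "dport": get("--dport"), "state": get("--ctstate"),
        "target": get("-j"), "conditional": bool(mods & CONDITIONAL), "text": line,
    }

def audit(rules_text, cdn_ranges, port="80"):
    """For each CDN range, list what can happen to a new TCP connection to `port`."""
    lines = rules_text.strip().splitlines()
    policy = next((l.split()[2] for l in lines if l.startswith("-P INPUT")), "ACCEPT")
    rules = [parse(l) for l in lines if l.startswith("-A INPUT")]
    report = {}
    for cidr in cdn_ranges:
        net, findings = ipaddress.ip_network(cidr), []
        for r in rules:
            if r["iface"] or (r["state"] and "NEW" not in r["state"]):
                continue  # interface-bound or established-only rules: not a new CDN connection
            if r["dport"] not in (None, port) or r["target"] not in ("ACCEPT", "DROP", "REJECT"):
                continue
            if r["src"] and not net.overlaps(r["src"]):
                continue
            partial = bool(r["src"]) and not net.subnet_of(r["src"])
            kind = "sometimes" if r["conditional"] else "partly" if partial else "always"
            findings.append((kind, r["target"], r["text"]))
            if kind == "always":
                break  # first unconditional match covering the whole range decides
        else:
            findings.append(("always", policy, "-P INPUT " + policy))
        report[cidr] = findings
    return report

# Constructed sample: `iptables -S INPUT` output and stand-in CDN ranges, not from the thread.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 203.0.113.0/25 -p tcp -m tcp --dport 80 -j ACCEPT
"""
CDN_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]
```

Any "sometimes" or "partly" entry listed ahead of the final verdict is a rule that can intermittently refuse a whitelisted range: here a rate-limiting rule placed above the ACCEPT rules, and a whitelist entry narrower than the range the provider publishes.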
