search

crowell / modpagespeed_tmp

Automatically exported from code.google.com/p/modpagespeed
Apache License 2.0
0 stars 0 forks source link

CSS returns 403 Forbidden #582

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
I think its an update that broke it. We have been running the same code for 
over an year. But lately it has been giving this problem. No changes what so 
ever except for applying the recommended updates by the os.

What is the expected output? What do you see instead?
I expect normal page. But I see a css less page. Plane text.

What version of the product are you using (please check X-Mod-Pagespeed
header)?
1.1.23.1-2169

On what operating system?
Ubuntu 10.04

Which version of Apache?
Server version: Apache/2.2.14 (Ubuntu)
Server built:   Nov  6 2012 20:40:54

Which MPM?
How can I find this?

URL of broken page:
I would prefer not disclosing this. Although I don't mind if really necessary.

Original issue reported on code.google.com by sn...@darkbattlers.com on 4 Dec 2012 at 10:31

GoogleCodeExporter commented 9 years ago 
Example:

/application/css.php?request=application/modules/Core/externals/styles/admin/mai
n.css&c=7

Gets converted to:

http://www.domain.com/application/W.css.php,qrequest=application,_modules,_Core,
_externals,_styles,_admin,_main.css,ac=7.pagespeed.cf.fjlGupuHGz.css

The first one works just fine.
The second one returns 403 Forbidden.

Original comment by sn...@darkbattlers.com on 4 Dec 2012 at 10:40

GoogleCodeExporter commented 9 years ago 
Another example:

1.

/application/css.php?request=application/themes/midnight/theme.css&c=7

Gets converted to:

2.

http://www.domain.com/application/W.css.php,qrequest=application,_themes,_midnig
ht,_theme.css,ac=7.pagespeed.cf.yEbgaHPSKe.css

I think the right one would be:

3.

http://www.domain.com/W.application,,_css.php,,qrequest==application,,_themes,,_
midnight,,_theme.css,,ac==7+externals,,_fancyupload,,_fancyupload.css,,qc==7,Mcc
.EyOi1Q4C23.css.pagespeed.cf.VJ4wYOmbc0.css

1. Returns fine
2. 403 Forbidden
3. Returns fine and optimized

Original comment by sn...@darkbattlers.com on 4 Dec 2012 at 10:47

GoogleCodeExporter commented 9 years ago 
This is indeed strange.  Is there anything in your logs that might explain this?

It might help us to see your URL but if you don't want to share it you can just 
mail it to me (jmarantz@google.com) and I won't reveal it in public forums.

Original comment by jmara...@google.com on 5 Dec 2012 at 12:13

GoogleCodeExporter commented 9 years ago 
I have emailed you the same.

Original comment by sn...@darkbattlers.com on 5 Dec 2012 at 1:28

GoogleCodeExporter commented 9 years ago 
I just updated pagespeed to 1.1.23.2-2191 using apt-get update && apt-get 
upgrade and the issue still exists.

Original comment by sn...@darkbattlers.com on 5 Dec 2012 at 1:30

GoogleCodeExporter commented 9 years ago 
OK I repro'd your problem.  This fails with a 403:

  wget --save-headers http://DOMAIN/application/W.css.php,qrequest=application,_themes,_midnight,_theme.css,ac=7.pagespeed.cf.yEbgaHPSKe.css

I manually decoded that URL, which is the result of 'rewrite_css', and tried 
this:

  wget --save-headers http://DOMAIN/application/css.php?request=application/themes/midnight/theme.css&c=7

That passes.  What's the difference in terms of Apache 403-handling?  Not much 
as far as I can tell.  My best guess is that some apache conf file is 
disallowing access to http://DOMAIN/application from outside your network, but 
somehow, possibly via mod_rewrite, the PHP script is whitelisted through.

Is that plausible?

Original comment by jmara...@google.com on 5 Dec 2012 at 2:11

GoogleCodeExporter commented 9 years ago 
One more point, I can load your site and it gets rewritten by mod_pagespeed 
(except for CSS) and loads fine by browsing to:

  http://DOMAIN/?ModPagespeedFilters=-rewrite_css,-extend_cache_css

That says 'load your site, but turn off the rewrite_css and extend_cache_css 
filters leaving all other filters configured as they are in your .conf file'

Original comment by jmara...@google.com on 5 Dec 2012 at 6:39

GoogleCodeExporter commented 9 years ago 
I could give you server access if you wanna check the server out. I checked 
.htaccess and stuff and could find nothing.

Plus I would like to mention this again, we have been running the same setup 
forever but this problem just started recently without any changes at all 
except for applying recommended updates by ubuntu.

Original comment by sn...@darkbattlers.com on 5 Dec 2012 at 6:43

GoogleCodeExporter commented 9 years ago 
I have disabled rewrite_css and extend_cache_css as you recommended and it 
seems to work perfectly now.

Original comment by sn...@darkbattlers.com on 5 Dec 2012 at 7:03

GoogleCodeExporter commented 9 years ago 
That is not necessarily the best workaround as optimizing CSS files has a fair 
amount of benefit.  I think the problem likes probably not in .htaccess files 
but in some other .conf file that Apache is loading.

Original comment by jmara...@google.com on 5 Dec 2012 at 7:10

GoogleCodeExporter commented 9 years ago 
I have looked around the best I can. I got nothing at all.

Original comment by sn...@darkbattlers.com on 5 Dec 2012 at 7:58

GoogleCodeExporter commented 9 years ago 
This problem also occurs on  http://www.altiuzreports.com/ -- a Joomla site, 
and is worked around with a similar disable directive.

[Thu Dec 06 12:49:34 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/media/system/css/W.modal.css.pagespeed.cf.n4Iy-tN7Sj.css, referer: 
http://www.altiuzreports.com/
[Thu Dec 06 12:49:34 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/templates/gk_music_free/css/W.k2.css.pagespeed.cf.CAwb_G0DGG.css, referer: 
http://www.altiuzreports.com/
[Thu Dec 06 12:49:34 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/templates/gk_music_free/css/system/W.system.css.pagespeed.cf.-6JzBKRCca.css, 
referer: http://www.altiuzreports.com/
[Thu Dec 06 12:49:34 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/templates/gk_music_free/css/W.template.css.pagespeed.cf.KMzAU3E_vw.css, 
referer: http://www.altiuzreports.com/
[Thu Dec 06 12:49:34 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/templates/gk_music_free/css/W.menu,,_menu.css+gk.stuff.css+style1.css+typograph
y,,_typography.style1.css+typography,,_typography.iconset.style1.css,Mcc.7uFo2kL
m78.css.pagespeed.cf.WUAqmH3wHd.css, referer: http://www.altiuzreports.com/
[Thu Dec 06 12:49:34 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/templates/gk_music_free/css/W.joomla.css.pagespeed.cf.91Tuzm8f88.css, referer: 
http://www.altiuzreports.com/
[Thu Dec 06 12:49:35 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/modules/mod_pwebcontact/css/general/W.modal-static.css.pagespeed.cf.sE_aH60lyT.
css, referer: http://www.altiuzreports.com/
[Thu Dec 06 12:49:35 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/W.modules,,_mod_news_pro_gk4,,_interface,,_css,,_style.css+media,,_mod_language
s,,_css,,_template.css,Mcc.aoUArEshID.css.pagespeed.cf.5eiUdy5dmX.css, referer: 
http://www.altiuzreports.com/
[Thu Dec 06 12:49:35 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/modules/mod_pwebcontact/css/modal/W.blue.css.pagespeed.cf.ThOd3KEkI-.css, 
referer: http://www.altiuzreports.com/
[Thu Dec 06 12:49:35 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/media,_system,_js,_mootools-core.js,Mjm.icm_DCUluU.js+media,_system,_js,_core.j
s,Mjm.AESYeh_Qiv.js+media,_system,_js,_modal.js,Mjm.UjILsGpGmy.js+media,_k2,_ass
ets,_js,_k2.noconflict.js,Mjm.MK0q4iT8Mf.js+components,_com_k2,_js,_k2.js,Mjm.25
g2o7ZNG3.js+media,_system,_js,_caption.js,Mjm.N0DmbmP4fF.js+media,_system,_js,_m
ootools-more.js,Mjm.SMODr-WPPp.js+templates,_gk_music_free,_js,_gk.scripts.js,Mj
m.1c5Za4-I6o.js+templates,_gk_music_free,_js,_gk.menu.js,Mjm.fP4LZhZD6N.js+templ
ates,_gk_music_free,_js,_moo.masonry.js,Mjm.tx9VIy3Aqn.js+media,_system,_js,_val
idate.js,Mjm.70rhqASwDx.js+modules,_mod_pwebcontact,_js,_mootools.pwebcontact.js
,Mjm.hlHEI1yQNI.js+modules,_mod_news_pro_gk4,_interface,_scripts,_engine.js,Mjm.
hNv-F7rKL3.js.pagespeed.jc.Kvg4NkbrMV.js, referer: http://www.altiuzreports.com/
[Thu Dec 06 12:49:35 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/templates/gk_music_free/images/logo.png.pagespeed.ce.mbYA5XENbi.png, referer: 
http://www.altiuzreports.com/
[Thu Dec 06 12:49:35 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri /images/xaltiuz.png.pagespeed.ic.8BaCsglGLo.png, 
referer: http://www.altiuzreports.com/
[Thu Dec 06 12:49:35 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/templates/gk_music_free/css/W.tablet.css.pagespeed.cf.JjmW0gK3Q-.css, referer: 
http://www.altiuzreports.com/
[Thu Dec 06 12:49:36 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/templates/gk_music_free/css/W.mobile.css.pagespeed.cf.Lq4CWSwtmD.css, referer: 
http://www.altiuzreports.com/
[Thu Dec 06 12:49:36 2012] [error] [client 66.102.14.16] client denied by 
server configuration: uri 
/templates/gk_music_free/css/system/W.print.css.pagespeed.cf.I29YUSeJym.css, 
referer: http://www.altiuzreports.com/
[Thu Dec 06 12:54:09 2012] [error] (113)No route to host: proxy: HTTP: attempt 
to connect to 192.168.0.51:8080 (192.168.0.51) failed
[Thu Dec 06 12:54:09 2012] [error] ap_proxy_connect_backend disabling worker 
for (192.168.0.51)
[Thu Dec 06 12:56:49 2012] [error] [client 192.168.0.1] client denied by server 
configuration: uri 
/templates/gk_music_free/css/menu,_menu.css+gk.stuff.css+style1.css+typography,_
typography.style1.css+typography,_typography.iconset.style1.css.pagespeed.cc.7uF
o2kLm78.css, referer: http://www.altiuzreports.com/es/
[Thu Dec 06 12:56:49 2012] [error] [client 192.168.0.1] client denied by server 
configuration: uri 
/media,_system,_js,_mootools-core.js,Mjm.icm_DCUluU.js+media,_system,_js,_core.j
s,Mjm.AESYeh_Qiv.js+media,_system,_js,_modal.js,Mjm.UjILsGpGmy.js+media,_k2,_ass
ets,_js,_k2.noconflict.js,Mjm.MK0q4iT8Mf.js+components,_com_k2,_js,_k2.js,Mjm.25
g2o7ZNG3.js+media,_system,_js,_caption.js,Mjm.N0DmbmP4fF.js+media,_system,_js,_m
ootools-more.js,Mjm.SMODr-WPPp.js+templates,_gk_music_free,_js,_gk.scripts.js,Mj
m.1c5Za4-I6o.js+templates,_gk_music_free,_js,_gk.menu.js,Mjm.fP4LZhZD6N.js+templ
ates,_gk_music_free,_js,_moo.masonry.js,Mjm.tx9VIy3Aqn.js+media,_system,_js,_val
idate.js,Mjm.70rhqASwDx.js+modules,_mod_pwebcontact,_js,_mootools.pwebcontact.js
,Mjm.hlHEI1yQNI.js+modules,_mod_news_pro_gk4,_interface,_scripts,_engine.js,Mjm.
hNv-F7rKL3.js.pagespeed.jc.Kvg4NkbrMV.js, referer: 
http://www.altiuzreports.com/es/
[Thu Dec 06 12:56:49 2012] [error] [client 192.168.0.1] client denied by server 
configuration: uri 
/templates/gk_music_free/css/W.mobile.css.pagespeed.cf.Lq4CWSwtmD.css, referer: 
http://www.altiuzreports.com/es/
[Thu

Original comment by jmara...@google.com on 6 Dec 2012 at 4:21

GoogleCodeExporter commented 9 years ago 
Gonzalo, could you do some tests for me please?

1. Stop your reverse proxy Apache, edit its httpd.conf, change LogLevel to 
debug, then restart it.
2. Do wget -O /dev/null  
http://www.altiuz.com/media/system/css/W.modal.css.pagespeed.cf.n4Iy-tN7Sj.css
   You should get a 403 error.
3. Email/post the log entries for that request. You should see the same ones as 
above (client denied) but I want to see if there are any messages from 
mod_pagespeed.

Thanks! m.

Original comment by matterb...@google.com on 6 Dec 2012 at 8:46

GoogleCodeExporter commented 9 years ago 
Correction: It should be www.altiuzreports.com of course.

Also, what domain related directives do you have in pagespeed.conf?
Perhaps you are mapping altiuzreports.com to altiuz.com in there?

Original comment by matterb...@google.com on 6 Dec 2012 at 8:58

GoogleCodeExporter commented 9 years ago 
No domain specific directives at all (just default ones) in pagespeed.conf

Will test tomorrow as I'm leaving office right now

Gonzalo V�squez S�ez
Gerente Investigaci�n y Desarrollo (R&D)
Altiuz Soluciones Tecnol�gicas de Negocios Ltda.
Av. Nueva Tajamar 555 Of. 802, Las Condes - CP 7550099
+56 2 335 2461
gvasquez@altiuz.cl
http://www.altiuz.cl
http://www.altiuzreports.com

El 06-12-2012, a las 17:58, modpagespeed@googlecode.com escribi�:

Original comment by gvasq...@altiuz.cl on 6 Dec 2012 at 9:40

GoogleCodeExporter commented 9 years ago 
gvasquez: can you check for and send us the authorization blocks you have in 
*.conf?  We are looking for a pattern we can use to reproduce the issue on our 
own servers.

Original comment by jmara...@google.com on 7 Dec 2012 at 6:10

GoogleCodeExporter commented 9 years ago 
gvasquez: never mind; I see you emailed them already.  Pasting them here.

We have three different sites working on our servers:
altiuz.com
altiuz.cl
altiuzreports.com

On the "outside" box, we are directly running altiuz.com under Apache which has 
mod_pagespeed enabled, this apache also has two virtualhosts enabled for the 
other two domains, which are being served by other separate Debian Apache 
servers, via ReverseProxy setup, which also have mod_pagesped enabled.

Relevant sections of the CentOS apache cfg file:

NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot /var/www/altiuz
    ServerName altiuz.cl
    ServerAlias www.altiuz.cl
    ProxyPass / http://192.168.0.17/
    ProxyPassReverse / http://192.168.0.17 
    ProxyHTMLURLMap http://192.168.0.17 / 

#GZIP compression
SetOutputFilter INFLATE;proxy-html;DEFLATE
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css 
application/x-javascript
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /var/www/areports
    ServerName altiuzreports.com
    ServerAlias www.altiuzreports.com
    ProxyPass / http://192.168.0.18/
    ProxyPassReverse / http://192.168.0.18
    ProxyHTMLURLMap http://192.168.0.18 /
ProxyHTMLEnable On
SetOutputFilter INFLATE;proxy-html;DEFLATE
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css 
application/x-javascript
</VirtualHost>

Original comment by jmara...@google.com on 7 Dec 2012 at 6:12

GoogleCodeExporter commented 9 years ago 
Just updated via apt-get on a debian box to the latest mod_pagespeed and this 
problem showed up, I had to disable css filter and extended_cache_css. We use 
no proxy at all. 

client denied by server configuration: uri 
/application/W.css.php,qrequest=application,_modules,_Hecore,_externals,_styles,
_imagezoom,_core.css,ac=494.pagespeed.cf.ysPO7tuQMt.css

Any news on how to fix this?

Original comment by l...@burning.it on 29 Dec 2012 at 2:17

GoogleCodeExporter commented 9 years ago 
Followup issue with the same update also the service aliases broke:  

When trying to access /mod_pagespeed_console or statistics

Request exceeded the limit of 10 internal redirects due to probable 
configuration error. Use 'LimitInternalRecursion' to increase the limit if 
necessary. Use 'LogLevel debug' to get a backtrace.

mod_pagespeed 1.1.23.2-2258 @20053 (received from stable repository)

Original comment by l...@burning.it on 29 Dec 2012 at 2:45

GoogleCodeExporter commented 9 years ago 
Fixed in r2358. If either of you can build from source and test I'd be 
grateful, otherwise wait until the next release.

Original comment by matterb...@google.com on 4 Jan 2013 at 2:25

GoogleCodeExporter commented 9 years ago 
Just installed the update to the latest stable: 1.2.24.1-2581 This problem 
persists.

The service aliases now report a generic Internal server error, while CSS 
rewriting causes the aforementioned 403 forbidden access.

2 stable releases ago it worked without a problem.

Original comment by l...@burning.it on 16 Mar 2013 at 12:17

GoogleCodeExporter commented 9 years ago 
This bug fix has not made it to Stable yet.  It is in the latest Beta.

Original comment by jmara...@google.com on 16 Mar 2013 at 1:42

GoogleCodeExporter commented 9 years ago 
confirmed this fixed the 403 issue for us.  thanks. do you know when it will 
make it into the stable?

Original comment by joelnew...@gmail.com on 22 Mar 2013 at 3:22

GoogleCodeExporter commented 9 years ago

Original comment by sligocki@google.com on 24 Jun 2013 at 2:14