getgrav / grav-plugin-admin

Grav Admin Plugin
http://getgrav.org
MIT License

AJAX response and 403 permission errors #2254

Closed SystemXIII closed 2 years ago

SystemXIII commented 2 years ago

I’m currently trying to troubleshoot an issue with getting “Invalid AJAX response” and “HTTP/1.1 403 forbidden return” errors in Grav admin. So far this has been seen on an existing website (running Grav v1.7.18 - Admin v1.10.18) and also on a brand new Grav setup for testing (running Grav v1.7.31 - Admin v1.10.31 - different domain, same shared hosting space).

So far I’ve been trying solutions found in related posts, including setting Remote Fetch to fopen and curl and Remote Verify Peer (SSL) to No (as mentioned here: Invalid AJAX response and here: Error while trying to download (code:0): · Issue #1626 · getgrav/grav-plugin-admin · GitHub).

Currently trying to explore any other firewall or connection blocking reasons with my host provider as well but no luck there either so far.

Nothing has changed recently that I’m aware to explain the sudden issue either, not sure if anyone’s experienced similar or aware of anything that could help with a solution. Would be really appreciated! Cheers!

(related post on the Grav Discourse - https://discourse.getgrav.org/t/issue-with-ajax-response-and-403-permission-errors-trying-existing-recommendations-but-running-low-on-options/20217)

rhukster commented 2 years ago

Nothing has changed on Grav's side either. You are the only person to report these issues lately so that makes me think it's something on your end. Could be related to some security settings being changed on your server either by you accidentally or your hosting company?

Most of the issues like this in the past have been related to out of date SSL certificates or bad OpenSSL library files. All things that are server-related.

SystemXIII commented 2 years ago

Thanks for confirming @rhukster! I did suspect it was less likely to be a change in Grav after I replicated in the latest version of the admin.

I'll continue trying to troubleshoot with the assumption it's server related, with something interrupting the connections there.

rhukster commented 2 years ago

Actually I might have found something. I was getting some weird failures with getNotifications and getNewsFeeds that I tracked down to PHP 8.0 and gzip enabled. When I disabled gzip, it was fine, or when I switched to PHP 7.4, also fine. Turns out that PHP 8.0 makes these two calls use gzip where 7.4 doesn't (at least on the new versions I had just updated to: 8.0.17 and 8.1.4).

The fix was to tweak how we close the output buffers: https://github.com/getgrav/grav/commit/82015d4ae7b00c543ecca52b19ffbc7fa1b4d96e

This will be in the next update of Grav.
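The failure mode described in this comment, as an added illustration that is not Grav's code and does not reproduce the linked commit: before emitting the JSON body the admin JavaScript expects, discard every open output buffer, stopping if a buffer (such as a zlib output-compression handler) refuses to be removed. The function names and the sample payload are this example's own assumptions.

```php
<?php
// Added example, not Grav's own code. Demonstrates closing all PHP output
// buffers before sending an AJAX JSON response, so leftover buffered bytes or
// a compression handler cannot corrupt the body and trigger "Invalid AJAX response".

function closeAllOutputBuffers(): void
{
    // ob_get_level() counts nested buffers; walk from innermost to outermost.
    // Some handlers (e.g. the zlib output-compression buffer) cannot be removed
    // with ob_end_clean(); detect that by checking the level did not drop,
    // and stop instead of looping forever.
    while (($level = ob_get_level()) > 0) {
        $closed = @ob_end_clean();
        if (!$closed || ob_get_level() === $level) {
            break;
        }
    }
}

function sendJsonResponse(array $payload, int $status = 200): void
{
    closeAllOutputBuffers();
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    // JSON_THROW_ON_ERROR surfaces encoding problems instead of silently
    // emitting "false", which the client would also report as invalid JSON.
    echo json_encode($payload, JSON_THROW_ON_ERROR);
    exit;
}

// Constructed sample payload in the shape of an admin AJAX reply (assumption).
sendJsonResponse(['status' => 'success', 'message' => 'Notifications fetched']);
```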

SystemXIII commented 2 years ago

Hi @rhukster - Thanks for the update on the above. I haven't been using PHP 8.0 so I don't think this is the same as my original issue, but glad it's at least helped identify this one.

A little progress on my side: I've been doing a curl trace on getgrav.org and on my shared server there does seem to be a Cloudflare security check that's interrupting the connection (development.xtra-med.com/test-script.php). I'm exploring with my hosting company again but just thought I would mention it in case the above issue you identified could have shown something in Cloudflare's security algorithms or something (I don't have Cloudflare set up on my domain specifically so not sure how to look up the ID it's returning).

drzraf commented 2 years ago

In case it helps, any additional parameters reaching Grav (like ones added by a reverse proxy, a WAF, ...) are considered when it computes the nonce token, leading to possible nonce verification situations.

mahagr commented 2 years ago

This is a bug in PHP 8.0.17 and PHP 8.1.4, see https://github.com/php/php-src/issues/8218

rhukster commented 2 years ago

@mahagr didn’t mention burner already have a workaround for this php bug with plans to release on Monday

rhukster commented 2 years ago

Quick fix until next release is to turn off gzip compression.