goldyhmr237 / web-optimizator

Automatically exported from code.google.com/p/web-optimizator

Admin Backend "Webo optimization" changes cause "client denied by server" #331

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Webo works fine on the front end (once setup), however when [admin only]
optimization changes are made the following ERRORS occur rapidly:

** Log Begins **
=================================================================
client denied by server configuration: /var/www/virtual/peterbowey.com.au/wp-content/plugins/web-optimizer/cache/progress.html

referer: http://www.peterbowey.com.au/wp-admin/admin.php?page=web_optimizer_manager
=================================================================
** Log Ends **

The above error typically repeats (as seen in the Apache Site Log) about 20
times after making ONE change to Webo optimization settings.

Fixing the problem: I find I need to do either:

1) Clear the webo /wp-content/plugins/web-optimizer/cache + force "service
httpd restart"

  or

2) Manually enter the required changes into either: "config.webo.php" or
"config.user.php" depending on what I need to achieve.

My limited 'debugging' indicates the Javascript reference and creation of
"progress.html" within "yass.loadbar.js" is the culprit here. If I edit
yass.loadbar.js to NOT use the referenced "progress.html", then no error
occurs.

There is something a little weird about how the intended javascript call +
creation of "progress.html" falls outside of the normal Apache VirtualHost
DocumentRoot area!

Regards,

Peter Bowey

Original issue reported on code.google.com by peterbowey on 11 Apr 2010 at 2:40

GoogleCodeExporter commented 9 years ago
Webo SVN Full Version used = r1611 - Sunday 11th April 2010

Original comment by peterbowey on 11 Apr 2010 at 2:56

GoogleCodeExporter commented 9 years ago
Please provide more info: why is progress.html restricted in the configuration?
It's used to show progress on cache refresh / application activation.

Also please provide step-by-step description, i.e.:
1) enable an option in custom (active) configuration
2) press 'save'
[see errors in Apache log] or
3) go to control panel
4) press activate / cache refresh
[see errors in log]

Original comment by sunny.dr...@gmail.com on 11 Apr 2010 at 3:50

GoogleCodeExporter commented 9 years ago
Thanks Sunny,

I do understand what "progress.html" is used for, but all I can advise you is
that it appears that the Javascript creator of this process comes from
"yass.loadbar.js".

Somehow, the callback reference to progress.html falls outside of the Apache
VirtualHost DocumentRoot area!

By simply over-writing the given javascript yass.loadbar.js reference to using
the file handle => "wss_c+'progress.html?'+Math.random()" I can STOP this Apache
ERROR.

Code View State: (within yass.loadbar.js)

================================================================================

{if(_.s){_.x(wss_c+'progress.html?'+Math.random(),'GET',null,function(){if(this.readyState==4&&this.status==200){_.l(this.responseText)}else{if(_.b.ie&&_.o>82){_.s=0;_.stop=0;_.a({href:'#wss_dashboard'})}if(_.s&&this.status==404&&_.stop>3){_.s=0}if(_.s&&this.status==404)
 ........

================================================================================

Regards,

Peter Bowey

Original comment by peterbowey on 11 Apr 2010 at 4:08

GoogleCodeExporter commented 9 years ago
Quote:

----------------------------------------------------
Also please provide step-by-step description, i.e.:
1) enable an option in custom (active) configuration
2) press 'save'
[see errors in Apache log] or
3) go to control panel
4) press activate / cache refresh
[see errors in log]
----------------------------------------------------

Sunny, I have been through all that! I spend my entire waking life with code
and bugs!!

I know we will eventually solve this, and I am patient about it.

Peter

Original comment by peterbowey on 11 Apr 2010 at 4:11

GoogleCodeExporter commented 9 years ago
This may be caused by an incorrect cache folder (the wss_c JS variable). It's
calculated from the document_root and javascript_cachedir variables (from the
PHP config, config.webo.php). Can you please give the values of these
variables?

Original comment by sunny.dr...@gmail.com on 11 Apr 2010 at 4:36

GoogleCodeExporter commented 9 years ago
Thanks Sunny,

I agree, as I have already been there, and checked and attempted some debugging!

I found if I overwrote the javascript to be: (inside yass.loadbar.js)

wss_c='http://www.peterbowey.com.au/wp-content/plugins/web-optimizer/cache/progress.html'

Instead of the original:

wss_c=_('#wss_javascript_cachedir')[0].value.replace(_('#wss_website_root')[0].value,'/')

That way the Apache logged error did NOT occur. Of course this brought in other
user interface errors (display, and NOT Apache), so I then tried moving the
change directly to the line: {if(_.s){_.x(wss_c+'progress.html?'+Math.random(),

============================================================

You asked for the current javascript_cachedir variables (via config.webo.php),
so here they are:

================================================================================
## Path info. Cache directory for JS files
$compress_options['javascript_cachedir'] = "/var/www/virtual/peterbowey.com.au/wp-content/plugins/web-optimizer/cache/";
## Cache directory for CSS files
$compress_options['css_cachedir'] = "/var/www/virtual/peterbowey.com.au/wp-content/plugins/web-optimizer/cache/";
## Cache directory for HTML files
$compress_options['html_cachedir'] = "/var/www/virtual/peterbowey.com.au/wp-content/plugins/web-optimizer/cache/";
## Website installation directory
$compress_options['website_root'] = "/var/www/virtual/peterbowey.com.au/";
## Document Root directory of the website
$compress_options['document_root'] = "/var/www/virtual/peterbowey.com.au/";
================================================================================

Peter

Original comment by peterbowey on 11 Apr 2010 at 5:02

GoogleCodeExporter commented 9 years ago
Being a bit more expansive on config.webo.php listing:

<?php
#########################################
## WEBO Site SpeedUp configuration ######
#########################################
## Access control
$compress_options['username'] = "";
$compress_options['password'] = "7d4a3ba95fa6880e4848269dfa846720";
$compress_options['htpasswd'] = "";
$compress_options['optimization'] = "1";
$compress_options['showbeta'] = "1";
$compress_options['email'] = "support@pbcomp.com.au";
$compress_options['name'] = "Peter Bowey";
## Active configuration
$compress_options['config'] = "user";
## Path info. Cache directory for JS files
$compress_options['javascript_cachedir'] = "/var/www/virtual/peterbowey.com.au/wp-content/plugins/web-optimizer/cache/";
## Cache directory for CSS files
$compress_options['css_cachedir'] = "/var/www/virtual/peterbowey.com.au/wp-content/plugins/web-optimizer/cache/";
## Cache directory for HTML files
$compress_options['html_cachedir'] = "/var/www/virtual/peterbowey.com.au/wp-content/plugins/web-optimizer/cache/";
## Website installation directory
$compress_options['website_root'] = "/var/www/virtual/peterbowey.com.au/";
## Document Root directory of the website
$compress_options['document_root'] = "/var/www/virtual/peterbowey.com.au/";
## Host name, to include before static resources
$compress_options['host'] = "www.peterbowey.com.au";

Original comment by peterbowey on 11 Apr 2010 at 5:07

GoogleCodeExporter commented 9 years ago
The mentioned
wss_c=_...
in JS only duplicates the server-side logic on saving Options on the System
Status page. It seems it isn't related to this issue.

The JS variable wss_c is set on the dashboard page (on the first load). So
please provide the current value of this JS variable in your case.

Original comment by sunny.dr...@gmail.com on 11 Apr 2010 at 6:48

GoogleCodeExporter commented 9 years ago
Thanks Sunny,

The following Apache ACCESS log will help us track this problem
(note: this was logged while using / refreshing the Webo UI):

================================================================================
165.228.91.94 - "GET /wp-content/plugins/web-optimizer/libs/css/wss.png?1.1.0 HTTP/1.0" 304 - "http://www.peterbowey.com.au/wp-content/plugins/web-optimizer/libs/css/wss.css?1.1.0b" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

165.228.91.94 - "GET /wp-content/plugins/web-optimizer/?wss_page=dashboard_awards&wss__password=7d4a3ba95fa6880e4848269dfa846720 HTTP/1.0" 403 235 "http://www.peterbowey.com.au/wp-admin/admin.php?page=web_optimizer_manager" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

165.228.91.94 - - [12/Apr/2010:09:44:30 +0930] "GET /wp-admin/admin.php?page=web_optimizer_manager HTTP/1.0" 200 7744 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

165.228.91.94 - "GET /wp-content/plugins/web-optimizer/cache/progress.html?0.9067180443556447 HTTP/1.0" 200 21 "http://www.peterbowey.com.au/wp-admin/admin.php?page=web_optimizer_manager" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

165.228.91.94 - "GET /wp-content/plugins/web-optimizer/?wss_page=dashboard_awards&wss__password=7d4a3ba95fa6880e4848269dfa846720 HTTP/1.0" 403 235 "http://www.peterbowey.com.au/wp-admin/admin.php?page=web_optimizer_manager" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

165.228.91.94 - "GET /wp-content/plugins/web-optimizer/cache/progress.html?0.6446990762584982 HTTP/1.0" 403 254 "http://www.peterbowey.com.au/wp-admin/admin.php?page=web_optimizer_manager" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

203.45.193.236 - "GET / HTTP/1.0" 200 1858 "www.peterbowey.com.au" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
================================================================================

Note the occurrences of "403" on "GET", and now we can see the allocated values
parsed from the Webo UI.

Notes: I was wondering if the regular (rapid) HTTP "GETs" were triggering
"mod_evasive" or "mod_security"? Time will tell!

Peter

Original comment by peterbowey on 12 Apr 2010 at 12:41

GoogleCodeExporter commented 9 years ago
Speaking of possible issues with [mod_evasive] and [mod_security], here is the
related section in my [httpd.conf]:

===============================[httpd.conf]==================================
#Mod_evasive20.c settings
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSWhitelist 127.0.0.1
DOSEmailNotify support@pbcomp.com.au

#Mod_security.c settings
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly

SecFilterEngine On

# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1

#SecServerResponseToken Off

#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
#SecServerSignature "Evo-Sec_CustomHTTPD_v1.2"

#SecUploadDir /tmp
#SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 1
SecFilterDebugLog /var/log/modsec_debug_log

SecFilterSelective THE_REQUEST "wget "

SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "
SecFilter "bcc:"
SecFilter "bcc\x3a"
SecFilter "cc:"
SecFilter "cc\x3a"
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"
SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "
SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
##SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
##SecFilter "phpbb_root_path="

##Include /etc/modsecurity/rootkits.conf
##Include /etc/modsecurity/exclude.conf
##Include /etc/modsecurity/jitp.conf
##Include /etc/modsecurity/apache2-rules.conf

# end
==============================================================================

Peter

Original comment by peterbowey on 12 Apr 2010 at 12:54

GoogleCodeExporter commented 9 years ago
Hi Sunny,

I think I have tracked this problem down, and it is because of my given Apache
mod_evasive security! Basically, the Webo UI makes [so many HTTP "GET" calls] in
a very short time window that it triggers mod_evasive, which then bans my own
IPs *smile*

I am wondering about the best way of not losing my DDoS protection?? Hmmm, thinking.

Peter

Original comment by peterbowey on 12 Apr 2010 at 3:20

GoogleCodeExporter commented 9 years ago
Thanks Sunny,

*** RESOLVED ***

I added my own IPs as a whitelist to Apache's mod_evasive and all is well!
Webo is very happy about this!

Eg:

#Mod_evasive20.c settings
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSWhitelist 127.0.0.1
DOSWhitelist 165.228.91.94
DOSWhitelist 203.45.193.236

Regards,

Peter

Original comment by peterbowey on 12 Apr 2010 at 6:34
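The resolution above is a self-inflicted denial of service: the dashboard polls progress.html several times a second, and the httpd.conf posted earlier sets DOSPageCount 2 with DOSPageInterval 1, so the third poll inside one second trips mod_evasive and the client is blocked for DOSBlockingPeriod seconds. The access log alone cannot say which module produced the 403s (the posted mod_security rules also answer with status:403), which is why replaying the requests against the rate-limit thresholds is useful. The script below is an added example written for this thread, not code from web-optimizer or from mod_evasive: it parses Apache combined-format lines, counts 403s per client and path, and replays the requests through a deliberately simplified model of mod_evasive's page/site counters and block list. The sample log, its timestamps and the "Mozilla/5.0" user agent are constructed (most lines in the thread's log were posted without timestamps); the thresholds copy the posted httpd.conf.

```python
"""Replay an Apache access log through a simplified mod_evasive model.

Added example for this thread; it is NOT mod_evasive's code and not part of
web-optimizer. Thresholds mirror the httpd.conf posted in the thread
(DOSPageCount 2, DOSPageInterval 1, DOSSiteCount 50, DOSSiteInterval 1,
DOSBlockingPeriod 10).
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in Apache combined format (synthetic timestamps and
# user agent). The request pattern copies the dashboard polling progress.html
# with a cache-busting random query string.
SAMPLE_LOG = """\
165.228.91.94 - - [12/Apr/2010:09:44:30 +0930] "GET /wp-admin/admin.php?page=web_optimizer_manager HTTP/1.0" 200 7744 "-" "Mozilla/5.0"
165.228.91.94 - - [12/Apr/2010:09:44:30 +0930] "GET /wp-content/plugins/web-optimizer/cache/progress.html?0.11 HTTP/1.0" 200 21 "-" "Mozilla/5.0"
165.228.91.94 - - [12/Apr/2010:09:44:30 +0930] "GET /wp-content/plugins/web-optimizer/cache/progress.html?0.22 HTTP/1.0" 200 21 "-" "Mozilla/5.0"
165.228.91.94 - - [12/Apr/2010:09:44:30 +0930] "GET /wp-content/plugins/web-optimizer/cache/progress.html?0.33 HTTP/1.0" 403 254 "-" "Mozilla/5.0"
165.228.91.94 - - [12/Apr/2010:09:44:31 +0930] "GET /wp-content/plugins/web-optimizer/cache/progress.html?0.44 HTTP/1.0" 403 254 "-" "Mozilla/5.0"
203.45.193.236 - - [12/Apr/2010:09:44:35 +0930] "GET / HTTP/1.0" 200 1858 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

PROGRESS_URI = "/wp-content/plugins/web-optimizer/cache/progress.html"


def parse_line(line):
    """Return (ip, epoch_seconds, path_without_query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # The model keys on the path only, so the random "?0.11" suffix does not
    # make each poll look like a different page.
    path = m.group("target").split("?", 1)[0]
    return m.group("ip"), int(ts.timestamp()), path, int(m.group("status"))


def forbidden_by_client(log_text):
    """Detection: count 403s per (client IP, path) to spot a rate-limited client."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 403:
            hits[(rec[0], rec[2])] += 1
    return hits


class EvasiveModel:
    """Per-IP page and site counters plus a block list, in the spirit of
    mod_evasive's DOSPageCount/DOSSiteCount logic (simplified, not its code)."""

    def __init__(self, page_count=2, page_interval=1, site_count=50,
                 site_interval=1, blocking_period=10, whitelist=()):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)       # DOSWhitelist: never counted
        self.page_hits = {}                   # (ip, path) -> [count, last_seen]
        self.site_hits = {}                   # ip -> [count, last_seen]
        self.blocked_until = {}               # ip -> epoch second block expires

    @staticmethod
    def _over(table, key, now, interval, limit):
        """Count a hit; True if the key was already at the limit inside the window."""
        entry = table.get(key)
        if entry is None or now - entry[1] >= interval:
            table[key] = [1, now]             # first hit or window expired: restart
            return False
        entry[1] = now
        if entry[0] >= limit:
            return True
        entry[0] += 1
        return False

    def allow(self, ip, path, now):
        if ip in self.whitelist:
            return True
        if ip in self.blocked_until and now < self.blocked_until[ip]:
            self.blocked_until[ip] = now + self.blocking_period  # timer refreshes
            return False
        if (self._over(self.page_hits, (ip, path), now, self.page_interval, self.page_count)
                or self._over(self.site_hits, ip, now, self.site_interval, self.site_count)):
            self.blocked_until[ip] = now + self.blocking_period
            return False
        return True


def replay(log_text, model):
    """Feed each request to the model; one allowed/denied flag per parsed line."""
    return [model.allow(rec[0], rec[2], rec[1])
            for rec in map(parse_line, log_text.splitlines()) if rec]


if __name__ == "__main__":
    print("403 bursts:", dict(forbidden_by_client(SAMPLE_LOG)))
    print("thread config:", replay(SAMPLE_LOG, EvasiveModel()))
    print("whitelisted:  ", replay(SAMPLE_LOG, EvasiveModel(whitelist={"165.228.91.94"})))
    print("DOSPageCount 10:", replay(SAMPLE_LOG, EvasiveModel(page_count=10)))
```

With the thread's thresholds the replay denies exactly the two requests the sample log records as 403, and the same replay with the admin IP whitelisted (the fix adopted above) or with a higher DOSPageCount passes every request. Whitelisting only works for administrators on fixed addresses; for everyone else the remaining options are a page threshold that tolerates the UI's polling rate, or an exception scoped to the admin paths rather than to the whole site.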

GoogleCodeExporter commented 9 years ago

Original comment by sunny.dr...@gmail.com on 12 Apr 2010 at 8:32