littlebizzy / slickstack

Lightning-fast WordPress on Nginx
https://slickstack.io
GNU General Public License v3.0

PUT / PATCH / DELETE requests to REST API blocked by Nginx #116

Closed activeyossi closed 3 years ago

activeyossi commented 3 years ago

Better solution added at the bottom, no need to change anything in nginx

When trying to update products via WC API nginx returns 405 Not Allowed.

A developer friend was able to apply a quick hack to solve it by updating nginx.conf (/etc/nginx/nginx.conf): Add dav_methods PUT DELETE; like so:

autoindex off;
index index.php;
dav_methods PUT DELETE;
# root /var/www/html;

And commenting out a rewrite section which was causing a 409 conflict when adding the methods, in /var/www/sites/production:

## fixes potential 403 denied issues with WP-JSON ##
#    location ~ ^/wp-json/ {
#        ## if permalinks not enabled or not loaded properly in the browser ##
#        rewrite ^/wp-json/(.*?)$ /?rest_route=/$1 last;
#    }

from @muxoarz:

dav_methods PUT DELETE; should be in nginx.conf for all urls but this rewrite conflicts with this config

Now, one more note. I can't confirm that exactly, but commenting this out changed the response of GET /wc/v3/products/:id which started returning data without attributes which we solved by adding ?context=view to the request (which is supposed to be by default usually)

jessuppi commented 3 years ago

Hello thanks for reporting @activeyossi

It looks like your team recompiled Nginx using the WebDAV module... and we've discussed previously adding support for custom Nginx modules in SlickStack, but I don't think that will ever happen because it complicates things so much and is really outside of what we envision for this project for 99% of use cases (i.e. creating as many "standards" as possible).

Ref: https://www.robpeck.com/2020/06/making-webdav-actually-work-on-nginx/

That said, from my understanding, I'm not sure if that module is actually necessary. From what I've seen on other threads, certain PUT requests can simply be redirected using PHP-FPM try_files itself:

Ref: https://stackoverflow.com/questions/43636210/how-to-allow-put-delete-on-nginx-for-form-submission
Ref: https://stackoverflow.com/questions/16912270/how-do-i-allow-a-put-file-request-on-nginx-server

...this may be related to what you discovered re: that rewrite rule.

Anyway, this is a bit outside my expertise and it's not something I'd have time to research, however if you (or others) want to figure out if this can be solved without the DAV module then maybe we can add more options to ss-config accordingly in order to support minor adjustments to the Nginx server block configurations, etc.

activeyossi commented 3 years ago

Hey guys, just wanted to add a little info in case someone has API issues when using DELETE/PUT/PATCH methods for WordPress or Woo and getting back a 405 Not Allowed from Nginx.

The Nginx settings are correct and don't need to be modified in any way. WordPress understood these security standards and added a solution to their core API.

To execute any of the above methods:

  1. You will be sending a POST with form data
  2. The first parameter should be ?_method=PUT
  3. Followed by whatever you want to update (depends of course on the endpoint body requirements)

This will work perfectly for inventory updates, and any update really that needed PUT/DELETE.

Credit:
https://gridpane.com/kb/making-nginx-accept-put-delete-and-patch-verbs/
https://github.com/woocommerce/woocommerce/issues/15218
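An added illustration of the procedure in the comment above (not code from the thread or from SlickStack): the first function builds the POST the steps describe, and the second reads nginx access-log lines to recover the method that was actually requested, since the log itself records only POST. The host `shop.example`, the product id, the `stock_quantity` field and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

OVERRIDABLE = {"PUT", "PATCH", "DELETE"}

def build_override_request(site, route, method, fields):
    """Return (verb, url, body): a POST with _method first and a form body."""
    method = method.upper()
    if method not in OVERRIDABLE:
        raise ValueError(f"{method} does not need the override")
    url = f"{site.rstrip('/')}/wp-json/{route.lstrip('/')}?_method={method}"
    return "POST", url, urlencode(fields)

# Request field of an nginx "combined" access log line: "VERB target HTTP/x"
REQUEST_RE = re.compile(r'"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def effective_method(log_line):
    """Return (verb_on_wire, effective_verb, rest_route), or None if not REST."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query)
    if parts.path.startswith("/wp-json/"):
        route = parts.path[len("/wp-json"):]
    elif "rest_route" in query:  # form produced by the rewrite rule in this thread
        route = query["rest_route"][0]
    else:
        return None
    override = query.get("_method", [""])[0].upper()
    # Assumption taken from the thread: the override rides on a POST.
    tunnelled = m["verb"] == "POST" and override in OVERRIDABLE
    return m["verb"], override if tunnelled else m["verb"], route

# Constructed sample log lines (documentation IP range, made-up product id).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-json/wc/v3/products/42?_method=DELETE HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-json/wc/v3/products/42?context=view HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "POST /?rest_route=/wc/v3/products/42&_method=PUT HTTP/1.1" 200 600 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def hidden_writes(lines):
    """REST calls logged as POST that were requested as PUT/PATCH/DELETE."""
    hits = (effective_method(line) for line in lines)
    return [h for h in hits if h and h[0] != h[1]]

if __name__ == "__main__":
    print(build_override_request("https://shop.example", "wc/v3/products/42", "put", {"stock_quantity": 5}))
    for verb, effective, route in hidden_writes(SAMPLE_LOG):
        print(f"{verb} logged, {effective} requested on {route}")
```

Counting verbs in the access log alone undercounts updates and deletes on a site that relies on this override, so a log review of REST traffic should look at the `_method` parameter as well.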

jessuppi commented 2 years ago

A few other relevant pages:

Ref: https://stackoverflow.com/questions/30154875/right-way-to-enable-requests-with-method-delete-in-nginx
Ref: https://core.trac.wordpress.org/ticket/40886
Ref: https://stackoverflow.com/questions/30379940/how-do-i-get-the-wordpress-json-api-to-work-on-nginx-server
Ref: https://wordpress.org/support/topic/server-does-not-support-put-or-delete-api-warning-in-wizard/
Ref: https://gridpane.com/kb/put-requests-woocommerce-api/

jessuppi commented 2 years ago

FYI... a user in our Discord server mentioned the Fluent CRM plugin wasn't working by default on SlickStack, and after researching this topic for a while it seems like they don't allow you to set up new Managers (users) or generate REST API keys in their plugin anymore in the free version, and the REST API throws authentication errors.

At this point, I don't think this problem is related to SlickStack or Nginx settings... as per prior discussion, properly coded plugins should be able to use query parameters whenever needed.

jessuppi commented 1 year ago

https://slickstack.io/forum/topic/why-does-slickstack-block-put-and-delete-requests-in-nginx

jessuppi commented 2 months ago

https://slickstack.io/forum/topic/broken-rest-api