Incapsula CDN 401 error: Authorization Required


    #18374
    Chazz
    Participant

    When disabling caching or enabling Static Caching in my Incapsula CDN settings, the site works fine. However, when enabling Static+Dynamic Caching or Aggressive Caching, I am receiving a “401 Authorization required” error on both the front-facing site and the WordPress admin panel. Could BPS be giving me a problem when attempting to cache dynamic files/pages?

    #18375
    AITpro Admin
    Keymaster

    Are you using Basic Auth or Digest Authentication htaccess code in your wp-admin htaccess file?  Or maybe Aggressive Caching is trying to cache your Login page and/or wp-admin area.  You should NEVER cache either your Login page or your wp-admin folder / WordPress Dashboard.

    #18377
    Chazz
    Participant

    I had already excluded /wp-admin, now I will exclude /wp-login.php as well. I am not sure about the auth type. Below is the wp-admin htaccess code:

    #   BULLETPROOF .50.9 WP-ADMIN SECURE .HTACCESS  
    ...
    ...
    ...
    # BEGIN OPTIONAL WP-ADMIN ADDITIONAL SECURITY MEASURES:
    
    # WP-ADMIN DIRECTORY PASSWORD PROTECTION - .htpasswd
    # The BPS root .htaccess file already has a security rule that blocks access to all 
    # /wp-admin/includes files in the wp-admin folder.
    # The wp-admin directory already requires authentication to gain access to your
    # wp dashboard. Adding a second layer of authentication is not really necessary.
    # Users / visitors to your site will not be able to register or login
    # to your site without also having the additional login information.
    # htpasswd encrypts passwords using either a version of MD5 modified for Apache, 
    # or the system's crypt() routine. Files managed by htpasswd may contain both types
    # of passwords; some user records may have MD5-encrypted passwords while others in
    # the same file may have passwords encrypted with crypt().
    # User accounts and passwords can be added in your host Control Panel or directly
    # in the .htpasswd file.
    # The .htpasswd file should be in a Server protected directory and not in a public
    # directory.
    # You can specify a single specific user or use valid-user to allow all valid
    # user accounts to be able to login to your site.
    
    # EXAMPLE:
    #AuthType basic
    #AuthGroupFile /dev/null
    #AuthUserFile /path/to/protected/server/directory/.htpasswd
    #AuthName "Password Protected Area"
    #require user Zippy
    #require valid-user
    
    # ADD YOUR CURRENT IP ADDRESS TO THIS FILE
    # This will then require that you FTP to your site and manually change the IP
    # address in this .htaccess file. And users will not be able to register or login
    # to your site without having their IP addresses added to this file. It is possible
    # to automate this, but unfortunately in order to not lock you out of your own site
    # the IP address would have to be removed on exiting your site. This means that if
    # you are not currently logged in then no additional security is in effect. 
    # If you are not going to access or login to your site for a long time and you 
    # are not allowing additional users to access your site then
    # manually adding an IP address may be an option you want to use temporarily.
    
    # EXAMPLE:
    #AuthUserFile /dev/null
    #AuthGroupFile /dev/null
    #AuthName "Password Protected Area"
    #AuthType Basic
    #Order Deny,Allow
    #Deny from all
    # whitelist home IP address
    #Allow from 64.233.169.99
    # whitelist work IP address
    #Allow from 69.147.114.210
    #Allow from 199.239.136.200
    # IP while in Kentucky; delete when back
    #Allow from 128.163.2.27
    
    # END OPTIONAL WP-ADMIN ADDITIONAL SECURITY MEASURES
    ...
    ...
    ...

    #18379
    AITpro Admin
    Keymaster

    The OPTIONAL WP-ADMIN ADDITIONAL SECURITY MEASURES are additional optional examples of things that can be done in the wp-admin htaccess file. These additional optional examples are commented out with a # sign since they are examples and not used by default. Basic Auth is also called Directory Password Protection. So it looks like you are not using any of these additional optional security measures and, to answer your question, no, BPS probably does not have anything to do with the 401 Authorization required message. Check the Incapsula help link below or with the Incapsula folks to find out why that 401 Authorization required message is being displayed.

    http://www.incapsula.com/blog/popping-the-hood-on-website-acceleration.html

    #26457
    AITpro Admin
    Keymaster

    Additional Information:  Using the Incapsula Static + Dynamic Caching or Aggressive Caching content caching options without creating an Advanced Caching rule to NOT cache the WordPress /wp-admin backend area URL will break the BPS Pro Plugin Firewall and most likely lots of other things in all of your other plugins.  The WordPress wp-admin backend Dashboard area should NEVER be cached for any reason.
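
Added example, not part of the original thread and not BPS or Incapsula code: a small audit that takes captured response headers and reports when a /wp-admin or /wp-login.php response looks cacheable or was served from a cache. The sample responses and the function names are constructed for illustration; the checks use only standard HTTP headers (Cache-Control, Age).

```python
# Paths the thread says must never be cached.
NEVER_CACHE_PREFIXES = ("/wp-admin", "/wp-login.php")


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def caching_findings(path, headers):
    """Return the reasons a protected-path response looks cacheable or cached."""
    if not path.startswith(NEVER_CACHE_PREFIXES):
        return []  # public content: caching is expected
    h = {k.lower(): v.strip() for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if not cc:
        # Heuristic: with no directive, the CDN caching mode decides alone.
        findings.append("no Cache-Control header")
    elif not {"no-store", "no-cache", "private"} & cc.keys():
        findings.append("Cache-Control allows shared caching")
    for name in ("max-age", "s-maxage"):
        value = cc.get(name) or ""
        if value.isdigit() and int(value) > 0:
            findings.append(f"{name}={value} gives a freshness lifetime")
    age = h.get("age", "")
    if age.isdigit() and int(age) > 0:
        findings.append(f"Age: {age} indicates a cached copy was served")
    return findings


SAMPLES = [  # constructed (path, response headers) pairs
    ("/wp-login.php", {"Cache-Control": "no-cache, must-revalidate, max-age=0"}),
    ("/wp-admin/index.php", {"Cache-Control": "public, max-age=3600", "Age": "120"}),
    ("/wp-admin/admin-ajax.php", {}),
    ("/blog/hello-world/", {"Cache-Control": "public, max-age=600", "Age": "30"}),
]


def audit(samples):
    return {path: caching_findings(path, headers) for path, headers in samples}


if __name__ == "__main__":
    for path, reasons in audit(SAMPLES).items():
        print(path, "->", reasons or "ok")
```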

    #26856
    AITpro Admin
    Keymaster

    Updated: 6-28-2017

    BPS Pro Plugin Firewall usage:  To whitelist the full range of Incapsula IP addresses:
    1. Go to the Plugin Firewall > click the Plugin Firewall Additional Whitelist Tools accordion tab > copy and paste all of the Incapsula IP address ranges code below in the Whitelist by Hostname (domain name) and IP Address text box and click the Save Hostname and IP Address Rules button.
    2. Click the Save Whitelist Options button and activate the Plugin Firewall.

    45.60.[0-9]{1,3}.[0-9]{1,3}, 45.64.[0-9]{1,3}.[0-9]{1,3}, 45.223.[0-9]{1,3}.[0-9]{1,3}, 103.28.[0-9]{1,3}.[0-9]{1,3}, 107.154.[0-9]{1,3}.[0-9]{1,3}, 149.126.[0-9]{1,3}.[0-9]{1,3}, 185.11.[0-9]{1,3}.[0-9]{1,3}, 192.230.[0-9]{1,3}.[0-9]{1,3}, 198.143.[0-9]{1,3}.[0-9]{1,3}, 199.83.[0-9]{1,3}.[0-9]{1,3}, 2620:28:400[:\\d\\w]+, 2a02:e98[:\\d\\w]+

    Incapsula help page with current IP address ranges:
    2 new IP address ranges were added on 5-2017 and have been added to the IP address ranges above.
    https://incapsula.zendesk.com/hc/en-us/articles/200627570-Restricting-direct-access-to-your-website-Incapsula-s-IP-addresses-
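
Added example, not part of the original post and not BPS Pro code: converting the IPv4 whitelist entries above into CIDR networks, so the same ranges can be checked in code or reused in a layer that expects CIDR notation. It assumes each IPv4 entry is meant to cover the whole /16 under its first two octets; the two IPv6 entries are reported as skipped because a prefix length cannot be derived from the pattern text. The function names are hypothetical.

```python
import ipaddress

# Whitelist entries copied from the post above, in the plugin's pattern form.
PLUGIN_PATTERNS = [
    "45.60.[0-9]{1,3}.[0-9]{1,3}", "45.64.[0-9]{1,3}.[0-9]{1,3}",
    "45.223.[0-9]{1,3}.[0-9]{1,3}", "103.28.[0-9]{1,3}.[0-9]{1,3}",
    "107.154.[0-9]{1,3}.[0-9]{1,3}", "149.126.[0-9]{1,3}.[0-9]{1,3}",
    "185.11.[0-9]{1,3}.[0-9]{1,3}", "192.230.[0-9]{1,3}.[0-9]{1,3}",
    "198.143.[0-9]{1,3}.[0-9]{1,3}", "199.83.[0-9]{1,3}.[0-9]{1,3}",
    r"2620:28:400[:\\d\\w]+", r"2a02:e98[:\\d\\w]+",
]
OCTET = "[0-9]{1,3}"  # the "any octet" token used in the IPv4 entries


def pattern_to_cidr(pattern):
    """Turn 'A.B.<any>.<any>' into A.B.0.0/16; return None for any other form."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        return None
    fixed = [p for p in parts if p.isdigit()]
    wild = parts[len(fixed):]
    if not fixed or parts[:len(fixed)] != fixed or any(p != OCTET for p in wild):
        return None
    if any(int(p) > 255 for p in fixed):
        return None
    base = ".".join(fixed + ["0"] * len(wild))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def build_networks(patterns):
    """Return (networks, skipped_patterns)."""
    converted = [(p, pattern_to_cidr(p)) for p in patterns]
    return ([n for _, n in converted if n], [p for p, n in converted if n is None])


def via_cdn(remote_addr, networks):
    """True if remote_addr parses as an IP address inside one of the networks."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip.version == n.version and ip in n for n in networks)


if __name__ == "__main__":
    nets, skipped = build_networks(PLUGIN_PATTERNS)
    print([str(n) for n in nets], "skipped:", skipped)
```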
