MaxCDN 403 Error

    #12054
    Noah
    Participant

    Hi,

    I’m using MaxCDN to cache my site for content delivery. I had everything working fine for a year and something happened during the last BPS update.  MaxCDN is getting a Forbidden 403 error when trying to update cache (tested using curl statement). I added the proper “RewriteEngine on” statements to the Hotlinking section per http://support.maxcdn.com/debugging/403-forbidden/ to allow the HTTP_REFERER for my site but MaxCDN is getting a Forbidden Error when testing using a Curl statement.

    I’m hosting with Hostgator and opened a trouble ticket with them. They said the cause of the 403 error appears to be a redirect loop caused by the “…./public_html/.htaccess file”. This is the error that occurs when attempting to curl the style.css file from a remote server

    When I follow the BPS troubleshooting guide and deactivate for both Root and WP-admin File, we no longer see the 403 error. Alternately when we activate BulletProof Mode we see the 403 error again. When we rename the .htaccess file to .htaccess.bak to prevent it from being read, the curl executes properly. Can anyone shed light on what to update in my htaccess file to stop the redirection or what else I need to do so that MaxCDN does not get the 403 error?

    Thank you.

    #12057
    AITpro Admin
    Keymaster

    Nothing has changed regarding .htaccess code in BPS that would affect MaxCDN. BPS will block some cURL requests. You would need to allow cURL HTTP requests in your root .htaccess file. Typically cURL code in general is not blocked, but at the HTTP level it might be blocked. Try activating Root folder BulletProof Mode again. If that does not work then make a copy of all of your Custom Code and delete it and activate Root folder BulletProof Mode again.

    http://forum.ait-pro.com/forums/topic/whitelist-maxcdn/

    #12061
    Noah
    Participant

    Hi, thanks for the quick response. The issue isn’t the curl request, the issue is the redirect loop. I’ve tried the activate buttons, and we get the same error. I added the hotlinking code directly into the root htaccess using the editor, not custom code; would that make a difference?

    #12063
    AITpro Admin
    Keymaster

    Remove the HotLinking code and see if it is the problem.
    Check that your domain name is in the root .htaccess file.  See this Topic for what code to check.  http://forum.ait-pro.com/forums/topic/whitelist-maxcdn/#post-6107

    What is known to cause a redirect loop are these things:
    invalid code in the root .htaccess file
    Error Logging conflict.  The host or another plugin is handling Error Logging and you would need to turn Off BPS Security Logging / Error Logging otherwise this would cause an infinite redirect loop if another plugin or your Host is trying to handle error logging or does not allow anything else to handle error logging like a plugin.

    #12067
    AITpro Admin
    Keymaster

    Based on the MaxCDN link you posted you would need to whitelist the MaxCDN domains in your HotLink Protection code.

    NOTE:  I have no idea why they would add these additional file types since they are not image files:  css, js and pdf so use with caution

    SetEnvIfNoCase Referer "^(http|https)://www\.ait-pro\.com$" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*netdna-cdn.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*cdn.*" whitelist
    
    <FilesMatch "\.(jpg|jpeg|png|gif|webp|css|js|pdf)$">
    Order Allow,Deny
    Allow from env=whitelist
    # Add Your Server IP Address
    Allow from 173.201.92.1
    </FilesMatch>

    #12068
    Noah
    Participant

    Thank you, yep, domain is in root .htaccess file at bottom of TIMTHUMB FORBID statements.  Does this include subdomains as written – RewriteCond %{HTTP_REFERER} ^.*atmdepot.com.*

    Thanks for the tip on the cPanel hotlink protection. I did try to disable it and I’m getting the error:
    Could not open htaccess file “../public_html/.htaccess”
    I have locked the htaccess file and will test again with MaxCDN and update if necessary. Thank you.

    #12070
    AITpro Admin
    Keymaster

    Yes subdomains are included.  .* means match anything.  blah.blah.com,  foo.bar.net, etc

    You cannot disable the HotLink Protection Tool – Enable / Disable is also broken in that broken tool.  The only thing that will prevent the Broken HotLink Protection Tool from causing problems and breaking your website is to lock your root .htaccess file.  Since your root .htaccess file is already locked then that rules out the Broken HotLink Protection Tool problem and the flush_rewrite_rules problem.  Maybe it is just as simple as the post the MaxCDN folks created:  if you want to use HotLink Protection .htaccess code then you need to whitelist the MaxCDN domain names.  Use the HotLink Protection code above and add your domain name and IP address.
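
An added example, not part of any post in this thread and not BPS code: the Referer patterns posted above (the SetEnvIfNoCase whitelist and the RewriteCond pattern for atmdepot.com) evaluated against constructed Referer values, next to hypothetical tightened patterns. The tightened patterns, the sample Referers and the netdna-cdn.com suffix are assumptions, and Python's re module stands in for Apache's regex engine.

```python
import re

# Patterns copied from the thread; nocase=True mirrors SetEnvIfNoCase,
# nocase=False mirrors a RewriteCond written without [NC].
PAGE_RULES = {
    "own-domain":  (r"^(http|https)://www\.ait-pro\.com$", True),
    "netdna-cdn":  (r"^(http|https)://.*netdna-cdn.*", True),
    "cdn":         (r"^(http|https)://.*cdn.*", True),
    "rewritecond": (r"^.*atmdepot.com.*", False),
}

# Hypothetical tightened forms (not from the thread): host anchored, dots
# escaped, optional subdomains, then a path or end of string. The
# netdna-cdn.com suffix is an assumption about the CDN hostname.
TIGHT_RULES = {
    "own-domain":  (r"^https?://www\.ait-pro\.com(/|$)", True),
    "netdna-cdn":  (r"^https?://([a-z0-9-]+\.)*netdna-cdn\.com(/|$)", True),
    "rewritecond": (r"^https?://([a-z0-9-]+\.)*atmdepot\.com(/|$)", False),
}

# Constructed Referer values, not taken from any log.
SAMPLES = [
    "https://www.ait-pro.com/some-page/",
    "https://example.netdna-cdn.com/wp-content/style.css",
    "http://shop.atmdepot.com/cart",
    "https://unrelated.example/notacdn/page",
    "http://unrelated.example/?ref=atmdepot.com",
]


def matching_rules(referer, rules):
    """Names of rules matching the Referer (unanchored search, as Apache does)."""
    hits = []
    for name, (pattern, nocase) in rules.items():
        flags = re.IGNORECASE if nocase else 0
        if re.search(pattern, referer, flags):
            hits.append(name)
    return sorted(hits)


def audit(samples=SAMPLES):
    """Map each sample Referer to (rules hit as posted, rules hit when tightened)."""
    return {r: (matching_rules(r, PAGE_RULES), matching_rules(r, TIGHT_RULES))
            for r in samples}


if __name__ == "__main__":
    for referer, (posted, tight) in audit().items():
        print(f"{referer}\n  as posted: {posted}\n  tightened: {tight}")
```

A rule that matches a sample from an unrelated host is looser than intended, and the own-domain rule as posted matches only a Referer that carries no path.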

    #12102
    Noah
    Participant

    Thanks guys..   I opened a ticket with Hostgator and they replied as follows: It appears that the file permissions for the .htaccess file were incorrect:
    edited for security:

    ----------------------------------------------------------
    root@senku [....../public_html]# ll .htaccess
    -r-----r-- 1 .............. 19926 Dec 16 20:59 .htaccess
    
    I went ahead and changed these to 644 and I was able to disable Hotlink Protection via this user's cPanel.
    ---------------------------------------------------------

    The redirect loop and the 403 error were a combination of things and since BPS does such a great job at security it got caught in the middle of this mess. I greatly appreciate all the feedback, tips and links to help me resolve this mess. It was quite a ride, but it’s working now. I did not need to add all the above (SetEnvIfNoCase Referer) to the htaccess, however I did need to add my CDN domain(s) to the hotlink section pursuant to http://support.maxcdn.com/debugging/403-forbidden/ It’s all working, thanks so much again for the help.

    Since I’m planning to upgrade to BPS Pro after the new year, is there anything I need to do regarding my new htaccess? Since I did not use the custom code section, and added it directly into my htaccess, when I upgrade to pro will that change anything I need to know about?

    Thanks again,

    Noah
    atmdepot.com

    #12104
    AITpro Admin
    Keymaster

    404, 444 and 644 file permissions are all correct for the root .htaccess file.  That would not have anything to do with anything, unless you have a DSO Server and then you can ONLY/MUST use 644 file permissions on a DSO Server.  The HotLink Protection Tool cannot be disabled because Disable and Enable are also broken for the broken HotLink Protection Tool.

    Lock your root .htaccess file again with 404 file permissions on the htaccess File Editor tab page.  We have a HostGator hosting account as well as many other hosting accounts.  404 file permissions for the root .htaccess file work fine on HostGator.

    If you add your custom htaccess code to BPS Custom Code then if you upgrade to BPS Pro then your Custom Code will still be saved and you will not have to add it to your root .htaccess file again.

    See the Forum link below for where and how to add HotLink Protection htaccess code to BPS Custom Code.

    http://forum.ait-pro.com/forums/topic/hotlink-protection-do-not-block-google-bing-or-yahoo/

    #12110
    Noah
    Participant

    So it seems when Hostgator changed my htaccess file permissions the curl statement works, but now I see:

    BPS Alert! Your site does not appear to be protected by BulletProof Security

    Was this caused by Hostgator changing file permissions?
    If I click on the htaccess File Editor tab I see the files there, why would I have to create them again?
    AutoLock is On but I see:

    The htaccess file that is activated in your root folder is:
    BULLETPROOF .49.8 >>>>>>> SECURE .HTACCESS
    
    ERROR: Either a BPS htaccess file was NOT found in your root folder or you have not activated BulletProof Mode for your Root folder yet, Default Mode is activated, Maintenance Mode is activated or the version of the BPS Pro htaccess file that you are using is not the most current version or the BPS QUERY STRING EXPLOITS code does not exist in your root htaccess file. Please view the Read Me Help button above.
    
    wp-config.php is NOT htaccess protected by BPS
    
    √ Deny All protection activated for BPS Master /htaccess folder
    √ Deny All protection activated for /wp-content/bps-backup folder
    
    The htaccess file that is activated in your wp-admin folder is:
    BULLETPROOF .49.8 WP-ADMIN SECURE .HTACCESS

    It was all fine until Hostgator changed permissions. Also, if I log in to my cPanel I do see that Hotlink protection is currently disabled http://screencast.com/t/cWyCiKDryDwm

    Should I start over and remove BPS, then install BPS Pro?

    #12114
    AITpro Admin
    Keymaster

    I do not think unlocking your .htaccess file did anything in the first place.  So lock it, then click the Root folder BulletProof Mode Activate button.

    The Enable and Disable settings do not work / are broken in the HotLink Protection Tool.  Whether it says Enable or Disable does not matter – it is always turned On and cannot be turned Off because the HotLink protection Tool is broken.  The reason you are seeing this alert:  BPS Alert! Your site does not appear to be protected by BulletProof Security is because your root .htaccess file was not locked and the HotLink Protection Tool wiped out the root .htaccess file since Disable is broken in the HotLink Protection Tool like everything else is broken with that tool.

    #12119
    Noah
    Participant

    Right, I did all that and I get the WP Super Cache Error again.

    WP Super Cache is activated, but either you are not using WPSC mod_rewrite to serve cache files or the WPSC .htaccess code was NOT found in your root .htaccess file.
    If you are not using WPSC mod_rewrite then just add this commented out line of code in anywhere in your root htaccess file - # WPSuperCache. If you are using WPSC mod_rewrite and the WPSC htaccess code is not in your root htaccess file then click this Update WPSC link to go to the WPSC Settings page and click the Update Mod_Rewrite Rules button. If your root .htaccess file is locked then you will need to unlock it to allow WPSC to write its htaccess code to your root htaccess file. BPS Lock and Unlock buttons are on the htaccess File Editor page. Refresh your browser to perform a new htaccess file check after updating WPSC mod_rewrite.

    Since I am using WPSC Mod_rewrite, and this happens every time. Is there a way to put something in custom code to avoid this error?

    #12122
    AITpro Admin
    Keymaster

    You need to copy and paste your WP Super Cache code to BPS Custom code.

    See this Forum Topic link below on how to do that.  Disregard any references to BPS Pro and if you do not want to use the Speed Boost Cache bonus code then do not add that code.

    http://forum.ait-pro.com/forums/topic/where-is-the-log/#post-2715
