Request exceeded the limit of 10 internal redirects


Viewing 11 posts - 16 through 26 (of 26 total)
    #16092
    Vilmondes
    Participant

    Hello,

    Sorry for resurrecting this topic.

    I’m getting that same message: "Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace." The errors are being triggered by external IP addresses (not localhost).

    I have two plugins that handle 404 and 301 errors. They are:
    “404 Redirected” and “Simple 301 Redirects”, so this might be the reason why I’m getting those errors. What do you suggest I do? I want to keep the plugins. What do I need to disable in BPS? Just turn off Logging?

    Thanks,
    Vilmondes

    #16100
    AITpro Admin
    Keymaster

    Before you can find a solution to any problem you need to understand what the problem is.

    http://httpd.apache.org/docs/current/mod/core.html#errordocument
    http://httpd.apache.org/docs/2.2/mod/core.html#errordocument

    The .htaccess ErrorDocument directive is a redirect directive that redirects Requests based on their HTTP response code to another URL.  You can also display a message instead of redirecting to another URL.

    BPS uses the ErrorDocument directive in the root .htaccess file to redirect 403 HTTP response codes to the BPS 403.php error logging template file.  The 403.php error logging template file then logs the HTTP response code in your Security Log file.

    Before assuming that any of these things below is the cause of the problem you need to check that you do not actually really have a redirect that is invalid that is redirecting back to itself and causing an infinite redirect loop.  If you have redirect code that is redirecting back to the original URL then this will create an infinite redirect loop.  Example:  redirect X to X = infinite redirect loop.  X is going to be either a full URL or a partial URL that is redirecting back to itself.

    If your server does not allow the use of the ErrorDocument directive in an .htaccess file then either it will be ignored or an infinite redirect problem will occur and the error above will be displayed.

    If you are using mod_security and mod_security is handling error logging an infinite redirect problem will occur and the error above will be displayed.

    If something else you have installed on your website (another plugin or theme) is handling error logging an infinite redirect problem will occur and the error above will be displayed.

    Normally when only BPS is handling error logging then a 403 HTTP response code will redirect to the 403.php error logging template, the 403 HTTP response code will be logged in your Security Log file and the process is complete per Request/HTTP response code.  If something else on your website is also trying to redirect HTTP response codes then this creates an infinite redirect loop.

    Solution:  Either turn off error logging in whatever else you have installed on your website that is handling error logging or turn off BPS Security Log logging.

    #20026
    Matt Alhaarth
    Participant

    [Topic merged into this relevant Topic]

    Hello,

    I have been trying to isolate the cause of occasional 502 errors I have been seeing across my sites. Examining the error logs, I see frequent instances of “Request exceeded the limit of 10 internal redirects due to probable configuration error.” I am aware that this is often due to something within the .htaccess file.

    Yesterday, the error logs showed the following example in exactly the same timeframe, across three of my sites:

    [Tue Dec 16 15:48:30 2014] [error] [client 188.114.104.16] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
    [Tue Dec 16 21:19:26 2014] [error] [client 212.227.158.62] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
    

    I have six sites on the server in total and what these three have in common (and where they differ from the other three) is that they use BPS in conjunction with W3TC (as undeveloped sites with little traffic, I have not as yet implemented caching on these).

    I read a suggestion here and on my main site I deactivated all plugins except BPS. I then reactivated W3TC before locking the .htaccess and reactivating other plugins, in case anything else was playing a role. No joy.

    I’m not using any custom code, other than BPS bonus elements and W3TC. This is my current .htaccess:

    #   BULLETPROOF .51.4 >>>>>>> SECURE .HTACCESS     
    
    [BPS standard htaccess code edited/deleted]
    
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Redirects to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    
    # BEGIN W3TC Browser Cache
    [W3TC htaccess cache code edited/deleted]
    # END W3TC Page Cache core
    

    Is there anything here which could be the cause of infinite loops? Any other suggestions?

    Thanks for looking.

    #20031
    AITpro Admin
    Keymaster

    I believe the problem is being caused by the W3TC htaccess code being at the bottom of your root htaccess file.  W3TC htaccess code needs to go in the top root Custom Code text box – See this forum topic for the steps to do that:  http://forum.ait-pro.com/forums/topic/installing-w3-total-cache-with-bulletproof-security-pro/#post-12199

    If adding W3TC htaccess code in the BPS Custom Code text box does not work then see this reply link below:
    http://forum.ait-pro.com/forums/topic/request-exceeded-the-limit-of-10-internal-redirects/#post-1430

    #20038
    Matt Alhaarth
    Participant

    Thank you for your rapid response.
    The issue has been intermittent and so it is difficult to know immediately whether the change has had the desired effect, but if you could please confirm that I have actioned this correctly, I can then implement it on the other two sites and report back on the result when known. Thanks again.

    The forum topic you linked to refers to the pro version and includes steps for AutoRestore Exclude which I don’t have but I believe I have achieved the required change successfully. My .htaccess now looks like this:

    #   BULLETPROOF .51.4 >>>>>>> SECURE .HTACCESS     
    
    # CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    # BEGIN W3TC Browser Cache
    [W3TC htaccess code edited/deleted]
    # END W3TC Browser Cache
    # BEGIN W3TC Page Cache core
    [W3TC htaccess code edited/deleted]
    # END W3TC Page Cache core
    
    [BPS standard htaccess code edited/deleted]
    
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Redirects to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]
    
    #20040
    AITpro Admin
    Keymaster

    Yes, you have the W3TC code in the right place now.  If the problem is intermittent then it is either being caused by W3TC or something installed on your server or your server itself.  If the issue/problem was related to BPS it would be permanent, i.e. either it does not work consistently or does work consistently.  There are no in-between / intermittent things that occur with BPS.

    #20045
    Vilmondes
    Participant

    That’s me again =].

    Can Security log be turned on automatically? I have turned it off a few times, then after a few minutes it’s on again.

    #20046
    AITpro Admin
    Keymaster

    @ Vilmondes – No.  Security Logging does not automatically turn itself on or off.

    #20156
    Matt Alhaarth
    Participant

    Unfortunately, the error was not resolved. I see infinite loop errors perhaps 4 or 5 times daily on the busier site. However, this specific instance was interesting in that it appeared across 3 sites and only 3 sites. I have since seen other errors that are similar but then again one instance the next day across 3 sites and only these 3 sites and in the same timeframe.

    I examined the access logs and discovered this:

    212.227.158.62 - - [16/Dec/2014:21:19:26 -0500] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.0" 500 531 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"

    Is this some kind of attack? Still no idea why this should result in an infinite loop though.

    #20158
    AITpro Admin
    Keymaster

    Yes, that is an attack. This is what the string looks like using this online decoder:  http://meyerweb.com/eric/tools/dencoder/

    -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

    The HTTP Status Response code is 500 meaning that the attack failed with a 500 Internal Server Error. It is possible, but not very likely, that that 500 error is causing some sort of chain reaction with your caching plugin resulting in a redirect problem – very unlikely, but might be possible.

    As long as your PHP server version is at least 5.3 then that attack will fail.  See this link for more info:  http://security.stackexchange.com/questions/46566/protect-against-post-cgi-bin-php-attacks
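
The manual steps taken in the posts above (matching a redirect-limit entry in the error log to the access-log request from the same client at the same second, then URL-decoding its query string) can be scripted. This is an added example, not part of the original thread: the log lines are constructed (documentation IP addresses, a shortened form of the quoted payload), and it assumes error-log lines in the format quoted above, without a port after the client address.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines (documentation IPs, shortened form of the quoted payload).
ERROR_LOG = [
    "[Tue Dec 16 21:19:26 2014] [error] [client 203.0.113.7] Request exceeded the limit of 10 internal redirects due to probable configuration error.",
    "[Tue Dec 16 22:02:10 2014] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico",
]
ACCESS_LOG = [
    '203.0.113.7 - - [16/Dec/2014:21:19:26 -0500] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E HTTP/1.0" 500 531 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2014:21:25:00 -0500] "GET /?author=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Dec/2014:21:19:26 -0500] "GET /blog/?s=php+-d HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

ERR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
                    r"Request exceeded the limit of \d+ internal redirects")
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]+\] '
                    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# A "-d name=value" pair in the decoded query is a PHP ini override.
INI_RE = re.compile(r"(?:^|\s)-d\s+([\w.]+)=")

def redirect_limit_events(error_lines):
    """Return the set of (client_ip, local_time) for redirect-limit errors."""
    events = set()
    for line in error_lines:
        m = ERR_RE.match(line)
        if m:
            events.add((m["ip"], datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")))
    return events

def correlate(error_lines, access_lines):
    """Find the access-log request behind each redirect-limit error."""
    events = redirect_limit_events(error_lines)
    hits = []
    for line in access_lines:
        m = ACC_RE.match(line)
        # Assumption: both logs use the same local clock, so the offset is ignored.
        if not m or (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")) not in events:
            continue
        path, _, query = m["target"].partition("?")
        decoded = unquote_plus(query)  # "+" becomes a space, %XX is decoded
        hits.append({"ip": m["ip"], "path": path, "status": int(m["status"]),
                     "decoded_query": decoded, "ini_overrides": INI_RE.findall(decoded)})
    return hits

if __name__ == "__main__":
    for hit in correlate(ERROR_LOG, ACCESS_LOG):
        print(hit)
```

A non-empty `ini_overrides` list on a correlated request means the redirect-limit error came from a probe like the one decoded above rather than from ordinary traffic.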

    #20164
    Matt Alhaarth
    Participant

    That’s good to know, thank you. I have PHP version 5.4 so I can safely disregard this particular instance and explore other occurrences that may perhaps provide an indication as to the cause of the infinite looping.

    Many thanks for your assistance and enabling me to confirm that my .htaccess is at least in order.
