-
Notifications
You must be signed in to change notification settings - Fork 284
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ModSecurity: Impacting setup / redirects to homepage #1113
Comments
Additionally, ModSecurity has been reported to affect the setup/ connection of services like Analytics and Adsense as seen in these topics: https://wordpress.org/support/topic/i-cant-configure-analytics-and-adsense/ (Site Health avail) |
Another potentially impacted user: |
@jamesozzie the topic referenced above might be related to #1034 per the users update that they changed from http to https. |
Additional information/context posted by other users at the below WordPress support topic: |
The problem in the log above is related to a known rule in ModSecurity's free WAF rules which is designed to block access to the local This isn't specific to Site Kit and would likely happen with any Google OAuth flow that included this scope. According to this post, if the host supports ModSecurity changes via
This is still not a great solution though. I tried removing this scope in favor of using @felixarntz since the OAuth callback hits the auth proxy first, is it possible we could remove the problematic scope from the site's URL before sending them back to the site? We could then rely on the presence of the openID |
@cole10up This was fixed on our end (not in the plugin), but I marked this as part of the release. Could you do some QA on this or follow up with @jamesozzie? Thanks! |
I ran some tests on my end installing application based security plugins such as (WordFence, W3TC, Redirect). Installed and activated Site Kit. No issues discovered. Unfortunately my hosting test server doesn't have Mod Security. In order to properly retest this we'll need to invest more time into this ticket to validate with a full setup of an instance with an Apache server running Mod Security. |
@jamesozzie - Here's a guide to Mod Security and where to configure it if you have a server running with cpanel and wordpress installed. https://sysally.com/blog/how-modsecurity-protects-wordpress-website/ |
@cole10up No issues from my side with either Happy to share logs or provide testing login if needed. |
Thanks @jamesozzie for the help. Transitioning this one to approval. |
Hello, I have the same issue with the Loop "Sign in with Google to configure Site Kit" |
@Imagine775 We'd be happy to assist you with this error. If none of the troubleshoot steps listed on the website work for you please open a WordPress support topic and we can look at your individual case. |
Switching off security rule 210580 worked for me |
You can also use this CRS plugin to modsecurity to do the same : https://github.com/coreruleset/google-oauth2-plugin |
Bug Description
Some users are experiencing issues with Site Kit setup, even with the proxy based setup solution.
While temporarily deactivating ModSecurity can allow setup to proceed in some cases asking users to temporarily deactivate is not ideal and in many cases not possible (for shared hosting solutions).
Below is an example of an error log provided by one hosting provider, shared by one user on the WordPress support forum.
Other related support topics:
Another redirection occurrence reported by one user, this time with redirection to CentOS error page. Awaiting log files.
Screenshots
Additional Context
Do not alter or remove anything below. The following sections will be managed by moderators only.
Acceptance criteria
Implementation Brief
QA Brief
Changelog entry
The text was updated successfully, but these errors were encountered: