I read into this that it should work with one and fail with the other. This isn’t the behaviour I’m seeing. My testing reveals it works for both.
root@wp-xxx:/usr/local/www # curl -v https://xxx.udance.com.au/wp-login.php
* Trying 10.1.1.4:443...
* Connected to xxx.udance.com.au (10.1.1.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.udance.com.au
* start date: Jul 31 18:08:01 2021 GMT
* expire date: Oct 29 18:07:59 2021 GMT
* subjectAltName: host "xxx.udance.com.au" matched cert's "*.udance.com.au"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x801480800)
> GET /wp-login.php HTTP/2
> Host: xxx.udance.com.au
> user-agent: curl/7.77.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< cache-control: no-cache, must-revalidate, max-age=0
< content-type: text/html; charset=UTF-8
< date: Mon, 30 Aug 2021 07:27:30 GMT
< expires: Wed, 11 Jan 1984 05:00:00 GMT
< server: Caddy
< server: Caddy
< set-cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/; secure
< vary: Accept-Encoding
< x-frame-options: SAMEORIGIN
< x-powered-by: PHP/7.4.21
<
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Log In ‹ Test — WordPress</title>
<meta name='robots' content='max-image-preview:large, noindex, noarchive' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel='stylesheet' id='dashicons-css' href='https://xxx.udance.com.au/wp-includes/css/dashicons.min.css?ver=5.8' media='all' />
<link rel='stylesheet' id='buttons-css' href='https://xxx.udance.com.au/wp-includes/css/buttons.min.css?ver=5.8' media='all' />
<link rel='stylesheet' id='forms-css' href='https://xxx.udance.com.au/wp-admin/css/forms.min.css?ver=5.8' media='all' />
<link rel='stylesheet' id='l10n-css' href='https://xxx.udance.com.au/wp-admin/css/l10n.min.css?ver=5.8' media='all' />
<link rel='stylesheet' id='login-css' href='https://xxx.udance.com.au/wp-admin/css/login.min.css?ver=5.8' media='all' />
<meta name='referrer' content='strict-origin-when-cross-origin' />
<meta name="viewport" content="width=device-width" />
</head>
<body class="login no-js login-action-login wp-core-ui locale-en-us">
<script type="text/javascript">
document.body.className = document.body.className.replace('no-js','js');
</script>
<div id="login">
<h1><a href="https://wordpress.org/">Powered by WordPress</a></h1>
<form name="loginform" id="loginform" action="https://xxx.udance.com.au/wp-login.php" method="post">
<p>
<label for="user_login">Username or Email Address</label>
<input type="text" name="log" id="user_login" class="input" value="" size="20" autocapitalize="off" />
</p>
<div class="user-pass-wrap">
<label for="user_pass">Password</label>
<div class="wp-pwd">
<input type="password" name="pwd" id="user_pass" class="input password-input" value="" size="20" />
<button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="Show password">
<span class="dashicons dashicons-visibility" aria-hidden="true"></span>
</button>
</div>
</div>
<p class="forgetmenot"><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> <label for="rememberme">Remember Me</label></p>
<p class="submit">
<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
<input type="hidden" name="redirect_to" value="https://xxx.udance.com.au/wp-admin/" />
<input type="hidden" name="testcookie" value="1" />
</p>
</form>
<p id="nav">
<a href="https://xxx.udance.com.au/wp-login.php?action=lostpassword">Lost your password?</a>
</p>
<script type="text/javascript">
function wp_attempt_focus() {setTimeout( function() {try {d = document.getElementById( "user_login" );d.focus(); d.select();} catch( er ) {}}, 200);}
wp_attempt_focus();
if ( typeof wpOnload === 'function' ) { wpOnload() } </script>
<p id="backtoblog">
<a href="https://xxx.udance.com.au/">← Go to Test</a> </p>
</div>
<script src='https://xxx.udance.com.au/wp-includes/js/jquery/jquery.min.js?ver=3.6.0' id='jquery-core-js'></script>
<script src='https://xxx.udance.com.au/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<script id='zxcvbn-async-js-extra'>
var _zxcvbnSettings = {"src":"https:\/\/xxx.udance.com.au\/wp-includes\/js\/zxcvbn.min.js"};
</script>
<script src='https://xxx.udance.com.au/wp-includes/js/zxcvbn-async.min.js?ver=1.0' id='zxcvbn-async-js'></script>
<script src='https://xxx.udance.com.au/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.7' id='regenerator-runtime-js'></script>
<script src='https://xxx.udance.com.au/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0' id='wp-polyfill-js'></script>
<script src='https://xxx.udance.com.au/wp-includes/js/dist/hooks.min.js?ver=a7edae857aab69d69fa10d5aef23a5de' id='wp-hooks-js'></script>
<script src='https://xxx.udance.com.au/wp-includes/js/dist/i18n.min.js?ver=5f1269854226b4dd90450db411a12b79' id='wp-i18n-js'></script>
<script id='wp-i18n-js-after'>
wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } );
</script>
<script id='password-strength-meter-js-extra'>
var pwsL10n = {"unknown":"Password strength unknown","short":"Very weak","bad":"Weak","good":"Medium","strong":"Strong","mismatch":"Mismatch"};
</script>
<script id='password-strength-meter-js-translations'>
( function( domain, translations ) {
var localeData = translations.locale_data[ domain ] || translations.locale_data.messages;
localeData[""].domain = domain;
wp.i18n.setLocaleData( localeData, domain );
} )( "default", { "locale_data": { "messages": { "": {} } } } );
</script>
<script src='https://xxx.udance.com.au/wp-admin/js/password-strength-meter.min.js?ver=5.8' id='password-strength-meter-js'></script>
<script src='https://xxx.udance.com.au/wp-includes/js/underscore.min.js?ver=1.8.3' id='underscore-js'></script>
<script id='wp-util-js-extra'>
var _wpUtilSettings = {"ajax":{"url":"\/wp-admin\/admin-ajax.php"}};
</script>
<script src='https://xxx.udance.com.au/wp-includes/js/wp-util.min.js?ver=5.8' id='wp-util-js'></script>
<script id='user-profile-js-extra'>
var userProfileL10n = {"user_id":"0","nonce":"ea886466a1"};
</script>
<script id='user-profile-js-translations'>
( function( domain, translations ) {
var localeData = translations.locale_data[ domain ] || translations.locale_data.messages;
localeData[""].domain = domain;
wp.i18n.setLocaleData( localeData, domain );
} )( "default", { "locale_data": { "messages": { "": {} } } } );
</script>
<script src='https://xxx.udance.com.au/wp-admin/js/user-profile.min.js?ver=5.8' id='user-profile-js'></script>
<script>
/(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",(function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())}),!1);
</script>
<div class="clear"></div>
</body>
</html>
* Connection #0 to host xxx.udance.com.au left intact
If I use the not version of the no-referer matcher…
@no-referer not header Referer {scheme}://{host}*
…it fails for both.
root@wp-xxx:/usr/local/www # curl -v https://xxx.udance.com.au/wp-login.php
* Trying 10.1.1.4:443...
* Connected to xxx.udance.com.au (10.1.1.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.udance.com.au
* start date: Jul 31 18:08:01 2021 GMT
* expire date: Oct 29 18:07:59 2021 GMT
* subjectAltName: host "xxx.udance.com.au" matched cert's "*.udance.com.au"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x801480800)
> GET /wp-login.php HTTP/2
> Host: xxx.udance.com.au
> user-agent: curl/7.77.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 502
< server: Caddy
< content-length: 0
< date: Mon, 30 Aug 2021 07:32:26 GMT
<
* Connection #0 to host xxx.udance.com.au left intact
I believe I need to use the not version of the matcher, but accessing wp-login.php from the browser shouldn’t trigger an abort.
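To make the behaviour of the two matcher forms concrete, here is a small model of Caddy's `header` request matcher and its `not` negation, evaluated against a few constructed requests. This is an added illustration, not Caddy's code and not the original poster's configuration. It assumes the semantics described in the Caddy docs as I read them: a trailing `*` in the matcher value means prefix match, a leading `*` means suffix match, and a request that lacks the header does not satisfy a positive `header` matcher at all (so the `not` form matches it). The request samples, the `no_referer_abort` helper and the `xxx.udance.com.au` host taken from the post are constructed for the example.

```python
"""Model of a Caddy-style `header` matcher and its `not` negation.

Added example, not Caddy's own code. Assumed semantics (per the Caddy docs
as I understand them): trailing `*` = prefix match, leading `*` = suffix
match, and a request without the header never matches a positive matcher.
"""
from typing import Dict, Optional


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def header_matches(headers: Dict[str, str], name: str, pattern: str) -> bool:
    """`header <name> <pattern>` as a positive matcher."""
    value = _get_header(headers, name)
    if value is None:
        return False  # missing header: the positive matcher does not match
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def expand_placeholders(pattern: str, scheme: str, host: str) -> str:
    """Substitute the {scheme} and {host} placeholders used in the matcher."""
    return pattern.replace("{scheme}", scheme).replace("{host}", host)


def no_referer_abort(request: dict) -> bool:
    """True when `@no-referer not header Referer {scheme}://{host}*` matches,
    i.e. when a route guarded by that matcher would abort the request."""
    pattern = expand_placeholders("{scheme}://{host}*", request["scheme"], request["host"])
    return not header_matches(request["headers"], "Referer", pattern)


# Constructed sample requests (hypothetical, modelled on the curl test in the post).
SAMPLE_REQUESTS = {
    # curl -v https://xxx.udance.com.au/wp-login.php sends no Referer at all
    "curl_get_no_referer": {
        "method": "GET", "scheme": "https", "host": "xxx.udance.com.au",
        "headers": {"user-agent": "curl/7.77.0", "accept": "*/*"},
    },
    # browser submitting the login form: Referer is the login page on the same host
    "browser_post_same_host": {
        "method": "POST", "scheme": "https", "host": "xxx.udance.com.au",
        "headers": {"Referer": "https://xxx.udance.com.au/wp-login.php"},
    },
    # a browser navigating to the URL by typing it also sends no Referer
    "browser_get_typed_url": {
        "method": "GET", "scheme": "https", "host": "xxx.udance.com.au",
        "headers": {"user-agent": "Mozilla/5.0 (constructed)"},
    },
    # a form post whose Referer points at some other site
    "cross_site_post": {
        "method": "POST", "scheme": "https", "host": "xxx.udance.com.au",
        "headers": {"Referer": "https://example.invalid/phish.html"},
    },
}


def classify_requests(requests: Dict[str, dict] = SAMPLE_REQUESTS) -> Dict[str, str]:
    """Return 'abort' or 'allow' per sample, as the `not header Referer` route would decide."""
    return {name: ("abort" if no_referer_abort(req) else "allow") for name, req in requests.items()}


if __name__ == "__main__":
    for name, decision in classify_requests().items():
        print(f"{name:24s} -> {decision}")
```

Run as-is, the model shows why the `not` form returned a 502 for the curl test: curl sends no Referer, so the positive matcher fails and the negated matcher fires. The same is true of a browser that reaches wp-login.php by a typed URL or bookmark, which is why a matcher like this is usually scoped with a second condition (for example `method POST`) so that only form submissions without a same-host Referer are rejected, while plain navigation to the login page is allowed; the form POST with a same-host Referer passes the matcher and is allowed.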