WordPress Install CORS 403 Error, cross origin from domain to IP?

1. Caddy version (caddy version):

caddy version: v2.4.6

2. How I run Caddy:

a. System environment:

Arch Linux

Linux meaningpoetry.com 5.15.12-arch1-1 #1 SMP PREEMPT Wed, 29 Dec 2021 12:04:56 +0000 x86_64 GNU/Linux

I believe it is systemd

b. Command:

sudo systemctl start caddy.service

c. Service/unit/compose file:

Description=Caddy web server
Documentation=https://caddyserver.com/docs/
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
StartLimitIntervalSec=14400
StartLimitBurst=10

[Service]
User=caddy
Group=caddy
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/etc
ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket

# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
Restart=on-abnormal

# Use graceful shutdown with a reasonable timeout
TimeoutStopSec=5s

LimitNOFILE=1048576
LimitNPROC=512

# Hardening options
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# https://caddyserver.com/docs/caddyfile
#
# The configuration below serves a welcome page over HTTP on port 80.
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.
#
# https://caddyserver.com/docs/caddyfile/concepts#addresses

{
        # Restrict the admin interface to a local unix file socket whose directory
        # is restricted to caddy:caddy. By default the TCP socket allows arbitrary
        # modification for any process and user that has access to the local
        # interface. If admin over TCP is turned on one should make sure
        # implications are well understood.
        admin "unix//run/caddy/admin.socket"
}

http:// {
        # Set this path to your site's directory.
        root * /usr/share/caddy

        # Enable the static file server.
        file_server

        # Another common task is to set up a reverse proxy:
        #reverse_proxy localhost:3000 {
        #       header_down Strict-Transport-Security max-age=31536000;
        #}

        # Or serve a PHP site through php-fpm:
        # php_fastcgi localhost:9000

        # Refer to the directive documentation for more options.
        # https://caddyserver.com/docs/caddyfile/directives
}

# Import additional caddy config files in /etc/caddy/conf.d/
import /etc/caddy/conf.d/*
meaningpoetry.com {
    handle_path /hoc/* {
        root * /var/www/html/hoc
        php_fastcgi unix//run/php-fpm/www.sock
        file_server
    }
    reverse_proxy localhost:3000 {
        header_down Strict-Transport-Security max-age=31536000;
    }
}

a.meaningpoetry.com {
  reverse_proxy localhost:1337  {
    header_down Strict-Transport-Security max-age=31536000;
  }
}

m.meaningpoetry.com {
  reverse_proxy localhost:7700  {
    header_down Strict-Transport-Security max-age=31536000;
  }
}

roundcube.meaningpoetry.com {
        root * /usr/share/webapps/roundcubemail/
        encode gzip
        file_server

        php_fastcgi unix//run/roundcubemail/roundcubemail.sock {
                split .php
                index index.php
        }
}

mad.meaningpoetry.com {
        root * /usr/share/webapps/postfixadmin/public/
        encode gzip
        file_server

        php_fastcgi unix//run/postfixadmin/postfixadmin.sock {
                split .php
                index index.php
        }
}

awakening.observer:443 {
   root * /home/thero/ao/wordpress
   encode gzip
   php_fastcgi unix//run/php-fpm/www.sock
   file_server
}

3. The problem I’m having:

I serve numerous services fine on https://meaningpoetry.com, including a Strapi admin at a.meaningpoetry.com. I am trying to configure https://awakening.observer to run a WordPress install; however, I am running into a 403 error, and Brave indicates it’s CORS related, with a redirection to my IP from https://awakening.observer to 45.56.114.165:443 erroring with strict-origin-when-cross-origin.

4. Error messages and/or full log output:

*   Trying 45.56.114.165:80...
* Connected to awakening.observer (45.56.114.165) port 80 (#0)
> GET / HTTP/1.1
> Host: awakening.observer
> User-Agent: curl/7.80.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://awakening.observer/
< Server: Caddy
< Date: Tue, 04 Jan 2022 21:16:40 GMT
< Content-Length: 0
<
* Closing connection 0

5. What I already tried:

I’ve tried to pinpoint what was happening, which is how I stumbled upon the network tab in my browsers and found a 403 occurring. All secure files are being rejected.
I’ve tried tweaking the Caddyfile after the first few errors I ran into due to outdated references on the setup of WordPress. I think Caddy is fine. I will be enabling debugging, but I'm not sure where the log files would go.

I did run sudo pacman -Syu today, but everything with my previous setup for meaningpoetry.com seems A-OK; no pages yield a 403.

6. Links to relevant resources:

Do you mean your Wordpress app is serving a redirect to the IP address? That’s strange, sounds like a Wordpress misconfiguration.

That curl output you posted seems to be a request over HTTP, and Caddy is serving an HTTP->HTTPS redirect (see the Location header). You can tell curl to follow the redirect by using the -L flag (L for Location), or just do curl -v https://awakening.observer (i.e. directly make a request to HTTPS and skip the redirect).

* Connected to awakening.observer (45.56.114.165) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=awakening.observer
*  start date: Dec 15 00:00:00 2021 GMT
*  expire date: Mar 15 23:59:59 2022 GMT
*  subjectAltName: host "awakening.observer" matched cert's "awakening.observer"
*  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563dca4919f0)
> GET / HTTP/2
> Host: awakening.observer
> user-agent: curl/7.80.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 403
< server: Caddy
< content-length: 0
< date: Tue, 04 Jan 2022 22:28:52 GMT
<
* Connection #0 to host awakening.observer left intact

There is no WordPress install; there’s no way to actually create a functional install because the majority of the resources 403. It’s not even installed yet. I don’t get redirected to the installer or anything, and going there manually just shows plain text with some input fields.

This might be a duplicate of my previous issue; it’s been a while. I think it has to do with serving static files from the home directory.

Oh, yeah that would make sense. Since you’re running Caddy as a service with user caddy, then that user needs permissions to read the files in /home/thero/ao/wordpress.

If you turn on the debug global option then look at Caddy’s logs after making a request, you should see that permission error appear in the logs. They’re logged at debug level because otherwise permission errors would be kinda noisy.

Solution: moved the files to the previously created /var/www/html directory from a previous run-in with this. Issue instantly solved. I saw my previous forum topic and realized there was that 403 issue then too, read through it, and realized I should move the directory.
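The diagnosis above (the caddy user cannot read the webroot) has a second cause visible in the posted unit file: ProtectHome=true makes /home, /root and /run/user empty inside the service, so a root under /home/thero returns 403 regardless of file permissions. The script below is an added example, not code from the thread or from the Caddy project: it takes a trimmed, constructed copy of the posted unit and Caddyfile, extracts every `root` path, and reports which ones the sandboxing or the filesystem would block, so a bare 403 from file_server is traced to the filesystem before CORS is suspected.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check Caddyfile `root` paths
# against the systemd unit that runs Caddy and against local permissions.

# Constructed, trimmed copies of the unit and Caddyfile posted in the thread.
UNIT='[Service]
User=caddy
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy'

CADDYFILE='meaningpoetry.com {
    handle_path /hoc/* {
      root * /var/www/html/hoc
      file_server
    }
}
awakening.observer:443 {
   root * /home/thero/ao/wordpress
   file_server
}'

# Print every path given to a `root` directive in the Caddyfile text on stdin.
caddy_roots() {
    awk '$1 == "root" { print $NF }'
}

# Print the value of a unit option (arg1) found in unit text (arg2).
unit_option() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# List each directory on the way to a path; every one of them needs the
# search (execute) bit for the service user, or file_server answers 403.
path_components() {
    p=""
    printf '%s\n' "$1" | tr '/' '\n' | while IFS= read -r part; do
        [ -n "$part" ] || continue
        p="$p/$part"
        printf '%s\n' "$p"
    done
}

# One verdict per root: BLOCKED with the reason, ABSENT if the directory is
# not on this host, otherwise OK. Arg1: unit text, arg2: Caddyfile text.
check_roots() {
    protect_home=$(unit_option ProtectHome "$1")
    printf '%s\n' "$2" | caddy_roots | while IFS= read -r root; do
        case "$root" in
            /home/*|/root/*|/run/user/*)
                if [ "$protect_home" = "true" ]; then
                    echo "BLOCKED $root: ProtectHome=true makes /home, /root and /run/user empty inside the service"
                    continue
                fi ;;
        esac
        if [ ! -d "$root" ]; then
            echo "ABSENT $root: directory not present on this host"
        elif [ ! -r "$root" ] || [ ! -x "$root" ]; then
            echo "BLOCKED $root: not readable/searchable by $(id -un)"
        else
            echo "OK $root"
        fi
    done
}

# Run against the posted configuration.
check_roots "$UNIT" "$CADDYFILE"
```

The permission branch tests access as whoever runs the script; on the real host the meaningful check is the same test run as the service account (for example `sudo -u caddy test -r /var/www/html/hoc`), walking the output of `path_components` with `ls -ld` to find the first directory the caddy user cannot search. Moving the site under /var/www/html, as the thread's solution does, clears both the ProtectHome restriction and the home-directory permission problem at once, and with the `debug` global option mentioned above the exact permission error appears in Caddy's log.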

