
Issue 403 Error Nginx TLS/SSL

MISHO0o

New Pleskian
Server operating system version
Debian 12
Plesk version and microupdate number
18.0.65
Hello,

I face this issue: a payment gateway callback URL got a 403 error
1732983725896.png

It was working fine before migrating to Plesk,
so is there a setting that should be done in nginx to allow this callback URL?
 
That is from the access log, not from the error log.

The error log will contain additional information regarding the 403 request. It might also be in the php-fpm error log (/var/log/plesk-php83/error.log) (replace 83 with the PHP version).
 
Check at the exact date and time in the error log. Checking the log file directly might be easier.
The log entry will not say 403. It will say something else: why you get a 403.
 
Any security plugin like Wordfence or security application like ModSecurity or Imunify360?
I have Wordfence and ModSecurity enabled,

but it's not related to Wordfence.

I don't know if it's related to ModSecurity or not.

The strange thing is that it happens for some transactions, not for all: all transactions use the same callback URL, but some of them give a 200 response and others give 403.

And I didn't find anything in the log other than the one attached.

So I don't know what causes this to happen.
 
Here is the full nginx access log:
172.70.83.127 - - [01/Dec/2024:07:22:09 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
172.71.156.134 - - [01/Dec/2024:07:22:15 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
172.69.223.161 - - [01/Dec/2024:07:27:40 +0200] "GET /wp-includes/Requests/about.php HTTP/1.1" 403 146 "-" "-"
172.69.223.154 - - [01/Dec/2024:07:27:41 +0200] "GET /wp-includes/style-engine/about.php HTTP/1.1" 403 146 "-" "-"
172.71.127.87 - - [01/Dec/2024:07:27:41 +0200] "GET /wp-includes/rest-api/about.php HTTP/1.1" 403 146 "-" "-"
172.71.118.203 - - [01/Dec/2024:07:27:41 +0200] "GET /wp-includes/SimplePie/about.php HTTP/1.1" 403 146 "-" "-"
172.71.123.151 - - [01/Dec/2024:07:27:43 +0200] "GET /wp-includes/Text/about.php HTTP/1.1" 403 146 "-" "-"
141.101.97.64 - - [01/Dec/2024:07:27:43 +0200] "GET /wp-includes/ID3/about.php HTTP/1.1" 403 146 "-" "-"
172.71.135.80 - - [01/Dec/2024:07:27:45 +0200] "GET /wp-includes/customize/about.php HTTP/1.1" 403 146 "-" "-"
172.71.130.87 - - [01/Dec/2024:07:27:46 +0200] "GET /wp-includes/widgets/about.php HTTP/1.1" 403 146 "-" "-"
141.101.95.95 - - [01/Dec/2024:07:27:46 +0200] "GET /wp-includes/IXR/about.php HTTP/1.1" 403 146 "-" "-"
172.69.222.159 - - [01/Dec/2024:07:27:48 +0200] "GET /wp-includes/pomo/about.php HTTP/1.1" 403 146 "-" "-"
172.71.123.90 - - [01/Dec/2024:07:27:48 +0200] "GET /wp-includes/block-patterns/about.php HTTP/1.1" 403 146 "-" "-"
172.71.118.166 - - [01/Dec/2024:07:27:53 +0200] "GET /wp-includes/images/about.php HTTP/1.1" 403 146 "-" "-"
172.71.130.178 - - [01/Dec/2024:07:27:53 +0200] "GET /wp-includes/about.php HTTP/1.1" 403 146 "-" "-"
172.71.122.143 - - [01/Dec/2024:07:27:54 +0200] "GET /wp-includes/blocks/about.php HTTP/1.1" 403 146 "-" "-"
141.101.96.42 - - [01/Dec/2024:07:28:06 +0200] "GET /wp-includes/Requests/Text/admin.php HTTP/1.1" 403 146 "-" "-"
172.69.222.63 - - [01/Dec/2024:07:28:16 +0200] "GET /wp-includes/repeater.php HTTP/1.1" 403 146 "-" "-"
172.70.83.184 - - [01/Dec/2024:07:35:57 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
108.162.212.78 - - [01/Dec/2024:07:36:03 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
172.70.35.184 - - [01/Dec/2024:09:25:57 +0200] "GET /robots.txt HTTP/1.1" 403 146 "http://iamalive.store/robots.txt" "Mozilla/5.0 (compatible; SemrushBot-BA; +Semrush Bot | Semrush)"
172.70.38.187 - - [01/Dec/2024:11:14:52 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"
172.70.35.182 - - [01/Dec/2024:12:43:59 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"
172.68.244.183 - - [01/Dec/2024:12:56:14 +0200] "GET /?author=1 HTTP/1.1" 403 548 "Google" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
172.71.191.124 - - [01/Dec/2024:12:56:15 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Apache-HttpClient/4.5.13 (Java/11.0.25)"
172.71.120.13 - - [01/Dec/2024:13:09:12 +0200] "GET /?author=1 HTTP/1.1" 403 548 "Google" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
172.69.130.55 - - [01/Dec/2024:13:09:13 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Apache-HttpClient/4.5.13 (Java/11.0.25)"
172.69.214.63 - - [01/Dec/2024:13:19:10 +0200] "GET /?author=1 HTTP/1.1" 403 548 "Google" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
172.69.130.54 - - [01/Dec/2024:13:19:12 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Apache-HttpClient/4.5.13 (Java/11.0.25)"
172.70.174.105 - - [01/Dec/2024:13:46:03 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"
172.71.191.4 - - [01/Dec/2024:13:56:21 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"
172.68.245.72 - - [01/Dec/2024:14:03:39 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"
172.70.42.161 - - [01/Dec/2024:14:32:19 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"
172.68.245.73 - - [01/Dec/2024:14:34:16 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"
172.70.255.54 - - [01/Dec/2024:14:37:03 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
172.70.55.88 - - [01/Dec/2024:14:37:08 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
172.70.38.29 - - [01/Dec/2024:14:39:25 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"
108.162.210.138 - - [01/Dec/2024:15:19:38 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
172.70.254.251 - - [01/Dec/2024:15:19:54 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"
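
Added example, not part of any post in this thread: one way to approach the "same callback URL, sometimes 200 and sometimes 403" question is to tabulate status codes per user agent for that one endpoint in the access log. The sample lines are constructed (documentation IPs), and the 200 line with its `ExampleGateway/1.0` user agent is invented so that both outcomes appear.

```python
import re
from collections import Counter, defaultdict

# nginx "combined" log format, the format of the access log posted above.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IPs). The 200 line and its
# "ExampleGateway/1.0" user agent are invented so both outcomes appear.
SAMPLE = [
    '203.0.113.10 - - [01/Dec/2024:11:14:52 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"',
    '203.0.113.11 - - [01/Dec/2024:12:43:59 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 403 146 "-" "python-requests/2.28.1"',
    '203.0.113.12 - - [01/Dec/2024:12:50:01 +0200] "POST /?wc-api=paymob_callback HTTP/1.1" 200 0 "-" "ExampleGateway/1.0"',
    '203.0.113.13 - - [01/Dec/2024:12:56:15 +0200] "POST /xmlrpc.php HTTP/1.1" 403 146 "-" "Apache-HttpClient/4.5.13 (Java/11.0.25)"',
    'truncated line without a request field',
]

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def status_by_user_agent(lines, needle):
    """For requests whose target contains `needle`, count statuses per UA."""
    table = defaultdict(Counter)
    for rec in parse(lines):
        if needle in rec["target"]:
            table[rec["ua"]][rec["status"]] += 1
    return table

def always_blocked(table):
    """User agents that received 403 and never any other status."""
    return sorted(ua for ua, counts in table.items() if set(counts) == {"403"})

if __name__ == "__main__":
    table = status_by_user_agent(SAMPLE, "wc-api=paymob_callback")
    for ua, counts in table.items():
        print(dict(counts), ua)
    print("only ever 403:", always_blocked(table))
```

The timestamps of the 403 rows it surfaces are the ones to look up in the error log, as suggested earlier in the thread.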
 
Hello, @MISHO0o. Unfortunately, the log entries are not very informative, so I am not quite sure what might be causing the issue here. Can you check the WooCommerce log for possible entries? Also, as suggested by Raul A., ModSecurity is a good starting point; it often blocks requests as false positives.
 
@Raul A. @Sebahat.hadzhi

Finally I got the reason.

It's from WP Toolkit bot protection;
I disabled it and it works fine.

Can I adjust it or configure it, or is it just on/off?

Also, I have a question:
- I added an "A" record to open Plesk on a subdomain, so the link will be https://plesk.iamalive.store:8443/
but when I typed the user and password it just reloads with no error.

But it opens normally with https://sd-152937.dedibox.fr:8443 (this is the name which was created by the Scaleway setup), so how can I make it work with my desired link name?
1733092561207.png
 
plesk.iamalive.store is passed through Cloudflare, and they usually use several IP addresses to send requests to the origin server. Plesk, by default, doesn't accept IP address changes during a session. That is why you get logged out and sent back to the login page.

Go to https://sd-152937.dedibox.fr:8443/admin/sessions/settings/ and enable "Allow IP address changes during a single session"
Thx, it works ♥♥
 