Issue Bug: Plesk Nginx proxy stripping performance headers - CPU spikes on all woocommerce downloads

thinkjarvis
Basic Pleskian

Server operating system version: Ubuntu 24.04.4 LTS
Plesk version and microupdate number: Plesk Obsidian 18.0.78 Update #4
Bug overview:
We have discovered that Plesk is stripping off the X-Accel and X-Sendfile headers added by WooCommerce for faster secure downloadable products.

This means the woocommerce_uploads folder cannot be restricted using the recommended Nginx settings, meaning downloads can be stolen.
This applies to all WooCommerce sites running on Plesk with an Apache proxy to Nginx.
On sites with large downloadable products this causes the CPU to get tied up serving downloads.

More details:

This site has downloadable products as big as 4 GB, but this applies to all WooCommerce sites running on Plesk with an Apache proxy to Nginx.

We have had to increase the CPU cores substantially to deal with download spikes.

We have the following Additional Apache directives:
XSendFile On
XSendFilePath /var/www/vhosts/domain.com/httpdocs/wp-content/uploads/woocommerce_uploads

Nginx:

[screenshot of the Nginx settings; image not reproduced]

This issue came about when setting the following in WooCommerce:

[screenshot of the WooCommerce setting; image not reproduced]

WooCommerce Nginx setting guidance:

Code:
# Protect WooCommerce upload folder from being accessed directly.
# You may want to change this config if you are using "X-Accel-Redirect/X-Sendfile" or "Force Downloads" method for downloadable products.
# Place this config towards the end of "server" block in NGINX configuration.
location ~* /wp-content/uploads/woocommerce_uploads/ {
    if ( $upstream_http_x_accel_redirect = "" ) {
        return 403;
    }
    internal;
}

Because the x_accel headers are not applying, the woocommerce_uploads folder can be accessed directly, meaning downloads can be stolen for free.

Security workaround
Insert this snippet instead, which stops Nginx serving the folder directly:

Code:
location ^~ /wp-content/uploads/woocommerce_uploads/ {
    return 403;
}

Nginx serving files over X_accel fix?
Please can I ask if the community has any suggestions and solutions?
 
Note we know the x_accel header isn't getting sent because you can access woocommerce_uploads directly when using the recommended settings.
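The following is an added example, not code from the post, Plesk or WooCommerce. It is a small Python model of nginx's documented location-selection order (exact match, then longest prefix with `^~` winning outright, then regex locations in configuration order) together with the `$upstream_http_x_accel_redirect` check from the WooCommerce snippet. It assumes, as a constructed stand-in for a Plesk-style "serve static files directly" rule, that a regex location matching `.zip`/`.pdf`/`.mp4` appears earlier in the server block than the WooCommerce `~*` location; the file name `product.zip` and the three handler functions are likewise constructed. Under that assumption it shows why the recommended `~*` block can be shadowed for a direct request, why the `^~ { return 403; }` workaround closes the direct-access hole but also refuses X-Accel-Redirect serving, and that a `^~` location carrying the original upstream-header check does both (a variant to test, not something the post confirms):

```python
# Added example: a model of nginx location selection and the X-Accel-Redirect
# check. It does not parse a real nginx.conf; all inputs are constructed.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    uri: str
    # Headers the proxied app returned; nginx exposes them as $upstream_http_<name>.
    # Empty for a direct request that never reached PHP/Apache.
    upstream_headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Location:
    modifier: str                       # '', '=', '^~', '~' or '~*'
    pattern: str                        # prefix string or regular expression
    handler: Callable[[Request], int]   # stands in for the block body; returns a status


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """nginx order: '=' exact match; longest prefix, which wins outright if it is
    '^~'; otherwise the first matching regex in config order; else that prefix."""
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    prefixes = [l for l in locations if l.modifier in ("", "^~") and uri.startswith(l.pattern)]
    best = max(prefixes, key=lambda l: len(l.pattern), default=None)
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        if loc.modifier == "~" and re.search(loc.pattern, uri):
            return loc
        if loc.modifier == "~*" and re.search(loc.pattern, uri, re.IGNORECASE):
            return loc
    return best


# Handlers standing in for the bodies of the location blocks.
def serve_static(req: Request) -> int:
    return 200                      # assumed "serve static files directly" rule


def woo_recommended(req: Request) -> int:
    # The snippet from the post: 403 unless the upstream set X-Accel-Redirect;
    # a request that did set it is the internal redirect, so the file is served.
    if req.upstream_headers.get("X-Accel-Redirect", "") == "":
        return 403
    return 200


def deny_all(req: Request) -> int:
    return 403                      # the ^~ workaround from the post


def status_for(locations: List[Location], req: Request) -> int:
    loc = select_location(locations, req.uri)
    return loc.handler(req) if loc else 404


WOO = "/wp-content/uploads/woocommerce_uploads/"
STATIC_RE = r"\.(zip|pdf|mp4)$"     # constructed: an earlier static-file regex location

# Three server-block orderings: the recommended snippet, the post's workaround,
# and a variant that keeps the header check inside a ^~ location.
recommended = [Location("~", STATIC_RE, serve_static), Location("~*", WOO, woo_recommended)]
workaround = [Location("~", STATIC_RE, serve_static), Location("^~", WOO, deny_all)]
combined = [Location("~", STATIC_RE, serve_static), Location("^~", WOO, woo_recommended)]

# A direct browser request, and the internal redirect nginx issues after the
# application answered with X-Accel-Redirect (constructed file name).
direct = Request(WOO + "product.zip")
via_accel = Request(WOO + "product.zip", {"X-Accel-Redirect": WOO + "product.zip"})


def scenario_table() -> Dict[str, int]:
    """Status each configuration returns for the two requests."""
    return {
        "recommended/direct": status_for(recommended, direct),
        "workaround/direct": status_for(workaround, direct),
        "workaround/via_accel": status_for(workaround, via_accel),
        "combined/direct": status_for(combined, direct),
        "combined/via_accel": status_for(combined, via_accel),
    }


if __name__ == "__main__":
    for name, status in scenario_table().items():
        print(f"{name:22s} -> {status}")
```

In the model the `~*` block never sees the direct request because the earlier regex wins, which is the symptom the post describes; the `^~` prefix is chosen before any regex is consulted, so it blocks direct access, but with a bare `return 403` it also blocks the internal redirect that X-Accel-Redirect relies on. Whether the combined variant restores X-Accel serving on a Plesk host still depends on the header actually reaching nginx from the Apache proxy, which this model does not cover.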
 