• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved Password protection breaks static files access (404 error)

Monty

Silver Pleskian
Plesk Guru
Username:

TITLE

Password protection breaks static files access (404 error)

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Product version: Plesk Obsidian 18.0.51.0
OS version: CentOS 7.9.2009 x86_64
Build date: 2023/03/10 09:00

PROBLEM DESCRIPTION

When the directory "/" of a domain is password protected and nginx proxy mode is enabled, requests to static files like "page.html" result in a 404 error.

Installation:
* Default Plesk 18.0.51 installation

nginx settings:
* Proxy mode: enabled
* Smart static files processing: enabled
* Serve static files directly by nginx: disabled
* Enable nginx caching: disabled
* Additional nginx directives: none

STEPS TO REPRODUCE

  1. Create a domain "example.tld" with above (default) nginx settings
  2. Create a file "page.html" in the httpdocs of that domain
  3. Add a password protection on the directoy "/" with a user/pass combination
  4. Access the page http://example.tld/page.html

ACTUAL RESULT

Server returns 404 error

access_ssl_log: "GET /internal-nginx-static-location/page.html HTTP/1.0" 404 960

EXPECTED RESULT

Server returns content of "page.html"

ANY ADDITIONAL INFORMATION

This used to work up and including Plesk 18.0.50 update 2.
Problem first appeared on Plesk 18.0.51

Workaround: Disable "Smart static files processing" or enable "Serve static files directly by nginx" (caution: mod_rewrite rules will not be applied)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
OK, I did some more tests and found that the problem only occurs when the created html file is larger than 1023 bytes!

Here are my updated steps to reproduce:
  1. Install OS (CentOS 7 or Debian 11), minimum installation
  2. Run Plesk one-click installer as outlined here: Installing Plesk for Linux in One Click
  3. Log in to Plesk and create a domain "example.tld"
  4. On that domain, create a file "index.html" with 1024 bytes (or larger) of content
  5. Open website http://example.tld => Result: Content of index.html is displayed
  6. Go to "Password-Protected Directories" => "Add Protected Directory": => "Directory name": /, Title of the protected area: "Test"
  7. Add a username and password for that directory
  8. Open website http://example.tld again and enter credentials created above => Result: 404 not found
  9. Edit "index.html" and remove content from it until its size is below 1024 bytes
  10. Open website http://example.tld again and enter credentials created above => Result: Content of index.html is displayed

This looks a bit similar to an issue I've reported some time ago: Resolved - [PPP-53248] nginx not returning 404 for non-existing files larger than 1023 bytes
 
HI there, same here. After the update to Plesk 18.0.51 some of the websites which have the home dir protected are throwing 404 error for all the assets:


This happens to images, js, css...

The hostings have all the "Common Apache settings" to default, no additional apache directives and proxy mode / smart static processing active. Disabling "Smart static files processing" fixes it, but seems to be some bug there.

Regards
 
We are not sure if this is related to this bug but we have on top the following issue on our test servers where we did roll out this upgrade:

- when trying to create a password protected directory + user the Plesk GUI could not finish the operations and we got timeouts plus the changes were not applied
- we saw hanging processes on the console for the nginx config test (nginx -t): as the timeout is quite high for those operations more and more of those zombie processes were created when different users did try to make such changes, where the webserver config had to be reloaded
- the Plesk repair utility got also stuck to regenerate the whole web server config as the config checks could also not be fulfilled in time

As a result the upgraded servers are quite unusable right now. We hope for a very fast patch.
 
@Hangover2 Regarding the Nginx symptoms it sounds like a known issue with OCSP stapling. I suggest to change the nameservers in /etc/resolv.conf and test again. There is a known issue when OCSP stapling is used and nameserver resolution to the Let's Encrypt servers is slow, because for every web configuration entry Nginx will try to resolv that address and connect. If it takes too long it will run into a timeout. This issue is caused by nameserver resolution specificially for the r3.o.lencr.org server(s) and it has been seen with various public resolvers. It is unclear why public resolvers sometimes have this issue.
 
Nevertheless is there an ETA for this bug? It would be great to have a fix in "Plesk 18.0.51 Update 1" as right now this is a main blocker for any upgrade of live systems.
 
There is no ETA yet. Please note the workaround provided by @Monty:
Disable "Smart static files processing" or enable "Serve static files directly by nginx" (caution: mod_rewrite rules will not be applied)
 
There is no ETA yet. Please note the workaround provided by @Monty:
I have the same problem

if Disable "Smart static files processing" and work correct
if Enable "Serve static files directly by nginx" work correct

Which is the best option?
Is it a permanent solution or are they working on the problem?
 
Hello,

We have set Plesk to update only with safe updates and now I confirm that after updateting to v...51 protected folders stop process files properly and show 404 err plus starts receiving System Updates error for pum is called with arguments: ['--list', '--repo-info', '--json'] with response ERROR: Exited with return code 1 any solution for second issue after that update ?
 
Hello,

We have set Plesk to update only with safe updates and now I confirm that after updateting to v...51 protected folders stop process files properly and show 404 err plus starts receiving System Updates error for pum is called with arguments: ['--list', '--repo-info', '--json'] with response ERROR: Exited with return code 1 any solution for second issue after that update ?
Hello.
Maybe not necessary if already acknowledged by the plesk development team, but exactly the same problem for us. (approximately 30 subscriptions impacted)
Disabling "Serve static files directly by nginx" helps bypass the bug.
 
Hello.
Maybe not necessary if already acknowledged by the plesk development team, but exactly the same problem for us. (approximately 30 subscriptions impacted)
Disabling "Serve static files directly by nginx" helps bypass the bug.
Sorry, it's disabling "Smart static files processing" that helps !
(Can't edit our previous post and need correction in order to avoid contradictory statement)
 
We can only warn every Plesk user with high amounts of customers on their servers. Plesk 18.0.51 is a support nightmare concerning this bug. Even Plesk 18.0.51 Update 1 does not address it.
 
We can only warn every Plesk user with high amounts of customers on their servers. Plesk 18.0.51 is a support nightmare concerning this bug. Even Plesk 18.0.51 Update 1 does not address it.
I can only agree. Of course, it's really not a problem if you only have a few webs on one server, but if you have a large number of servers with many customers, the only option left is to completely disable automatic Plesk updates in the future.

who would like to get unnecessary support just because there are bugs in new versions that may affect some customers.

once again completely disappointing that this bug is classified as so minor that it is not worth a hotfix.
 
At the moment the update policy of Plesk is getting more and more headache. Nearly with every new feature release 18.0.x new bugs on existing functionalities are introduced. In the past it was enough to wait for Update 2 or 3. But nowadays we have to skip even complete feature releases. Right now the last stable release we can "burden" to our clients is "18.0.49 Update 2". Looks like we cannot upgrade till "18.0.52 Update 3" is released and all red flags from version .50 and .51 and .52 are fixed. Plesk should focus some months on bug fixes only and freeze any feature requests.
 
Back
Top