Resolved Password protection breaks static files access (404 error)

[Monty]

Username:

TITLE

Password protection breaks static files access (404 error)

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Product version: Plesk Obsidian 18.0.51.0
OS version: CentOS 7.9.2009 x86_64
Build date: 2023/03/10 09:00

PROBLEM DESCRIPTION

When the directory "/" of a domain is password protected and nginx proxy mode is enabled, requests to static files like "page.html" result in a 404 error.

Installation:
* Default Plesk 18.0.51 installation

nginx settings:
* Proxy mode: enabled
* Smart static files processing: enabled
* Serve static files directly by nginx: disabled
* Enable nginx caching: disabled
* Additional nginx directives: none

STEPS TO REPRODUCE

1. Create a domain "example.tld" with above (default) nginx settings
2. Create a file "page.html" in the httpdocs of that domain
3. Add a password protection on the directoy "/" with a user/pass combination
4. Access the page http://example.tld/page.html

ACTUAL RESULT

Server returns 404 error

access_ssl_log: "GET /internal-nginx-static-location/page.html HTTP/1.0" 404 960

EXPECTED RESULT

Server returns content of "page.html"

ANY ADDITIONAL INFORMATION

This used to work up and including Plesk 18.0.50 update 2.
Problem first appeared on Plesk 18.0.51

Workaround: Disable "Smart static files processing" or enable "Serve static files directly by nginx" (caution: mod_rewrite rules will not be applied)

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[Peter Debik]

Thank you. Reported as ID [PPS-14113].

 

[Peter Debik]

Developers could not reproduce the issue. Could it have a different reason? For example

Site shows 404 not found on Plesk server: nginx error: index.html is not found (2: No such file or directory)

Applicable to: Plesk for Linux Symptoms Domain is inaccessible with 404 error.Rewrite rules specified in /var/www/vhosts/example.com/httpdocs/.htaccess file do not work. FPM application served...

support.plesk.com

 

[Monty]

OK, I did some more tests and found that the problem only occurs when the created html file is larger than 1023 bytes!

Here are my updated steps to reproduce:

1. Install OS (CentOS 7 or Debian 11), minimum installation
2. Run Plesk one-click installer as outlined here: Installing Plesk for Linux in One Click
3. Log in to Plesk and create a domain "example.tld"
4. On that domain, create a file "index.html" with 1024 bytes (or larger) of content
5. Open website http://example.tld => Result: Content of index.html is displayed
6. Go to "Password-Protected Directories" => "Add Protected Directory": => "Directory name": /, Title of the protected area: "Test"
7. Add a username and password for that directory
8. Open website http://example.tld again and enter credentials created above => Result: 404 not found
9. Edit "index.html" and remove content from it until its size is below 1024 bytes
10. Open website http://example.tld again and enter credentials created above => Result: Content of index.html is displayed

This looks a bit similar to an issue I've reported some time ago: Resolved - [PPP-53248] nginx not returning 404 for non-existing files larger than 1023 bytes

 

[Peter Debik]

Thank you for the update, I have added it to the case.

 

[felixja]

HI there, same here. After the update to Plesk 18.0.51 some of the websites which have the home dir protected are throwing 404 error for all the assets:

404	GET /internal-nginx-static-location/assets/images/comun/cabecera-interior.png HTTP/1.0

This happens to images, js, css...

The hostings have all the "Common Apache settings" to default, no additional apache directives and proxy mode / smart static processing active. Disabling "Smart static files processing" fixes it, but seems to be some bug there.

Regards

 

[Peter Debik]

A product issue has been confirmed and is now tracked as ID [PPPM-13942].

 

[Hangover2]

We are not sure if this is related to this bug but we have on top the following issue on our test servers where we did roll out this upgrade:

- when trying to create a password protected directory + user the Plesk GUI could not finish the operations and we got timeouts plus the changes were not applied
- we saw hanging processes on the console for the nginx config test (nginx -t): as the timeout is quite high for those operations more and more of those zombie processes were created when different users did try to make such changes, where the webserver config had to be reloaded
- the Plesk repair utility got also stuck to regenerate the whole web server config as the config checks could also not be fulfilled in time

As a result the upgraded servers are quite unusable right now. We hope for a very fast patch.

 

[Peter Debik]

@Hangover2 Regarding the Nginx symptoms it sounds like a known issue with OCSP stapling. I suggest to change the nameservers in /etc/resolv.conf and test again. There is a known issue when OCSP stapling is used and nameserver resolution to the Let's Encrypt servers is slow, because for every web configuration entry Nginx will try to resolv that address and connect. If it takes too long it will run into a timeout. This issue is caused by nameserver resolution specificially for the r3.o.lencr.org server(s) and it has been seen with various public resolvers. It is unclear why public resolvers sometimes have this issue.

 

[Hangover2]

@Peter Debik You made my day. Our issue was caused by the problem you did describe.

 

[Hangover2]

Nevertheless is there an ETA for this bug? It would be great to have a fix in "Plesk 18.0.51 Update 1" as right now this is a main blocker for any upgrade of live systems.

 

[Peter Debik]

There is no ETA yet. Please note the workaround provided by @Monty:

Disable "Smart static files processing" or enable "Serve static files directly by nginx" (caution: mod_rewrite rules will not be applied)

 

[scsjcm]

There is no ETA yet. Please note the workaround provided by @Monty:

I have the same problem

if Disable "Smart static files processing" and work correct
if Enable "Serve static files directly by nginx" work correct

Which is the best option?
Is it a permanent solution or are they working on the problem?

 

[a-plesk-forum]

Hello,

We have set Plesk to update only with safe updates and now I confirm that after updateting to v...51 protected folders stop process files properly and show 404 err plus starts receiving System Updates error for pum is called with arguments: ['--list', '--repo-info', '--json'] with response ERROR: Exited with return code 1 any solution for second issue after that update ?

 

[Peter Debik]

Current plans are to have a fix available in Plesk 18.0.52, but as always this is only an estimate.

 

[Zéfyx]

Hello,

We have set Plesk to update only with safe updates and now I confirm that after updateting to v...51 protected folders stop process files properly and show 404 err plus starts receiving System Updates error for pum is called with arguments: ['--list', '--repo-info', '--json'] with response ERROR: Exited with return code 1 any solution for second issue after that update ?

Hello.
Maybe not necessary if already acknowledged by the plesk development team, but exactly the same problem for us. (approximately 30 subscriptions impacted)
Disabling "Serve static files directly by nginx" helps bypass the bug.

 

[Zéfyx]

Hello.
Maybe not necessary if already acknowledged by the plesk development team, but exactly the same problem for us. (approximately 30 subscriptions impacted)
Disabling "Serve static files directly by nginx" helps bypass the bug.

Sorry, it's disabling "Smart static files processing" that helps !
(Can't edit our previous post and need correction in order to avoid contradictory statement)

 

[Hangover2]

We can only warn every Plesk user with high amounts of customers on their servers. Plesk 18.0.51 is a support nightmare concerning this bug. Even Plesk 18.0.51 Update 1 does not address it.

 

[moswak]

We can only warn every Plesk user with high amounts of customers on their servers. Plesk 18.0.51 is a support nightmare concerning this bug. Even Plesk 18.0.51 Update 1 does not address it.

I can only agree. Of course, it's really not a problem if you only have a few webs on one server, but if you have a large number of servers with many customers, the only option left is to completely disable automatic Plesk updates in the future.

who would like to get unnecessary support just because there are bugs in new versions that may affect some customers.

once again completely disappointing that this bug is classified as so minor that it is not worth a hotfix.

 

[Hangover2]

At the moment the update policy of Plesk is getting more and more headache. Nearly with every new feature release 18.0.x new bugs on existing functionalities are introduced. In the past it was enough to wait for Update 2 or 3. But nowadays we have to skip even complete feature releases. Right now the last stable release we can "burden" to our clients is "18.0.49 Update 2". Looks like we cannot upgrade till "18.0.52 Update 3" is released and all red flags from version .50 and .51 and .52 are fixed. Plesk should focus some months on bug fixes only and freeze any feature requests.