
I have tested Webinoly on Linode, DigitalOcean and my own server.

Overall it is very good. I can get 100k daily visitors without a problem. I love it.

But every server where I use Webinoly has 403 Forbidden errors on the WordPress admin and login pages.

Only when I click on the WordPress menu very fast or refresh it 4-5 times.

Check this video --> https://streamable.com/4edm3

More testing video --> https://streamable.com/d6m2z

I set up Webinoly with just a few commands. I followed this page: https://webinoly.com/en/install/

Thank you.

1 Answer

0 votes
by Expert

Yes, that's a security feature!

We limit the number of requests your wp-admin pages can receive from the same IP.

You know, it's like we are detecting an attack and then we close that connection to protect your server.

by

Can I turn that off? Because my monitoring tool shows it as an error.

I need to monitor page-load errors for users on my website.

by Expert
You really shouldn't do that!
But if you want to do it you need to modify the NGINX conf.

Remove or customize the limit_req instruction located at:
/etc/nginx/common/wpcommon.conf

And zones are defined here:
/etc/nginx/nginx.conf
by
I think that is good security. I won't touch it.

Thanks a lot.
by
I use the Updraft Plugin for site/backup/restore, etc. It is a fairly popular plug-in. I was getting a 403 when trying to upload some restore files once it hit about 50MB. Files upload in the background using ajax from the admin area. I checked the max-upload and post size and they were good. Looking in the logs, I saw indications that it was being limited. After commenting these lines out, I was able to upload without any problems. While I appreciate extra security, this seems like an oversight.
by Expert
Read the docs. By default Webinoly has a limit of 50Mb for file uploads, and we have an option to modify this value. Read about the "webinoly" command.

This has nothing to do with the WP admin area security feature.
by
Uh yeah... I read the docs. As my post alludes to, the first thing I did was add the max-mb-uploads parameter to the webinoly.conf, and I still received the 403 error. I searched the forums and came across this post. In the error log for my site there is the following:

2019/01/25 15:22:26 [error] 48440#48440: *10 limiting requests, excess: 6.052 by zone "wp", client: 172.16.1.1, server: www.mysite.org, request: "POST /wp-admin/admin-ajax.php HTTP/1.1", host: "https://www.mysite.org", referrer: "https://www.mysite.org/wp-admin/options-general.php?page=updraftplus"

I changed the domain for privacy purposes. I then went to the wpcommon.conf and commented out the following:

location ~ /wp-admin/admin-ajax.php$ {
        #limit_req zone=wp burst=6 nodelay;

After a reset, I was able to upload a 225MB file.

Maybe you should try to reproduce the issue rather than flippantly refer me to the docs.
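To tell plugin traffic apart from login brute forcing before touching the limit, the rejections can be grouped by zone, client and URI. This is an added example, not part of the original thread or of Webinoly; the sample log lines are constructed in the format of the line quoted above, and the `wp-login.php` entries under zone "wp" are an assumption.

```python
import re
from collections import defaultdict

# Matches limit_req rejections in the nginx error-log format quoted in the post.
LIMIT_RE = re.compile(
    r'limiting requests, excess: (?P<excess>[\d.]+) by zone "(?P<zone>[^"]+)", '
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\S+) (?P<uri>\S+)[^"]*"'
    r'(?:, host: "[^"]*")?(?:, referrer: "(?P<referrer>[^"]*)")?'
)

# Constructed sample lines (documentation IPs, example.org); not real logs.
SAMPLE_LOG = """\
2019/01/25 15:22:26 [error] 48440#48440: *10 limiting requests, excess: 6.052 by zone "wp", client: 192.0.2.10, server: www.example.org, request: "POST /wp-admin/admin-ajax.php HTTP/1.1", host: "www.example.org", referrer: "https://www.example.org/wp-admin/options-general.php?page=updraftplus"
2019/01/25 15:22:26 [error] 48440#48440: *11 limiting requests, excess: 6.410 by zone "wp", client: 192.0.2.10, server: www.example.org, request: "POST /wp-admin/admin-ajax.php HTTP/1.1", host: "www.example.org", referrer: "https://www.example.org/wp-admin/options-general.php?page=updraftplus"
2019/01/25 15:22:27 [error] 48440#48440: *12 limiting requests, excess: 6.800 by zone "wp", client: 192.0.2.10, server: www.example.org, request: "POST /wp-admin/admin-ajax.php HTTP/1.1", host: "www.example.org", referrer: "https://www.example.org/wp-admin/options-general.php?page=updraftplus"
2019/01/25 15:23:01 [error] 48440#48440: *31 open() "/var/www/example.org/htdocs/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: www.example.org, request: "GET /favicon.ico HTTP/1.1", host: "www.example.org"
2019/01/25 15:40:02 [error] 48440#48440: *57 limiting requests, excess: 6.900 by zone "wp", client: 198.51.100.7, server: www.example.org, request: "POST /wp-login.php HTTP/1.1", host: "www.example.org"
2019/01/25 15:40:02 [error] 48440#48440: *58 limiting requests, excess: 7.000 by zone "wp", client: 198.51.100.7, server: www.example.org, request: "POST /wp-login.php HTTP/1.1", host: "www.example.org"
"""


def summarize(log_text):
    """Group limit_req rejections by (zone, client, URI path)."""
    groups = defaultdict(lambda: {"count": 0, "max_excess": 0.0, "referrers": set()})
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if not m:
            continue  # not a rate-limit rejection
        key = (m["zone"], m["client"], m["uri"].split("?")[0])
        g = groups[key]
        g["count"] += 1
        g["max_excess"] = max(g["max_excess"], float(m["excess"]))
        if m["referrer"]:
            # An admin-page referrer suggests a logged-in plugin workflow.
            g["referrers"].add(m["referrer"].split("?")[0])
    return dict(groups)


if __name__ == "__main__":
    for key, g in summarize(SAMPLE_LOG).items():
        print(key, g["count"], g["max_excess"], sorted(g["referrers"]))
```

Rejections on `admin-ajax.php` with a wp-admin referrer from one known client point to a plugin's chunked requests; repeated `wp-login.php` rejections with no referrer are the pattern the limit exists to stop.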
by Expert
We have a Premium Support service, where you can pay for new features and that way we are happy to reproduce and fix any issues you are having with your plugins and sites.
by
This was my initial attempt at using Webinoly, and with the other issues I had, I will be moving back to EasyEngine. I posted my experience here to be helpful, something you should think about if you are trying to grow a paying customer base. Have a good one!

David
by Expert

Goodbye David!

We don't accept any kind of rude behaviour here, people that give answers the way you did are not welcome here.

"Maybe you should try to reproduce the issue rather than flippantly refer me to the docs."
Seriously, you are wrong if you think that reproducing YOUR issues is my obligation.
by
I sincerely apologize if I offended you.  I think we are running into some language barriers here.  I was really just trying to add additional information to this post that others might find helpful, and if you were interested could take into consideration with improving the product.  I have no vested interest if you want to try to reproduce the problem, but this is a support forum, so it seems like the appropriate venue to share information.

What I can also tell you is that I read several of your responses in other posts, and your tone is short and abrasive, and could be mistaken as rude to others.

Regards,
David
by Expert
Yes and thanks for understanding.
Did you post your issue in the plugin forum?

From what you said, it seems like they are making so many calls to the admin-ajax file. I don't know why, but it seems like they need to fix this. Webinoly protects/limits this file because it is a common target for brute force attacks.

Why do they need to call the same file more than maybe 10 times in a second?

Sounds like they need to fix this, not Webinoly!
by

I understand the frustration of trying to support this by yourself, and people not reading the docs before posting in the forums. 

Here is some additional info, in case you are interested.  Updraft is an extremely popular plugin (over 1 million installations), so you might want to take the following into consideration.  I'm sure there are other plugins that use admin-ajax for file upload/download.

The plugin uploads zip files to a backup repository on the site.  It is doing that in approximately 0.5MB chunks.  I have a fiber connection (1GB), so that all happens very fast, so naturally it is going to exceed the limit cap you set in the file.  The screen cap below shows what is going on.  This seems like you are being a little over-protective and your users could run into problems.  Maybe you could make this an option in your config?  Just a suggestion.  

Regards,
David

by Expert
You would be surprised to know how many of these "extremely popular" plugins are awfully coded (I don't know if that's the case with this specific plugin, I've never used it).

You can increment the "burst" value, instead of completely removing the line.

I will keep an eye on this issue. As I said before, I think you should report this to the plugin author; I have a "fiber" connection too and never ran into this problem before. These kinds of coding practices are the root cause of slow admin areas on some sites. There is a lot of documentation about how some plugins abuse and make intensive use of the admin-ajax file, and all of it ends up making the same recommendation: stop using these badly coded plugins.

Regards.
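How far "burst" would have to be raised depends on the zone's rate and on how fast the plugin sends chunks. The following added example (not from the thread or from Webinoly) replays a chunked upload through a simplified model of nginx's limit_req accounting with nodelay; burst=6 and the 450 chunks (225MB in roughly 0.5MB pieces) come from the thread, while the zone rate of 1 r/s and the 100 ms chunk interval are assumptions.

```python
RATE_PER_S = 1      # assumption: the zone's rate is not shown in the thread
BURST = 6           # from the limit_req line quoted in the thread
CHUNKS = 450        # 225MB upload in ~0.5MB chunks, per the thread
INTERVAL_MS = 100   # assumption: one chunk request every 100 ms
UPLOAD = [i * INTERVAL_MS for i in range(CHUNKS)]  # constructed arrival times


def replay(arrivals_ms, rate_per_s, burst=None):
    """Replay one client's request times through limit_req (nodelay).

    Returns (verdicts, peak_excess) where verdicts[i] is True if request i
    is accepted and peak_excess is in 1/1000 of a request, as nginx stores it.
    burst=None means "no limit", used to measure the peak.
    """
    rate = rate_per_s * 1000          # nginx keeps rate and burst scaled by 1000
    excess, last, peak = 0, None, 0
    verdicts = []
    for now in arrivals_ms:
        if last is None:
            candidate = 0             # first request creates the entry
        else:
            # Drain by elapsed time, then charge one request (1000 units).
            candidate = max(excess - rate * (now - last) // 1000 + 1000, 0)
        if burst is not None and candidate > burst * 1000:
            verdicts.append(False)    # rejected; stored state is not updated
            continue
        excess, last = candidate, now
        peak = max(peak, excess)
        verdicts.append(True)
    return verdicts, peak


def min_burst(arrivals_ms, rate_per_s):
    """Smallest integer burst that accepts every request in the trace."""
    _, peak = replay(arrivals_ms, rate_per_s)
    return -(-peak // 1000)           # integer ceiling


if __name__ == "__main__":
    verdicts, _ = replay(UPLOAD, RATE_PER_S, BURST)
    print("first rejected chunk:", verdicts.index(False) + 1)
    print("rejected chunks:", verdicts.count(False), "of", CHUNKS)
    print("burst needed for this trace:", min_burst(UPLOAD, RATE_PER_S))
```

Under these assumed numbers the burst has to approach the chunk count before the whole upload passes, so the chosen value should be sized from the traffic seen in the error log rather than guessed.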
by Rookie
I'll add that I'm running into this exact same problem when running Migrate DB Pro, another popular plugin written by the excellent folks at Delicious Brains. They are very strict about writing great code. In looking into the nginx logs, I noticed that I was running up against the rate limits, so am glad to find this thread. QROkes, I love Webinoly and thank you for creating and supporting it - I now run it on all of the 5 servers that I manage. It would be nice, though, if there was an easy setting to adjust the rate limit - I don't mind too much editing the nginx conf files, but I'd rather not if I can avoid it. In any case, keep up the great work!

Regards,
Jeff
by Expert

Hi Jeff,

Did you report this issue to the plugin author?

I've been doing some research about it and it seems like everybody agrees with the idea that intensive use of the admin-ajax file has a very important negative effect on the WP admin area.

As I said before, I will keep an eye on this issue.

I'm not really sure about changing these settings in Webinoly; if you are using Webinoly, it is because you care about performance.

Regards.

by Rookie
I'll definitely ask the developer about this. Question, when I make the changes to the wpcommon.conf file, it seems that I can then never run webinoly -server-reset, since that'll overwrite the change, correct? So if I need to restart nginx, I should just do it manually?

Thanks,
Jeff
by Expert
Ok. Just to clarify:

Server-reset command is intended to be used to "reset" the configuration to the original state, it will remove any custom change you made. If you want to reload (restart) a service like nginx, you should do it manually.

Regards.
by Expert

Following up on this issue with the UpdraftPlus and MigrateDB Pro plugins: it seems like they (both) have a lot of tickets open about the same issue, with a lot of people complaining about errors and slow admin areas due to intensive use of admin-ajax.php caused by these plugins.

Seriously, read this answer: https://deliciousbrains.com/wp-migrate-db-pro/doc/modsecurity/

That doesn't seem like a very "professional" answer; security features should never be disabled.

Just for the record:

Definitely, Webinoly will keep this security feature and you should be careful about how the plugins you are using are affecting your sites' performance and security.
Regards.
by

Just to add my two cents: UpdraftPlus seems to work just fine for backing up WP sites in a Webinoly setup.

It fails when restoring for the reasons discussed above. However, it will restore perfectly if you restore one part at a time, e.g., plugins, then themes, then uploads, etc. Just select one of the parts of the backup at a time and it works fine, at least for me.

Hope this helps someone.

Bill
