Why is LS Caching Error Pages (403)?

[findingpeace]

Sometimes I see a 403 page cached for two minutes, instead of the actual page. This is a big problem because it means if one bad user around the globe gets a 403, it's a 403 for everyone for 120 seconds!

How can I prevent error pages from ever being cached? Also, I've noticed it's not displaying my custom 403 error page, but instead the default server 403 error page.

Please let me know if something is wrong with my .htaccess file? Does anything need to be reordered? Should I just get rid of most of these old Apache rules? Does most of this look okay for vBulletin 4 on LS?

php_flag display_errors offhtaccess

Ran into character limit, .htaccess continued below

 

[findingpeace]

continued htaccess

 

[NiteWave]

suggest:
1. move up following lines to before "RewriteEngine on"
#Custom Error Pages
ErrorDocument 404 /404.php
ErrorDocument 403 /403.shtml

2.move following lines up to before "LS Cache" rules:
# Start Deny attempts to view the config file.
<Files includes/config.php>
Order allow,deny
Deny from all
</Files>
# End Deny attempts to view the config file.

# Block User-agent Libwww-perl
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* – [F,L]

3. in "# proc/self/environ? block", there are lot of RewriteCond directives, but no RewriteRule directive.

 

[findingpeace]

Hi @NiteWave, thanks again I've made your changes but unfortunately still receiving the 403 cached error page. Is there any logic built into the cache system to not cache 403 / 404 error pages?

Our host also uses csf to block IPs. Not sure if this gets applied before/after .htaccess and could be causing the problem?

 

[NiteWave]

can you PM the a URL which is cached with 403 ?

the csf (or firewall, iptables) takes effect before the IP reach any application on the server, including litespeed, it's OS level. so can ignore it in our discussion.

 

[findingpeace]

can you PM the a URL which is cached with 403 ?

the csf (or firewall, iptables) takes effect before the IP reach any application on the server, including litespeed, it's OS level. so can ignore it in our discussion.

Hi @NiteWave, I woke up this morning with an idea! After a bit of confirming, turns out it was the Bad Behavior mod for vB which generates its own error page through a plugin, so is naturally processed after everything else.

I've disabled the mod for now and the error pages are gone However, the frequency at which those errors were occurring indicates to me that the mod was doing a good job blocking a lot of bad stuff - so I'm going to go through and make some code changes so that it'll play nicely with caching.

Another similar problem area I noticed is with IP blocking. When a user is IP blocked through the vBulletin admin panel, the "Your IP has been blocked" page gets cached for everyone. I'm working on a quick plugin to manipulate the cookies for the IP block page, so it never gets cached.

Once I've gotten these two things finished up, I'd be glad to post my fixes here for anyone having the same questions.

I really appreciate your quick help! It means a lot, and I will be purchasing the license this week.

 

[NiteWave]

>I'm going to go through and make some code changes so that it'll play nicely with caching.
you can try to put following php code in the mod somewhere:

header('X-LiteSpeed-Cache-Control: no-cache');

this tell litespeed not cache the page generated by php engine.
it has been used in vBSEO + lsws cache mod:
https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:cache:lscache:vbseo

waiting for your final fixes ... Thanks in advance!

 

[findingpeace]

Hi @NiteWave, thanks for that header! I can't seem to get it working in vBulletin's IP ban function (header is at the end of the code below). Whenever I request the page through a banned IP, half the pages still come from cache - other pages show the IP ban message, but if I view that same page through a non-banned IP, it still shows the ban message for 2 minutes. I see X-LiteSpeed-Cache:hit, So it seems to not be applying the header?

I'm not totally sure if the header itself works - Just as a test, from your VBSeo tutorial, if I changed the logic from this:

if ( $vbulletin->userinfo['userid'] )
{
header('X-LiteSpeed-Cache-Control: no-cache');
};

To this:

header('X-LiteSpeed-Cache-Control: no-cache');

(ie. ALWAYS apply the header, regardless of guest/user status). But as a guest, I'm still getting X-LiteSpeed-Cache:hit

Anyway, here's the IP ban function. I'm pretty sure the area I put the header should work. I tried adding echo "test"; as well, and it definitely shows when the banned IP message is displayed, but no header

function verify_ip_ban()
{
    // make sure we can contact the admin
    if (THIS_SCRIPT == 'sendmessage' AND (empty($_REQUEST['do']) OR $_REQUEST['do'] == 'contactus' OR $_REQUEST['do'] == 'docontactus'))
    {
        return;
    }

    global $vbulletin;

    $user_ipaddress = IPADDRESS . '.';
    $user_alt_ipaddress = ALT_IP . '.';

    if ($vbulletin->options['enablebanning'] == 1 AND $vbulletin->options['banip'] = trim($vbulletin->options['banip']))
    {
        $addresses = preg_split('#\s+#', $vbulletin->options['banip'], -1, PREG_SPLIT_NO_EMPTY);
        foreach ($addresses AS $banned_ip)
        {
            if (strpos($banned_ip, '*') === false AND $banned_ip{strlen($banned_ip) - 1} != '.')
            {
                $banned_ip .= '.';
            }

            $banned_ip_regex = str_replace('\*', '(.*)', preg_quote($banned_ip, '#'));

            // Check both IP addresses, it doesnt really matter if they are the same.
            if (preg_match('#^' . $banned_ip_regex . '#U', $user_ipaddress) OR preg_match('#^' . $banned_ip_regex . '#U', $user_alt_ipaddress))
            {

                header('X-LiteSpeed-Cache-Control: no-cache');

                eval(standard_error(fetch_error('banip', $vbulletin->options['contactuslink'])));
            }
        }
    }
}

 

[NiteWave]

I don't under your php code well. but here's a more explanation of 'X-LiteSpeed-Cache-Control: no-cache'

1. it won't show up in the response header. it's internal header, when lsws receive this header from php script, it won't save the output as cache and won't pass the header to response headers which user can see it. while "X-LiteSpeed-Cache:hit" can be seen by user.

2. to know its exact behavior, can make a unit test.
step 1: hello.php
just one line: echo "hello";

step 2: .htaccess
RewriteEngine On
RewriteRule hello.php - [L,E=Cache-Control:max-age=300]

step 3:

now access hello.php a few times, you'll see the "X-LiteSpeed-Cache:hit" response header after 2nd visits.

step 4: wait for the cache expire. or just delete all folders/files under root of cache storage path

step 5: update hello.php

<?php
header('X-LiteSpeed-Cache-Control: no-cache');

echo "hello";
?>

now repeat step 3. you should never see "X-LiteSpeed-Cache:hit" in response headers.
also, can add
http_response_code(403)
to hello.php (for php >= 5.4.0), to do unit test on 403 and cache.

if unit test fails, need resolve it first before proceed.