• Resolved blindtexth

    (@blindtexth)


    Hi there,
    I am using NinjaFirewall (NFW) on many websites without any problems.

    Now I created a fresh new site with all the plugins I use normally.
    Unfortunately, activating Full WAF slows down the backend of the site to the point it is unusable. I can do exactly two things and then it stops. Sometimes I get an error: Secure Connection failed.

    I reinstalled everything clean and did not change any settings in NFW. After activating Full WAF – the same.

    What can that be? What can I do? And how can I revert to the setting before Full WAF?
    So far I did not find much information.

    Regards, Carsten

Viewing 15 replies - 1 through 15 (of 28 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Follow the documentation here

    If you want to downgrade from Full WAF to WordPress WAF mode, you need to remove the auto_prepend_file directive that was added to your PHP INI (php.ini or .user.ini) or .htaccess file.

    Try to put your blog into debugging mode and see if there’s anything wrong. Check “Site health” too.
    It may be due to a session error (conflict with another plugin or your theme that uses PHP sessions).
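To find the directive mentioned in the reply above, the following added example (not part of the original post and not NinjaFirewall's own code) walks from the WordPress directory up to the document root and lists every uncommented auto_prepend_file line in .user.ini, php.ini and .htaccess. The function name and the sample tree are constructed; it is relevant when WordPress lives in a subdirectory, because PHP reads .user.ini files in each directory up to the document root.

```bash
#!/usr/bin/env bash
# Added example: locate active auto_prepend_file directives that apply to a
# WordPress directory. Function name and demo paths are constructed.

# find_prepend WP_DIR DOC_ROOT
# Prints "file:line:text" for each uncommented directive found between
# WP_DIR and DOC_ROOT (inclusive).
find_prepend() {
    local dir="${1%/}" root="${2%/}" f
    while :; do
        for f in .user.ini php.ini .htaccess; do
            [ -f "$dir/$f" ] || continue
            # Lines starting with ';' (INI) or '#' (.htaccess) are comments
            # and do not match; both "auto_prepend_file = ..." and
            # "php_value auto_prepend_file ..." forms are reported.
            grep -nHE \
                '^[[:space:]]*(php_value[[:space:]]+)?auto_prepend_file([[:space:]=]|$)' \
                "$dir/$f" || true
        done
        [ "$dir" = "$root" ] && break
        # Move one level up, but never above the document root.
        case "$dir" in
            "$root"/*) dir="${dir%/*}" ;;
            *) break ;;
        esac
    done
    return 0
}

# Constructed sample: WordPress in a subdirectory, directive in the parent.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/htdocs/ALA"
    printf '%s\n' '; sample INI' ';auto_prepend_file = /old.php' \
        'auto_prepend_file = /constructed/path/firewall.php' > "$t/htdocs/.user.ini"
    printf '%s\n' '# BEGIN WordPress' 'RewriteEngine On' > "$t/htdocs/ALA/.htaccess"
    find_prepend "$t/htdocs/ALA" "$t/htdocs"
    rm -rf "$t"
}
demo
```

An empty result means no per-directory file sets the directive, which matches a troubleshooter line of "auto_prepend_file : none".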

    Thread Starter blindtexth

    (@blindtexth)

    Hi, thank you for your answer.

    In debug mode Site Health gave me this:

    cURL error 28: Operation timed out after 10001 milliseconds with 0 bytes received (http_request_failed)

    Let’s see, where this comes from.

    Thread Starter blindtexth

    (@blindtexth)

    What I’ve learned so far …

    PHP sessions created with session_start() function may cause issues with REST API and loopback requests due to cURL error 28.

    When I hide the htaccess it seems to work. Of course the login disappears.
    Since I have the WP-Install in a subdirectory, I guess I need the htaccess?

    As you can see, I am not THAT experienced …

    With NFW in debug mode I still have the same problems. Is there something that can be turned off within the settings of NFW?

    hm …

    Plugin Author nintechnet

    (@nintechnet)

    NinjaFirewall shouldn’t affect the REST API because it has some code to detect it.
    Do you have some specific rules in your .htaccess? By default, there should be those lines only:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    
    Thread Starter blindtexth

    (@blindtexth)

    In my .htaccess is only what you have shown. Nothing else is added.

    I showed, after I temporarily disabled .htaccess, that the problems recurred.

    Plugin Author nintechnet

    (@nintechnet)

    Can you try to search inside all PHP files located in your “wp-content/themes/” and “wp-content/plugins/” for session_start? If you find it, give me the name of the corresponding theme(s) or plugin(s).
    There may be a conflict with another plugin or your theme.

    Thread Starter blindtexth

    (@blindtexth)

    I found no traces of session_start inside “wp-content/themes/”

    But in “wp-content/plugins/” I found:
    wp-content/plugins/ninjafirewall/lib/firewall.php (1)
    wp-content/plugins/ninjafirewall/lib/utils.php (3)
    wp-content/plugins/ninjafirewall/uninstall.php (2)
    wp-content/plugins/ninjafirewall/ninjafirewall.php (3)

    The scan found also:
    wp-content/plugins/pods/classes/fields/pick.php (pods_session_start)
    wp-content/plugins/pods/classes/fields/file.php (pods_session_start)
    wp-content/plugins/pods/classes/PodsInit.php (pods_session_start)
    wp-content/plugins/pods/classes/PodsComponents.php (pods_session_start)
    wp-content/plugins/pods/classes/PodsAdmin.php (pods_session_start)
    wp-content/plugins/pods/includes/general.php (pods_session_start)
    wp-content/plugins/pods/includes/data.php (pods_session_start)
    wp-content/plugins/pods/vendor/freemius/wordpress-sdk/includes/class-freemius.php (XDEBUG_session_start)
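A plain text search for session_start also hits names such as pods_session_start and XDEBUG_session_start, as the list above shows. The following added example (not part of the original posts; function name and sample files are constructed) counts only direct session_start() calls per plugin folder, skipping longer identifiers and method calls.

```bash
#!/usr/bin/env bash
# Added example: count direct session_start() calls per plugin folder.
# Function name and sample files are constructed for illustration.

# find_session_start PLUGINS_DIR
# Prints "plugin<TAB>matching-lines", sorted by plugin name.
find_session_start() {
    local base="${1%/}"
    # The character before "session_start" must not be part of an identifier
    # (pods_session_start), a method call (->, ::) or a variable ($).
    # "@session_start(" and "\session_start(" still match.
    grep -rnE --include='*.php' \
        '(^|[^A-Za-z0-9_>:$])session_start[[:space:]]*\(' "$base" 2>/dev/null |
    awk -v base="$base/" '{
        path = substr($0, length(base) + 1)   # drop the plugins dir prefix
        split(path, part, "/")                # part[1] is the plugin folder
        n[part[1]]++
    } END { for (p in n) printf "%s\t%d\n", p, n[p] }' | sort
}

# Constructed sample tree: one real call in each plugin, plus lines that a
# substring search would report but that are not session_start() calls.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/plugins/pods/includes" "$t/plugins/example-plugin"
    printf '%s\n' '<?php' 'function pods_session_start() {' \
        '    @session_start();' '}' \
        > "$t/plugins/pods/includes/general.php"
    printf '%s\n' '<?php' '$h->session_start();' \
        '// XDEBUG_session_start' 'session_start ();' \
        > "$t/plugins/example-plugin/main.php"
    find_session_start "$t/plugins"
    rm -rf "$t"
}
demo
```

Calls inside comments or strings are still counted, so each reported plugin needs a look at the matching lines.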

    Yep, my admin is so slow too, but the security is worth it.

    Thread Starter blindtexth

    (@blindtexth)

    I agree … the security is essential.

    I might have found a work around for the moment:

    The Plugin “Native PHP Sessions for WordPress”
    and an added php-file: wp-content/mu-plugins/000-loader.php

    <?php
        require_once WP_PLUGIN_DIR . '/wp-native-php-sessions/pantheon-sessions.php';

    Plugin Author nintechnet

    (@nintechnet)

    I tried the “pods” plugin and there was no problem.

    Can you run the troubleshooter script and paste the result here?

    Thread Starter blindtexth

    (@blindtexth)

    Probably because it is different: pods_session_start ?

    At the moment it works (without WAF mode). I get only an error when I work in more than one window simultaneously.

    The result of the troubleshooter script:

    NinjaFirewall (WP edition) troubleshooter
    HTTP server 	: 	Apache/2.4.43 (Unix)
    PHP version 	: 	7.4.10
    PHP SAPI 	: 	CGI-FCGI
    auto_prepend_file 	: 	none
    wp-config.php 	: 	found in /mnt/web405/c1/84/54427784/htdocs/ALA/wp-config.php
    NinjaFirewall detection 	: 	NinjaFirewall WP Edition is loaded (WordPress WAF mode)
    Loaded INI file 	: 	/opt/RZphp74/etc/php.ini
    user_ini.filename 	: 	.user.ini
    user_ini.cache_ttl 	: 	300 seconds
    User PHP INI 	: 	none found
    DOCUMENT_ROOT 	: 	/home/strato/http/premium/rid/77/84/54427784/htdocs
    ABSPATH 	: 	/mnt/web405/c1/84/54427784/htdocs/ALA/ (ABSPATH != DOCUMENT_ROOT)
    WordPress version 	: 	5.5.1
    WP_CONTENT_DIR 	: 	/mnt/web405/c1/84/54427784/htdocs/ALA/wp-content
    Plugins directory 	: 	/mnt/web405/c1/84/54427784/htdocs/ALA/wp-content/plugins
    User Role 	: 	Administrator
    User Capabilities 	: 	manage_options: OK - unfiltered_html: OK
    Log dir permissions 	: 	/mnt/web405/c1/84/54427784/htdocs/ALA/wp-content/nfwlog dir is writable
    Cache dir permissions 	: 	/mnt/web405/c1/84/54427784/htdocs/ALA/wp-content/nfwlog/cache dir is writable

    Plugin Author nintechnet

    (@nintechnet)

    I found that code in Pods:
    https://plugins.trac.www.ads-software.com/browser/pods/trunk/includes/general.php#L2583

    if ( '' !== session_id() ) {
            // Check if session ID is already set.
            // In separate if clause, to also check for non-file based sessions.
            return false;
    }

    // Start session
    @session_start();

    return true;
    

    That may be the problem. Using session_id() to check for a PHP session was fine up to PHP 5.3, but since 5.4 session_status should be used.
    Can you try to edit that file and replace the above lines of code with these:

    if (! function_exists('session_status') ) { // PHP <5.4
       if ( session_id() !== '' ) {
          return false;
       }
    } else {
       if ( session_status() === PHP_SESSION_ACTIVE ) { // PHP >=5.4
          return false;
       }
    }
    // Start session
    @session_start();
    return true;
    
    Thread Starter blindtexth

    (@blindtexth)

    ok … I edited the file but the backend is still painfully slow …

    Around 50 seconds per action or click …

    @blindtexth If you’re having trouble with Pods sessions, and you don’t use them, you can disable it. Set that in the wp-config.php with this: define( 'PODS_SESSION_AUTO_START', false );

    @nintechnet We’ll address that compatibility issue in our upcoming bug fix release.

    FYI — PHP sessions in Pods are used for anonymous submission support, only when you use Pods public forms. So it’s likely you don’t use them and we are already working on a smarter way to deal with this without having sessions on by default.

  • The topic ‘Full WAF slows down backend?’ is closed to new replies.