Image Optimization Not Working

v3.x of the plugin uses WordPress’ Rest API (/wp-json/litespeed/v1/notify_img to be specific) to do callbacks.

Your site seems to be blocking this callback:

{"code":"rest_not_logged_in","message":"You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted.","data":{"status":401}}

If you have anything that restricts access to the REST API, then you have to allow /wp-json/litespeed calls.

@lucasrolff

Thanks for the feedback.

For security reasons we have the following code on our site:

//Restricts REST API Access
add_filter( ‘rest_authentication_errors’, function( $result ) {
if ( ! empty( $result ) ) {
return $result;
}
if ( ! is_user_logged_in() ) {
return new WP_Error( ‘rest_not_logged_in’, ‘You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted.’,
array( ‘status’ => 401 ) )

Our site gets viciously attack on a daily basis via REST API.

Under LiteSpeed V 2.9 Restricting API was not at issue at all, including image optimization.

Is there a way to “Whitelist” the REST API calls from LiteSpeed That we can implement in our code shown above?

Giving everyone access to REST API is not a solution for us.

Best regards,

Hi,

Perhaps this topic helps ,you can get our IPs here

Best regards,

@qtwrk

Thanks for the information. Let me look into this and see how it goes.

Regarding your IP list. Do I need to use every single IP? the reason I am asking is because I ran your IPs trough an IP abuse database and it flagged some of the IPs.

https://www.abuseipdb.com/check/185.149.235.173
https://www.abuseipdb.com/check/199.59.247.242
https://www.abuseipdb.com/check/94.75.232.90
https://www.abuseipdb.com/check/212.162.151.34
https://www.abuseipdb.com/check/18.188.223.222

Best regards,

Hi,

That might be the “good thing ” done by previous owner , as you know , our nodes are hosted on DO or AWS and some are from donation of providers, many people might have used that IP before we do and leave some bad record.

Yes, you should whitelist all of them.

Best regards,

@qtwrk

Thanks for the explanation.

Let me give it a try and see how it goes.

Best regards

Hi,

Please let us know if image opt works now or not

Best regards,

I am still testing, I have not managed to work yet.

If we can’t get it to work, we might give up on the image optimization. The Security of REST API is too important for us.

Best regards,

Hi,

They are many ways to secure it , something like

RewriteCond %{REMOTE_ADDR} ....our IPs....
RewriteCond %{REQUEST_URI} wp-json
RewriteRule .* - [F]

if it requests wp-json and doesn’t come from designated IP , 403s it.

I am sure there are also some plugins or code snippet to get same effect.

Best regards,

@qtwrk

Hello,

We were able to make it work using the format suggested here:
https://www.ads-software.com/support/topic/restrict-rest-api-access-2/

But in the process it breaks other plugins that uses REST API in a different way than LiteSpeed does, like for example the plugin “Redirection”, it completely breaks it.

So we are back to square 1. We don’t have image optimization.

We were so happy with version 2.9 of this plugin everything worked from the get go.
You would think that with the enterprise version of the LiteSpeed Server that we have these REST API calls could run in the background as a core function, but I guess this is not how it all works.

Best regards,

Hi,

So when you use

//Restricts REST API Access
add_filter( ‘rest_authentication_errors’, function( $result ) {
if ( ! empty( $result ) ) {
return $result;
}
if ( ! is_user_logged_in() ) {
return new WP_Error( ‘rest_not_logged_in’, ‘You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted.’,
array( ‘status’ => 401 ) )

your redirection plugins works without problem ?

Best regards,

@qtwrk

Hi,

That is correct. Redirection plugin has been working for the past 2 years with the code above.

Best regards,

Hi,

For your situation , we added a new API.

Please upgrade to v3.2.3 RC2 or wait for new release, and then change your code

from

if ( ! is_user_logged_in() ) {

to

if ( ! is_user_logged_in() && ( ! defined( 'LSCWP_V' ) || ! apply_filters( 'litespeed_is_from_cloud', false ) ) ) {

this will add a check to incoming IP , if it is not from our nodes , it will be 401 by your following code.

Best regards,

@qtwrk

Hello,

Thanks for the information and feedback.

I am going to wait for the new release just to make things simple on my end and I will make sure to add the new modified code that you have suggested here after the update

Many thanks for developing a solution to this.

Best regards,

Hi,

New version has been released

Best regards,