Steve Cunningham

I am also seeing this red bar and “Forbidden” in all of my sites on Cloudflare. These sites are on Digital Ocean servers, managed by Server Pilot IO. SP sets up the DO servers on Apache, with nginx doing the transactions on the back. So I also suspect it’s in the API. BTW, after installing the 3.3.2’s, I rolled back to 3.3.1. Same results, including the endless load on Analytics.

Just a note of thanks and to confirm that version 3.0.5 now appears to be fully functional on all my sites that don’t use InfiniteWP. I had many of the other problems with earlier versions, but 3.0.5 seems to have nailed it.

I know it ain’t done for every case. But thanks for the hard work; it is both admired and appreciated.

Best,
Steve C.

Glad to hear there’s an answer that makes sense.

Sounds like someone from Cloudflare will need to have a convo with someone from infinitewp.com. According to www.ads-software.com, IWP have 400,000+ active installs and 1.9m downloads of the client.

Someone needs to have a convo and change some code, methinks.

And it’s entirely possible that some other plugin out there may also make use of php://input, and it just hasn’t been seen yet.

Okay, more news regarding the site on PHP7.0.10 with CF 3.0.3. Disabled all other plugins, no change. Disabled CF and re-activated it and it threw a fatal error (red box at the top of Plugins admin page). Couldn’t disable it again, had to remove it and reinstall new. Still threw fatal error. Went to CF site and purged all files, then tried with no other plugs enabled. Now it’s asking for credentials at the top of the screen. Tried to activate and it’s still throwing a fatal error. Removed and reinstalled, still with no other plugs. Can’t get out of this loop, and re-purging doesn’t fix it.

Fully deleted the IWP plug, trying to install and activate CF. Still throwing the fatal error. Unfortunately still lots of possibilities. Console shows JQMIGRATE: Migrate is installed, version 1.4.1 with an error
‘//@ sourceURL’ and ‘//@ sourceMappingURL’ are deprecated, please use ‘//#sourceURL=’ and ‘..# sourceMappingURL=’ instead. Incidentally, had a problem with and older theme tonite that also involved JQMIGRATE, which IIRC was introduced in WP 4.6 and here it is again. Feels like a JS problem now.
If you’ll tell me what you need from Developer Tools I’ll give you the info at failure time.

Two steps forward, one step back…

Okay, I’ve found the problem on two different sites running 3.0.3 on PHP 5.3.10.

It’s the Infinite WP management plugin. As soon as I deactivate it the CSRF Token disappears and doesn’t return under any conditions. I activated all the normal plugs (I’ll get you a list tomorrow) and the CF plug still works like a champ.

However, the site running 7.0.10 now has the “I can’t select an active zone and all the buttons on the CF screen are dead” problem. I’ve already disabled the IWP plug with no improvement.

I’ll try disabling all other plugs again.

• This reply was modified 8 years, 6 months ago by Steve Cunningham. Reason: replaced more bad news with some good. That's okay, right?

Stoopid editor keeps cutting off long lines:

{value: “off”, cfCSRFToken: “1f866ac472”,…}
cfCSRFToken
:
“1f866ac472”
proxyURL
:
“https://api.cloudflare.com/client/v4/zones/55a08c63de1e6bec63fe9193197aab61/settings/always_online”
value
:
“off”

Done. (BTW, it’s line 47 in proxy.php).

Cleared caches, logged out and in to site. No change in behavior.

Here’s the Request Payload, parsed:

{“value”:”off”,”cfCSRFToken”:”1f866ac472″,”proxyURL”:”https://api.cloudflare.com/client/v4/zones/55a08c63de1e6bec63fe9193197aab61/settings/always_online”}

Is there anything else I can examine to help you understand what’s going wrong here? (yes, I understand you’re kinda busy now).

The request payload, as source:
{“value”:”on”,”cfCSRFToken”:”8c4dbd1c4a”,”proxyURL”:”https://partners.cloudflare/plugins/plugin/55a08c63de1e6bec63fe9193197aab61/settings/plugin_specific_cache”}

Response Headers
access-control-allow-credentials:true
access-control-allow-origin:https://65chero.com
cache-control:no-cache, must-revalidate, max-age=0
cf-ray:2e489fbabc514722-EWR
content-encoding:gzip
content-type:application/json
date:Sun, 18 Sep 2016 23:37:08 GMT
expires:Wed, 11 Jan 1984 05:00:00 GMT
server:cloudflare-nginx
status:200
x-content-type-options:nosniff
x-frame-options:SAMEORIGIN
x-powered-by:PHP/5.3.10-1ubuntu3.24
x-robots-tag:noindex

Request Headers
:authority:65chero.com
:method:PATCH
:path:/wp-admin/admin-ajax.php?action=cloudflare_proxy
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, sdch, br
accept-language:en-US,en;q=0.8
content-length:161
content-type:application/json
cookie:wordpress_310142781ea73d9d3e9aa09f8a7b34a4=synthman%7C1475119997%7CzFgZ5I8lpfKJPitpgQPJAX0BLSNniU539HHQ6Alh7jE%7Cd3f727dc2c72eb6eb645ae3d69af4d85a4831bf25921d782956c2e5426b015a1; wordpress_sec_655473845d827a39cf0bb85b02dc7121=synthman%7C1475261097%7CI37vuCZlRJOI4b32dBrjXsNQ3ROzR1oPjFraw9CKYX8%7Ce4f076c4b346837ae26157deaab9f033ced2556f0b6eea9af3adca12a80d2c98; wordpress_logged_in_310142781ea73d9d3e9aa09f8a7b34a4=synthman%7C1475119997%7CzFgZ5I8lpfKJPitpgQPJAX0BLSNniU539HHQ6Alh7jE%7Cea181a5e568b6109907bd01bd6c74442e7f7aad0de35a38eb922680b465bda27; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_655473845d827a39cf0bb85b02dc7121=synthman%7C1475261097%7CI37vuCZlRJOI4b32dBrjXsNQ3ROzR1oPjFraw9CKYX8%7C069a24bbc7405e68b08b994010c313109f5979370997dfafd706a56a6bca39f5; __cfduid=d4f8825d883e53e78f2cb9e90de7d2fc81474051498; wp-settings-3=editor%3Dtinymce%26mfold%3Do; wp-settings-time-3=1474064463
dnt:1
origin:https://65chero.com
referer:https://65chero.com/wp-admin/options-general.php?page=cloudflare
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.113 Safari/537.36

Query String Parameters
action=cloudflare_proxy

Yes it is:

Request contents

Request URL:https://65chero.com/wp-admin/admin-ajax.php?action=cloudflare_proxy
Request Method:PATCH
Status Code:200
Remote Address:104.27.130.226:443
Response Headers
access-control-allow-credentials:true
access-control-allow-origin:https://65chero.com
cache-control:no-cache, must-revalidate, max-age=0
cf-ray:2e485745afa94722-EWR
content-encoding:gzip
content-type:application/json
date:Sun, 18 Sep 2016 22:47:39 GMT
expires:Wed, 11 Jan 1984 05:00:00 GMT
server:cloudflare-nginx
status:200
x-content-type-options:nosniff
x-frame-options:SAMEORIGIN
x-powered-by:PHP/5.3.10-1ubuntu3.24
x-robots-tag:noindex
Request Headers
:authority:65chero.com
:method:PATCH
:path:/wp-admin/admin-ajax.php?action=cloudflare_proxy
:scheme:https
accept:*/*
accept-encoding:gzip, deflate, sdch, br
accept-language:en-US,en;q=0.8
content-length:161
content-type:application/json
cookie:wordpress_310142781ea73d9d3e9aa09f8a7b34a4=synthman%7C1475119997%7CzFgZ5I8lpfKJPitpgQPJAX0BLSNniU539HHQ6Alh7jE%7Cd3f727dc2c72eb6eb645ae3d69af4d85a4831bf25921d782956c2e5426b015a1; wordpress_sec_655473845d827a39cf0bb85b02dc7121=synthman%7C1475261097%7CI37vuCZlRJOI4b32dBrjXsNQ3ROzR1oPjFraw9CKYX8%7Ce4f076c4b346837ae26157deaab9f033ced2556f0b6eea9af3adca12a80d2c98; wordpress_logged_in_310142781ea73d9d3e9aa09f8a7b34a4=synthman%7C1475119997%7CzFgZ5I8lpfKJPitpgQPJAX0BLSNniU539HHQ6Alh7jE%7Cea181a5e568b6109907bd01bd6c74442e7f7aad0de35a38eb922680b465bda27; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_655473845d827a39cf0bb85b02dc7121=synthman%7C1475261097%7CI37vuCZlRJOI4b32dBrjXsNQ3ROzR1oPjFraw9CKYX8%7C069a24bbc7405e68b08b994010c313109f5979370997dfafd706a56a6bca39f5; __cfduid=d4f8825d883e53e78f2cb9e90de7d2fc81474051498; wp-settings-3=editor%3Dtinymce%26mfold%3Do; wp-settings-time-3=1474064463
dnt:1
origin:https://65chero.com
referer:https://65chero.com/wp-admin/options-general.php?page=cloudflare
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.113 Safari/537.36
Query String Parameters
view source
view URL encoded
action:cloudflare_proxy
Request Payload
view source
{value: “on”, cfCSRFToken: “8c4dbd1c4a”,…}
cfCSRFToken
:
“8c4dbd1c4a”
proxyURL
:
“https://partners.cloudflare/plugins/plugin/55a08c63de1e6bec63fe9193197aab61/settings/plugin_specific_cache”
value
:
“on”

• This reply was modified 8 years, 6 months ago by Steve Cunningham. Reason: add text for response

CF request response

Sorry for the break… life is still in session.

Think I found something. When I click a button there’s a single ajax request, status 200, type xhr. When I expose the the request I see this:

{result: null, success: false, errors: [{code: “”, message: “CSRF Token not valid.”}], messages: []}
errors
:
[{code: “”, message: “CSRF Token not valid.”}]
0
:
{code: “”, message: “CSRF Token not valid.”}
code
:
“”
message
:
“CSRF Token not valid.”
messages
:
[]
result
:
null
success
:
false

So the token is getting lost or munged somewhere in there…

Thanks for clarification.

Yup, I get “f33289b5e2”. So the token is there.

Dunno if it helps, but here’s the output just prior.

action @ 21:11:52.405 PLUGIN_SETTINGS_FETCH_SUCCESS
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “id” values. Using the earlier value. 921d66affa2478612f14bf7ee2c30322 c46cd410c7887ca0315ae6b36e02384a
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “type” values. Using the earlier value. A MX
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “content” values. Using the earlier value. 108.174.63.162 mx.hover.com.cust.hostedemail.com
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “proxiable” values. Using the earlier value. true false
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “proxied” values. Using the earlier value. true false
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “modified_on” values. Using the earlier value. 2016-04-13T15:16:52.403860Z 2016-04-13T15:16:52.438206Z
compiled.js:16363 When merging two 55a08c63de1e6bec63fe9193197aab61, found unequal data in their “created_on” values. Using the earlier value. 2016-04-13T15:16:52.403860Z 2016-04-13T15:16:52.438206Z
compiled.js:64362 action @ 21:11:52.597 DNS_RECORD_FETCH_LIST_SUCCESS
compiled.js:36236 Only a single Gateway can be rendered at a time into a GatewayDest.You rendered multiple into “modal”
compiled.js:64362 action @ 21:11:52.623 ZONE_FETCH_SETTINGS_SUCCESS
compiled.js:64362 action @ 21:11:52.676 ZONES_RAILGUNS_FETCH_ALL_SUCCESS
compiled.js:64362 action @ 21:11:53.513 ZONE_FETCH_ANALYTICS_SUCCESS
cfCSRFToken
“f33289b5e2”

• This reply was modified 8 years, 6 months ago by Steve Cunningham. Reason: added console output

Hoping I’ve done this correctly. In the console I wrote a bit of php

<?php
var_dump ( $cfCSRFToken );
?>

Out of this I get nothing but NULL. Which actually makes some sense from the log above this. Any ideas? or did I just prove that my php is about a good as my skills at brain surgery? I’m self-taught…

I found one set of PHP errors in the log from a couple hours ago. Maybe it will help. It appears that the auth email addy is not arriving:

2016/09/16 16:02:11 [error] 14370#14370: *58 FastCGI sent in stderr: “PHP message: [CloudFlare] ERROR: [CLIENT API] Array
(
[type] => request
[method] => GET
[path] => zones/
[headers] => Array
(
[X-Auth-Key] =>
[X-Auth-Email] =>
[Content-Type] => application/json
)

[params] => Array
(
)

[body] => Array
(
[cfCSRFToken] =>
)

)

PHP message: [CloudFlare] ERROR: [CLIENT API] Array
(
[type] => response
[reason] => Forbidden
[code] => 403
[body] => Missing X-Auth-Email header
[stacktrace] => #0 /srv/www/65chero/public_html/wp-content/plugins/cloudflare/vendor/guzzle/guzzle/src/Guzzle/Http/Message/Request.php(145): Guzzle\Http\Exception\BadResponseException::factory(Object(Guzzle\Http\Message\Request), Object(Guzzle\Http\Message\Response))
#1 [internal function]: Guzzle\Http\Message\Request::onRequestError(Object(Guzzle\Common\Event), 'request.error', Object(Symfony\Component\EventDispatcher\EventDispatcher))
#2 /srv/www/65chero/public_html/wp-content/plugins/cloudflare/vendor/symfony/event-dispatcher/EventDispatcher.php(184): call_user_func(Array, Object(Guzzle\Common\Event), 'request.error', Object(Symfony\Component\EventDispatcher\EventDispatcher))
#3 /srv/www/65chero/public_html/wp-content/plugins/cloudflare/vendor/symfony/event-dispatcher/EventDispatcher.php(46): Symfony\Component\EventDispatcher\EventDispatc...
PHP message: [CloudFlare] ERROR: Missing X-Auth-Email header
PHP message: PHP Warning: Invalid argument supplied for foreach() in /srv/www/65chero/public_html/wp-content/plugins/cloudflare/src/WordPress/WordPressAPI.php on line 138" while reading response header from upstream, client: 108.162.219.248, server: https://www.65chero.com, request: "POST /wp-admin/admin-ajax.php?action=cloudflare_proxy HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "65chero.com", referrer: "https://65chero.com/wp-admin/options-general.php?page=cloudflare"

Maybe that will help you. I have a few dev plugs; if I knew what I was looking for perhaps I could find the trouble.

Refreshing does not fix the error. Cleared all browser caches, purged all site caches manually at the CF site, logged out of CF site, no change.

Doesn’t matter what setting I try to change — I get the CSRF Token not valid message. PHP is 5.3 (5.3.10-1ubuntu3.24), could that be the problem? I can try it on a site with PHP 7.