Domain Key issue on v6.2 – Explained & Solution
-
Since v6.2.x, some users have reported issues with generating the domain key.
This is not a bug, but a misconfiguration on the hosting server.
The reason for this issue is because, in v6.2, we added IP verification for incoming requests to our REST API endpoint (
?rest_route=/litespeed/v1/xxx
). In some cases, when the site is behind a reverse proxy, typically a CDN service, the plugin will not be able to see the remote address from which the request originated, resulting in a 401 error.For LiteSpeed webservers, there is an option called
Use Client IP in Header
. This allows the PHP script to see the true remote address instead of the proxy server IP.However, if this option is not correctly configured, the plugin will only see the proxy server IP instead of our server’s IP for IP verification.
For example:
Our servers (1.1.1.1) -> Reverse proxy server or CDN server (2.2.2.2) -> Origin server IP (3.3.3.3) -> PHP script
With the
Use Client IP in Header
option properly configured:In this case, the PHP script will be able to see that the request came from IP 1.1.1.1 instead of 2.2.2.2.
Without the
Use Client IP in Header
option properly configured:In this case, the PHP script will only see that the request came from IP 2.2.2.2 (the proxy server) instead of our IP, leading to verification failure due to IP mismatch.
Similarly, the Apache server also hasmod_remoteIP
to address such issues and get the client IP behind the proxy.To properly fix this, please contact your hosting provider and kindly forward them this topic to understand the cause and solution.
How to Verify if This is Causing Your Issue with Domain Key Generation:
Go to LiteSpeed Cache -> Toolbox -> Debug Settings:
Set Debug Log to ON.
Set Debug Level to Advanced.
Add litespeed/v1/token to Debug URI Includes.Go to LiteSpeed Cache -> Toolbox -> Log View, and click Clear Logs if there are any existing logs.
Go to LiteSpeed Cache -> General and request/refresh the domain key.
Wait for 10 minutes, then go back to LiteSpeed Cache -> Toolbox -> Log View.
Check the logs for entries related to the domain key generation request.
For example, the query string indicates this is the correct log about the request for domain key generation:
05/18/24 13:46:36.074 [172.69.70.184:17690 1 MqA] :heartbeat: ------POST HTTP/1.1 (HTTPS) / 05/18/24 13:46:36.074 [172.69.70.184:17690 1 MqA] Query String: rest_route=/litespeed/v1/token 05/18/24 13:46:36.074 [172.69.70.184:17690 1 MqA] User Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; qcbot/1.0; +https://quic.cloud/bot.html) Chrome/112.0.0.0 Safari/537.36 ... ... ... 05/18/24 13:46:36.768 [172.69.70.184:17690 1 MqA] :snowflake: :x: Not our cloud IP
In this case, I was sending a request from one of our IPs (https://quic.cloud/ips), but 172.69.70.184 is the reverse proxy server, and the PHP script only sees this IP instead of the actual client that sent the request.
This issue is due to server misconfiguration, causing our plugin to fail to get the real remote IP address for verification.
Solution:
1) As the most optimal solution, kindly ask your provider to enable the option “Use Client IP in Header”.
2) Edit the file /wp-content/plugins/litespeed-cache/src/rest.cls.php at line 150, and change // return true; to return true;.
This will make the behavior the same as in v6.1 by removing the IP verification.
- The topic ‘Domain Key issue on v6.2 – Explained & Solution’ is closed to new replies.