rafaelmagic
Forum Replies Created
Followed this guide:
https://www.danielmiessler.com/blog/changing-your-server-headers-using-varnish
Added the following lines to my default config
sub vcl_deliver {
    remove resp.http.Via;
    remove resp.http.X-Cacheable;
    remove resp.http.X-Powered-By;
    remove resp.http.X-Varnish;
    remove resp.http.magicmarker;
    remove resp.http.Age;
}
Putty:
curl -I https://yoursite.com
Headers Gone. Checked mysite.com/wp-login.php
Still have the message at wp-login.php
array(1) { [0]=> string(24) "X-Powered-By: PHP/5.4.27" }
Then I uninstalled Nginx and Varnish and still have the message.
Sorta funny. =)
———————————-
Running Apache Only
Tried to “Test Firewall Configuration”, it looped back to start.
However it did not white screen, before it did with a .user.ini
—————————
So something in Apache is setting this header:
array(1) { [0]=> string(24) "X-Powered-By: PHP/5.4.27" }
Weird… Or maybe I am doing something wrong…
I added it to NGinx and it wasn’t it.
I think it’s Varnish.
I will uninstall Varnish and test the header tonight.
If it doesn’t work with Varnish, you might want to mention it in a FAQ. =)
I got 3 entries about “Headers Already Sent”..
array(1) { [0]=> string(24) "X-Powered-By: PHP/5.4.27" }
————————————————–
#1
Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /home/user/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php:2) in /home/user/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 18
Line 18: if (!session_id() ) { session_start(); }
——————————————————
#2
Warning: Cannot modify header information – headers already sent by (output started at /home/user/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php:2) in /home/user/public_html/wp-login.php on line 414
Line 414: header('Content-Type: '.get_bloginfo('html_type').'; charset='.get_bloginfo('charset'));
———————————————————-
#3
Warning: Cannot modify header information – headers already sent by (output started at /home/user/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php:2) in /home/mamagi75/public_html/wp-login.php on line 426
Line 426: setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
—————————————
I was looking at the NGinx Instruction and I can install Php-fpm since I am running FCGI already. Maybe using the socket will help….
Instead of messing with Varnish or whitelisting IP’s.
I’m going to mess with Nginx config instead.
Trying to get the .user.ini line to nginx. Maybe that will solve the header problem.
auto_prepend_file = /home/user/public_html/wp-content/plugins/ninjafirewall/lib/firewall.php
But can’t find any reference code.
Already tried multiple code =(
Just thinking.
Is there a custom code for the plugin so it could run without being the first sent out headers?
Varnish caches the dynamic websites in ram. Normally it strips out the cookies and sends out headers.
I have Varnish, NGinx and Apache in reverse proxy.
I will disable Varnish late at night when traffic is slow.
If that’s the problem, I have to figure out a workaround.
I’m smart but I am not sure if I’m that smart. ??
I was also thinking of whitelisting the server IP. Will that solve anything?
Ideally, it would be better for me to use the server-internal php.ini to prepend Ninja Firewall as a security measure.
None of the logs have any entries.
For example.
I just added a .user.ini to the home/user/public_html
and NinjaCheck.php
Outputs a warning:
Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /home/domain/public_html/ninjacheck.php:25) in /home/domain/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 45
Which is "if (! session_id() ) { session_start(); }"
My Headers are already sent out, in a clean install of WordPress and only Ninja Firewall.
So now since I am using Varnish Cache. I got to experiment with it.
Be right back………..
Update 4/19
Decided to use the VPS Server php.ini
Deleted user.ini
Added
auto_prepend_file = /home/domain/public_html/wp-content/plugins/ninjafirewall/lib/firewall.php
to server php.ini
Changed lines in .htaccess to server php.ini
and
Changed line 744 & 755 in ninjafirewall.php
Restarted Apache. No luck.
I think the plugin might need code to use the internal php.ini for certain hosting environments.
No other Mod Security Rules triggered. WHM updated, tweaked some settings.
I recompiled Apache with Easy Apache. Still running FCgi.
In ninjafirewall.php I commented out lines 43, 44 and 46, even with lines working.
NinjaCheck is saying “Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /home/domain/public_html/ninjacheck.php:25) in /home/domain/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 45”
Don’t have any plugins besides Ninja.
Whitelist Mod Security Rules that are being triggered by Ninja Firewall:
In Putty run:
grep YourDomain.com /usr/local/apache/logs/error_log | grep ModSecurity
*Change Domain and path to apache error logs per your environment.
Look for any triggered rules:
Here is a sample;
[Wed Apr 16 20:28:58 2014] [error] [client 23.243.248.121] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "varchar" at ARGS:nfw_conf_arr[phpini_data].
[file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "614"] [id "211040"] [msg "COMODO WAF: Blocking SQL injection"] [data "varchar"] [severity "CRITICAL"]
[hostname "www.YourDomain.com"] [uri "/wp-admin/admin.php"] [unique_id "U08gSsDSw-EAAHXmcN8AAAAM"]
Look for ARGS: nfw_conf_arr (nfw=ninja firewall).
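The log check described above, as an added example that is not part of the original post: a shell function that reduces Apache error_log text to the ModSecurity rule ids that denied requests carrying NinjaFirewall's nfw_ form fields, so only those ids need reviewing. The function names, the 900001 entry, the nfw_example argument and the sample host, IP and unique_id values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise which ModSecurity
# rules denied requests that carried NinjaFirewall form fields (ARGS:nfw_...).

# Reads Apache error_log text on stdin.
# Prints one line per rule and argument: "<hits> <rule id> <argument> <msg>".
nfw_modsec_hits() {
    grep 'ModSecurity: Access denied' |
    grep 'ARGS:nfw_' |
    sed -n 's/.* at ARGS:\(nfw_[^ ]*\)\. .*\[id "\([0-9][0-9]*\)"].*\[msg "\([^"]*\)"].*/\2 \1 \3/p' |
    sort | uniq -c | sort -rn |
    sed 's/^ *//'
}

# Constructed sample in the error_log layout shown in the post, one entry
# per line. Rule 211040 is the id from the post; 900001, nfw_example and the
# host/IP/unique_id values are made up for this example.
sample_log() {
    cat <<'EOF'
[Wed Apr 16 20:28:58 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "varchar" at ARGS:nfw_conf_arr[phpini_data]. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "614"] [id "211040"] [msg "COMODO WAF: Blocking SQL injection"] [data "varchar"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wp-admin/admin.php"] [unique_id "constructed-0001"]
[Wed Apr 16 20:31:12 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "varchar" at ARGS:nfw_conf_arr[phpini_data]. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "614"] [id "211040"] [msg "COMODO WAF: Blocking SQL injection"] [data "varchar"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wp-admin/admin.php"] [unique_id "constructed-0002"]
[Wed Apr 16 20:33:40 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "select" at ARGS:nfw_example[field]. [file "/path/to/constructed.conf"] [line "10"] [id "900001"] [msg "Constructed sample rule"] [data "select"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wp-admin/admin.php"] [unique_id "constructed-0003"]
[Wed Apr 16 20:35:02 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "varchar" at ARGS:s. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "614"] [id "211040"] [msg "COMODO WAF: Blocking SQL injection"] [data "varchar"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "constructed-0004"]
[Wed Apr 16 20:36:15 2014] [error] [client 192.0.2.10] File does not exist: /home/user/public_html/favicon.ico
EOF
}

# Denials on other arguments (ARGS:s) and non-ModSecurity errors are left out.
# On a server: nfw_modsec_hits < /usr/local/apache/logs/error_log
sample_log | nfw_modsec_hits
```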
After whitelisting 4 rules. I am getting a 500 Internal Server Error.
Surprisingly when I use a php.ini file and not a .user.ini, I get to the “Test Ninja Configuration” button and it loops back to the beginning.
Almost there.
I don’t think that my server is restricted. It’s a brand new install of WP with only your plugin.
I am running CSF Firewall and Mod Security. Can’t find any Rules.
My VPS is running CentOS, WHM and Cpanels. I have root access.
Running FCGI, PHP Version 5.4.26
memory_limit= 256mb
What Server Modules, php settings, session settings are needed to enable Ninja Firewall?
I understand about the Holidays. If you’re not on Holiday do you have any suggestions for:
Warning: session_start(): Cannot send session cookie – headers already sent by (output started at /home/directory/public_html/ninjacheck.php:25) in /home/directory/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 45
Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /home/directory/public_html/ninjacheck.php:25) in /home/directory/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 45
OK.
So I installed WP to brand new domain and the Only plugin is Ninja Firewall.
I commented out lines 43, 44 and 46.
In NinjaCheck.php I get the following 2 messages referencing Line 45:
Warning: session_start(): Cannot send session cookie – headers already sent by (output started at /home/directory/public_html/ninjacheck.php:25) in /home/directory/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 45
Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /home/directory/public_html/ninjacheck.php:25) in /home/directory/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 45
I also sent a request for install help thru your site. I may just have a funky system that needs your help.
NinjaCheck (auto prepend disabled):
NinjaFirewall (WP edition) troublershooter v1.01
========================== %< ============================
HTTP server: Apache
PHP version: 5.4.26
PHP SAPI: CGI-FCGI
Loaded INI file: /home/directory/public_html/.user.ini
auto_prepend_file: none (
user_ini.filename: .user.ini
user_ini.cache_ttl: 300
user INI: .user.ini found
PHPRC: /home/directory/public_html/.user.ini
DOCUMENT_ROOT: /home/directory/public_html
wp-config.php: found
Warning: Cannot modify header information – headers already sent by (output started at /home/directory/public_html/ninjacheck.php:25) in /home/directory/public_html/wp-content/plugins/mainwp-child/mainwp-child.php on line 10
Warning: Cannot modify header information – headers already sent by (output started at /home/directory/public_html/ninjacheck.php:25) in /home/directory/public_html/wp-content/plugins/wp-super-cache/wp-cache-phase2.php on line 91
Warning: session_start(): Cannot send session cache limiter – headers already sent (output started at /home/directory/public_html/ninjacheck.php:25) in /home/directory/public_html/wp-content/plugins/ninjafirewall/ninjafirewall.php on line 45
ABSPATH: /home/directory/public_html/
WP version: 3.8.2
WP_CONTENT_DIR: /home/directory/public_html/wp-content
========================== %< ============================
I then checked your FAQ.
https://ninjafirewall.com/wordpress/help.php#troubleshooting
Blank page after installing NinjaFirewall :
In some cases, right after installing it, you may get a blank page and/or the following error message :
Warning: session_start() [function.session-start]: Cannot send session cache limiter – headers already sent (output started at …/…/wp-content/plugins/ninjafirewall/lib/firewall.php…
The problem may come from your PHP session save handler (session.save_handler) configuration which is not set up to use files.
HERE IS MY SESSIONS from phpinfo:
session.auto_start Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file /dev/urandom /dev/urandom
session.entropy_length 32 32
session.gc_divisor 100 100
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 4 4
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /home/directory/public_html/tmp/ /home/directory/public_html/tmp/
session.serialize_handler php php
session.upload_progress.cleanup On On
session.upload_progress.enabled On On
session.upload_progress.freq 1% 1%
session.upload_progress.min_freq 1 1
session.upload_progress.name PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix upload_progress_ upload_progress_
session.use_cookies On On
session.use_only_cookies On On
session.use_trans_sid 0 0
Any further advice?