Introduction
I was browsing Facebook one day and had some mentions on a post about Cloudflare, Siteground and a redirect issue. Here’s the post.
Solution – Disable Siteground AI Firewall
When you’re using Siteground, they have their firewall on all sites they host. That makes sense: why would you not have something in place to stop resource-wasting attacks? The problem comes when you already have a service doing something similar or different, such as Cloudflare.
The issue wasn’t repeatable; it only happened after a specific amount of time, and then disabling and re-enabling Cloudflare fixed the issue. After sitting down and reviewing everything: plugins, headers and Cloudflare configuration, I decided to wait for the issue to occur. When the issue did occur, it all made sense.
Unfortunately, in this screenshot I didn’t capture the first request, but you can see that the first request is for the domain name with www, and the next request moves to “/.well-known/captcha/?r=%2f”, which then goes back to the domain name with www. That is effectively a loop.
If you do some googling for “captcha/?r=%2f” you will find lots of posts regarding Siteground on the WordPress.org Support forums for various plugins. This is a good example.
It references another stackoverflow.com post.
Troubleshooting
When troubleshooting redirects, you can use a couple of methods. I love using curl, which is available in the Windows CMD prompt, WSL and the macOS Terminal. Here’s an example of using curl, and I’ll explain what it does.
Troubleshooting #1 – curl command
curl --head -L https://managingwp.io
- --head – shows the headers returned by the server.
- -L – follows the Location: headers returned by the server, which is what your browser uses to move to the next redirect.
You will then see something like this.
❯ curl --head -L https://managingwp.io
HTTP/2 200
date: Fri, 01 Sep 2023 12:44:25 GMT
content-type: text/html; charset=UTF-8
cf-edge-cache: cache,platform=wordpress
link: <https://managingwp.io/wp-json/>; rel="https://api.w.org/"
cache-control: s-maxage=31536000, max-age=60
x-wp-cf-super-cache: cache
x-wp-cf-super-cache-active: 1
x-wp-cf-super-cache-cache-control: s-maxage=31536000, max-age=60
x-wp-cf-super-cache-cookies-bypass: swfpc-feature-not-enabled
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
pre-cognitive-push: Enabled
quantum-flux-capacity: Omega
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-litespeed-cache: hit
cf-cache-status: HIT
age: 475
last-modified: Fri, 01 Sep 2023 12:36:30 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Msszz7aOtUmNZJz1y4ecam9ykVDuXfCEoXJNOiz3ESHmgG%2FJPBf6heD%2BdTu%2BApcaxAOrmRDcRNrBvMymRjnkZwXU5m3pnQHUzjZC2lT1nSr5Y37VtRS8LIxTjO2JLRlx"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 7ffd9ac06bf4a246-YYZ
alt-svc: h3=":443"; ma=86400
There is a ton of information here, but we want to see if there is a “Location:” header; in this case, there isn’t. But let’s try a URL that we know has a redirect. Let’s try the non-HTTPS URL http://managingwp.io
❯ curl --head -L http://managingwp.io
HTTP/1.1 301 Moved Permanently
Date: Fri, 01 Sep 2023 12:45:08 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Fri, 01 Sep 2023 13:45:08 GMT
Location: https://managingwp.io/
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ptcoiYlGfhJ%2BZC5NAIciSzknYNURNiV7rueolSUKCyse6EgSltSMWRT8h3AE3pRKTHOk%2FBDZUyZUl8O8gSCAQEZMgA8iOty3GPXJxROM25MhPvXmNU8uEkzTdS9nQdxP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7ffd9bcfce86a20a-YYZ
alt-svc: h3=":443"; ma=86400

HTTP/2 200
date: Fri, 01 Sep 2023 12:45:08 GMT
content-type: text/html; charset=UTF-8
cf-edge-cache: cache,platform=wordpress
link: <https://managingwp.io/wp-json/>; rel="https://api.w.org/"
cache-control: s-maxage=31536000, max-age=60
x-wp-cf-super-cache: cache
x-wp-cf-super-cache-active: 1
x-wp-cf-super-cache-cache-control: s-maxage=31536000, max-age=60
x-wp-cf-super-cache-cookies-bypass: swfpc-feature-not-enabled
vary: Accept-Encoding
x-turbo-charged-by: LiteSpeed
pre-cognitive-push: Enabled
quantum-flux-capacity: Omega
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-litespeed-cache: hit
cf-cache-status: HIT
age: 518
last-modified: Fri, 01 Sep 2023 12:36:30 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LBURGy%2BqITI9mLYeG9wnjy2qVpGX2bahCnXrdEQ6lalKvlxhZYjemuOwsugjAKY3sRgbX6e2DXDK5jP%2FCX4OXImYnF8z9LErwj3nxVSN0emet8zC7tAmWNxmUC%2F3Fq5X"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 7ffd9bd01f5fa222-YYZ
alt-svc: h3=":443"; ma=86400
You can see two requests separated by a blank line. The first request returns a status “301” which, as we know, is a redirect status code saying that the requested page has moved to the URL provided in the “Location:” header, which is the same URL as the original request but with https:// instead of http://
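With all those headers, the redirect chain is easy to miss, so the following added example (not part of the original post) reduces `curl --head -L` output to one line per redirect and reports the first Location that repeats, which is how the captcha loop described earlier shows up. The sample headers, the www.example.com host, the 302 status codes and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: reduce `curl --head -L` output to its redirect chain and flag a loop.

# Constructed sample of header output during the loop described above.
# The host and the 302 status codes are placeholders, not captured from a real site.
sample_headers() {
  cat <<'EOF'
HTTP/2 302
location: /.well-known/captcha/?r=%2f
server: cloudflare

HTTP/2 302
location: https://www.example.com/
server: cloudflare

HTTP/2 302
location: /.well-known/captcha/?r=%2f
server: cloudflare

EOF
}

# Print one "<status> <location>" line per redirect response read from stdin.
redirect_chain() {
  tr -d '\r' | awk '
    /^HTTP\//                  { status = $2 }
    tolower($1) == "location:" { print status, $2 }
  '
}

# Read redirect_chain output; print the first Location that repeats.
# Exit status is 0 when a loop is found and 1 when the chain is clean.
find_loop() {
  awk '
    seen[$2]++ { print "LOOP " $2; found = 1; exit }
    END        { exit !found }
  '
}

# Against a live site (cap the hops so a loop ends quickly):
#   curl -s --head -L --max-redirs 10 https://www.example.com/ | redirect_chain | find_loop
sample_headers | redirect_chain
sample_headers | redirect_chain | find_loop
```

Without `--max-redirs`, curl keeps following a loop until it reaches its default limit of 50 redirects.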
Troubleshooting #2 – Developer Console (Chrome, Firefox, Safari, Edge)
You can also use the developer console within Chrome, Firefox, Safari and Edge to see the headers of any requests to a website.
- Open a new blank tab.
- Right-click and open “inspect”.
- Click on the “Network Tab”.
- Ensure “Disable Cache” is checked. (You might want this unchecked to see if caching is an issue).
- Enter in the URL you want to test.
After the URL is loaded or the redirects are complete, you can review all the requests under the network tab, starting with the first. As you select each one, a section to the right opens up and provides the “Header” tab, in which you can see your request headers from your browser and the response headers from the server.