CORS Problems out of the Blue

techbill · June 29, 2022, 4:19pm

mikew:

server {
  server_name mymautic.com;
   root /var/www/mautic;
   error_log /var/log/nginx/mautic.error;
   access_log /var/log/nginx/mautic.access;
   client_max_body_size 20M;

   index index.php index.html index.htm index.nginx-debian.html;

   location / {
     # try to serve file directly, fallback to app.php
     try_files $uri /index.php$is_args$args;
   }

   location ~ /(mtc.js|1.js|8.js|9.js|7.js|.*\.js|mtracking.gif|.*\.gif|mtc) {
       # default_type "application/javascript";
       try_files $uri /index.php$is_args$args;
   }

   # redirect some entire folders
     rewrite ^/(vendor|translations|build)/.* /index.php break;

   location ~ \.php$ {
     include snippets/fastcgi-php.conf;
     fastcgi_pass unix:/run/php/php7.4-fpm.sock;
     #Note: If you install Mautic on iRedMail server, you should use the TCP socket instead.
     #fascgi_pass 127.0.0.1:9999


   }

   location ~* ^/index.php {
     # try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

     fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
     #Note: If you install Mautic on iRedMail server, you should use the TCP socket instead.
     #fascgi_pass 127.0.0.1:9999
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     include fastcgi_params;

     fastcgi_buffer_size 128k;
     fastcgi_buffers 256 16k;
     fastcgi_busy_buffers_size 256k;
     fastcgi_temp_file_write_size 256k;
   }

    # Deny everything else in /app folder except Assets folder in bundles
    location ~ /app/bundles/.*/Assets/ {
        allow all;
        access_log off;
    }
    location ~ /app/ { deny all; }

    # Deny everything else in /addons or /plugins folder except Assets folder in bundles
    location ~ /(addons|plugins)/.*/Assets/ {
        allow all;
        access_log off;
    }
    # location ~ /(addons|plugins)/ { deny all; }

    # Deny all php files in themes folder
      location ~* ^/themes/(.*)\.php {
        deny all;
    }

    # Don't log favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Don't log robots
    location = /robots.txt  {
        access_log off;
        log_not_found off;
    }

    # Deny yml, twig, markdown, init file access
    location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all attempts to access hidden files/folders such as .htaccess, .htpasswd, .DS_Store (Mac), etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all grunt, composer files
    location ~* (Gruntfile|package|composer)\.(js|json)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to any files with a .php extension in the uploads directory
        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
    }
     # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
       access_log        off;
       log_not_found     off;
       expires           360d;
  }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mymautic.com/fullchain.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mymautic.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mymautic.com/privkey.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mymautic.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot


    ssl_trusted_certificate /etc/letsencrypt/live/mymautic.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}
server {
    if ($host = mymautic.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


   listen 80;
   listen [::]:80;
   server_name mymautic.com;

   root /var/www/mautic;
   error_log /var/log/nginx/mautic.error;
   access_log /var/log/nginx/mautic.access;
   client_max_body_size 20M;

   index index.php index.html index.htm index.nginx-debian.html;

   location / {
     # try to serve file directly, fallback to app.php
     try_files $uri /index.php$is_args$args;
   }

   location ~ /(mtc.js|1.js|8.js|.*\.js|mtracking.gif|.*\.gif|mtc) {
       # default_type "application/javascript";
       try_files $uri /index.php$is_args$args;
   }

   # redirect some entire folders
     rewrite ^/(vendor|translations|build)/.* /index.php break;

   location ~ \.php$ {
     include snippets/fastcgi-php.conf;
     fastcgi_pass unix:/run/php/php7.4-fpm.sock;
     #Note: If you install Mautic on iRedMail server, you should use the TCP socket instead.
     #fascgi_pass 127.0.0.1:9999
   }

   location ~* ^/index.php {
     # try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

     fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
     #Note: If you install Mautic on iRedMail server, you should use the TCP socket instead.
     #fascgi_pass 127.0.0.1:9999
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     include fastcgi_params;

     fastcgi_buffer_size 128k;
     fastcgi_buffers 256 16k;
     fastcgi_busy_buffers_size 256k;
     fastcgi_temp_file_write_size 256k;
   }
    # Deny everything else in /app folder except Assets folder in bundles
    location ~ /app/bundles/.*/Assets/ {
        allow all;
        access_log off;
    }
    location ~ /app/ { deny all; }

    # Deny everything else in /addons or /plugins folder except Assets folder in bundles
    location ~ /(addons|plugins)/.*/Assets/ {
        allow all;
        access_log off;
    }
    # location ~ /(addons|plugins)/ { deny all; }

    # Deny all php files in themes folder
      location ~* ^/themes/(.*)\.php {
        deny all;
    }

    # Don't log favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Don't log robots
    location = /robots.txt  {
        access_log off;
        log_not_found off;
    }

    # Deny yml, twig, markdown, init file access
    location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all attempts to access hidden files/folders such as .htaccess, .htpasswd, .DS_Store (Mac), etc...
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny all grunt, composer files
    location ~* (Gruntfile|package|composer)\.(js|json)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to any files with a .php extension in the uploads directory
        location ~* /(?:uploads|files)/.*\.php$ {
                deny all;
    }
    # A long browser cache lifetime can speed up repeat visits to your page
  location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
       access_log        off;
       log_not_found     off;
       expires           360d;
  }




}

Never worked with NGINX config before. I learned of this by Googling to see if needed to be configured for CORS and read up that it does. I was curious myself.

From what read, this will open up to all domain if it added into the config

add_header Access-Control-Allow-Origin *;

Try that first and restart NGINX then test it. If that fixes it then replace it with a config that is specific to your domains only. One line per domain.

add_header Access-Control-Allow-Origin "yourdomains.com";

techbill · June 29, 2022, 4:24pm

Did you clear Mautic cache after disabling CORS in configuration setting?

mikew · June 29, 2022, 4:44pm

yes I did - thanks

mikew · June 29, 2022, 5:56pm

I have tried both solutions above and nothing is working. Does not matter if I turn CORS off/ON change everything and still getting the console error:

Access to XMLHttpRequest at 'https://mymauitc.com/mtc/event' from origin 'https://mywordpress.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'https://mywordpress.com,(http://mywordpress.com).com', but only one is allowed.

It says only one is allowed, but before I was supporting multiple sites and using @joeyk Multidomain plugin as well.

mikew · June 29, 2022, 5:57pm

I also found this post initially but nothing is helping here: Issues with CORS when trying to configure Mautic 3 and NGinx

and a good reference is : How to Enable CORS in Apache and Nginx?

However I have a hunch that Mautic is somehow ignoring these settings from the local.php file for some reason…

techbill · June 29, 2022, 6:06pm

Send them a DM and see what they did to resolve it… I know post is old however doesn’t hurt to DM

joeyk · June 29, 2022, 7:47pm

Is it data exchange with a wp site? Any wordfence like evil plugin running?

mikew · June 30, 2022, 6:08am

Nope nothing bad is installed recently and no word fence… going to take a big chance and do an upgrade to 4.4.0 and see if that makes a difference.

joeyk · June 30, 2022, 6:09am

We have 4.4.0 in production for couple of clients, no screaming yet.

mikew · June 30, 2022, 6:21am

updated to 4.4.0 and same behaviour.

Weird thing is the forms are showing, but on submit it just hangs

Console error:

Uncaught DOMException: Blocked a frame with origin "https://mymautic.com" from accessing a cross-origin frame.
    at HTMLDocument.<anonymous> (https://mymautic.com/media/js/app.js?v178a5420:274:162)
    at mightThrow (https://mymautic.com/media/js/libraries.js?v178a5420:355:18)
    at process (https://mymautic.com/media/js/libraries.js?v178a5420:357:89)

mikew · June 30, 2022, 7:33am

So I have gone back to basics now.

I went and preview the form and filled it out inside mautic and got this.

Then I went and created a new form and everything worked on Preview.

I took the form and added it both using wp mautic short code and it did not work.

I added the javascript and on submit I get to the internal error page :“Uh oh! I think I broke it. If I do it again, please report me to the system administrator!”

Totally stumped on this one

mikew · June 30, 2022, 7:46am

so I remmebered there was a post to hide the calendar which used myscript.js (How hide calendar menu item - #3 by robm)

So I went and put this back to the way it should be, i.e. original Mautic file and I am getting the following console error:

Failed to load resource: the server responded with a status of 500 () submit:1

In the log the only error I am seeing (and I am not sure this is related as this is a high traffic site) is the following:

2022/06/30 07:44:59 [error] 1325325#1325325: *11445 FastCGI sent in stderr: "PHP message: PHP Notice:  SessionHandler::gc(): ps_files_cleanup_dir: opendir(/var/lib/php/sessions) failed: Permission denied (13) in /var/www/mautic/vendor/symfony/http-foundation/Session/Storage/Handler/StrictSessionHandler.php on line 106" while reading response header from upstream, client: 11.11.111.11, server: mymaiutic.com, request: "PATCH /api/contacts/411274/edit HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.4-fpm.sock:", host: "mymaiutic.com"

Although I checked this contact id and it is an actual user so I do not think this error is related.

mikew · June 30, 2022, 8:07am

checking in Firefox and seeing the following in the console:

mikew · June 30, 2022, 11:29am

I have now taken the tracking code and put it on a different site that I know is tracking and I still get this error:

Failed to load resource: the server responded with a status of 500 () mtcevent

@joeyk ?

joeyk · June 30, 2022, 12:52pm

What is the event? Vanilla tracking code?

joeyk · June 30, 2022, 12:54pm

Does this point you any closer to your goal?
A new default Referrer-Policy for Chrome - strict-origin-when-cross-origin - Chrome Developers.

techbill · June 30, 2022, 1:39pm

If you are getting error 500, I would check the ngnix error log. It may tell you something in there.

That error log would be part of the ngnix log on the server which is not part of Mautic. You would probably would need to ask your server administrator to give you the copy of the error log if you don’t have root access.

mikew · June 30, 2022, 1:53pm

Firstly thank you for everyone that tried to she some light on the matter and help out here.

We found the problem and I have to say it was my fault.

A long time ago we installed the MakeWebBetter plugin and this plugin on Wordpress went and created a ton of new custom fields which inevitably caused issues with creating new fields.

When I wanted to add new fields I would have to go and delete one of the custom fields and my issue was I went and did this inside the database by dropping a column using the command

alter tables leads drop column mob_whatever

This in turn started causing the error, and I must have done this about two weeks ago, and what happened was when Mautic went and wanted to create a new lead it would not find the correct column and was throwing a CRITICAL error that I simply ignored:

Column not found: 1054 Unknown column 'mwb_newsletter_subs' in 'field lis

SO what I did was go into custom fields and delete these fields, and everything was working again.

No idea what the CORS error was and why it was throwing that, but this is what fixed up the problem.

It was a very uncomfortable day but I learnt a good lesson - Keep Calm and Read The Logs! Try and understand and isolate the issue.

techbill · June 30, 2022, 1:56pm

Glad you got it all sorted and thanks for sharing the solution!

rcheesley · June 30, 2022, 1:57pm

I think we need to make this into a tshirt for the swag shop! Glad you got it sorted!