Post by kirkhall » Thu Mar 30, 2023 1:46 am

Hello,
Opencart version 3.0.3.7
The issue also exists on another install of 3.0.3.8 on same VPS but I’m focused on using 3.0.3.7. While I work on this these installs are in /public_html/3037 or 3038

The issue is this.
From Admin when I go to System > Localisation > Geo Zones I have a geo zone in there that will consist of the lower 48 + DC here in the US for free shipping purposes so it will have 49 entries eventually I hope. If I click to edit the “lower 48” geo zone where I am trying to add a zone for each of the 48 states +1 the ones I have already entered will not load completely and I get a popup error after it does show me 4 entries for this geo zone. It only takes a few seconds for the popup error to show itself. The popup shows...
www.mydomain.com says
error
Not Found
Not Found
<!DOCTYPE html>
The rest of the text in the pop up appears to be HTML source from the home page of a live site running OC 1.5.6.4 that is in the root (public_html) of this same VPS I'm working on for all of this. It has nothing to do with this installation.

There are no errors generated in the log in Admin.

Latest web server error log messages show
[Tue Mar 28 23:08:38.453908 2023] [:error] [pid 760925:tid 47008912598784] [client 151.167.110.17:41664] client denied by server configuration: /home/user/public_html/3037/admin/index.php, referer: https://www.yourdomain.com/3037/admin/i ... _zone_id=5
And it just repeats from all my attempts to have a look. Also that client ip shown is made up but the actual ip that is in the message belongs to a CDN that I use even though I am not using the CDN on these test installs. I have it set to not cache the directories they are in and looking at the dashboard at my provider it isn't.

I have added 10 of the 48 states to this lower 48 geo zone and they appear to be in the oc_zone_to_geo_zone table but I can’t add to the Geo Zone in admin as I get the same pop up I described above every time I try to edit it. Just to be clear when I click to edit this geo zone the 10 entries I have already entered never appear on the screen. Maybe 4 at the most will show themselves to me and then the popup appears and all the rest of the entries are greyed out after I close the popup with my only option for the greyed out lines I can see is to delete.

If I use browser developer tools and have it on console when I click to edit the lower 48 geo zone I see....
[Screenshot: console-results.jpt.jpg]

and if I click the network tab of the developer tools I see..
[Screenshot: network-results.jpt.jpg]

Both screenshots are from the 3038 install but 3037 behaves exactly the same way.

Anyone have any idea what the problem is?


Post by by mona » Thu Mar 30, 2023 2:54 pm

Looks like a server rate limit provision.
When viewing a geo zone, it fires rapid ajax calls for each entry (twice) in that zone.
I would guess your server config detects this as a probe/scanner activity and after so many requests blocks you with a 404.


and better move this statement in admin/view/template/localisation/geo_zone_form.twig:

Code:

$('select[name$=\'[country_id]\']:disabled:first').trigger('change');
from the success function to the complete function so it doesn't do the call twice for each line.

DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84



Post by kirkhall » Fri Mar 31, 2023 12:30 am

Thanks for the reply.
I contacted my host who only suggested that I disable mod security which I did temporarily but no change. Not sure what else to try.
I did find another post from someone here from just over a year ago with same issue. viewtopic.php?t=222173 Looks like their solution was to switch servers which seems extreme.
Moving that line from success to complete did change the behavior slightly and by that I mean that a few more lines loaded before I got the error popup.
I think you meant that it needed to be done regardless so maybe I will come back to that later but for now I undid the moving.
I know this is a server issue as I have these running on xampp server locally and they work fine.
I'll keep trying things and stuff.


Post by kirkhall » Sat Apr 01, 2023 12:26 am

Removing mod_evasive from my server setup is allowing me to set up the geo zones.
This doesn't seem like something I would want to permanently leave this way.


Post by by mona » Sat Apr 01, 2023 12:33 am

Yes, that move should be permanent.
It does a double request because the calls are async and on success the trigger for the next call is not yet adjusted to the next line so it does the same call for the same line again unnecessarily, doubling the total calls, you can see it in web developer tools.
Moving the next call to the complete function makes sure that the trigger is set correctly to the next line.
These calls are fired rapidly, depending on how fast the result comes back, in your case it comes back with a 404 error result after a certain amount of calls which then triggers the error function because the result returned is not json encoded but a php/server generated html error page (OC ajax error handling does not cater well for server generated error output) and it all stops.
Could be mod_security or mod_evasive or mod_qos or some other limiting measures your host has installed, and may not even be aware of.
I suppose if it is only affecting your ability to geo-zones, once that is done you can turn it back on.


Post by by mona » Sat Apr 01, 2023 10:00 am

No other page in default admin has this self-propelled ajax call construction to populate a list so it should only affect the geo-zones.

If you have a fixed ip you can whitelist it in these mods or tweak the parameter in mod_evasive:

Code:

<IfModule mod_evasive.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>
Default is more than one request for the same url within one second which is rather aggressive in today's internet environment. Besides, OC sites are rarely (D)DOS-ed, most OC sites DOS themselves (poor extensions, poor redirects) making mods like evasive more of an annoyance than a safeguard.

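Added example, not part of the posts above and not OpenCart's or mod_evasive's own code: a simplified sliding-window model of the per-URL and per-site thresholds in the config block, showing how many geo zone rows load before the first refusal when each row fires two calls versus one. The names `makeLimiter` and `rowsLoaded`, the placeholder URL, the 100 ms response time, the relaxed thresholds, and the assumption that every row requests the same URL are all constructed for illustration.

```javascript
// Added example: a simplified sliding-window model of the DOSPageCount /
// DOSSiteCount checks, not mod_evasive's actual implementation.
function makeLimiter({ pageCount, pageInterval, siteCount, siteInterval }) {
  const pageHits = new Map(); // URL -> request times in ms
  let siteHits = [];          // request times in ms for any URL
  return function allow(url, nowMs) {
    const inWindow = (hits, seconds) => hits.filter(t => nowMs - t < seconds * 1000);
    const page = inWindow(pageHits.get(url) || [], pageInterval);
    siteHits = inWindow(siteHits, siteInterval);
    const ok = page.length < pageCount && siteHits.length < siteCount;
    page.push(nowMs);          // refused requests still count as hits
    siteHits.push(nowMs);
    pageHits.set(url, page);
    return ok;
  };
}

// Rows of the geo zone form that finish loading before the first refusal.
// Assumption: every row has the same country, so every call hits one URL.
function rowsLoaded(config, { rows, callsPerRow, gapMs }) {
  const allow = makeLimiter(config);
  const url = '/admin/index.php?country-lookup'; // constructed placeholder URL
  let nowMs = 0;
  for (let row = 0; row < rows; row++) {
    for (let call = 0; call < callsPerRow; call++) {
      nowMs += gapMs;          // next call fires when the previous one returns
      if (!allow(url, nowMs)) return row;
    }
  }
  return rows;
}

// Thresholds from the config block in the post above.
const defaults = { pageCount: 2, pageInterval: 1, siteCount: 50, siteInterval: 1 };
// Constructed relaxed values, only to show the effect of raising the limits.
const relaxed = { ...defaults, pageCount: 30, siteCount: 100 };

const form = { rows: 49, gapMs: 100 }; // 49 entries, 100 ms per response (constructed)
console.log('doubled calls, defaults:', rowsLoaded(defaults, { ...form, callsPerRow: 2 }));
console.log('single calls, defaults: ', rowsLoaded(defaults, { ...form, callsPerRow: 1 }));
console.log('doubled calls, relaxed: ', rowsLoaded(relaxed, { ...form, callsPerRow: 2 }));
```

In this model, slowing the responses to 600 ms lets all 49 rows load under the default thresholds, because no two earlier requests fall inside the same one-second window.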

Post by kirkhall » Sat Apr 01, 2023 11:43 pm

Thanks mona,
Even though I didn't quite understand it (I'm no server admin unless it's via GUI) I did see that one could whitelist your IP if it was static. My host is pretty decent about helping me out with things like that though... but since I do not have a static IP I stopped reading about it.

I have a live 1.5.6.4 LIVE store on this same VPS and when I go have a look at the geo zones (just to see difference) it will show me the zones rather quickly. In the development directory I have this 3.0.3.7 install in it is as slow as molasses but it did allow me to set it up and save so I think I'm good now.
