/ Message template (english)
My YunoHost server : Latest 4.2 -Updated to latest stable release
Hardware: VPS with debian 10
YunoHost version: 4.2.4
**I have access to my server :Through SSH & through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : No
If yes, please explain:
Description of my issue
(1) **What am i trying to do -**I am trying to run a wordpress website with woocommerce in it. users needs to have access to login and logout from their woo commerce account.
(2) Origin of the issue Yunohost makes you install wordpress in subdirectory if you want to install other apps(which i understand). So i have installed wordpress in mydomain.tld/home/
(3) Two issues started happening. one i was able to resolve, another i couldn’t.
(4) Anyone typing in **www.**mydomain.tld/home was being redirected to yunohost. I resolved this by setting up a redirect on *.mydomain.tld to redirect it to mydomain.tld/home. This takes away my capability to keep subdomains in future, but for now, first things first.
(5)I managed to install the wordpress and everything went smoothly. I didn’t pay attention to the SSO plugin (simple LDAP) as it was (i) Not covered in documentation (ii) it was 5 years old (iii) its own page said that it works only till wordpress 4.7 (latest wp is 5.7). i uninstalled it
(6) But one problem is that on logging out of wordpress using simple link https://mydomain.tld/home/my-account/customer-logout/ I log out fine, but wordpress has this security feature of adding a nonce.
(7) so the real link looks like https://mydomain.tld/home/my-account/customer-logout/?_wpnonce=8a7d681a84
(8) When a link with nonce comes in, it doesnt log out, but yunohost steps in with a login page.
If someone could suggest a way to completely sidestep yunohost till the time a URL like mydomain.tld/yunohost appears, it will be best. I have been reading something around .htaccess and nginx config but before that i wanted to see if there is a better way here.
After rummaging around looking for ngnix configuration, i believe that i am in the general area and setting somewhere here is to blame, but i don’t know enough to set it right.
(1) All 404 are being redirected to yunohost, which shouldnt happen. Should be redirected to root wordpress site (which i defined while installing wordpress )
(2) Any redirects and some conditional url also getting redirected to sso…which shouldn’t be the case.
– Get request arguments
uri_args = ngx.req.get_uri_args()
-- Logout is also called via a `GET` method
-- TODO: change this ?
if uri_args.action and uri_args.action == 'logout' then
-- If the `r` URI argument is set, it means that we want to
-- be redirected (typically after a login phase)
elseif is_logged_in and uri_args.r then
-- Decode back url
back_url = ngx.decode_base64(uri_args.r)
-- If `back_url` contains line break, someone is probably trying to
-- pass some additional headers
if string.match(back_url, "(.*)\n") then
logger.error("Redirection url is invalid")
@Aleks please help… i dont code, and thats why i went with yunohost
same issue elsewhere on yunohost as well… i would like to believe that any answer will help multiple people
After over 10 hours of trying to find a workaround, this is how to resolve it if you face the challenge.
(1) Problem is being caused by permissions on yunohost + default implimentation of SSO as far as wordpress is concerned.
(2) How: Post a normal customer/subscriber clicks on logout from woocommerce account , in the yunohost version, wordpress tries to redirect you to wordpress login by default.(and not the woocommerce login as happens elsewhere)
(3) This wordpress login is in the restricted area and therefore yunohost steps in with a SSO page.
Solution I added wordpress admin area permission to visitors and post that the user account was allowed to log out. Not a secure solution and beats the yunohost permission management logic, but there was no option. As a secondary measure, have installed harder rules on limited login attempt logout, tightened recaptcha, cloudflare bot and sucuri to secure the admin page. Not as great, but for timebeing there is no other option.
@Aleks if a minor tweak here or there helps, please do include this in next release
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.