file_get_contents 403 in OpenLiteSpeed | PHP 7.4

#1
Hi, first time poster and new to OLS but hoping someone might have some insight into this issue.

Server: VULTR VPS on UBUNTU20.04+11, managed via RunCloud using their Open Lightspeed stack
Software stack: PHP 7.4, WordPress 5.8.1, custom vanilla PHP theme
Plugin of note: iThemes Security

Issue:
In my theme, I am using file_get_contents to pull in the contents of the site logo SVG uploaded to the admin. This is then inlined (so it can be styled differently via css if required) and calcs are run on the logo to set the width based on the desired height of the header.

On NGINX this works perfectly. On migrating the site to a new server running OLS however, the backend call to file_get_contents gets a 403 response each time.

Strangely, if I disable the iThemes Security plugin file_get_contents works with no 403, however on all of my sites running on NGINX servers (over 30) this exact thing works with the exact same code and security plugin. I would like to find a solution that allows me to keep this code working while also running the preferred security plugin if possible.

Worth stating the 403 logs are not giving me any useful info that is allowing me to resolve. The permissions on the upload folders is clearly sufficient for the PHP code to run the commands on these files in some circumstances, but not under the exact conditions mentioned above.

Workaround that worked:

By using curl and setting user agent headers, I was able to resolve these SVG urls and run all my functions:

PHP:
$url = $header_logo['url'];
$agent= 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)';

$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_REFERER, $_SERVER['REQUEST_URI']);
$header_logo_code = curl_exec($ch);
curl_close($ch);
Obviously this is 11 lines of code to replace 1, so I'd like to get to the bottom of allowing file_get_contents to work!

Theory:
My theory is that these requests from the server to files on the same server are somehow flagged by LiteSpeed in a way that makes iThemes Security reject them.

If anyone out there in the OLS world has any thoughts, would love your input, keen to use this server tech a lot more because it's so fast!

Thanks friends.
 
Top