Quic.Cloud image optimization and WP Cerber REST API restrictions

I am reaching out to you all with a challenge I am currently facing in optimizing images via QUIC.cloud in conjunction with the LiteSpeed Cache plugin on my WordPress website. My configuration requires me to adjust the REST API restrictions of WP Cerber to make the image optimization functionality run smoothly.

I have discovered that for successful image optimization via QUIC.cloud, I need to disable the “Disable REST API” option in WP Cerber. Although the functionalities listed within the “Allow these REST API namespaces” work well, there seems to be no specific namespace for LiteSpeed Cache or QUIC.cloud that I can allow. The requests for QUIC.cloud image optimization appear to be sent from IP 0.0.0.0, and adding this IP address to a whitelist seems to me not a secure solution. (This is probably a broadcast that it sends starting from my server; it is not incoming.)

I understand that in the free version of WP Cerber, it might not be possible to configure detailed rules for incoming and outgoing traffic. I have tried excluding the path from the firewall, and although whitelisting the HTTP header works partially, the results are only fully satisfactory when I completely disable the “Disable REST API” option. This results in flawless operation of the image optimization, as I have observed and logged.

My question to you is: How can I make the “QUIC.cloud image optimization” functionality work successfully while still blocking access to the WordPress REST API, except for specific roles and allowed REST API namespaces? Is there a specific configuration or a workaround you can recommend to make both security measures and optimization features work effectively together?

I greatly appreciate your product and the security features it offers, and I hope there is a way to overcome this challenge without having to compromise on website security or performance optimization.

Thank you very much for your time and assistance with this issue. I look forward to your bits of advice and any solutions you can provide.

According to the documentation available at https://docs.quic.cloud/troubleshooting/restapi/, the namespace for your case is litespeed. Please add it to the “Allow these REST API namespaces” list located on the Hardening tab.

Hi! It’s important to understand that any plugin or web service utilizing the WordPress REST API always uses a namespace. Connecting to WordPress without one is not possible. You can easily identify a namespace in the WP Cerber logs for any REST API request. The namespace is located after /wp-json/ in the request URL. For example, in the URL /wp-json/oembed/1.0/proxy, the namespace is oembed. To find the namespace of a blocked request, go to the Activity log, select “Request to REST API denied” from the drop-down list above the log, and click “Filter”. Here is an example from the WP Cerber log showing that the namespace is wp.

1 Like
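The namespace lookup described in the reply above, as an added example that is not part of the original posts or of WP Cerber's own code: it extracts the namespace from request URIs copied out of the “Request to REST API denied” view and flags allow-list entries that look like misspellings of a denied namespace. The function names, the sample URIs and the sample allow-list are constructed for illustration, and handling of the `?rest_route=` form (used by WordPress sites without pretty permalinks) goes beyond what the reply covers.

```python
from collections import Counter
from difflib import get_close_matches
from urllib.parse import urlsplit, parse_qs, unquote

REST_PREFIX = "/wp-json/"  # default WordPress REST prefix, as in the reply above

def rest_namespace(request_uri):
    """Return the first segment after /wp-json/ (or in ?rest_route=), else None."""
    parts = urlsplit(request_uri)
    path = unquote(parts.path)
    idx = path.find(REST_PREFIX)  # find() also covers sub-directory installs
    if idx != -1:
        route = path[idx + len(REST_PREFIX):]
    else:
        # Plain-permalink form: /?rest_route=/namespace/version/route
        route = parse_qs(parts.query).get("rest_route", [""])[0]
    segments = [s for s in route.split("/") if s]
    return segments[0] if segments else None

def audit(denied_uris, allowed):
    """Count denied namespaces and flag allow-list entries that look like typos."""
    seen = Counter(ns for ns in map(rest_namespace, denied_uris) if ns)
    report = {}
    for ns, hits in seen.items():
        near = [a for a in get_close_matches(ns, allowed, n=1, cutoff=0.8) if a != ns]
        report[ns] = {
            "hits": hits,
            "allowed": ns in allowed,
            "possible_typo": near[0] if near else None,
        }
    return report

# Constructed sample data: URIs as they might be copied from the Activity log.
SAMPLE_DENIED = [
    "/wp-json/litespeed/v1/example-route",
    "/?rest_route=/litespeed/v1/example-route",
    "/wp-json/oembed/1.0/proxy",
    "https://example.com/wp-json/wp/v2/users?per_page=1",
    "/wp-login.php",  # not a REST request, ignored by the audit
]
SAMPLE_ALLOWED = ["oembed", "litspeed"]  # constructed typo of "litespeed"

if __name__ == "__main__":
    for ns, info in sorted(audit(SAMPLE_DENIED, SAMPLE_ALLOWED).items()):
        print(ns, info)
```

A namespace reported with `allowed` false and a non-empty `possible_typo` points to a misspelled allow-list entry rather than a missing one.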

I shared the same opinion about namespaces as what you’ve written here. However, it still didn’t work out with litespeed in the namespace; I did manage to get it right via HTTP headers. Even though I noticed that not all of my data was completely cleaned up upon execution. But with the namespace, it just wouldn’t work out. After reading this message, I sighed… but then I thought, you never know, so for the 55th time, I tried it now, days later, and the conclusion… probably made a typo. I feel so dumb now. THANKS

Can you please elaborate regarding the namespace I suggested? Does it work?

1 Like

Yes, my friend, like I said, I made a typo. Thank you.