I just spend some part of a week trying to successfully receive PayPal IPN requests. Sent out from the IPN simulator. I got stuck when it (the simulator) kept saying it couldn’t deliver the IPN request: Bad Request. Indeed… bad request!<\/p>\n
Hunting down the differences between two servers — the second one receiving the IPN requests just beautifully — I came upon the module “HttpRequest”. I can safely say that had nothing to do with it. But it did let me trigger another thought: this server uses mod_security — good for generating a ton of error messages in the log file, and, apparently, blocking IPN requests.<\/p>\n
So I don’t know why I didn’t check it sooner, but when I tailed the apache error logfile for the site, and triggered an IPN request from the simulator, there it was: the request was Access denied<\/strong>!<\/p>\n [Sun Jul 24 22:46:16 2011] [error] [client 12.34.56.78] ModSecurity: Access denied with code 400 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file “\/etc\/modsecurity2\/optional_rules\/modsecurity_crs_21_protocol_anomalies.conf”] [line “48”] [id “960009”] [msg “Request Missing a User Agent Header”] [severity “WARNING”] [tag “PROTOCOL_VIOLATION\/MISSING_HEADER”] [hostname “suchanicehostname.nl”] [uri “\/paypal.php”] [unique_id “TiyEmFGrVioAAD66YgIAAAAC”]<\/p><\/blockquote>\n This error message even states the file that you have to hack to overcome this! Which I did. Then, back to triggering an IPN request, trembling fingers…<\/p>\n [Sun Jul 24 22:59:56 2011] [error] [client 12.34.56.78] ModSecurity: Access denied with code 400 (phase 2). Match of “rx ^OPTIONS$” against “REQUEST_METHOD” required. [file “\/etc\/modsecurity2\/optional_rules\/modsecurity_crs_21_protocol_anomalies.conf”] [line “41”] [id “960015”] [msg “Request Missing an Accept Header”] [severity “CRITICAL”] [tag “PROTOCOL_VIOLATION\/MISSING_HEADER”] [hostname “suchanicehostname.nl”] [uri “\/paypal.php”] [unique_id “TiyHzFGrVioAAHT0S90AAAAD”]<\/p><\/blockquote>\n Yep, there was another one. However: disabling this solved the issue! As specified in the above section, it came down in commenting out the next two sections in the file “modsecurity_crs_21_protocol_anomalies.conf” (and restarting apache):<\/p>\n #SecRule &REQUEST_HEADERS:Accept “@eq 0” \\ #SecRule &REQUEST_HEADERS:User-Agent “@eq 0” \\ Apparently, the IPN request does not adhere to the protocol definition. Happy PayPal-IPN-ing!<\/p>\n","protected":false},"excerpt":{"rendered":" I just spend some part of a week trying to successfully receive PayPal IPN requests. Sent out from the IPN simulator. I got stuck when it (the simulator) kept saying it couldn’t deliver the IPN request: Bad Request. Indeed… bad request! Hunting down the differences between two servers — the second one receiving the IPN […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[15,47],"tags":[8,50,49,48],"_links":{"self":[{"href":"https:\/\/www.tripledude.com\/index.php?rest_route=\/wp\/v2\/posts\/520"}],"collection":[{"href":"https:\/\/www.tripledude.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tripledude.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tripledude.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tripledude.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=520"}],"version-history":[{"count":8,"href":"https:\/\/www.tripledude.com\/index.php?rest_route=\/wp\/v2\/posts\/520\/revisions"}],"predecessor-version":[{"id":528,"href":"https:\/\/www.tripledude.com\/index.php?rest_route=\/wp\/v2\/posts\/520\/revisions\/528"}],"wp:attachment":[{"href":"https:\/\/www.tripledude.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tripledude.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tripledude.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n#\u00a0\u00a0\u00a0 “chain,phase:2,skip:1,t:none,deny,log,auditlog,status:400,msg:’Request Missing an Accept Header’, severity:’2′,id:’960015′,tag:’PROTOCOL_VIOLATION\/MISSING_HEADER'”
\n#SecRule REQUEST_METHOD “!^OPTIONS$” “t:none”
\n#SecRule REQUEST_HEADERS:Accept “^$” \\
\n#\u00a0\u00a0\u00a0 “chain,phase:2,t:none,deny,log,auditlog,status:400,msg:’Request Missing an Accept Header’, severity:’2′,id:’960015′,tag:’PROTOCOL_VIOLATION\/MISSING_HEADER'”
\n#SecRule REQUEST_METHOD “!^OPTIONS$” “t:none”<\/p>\n
\n#\u00a0\u00a0\u00a0 “skip:1,phase:2,t:none,deny,log,auditlog,status:400,msg:’Request Missing a User Agent Header’,id:’960009′,tag:’PROTOCOL_VIOLATION\/MISSING_HEADER’,severity:’4′”
\n#SecRule REQUEST_HEADERS:User-Agent “^$” \\
\n#\u00a0\u00a0\u00a0 “t:none,deny,log,auditlog,status:400,msg:’Request Missing a User Agent Header’,id:’960009′,tag:’PROTOCOL_VIOLATION\/MISSING_HEADER’,severity:’4′”<\/p><\/blockquote>\n