Keep getting 401 error from WordPress on AWS Lightsail

I’m trying to post to a WordPress server on an AWS Lightsail instance using node-wpapi.
However, the server returns a 401 error.

I have already added `RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]` to my .htaccess file, and I already use the ‘Application Passwords’ plugin.

How can I use node-wpapi to access the server?

My node-wpapi settings are below.

```javascript
const wp = new WPAPI({
    endpoint: 'http://localhost/wp-json',
    username: 'user', // This is a default admin user.
    password: '*************************', // This is a password for the Application Passwords plugin
    auth: true,
});
```

My .htaccess file is below.

```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
```

The error message is below.

```
code: 'rest_cannot_create',
message: 'Sorry, you are not allowed to create new posts.',
data: { status: 401 }
```

My user profile page keeps displaying the following message.

> Due to a potential server misconfiguration, it seems that HTTP Basic Authorization may not work for the REST API on this site: `Authorization` headers are not being sent to WordPress by the webserver. You can learn more about this problem, and a possible solution, on our GitHub Wiki.

2 Answers

I’ve found a solution.

The WordPress installation created from the AWS Lightsail instance image is Bitnami WordPress.
Bitnami WordPress has Basic Authentication disabled by default, so /opt/bitnami/apps/WordPress/conf/httpd-app.conf needs to be modified to enable Basic Authentication. The modification is to add the 3 lines below.

```apache
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
```

The httpd-app.conf ended up as below.

```apache
RewriteEngine On
RewriteRule /<none> / [L,R]

<IfDefine USE_PHP_FPM>
    <Proxy "unix:/opt/bitnami/php/var/run/wordpress.sock|fcgi://wordpress-fpm" timeout=300>
    </Proxy>
</IfDefine>

<Directory "/opt/bitnami/apps/wordpress/htdocs">
    Options +MultiViews +FollowSymLinks
    AllowOverride None
    <IfVersion < 2.3 >
        Order allow,deny
        Allow from all
    </IfVersion>
    <IfVersion >= 2.3>
        Require all granted
    </IfVersion>

    <IfDefine USE_PHP_FPM>
       <FilesMatch \.php$>
         SetHandler "proxy:fcgi://wordpress-fpm"
       </FilesMatch>
    </IfDefine>

    # The 3 added lines: copy the Authorization header into HTTP_AUTHORIZATION
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

    RewriteEngine On
    #RewriteBase /wordpress/
    RewriteRule ^index\.php$ - [S=1]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . index.php [L]

    Include "/opt/bitnami/apps/wordpress/conf/banner.conf"
</Directory>

Include "/opt/bitnami/apps/wordpress/conf/htaccess.conf"
```

Then restart Apache or the instance itself.
Then I installed the Application Passwords plugin and used it following the normal procedure.
The following plugin message that was displayed on the profile page is gone.

> Due to a potential server misconfiguration, it seems that HTTP Basic Authorization may not work for the REST API on this site: `Authorization` headers are not being sent to WordPress by the webserver. You can learn more about this problem, and a possible solution, on our GitHub Wiki.

The HTTP_AUTHORIZATION environment variable in the .htaccess file doesn’t need to be replaced with REMOTE_USER.
Just in case, here is my .htaccess file.

```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

This solution is from this page.
The difference between the solution on that page and my solution above is that I use the Application Passwords plugin, whereas they use the JSON Basic Authentication plugin.
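
A way to check whether the `Authorization` header now reaches WordPress, as an added example that is not part of the original post: it requests the core `/wp/v2/users/me` route with the application password and interprets the reply, and it refuses to send Basic credentials over plain HTTP to anything but a loopback host. The function names are hypothetical, and Node 18+ is assumed for the built-in `fetch`.

```javascript
// Added example (hypothetical helper names); not code from node-wpapi or the plugin.

// Build the RFC 7617 Basic credentials header value.
function basicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Basic auth is only base64-encoded, so plain HTTP is tolerated for loopback only.
function isLoopback(hostname) {
  return ['localhost', '127.0.0.1', '[::1]'].includes(hostname);
}

// Interpret the response from GET <endpoint>/wp/v2/users/me.
function classify(status, body) {
  if (status === 200) return `authenticated as ${body.name}`;
  if (status === 401 && body.code === 'rest_not_logged_in') {
    // WordPress handled the request as anonymous.
    return 'anonymous: header not passed to PHP, or credentials rejected';
  }
  return `unexpected: ${status} ${body.code || ''}`.trim();
}

// endpoint is the same value given to WPAPI, e.g. 'http://localhost/wp-json'.
async function checkAuth(endpoint, username, password, fetchImpl = fetch) {
  const url = new URL(endpoint.replace(/\/$/, '') + '/wp/v2/users/me');
  if (url.protocol !== 'https:' && !isLoopback(url.hostname)) {
    throw new Error('refusing to send Basic credentials over plain HTTP');
  }
  const res = await fetchImpl(url.href, {
    headers: { Authorization: basicAuthHeader(username, password) },
  });
  return classify(res.status, await res.json());
}
```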
