Learn about Centmin Mod LEMP Stack today
Become a Member

IP.Board 403 Error on editing posts

Discussion in 'Forum software usage' started by pamamolf, Aug 23, 2016.

  1. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    10:18 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Hi :)

    A friend has an issue today after upgrading the IPB to latest version as he was not able to edit some posts and looks like an ava/ajax issue maybe and the response from support was:

    Code:
    Do you have mod_security installed? 
    I have disabled javascript and have been able to edit posts just fine so what I think is happening is mod_security is flagging the javascript AJAX edit request as potentially malicious in error. 
    Could you or your host please check if mod security or similar is installed and if so to whitelist the specific rule being hit?
    
    The response is a 403 no permission response from nginx.
    Any ideas?

    Thanks
     
  2. JarylW

    JarylW Active Member

    213
    39
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +99
    Local Time:
    3:18 AM
    He is running centminmod too?

    Maybe check the logs and provide the url where he saw the 403 error together with nginx vhost?
     
  3. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    10:18 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Yes Centminmod latest.

    The support response:

    Code:
    The URL that the edit comment value is being sent to is triggering a server-level 403 error response from the front end nginx server.
    
    Even if you try to visit this URL directly it fails:
    
    http://www.domain.com/topic/5220-sugerencia-t%C3%A1bidos/?do=editComment&comment=28245&url=http://www.domain.com/topic/5220-sugerencia-t%25C3%25A1bidos/
    
    Please contact your host and inquire as to why requesting this URL is throwing a 403 error response. I suspect some sort of firewall or other security software is causing this issue.
    and checking on domain logs there is no any related entry for it....
     
  4. JarylW

    JarylW Active Member

    213
    39
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +99
    Local Time:
    3:18 AM
    First thing would be to look at /home/nginx/domains/domain.com/log/error.log
     
  5. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    10:18 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    I did check but there was no info there......

    I solve it by commenting on domain config this:

    Code:
    # prevent access to ./directories and files
    #location ~ (?:^|/)\. {
    # deny all;
    #}
    Don't know why this one help it and if we can have any fix for it or use another way for it?

    I am wondering what they add on the new version that gets blocked by this rule....

    Any ideas on what to search for so i may find the root cause of it as i prefer to not have this rule off ?

    did they use any .file or something related now?Don't think so.....

    Is there any grep command to search for what exactly this rule blocks and found where exactly the issue is from?

    Thanks
     
    Last edited: Aug 23, 2016
    • Informative Informative x 1
  6. JarylW

    JarylW Active Member

    213
    39
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +99
    Local Time:
    3:18 AM
    Hmm, for wordpress genereated vhost @eva2000 already removed that by default

    Beta Branch - remove dot file block from inc/wpsetup.inc for 123.09beta01 | Centmin Mod Community

    Maybe above that rule you want to specify one for /topic to prevent the error
     
    • Agree Agree x 1
  7. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:18 AM
    Nginx 1.13.x
    MariaDB 5.5
    probably the best way
     
  8. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    10:18 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    What rule to use?

    If i use it before then it will not get override from the bellow related rule?

    So what this rule do and should i remove it?
     
    Last edited: Aug 23, 2016
  9. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:18 AM
    Nginx 1.13.x
    MariaDB 5.5
    just create a location match for /topic that looks like the location match for the forum index whether it be / or /forum/
     
  10. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    10:18 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    But the location for / doesn't have any special rule inside.....

    Also topic folder doesn't exist as it is dynamic created if that matters....

    so something like this ?
    Don't know what rule to use....confused....
     
  11. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:18 AM
    Nginx 1.13.x
    MariaDB 5.5
    yes but you should have a rule in forum web root location for forums if you follow @Jimmy example IP.Board - IPB v4.1.x Files | Centmin Mod Community

    Code (Text):
        location / {
            try_files    $uri $uri/ /index.php;
    
        }

    so replicate it for /topic
    Code (Text):
        location /topic {
            try_files    $uri $uri/ /index.php;
    
        }
     
  12. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    10:18 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Ok thanks i will test it :)

    But checking his config i can't see anything related to /topic ....
     
  13. JarylW

    JarylW Active Member

    213
    39
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +99
    Local Time:
    3:18 AM
    You mentioned you wanted to keep the
    Code:
    # prevent access to ./directories and files
    location ~ (?:^|/)\. {
     deny all;
    }
    so you just have to specify like @eva2000 said above that (or anywhere else in the vhost conf that is above that line so it becomes:
    Code:
    location /topic {
    try_files $uri $uri/ /index.php;
    }
    
    # prevent access to ./directories and files
    location ~ (?:^|/)\. {
     deny all;
    }
    
     
    • Agree Agree x 1
  14. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:18 AM
    Nginx 1.13.x
    MariaDB 5.5
    yeah if you want to keep that location just specify the breakout location /topic exclusion before it
     
  15. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    10:18 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Don't know if it is a security risk to remove it or not .... ?
     
  16. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:18 AM
    Nginx 1.13.x
    MariaDB 5.5
  17. pamamolf

    pamamolf Well-Known Member

    2,724
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    10:18 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    I didn't disable that include but it works.....how is this possible? Confused....
     
  18. JarylW

    JarylW Active Member

    213
    39
    28
    Jun 19, 2014
    Singapore
    Ratings:
    +99
    Local Time:
    3:18 AM
    As said earlier already the higher up in the conf file definition take precedence over those below them. drop.conf is included all the way below in your vhost.conf by default
     
    • Agree Agree x 1
    • Informative Informative x 1