
Beta Branch add jetpack_ip_whitelist_cronsetup function in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Nov 19, 2020 at 6:54 AM.

  1. eva2000

    add jetpack_ip_whitelist_cronsetup function in 123.09beta01

    - For WordPress centmin.sh menu option 22 fresh installs, switch to totally disabling xmlrpc.php requests instead of rate limiting them and disabling specific functions via the Disable XML-RPC WordPress plugin. So with this update, public requests to /xmlrpc.php will get 403 permission denied, with the exception of whitelisting the Jetpack WordPress plugin's IP address ranges to continue to have xmlrpc.php access as per the IP range outlined at Hosting FAQ.
    - Set up a system cronjob to read the latest Jetpack IP ranges published at https://jetpack.com/ips-v4.txt to populate the generated include file at /usr/local/nginx/conf/jetpack_whitelist_ip.conf, which is added to fresh centmin.sh menu option 22 WordPress installs' xmlrpc.php location context.
    - For existing WordPress installs created via centmin.sh menu option 22, after running cmupdate to update your local Centmin Mod code you can either run centmin.sh once and exit or manually run the new tool at /usr/local/src/centminmod/tools/jetpackips.sh - either method will create the system cronjob (and back up system cronjobs to /etc/centminmod/cronjobs/before_jetpack_ip_whitelist_cronjoblist) and populate and create the include file at /usr/local/nginx/conf/jetpack_whitelist_ip.conf.
    - If you manually run /usr/local/src/centminmod/tools/jetpackips.sh, it will have instructions on adding the include file to your xmlrpc.php location context. Example below:

    Code (Text):
    /usr/local/src/centminmod/tools/jetpackips.sh
    
    populating include file /usr/local/nginx/conf/jetpack_whitelist_ip.conf with:
    
    # jetpack ip whitelist https://jetpack.com/support/hosting-faq/
    allow 122.248.245.244/32;
    allow 54.217.201.243/32;
    allow 54.232.116.4/32;
    allow 192.0.80.0/20;
    allow 192.0.96.0/20;
    allow 192.0.112.0/20;
    allow 195.234.108.0/22;
    deny all;
    
    update your wordpress site nginx vhost's xml-rpc.php location context with
    include file for /usr/local/nginx/conf/jetpack_whitelist_ip.conf
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://jetpack.com/support/hosting-faq/
        include /usr/local/nginx/conf/jetpack_whitelist_ip.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    if you need to disable deny all, comment out with hash #
    in front of include directive & restart nginx
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://jetpack.com/support/hosting-faq/
        #include /usr/local/nginx/conf/jetpack_whitelist_ip.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }

    contents of generated include file /usr/local/nginx/conf/jetpack_whitelist_ip.conf
    Code (Text):
    # jetpack ip whitelist https://jetpack.com/support/hosting-faq/
    allow 122.248.245.244/32;
    allow 54.217.201.243/32;
    allow 54.232.116.4/32;
    allow 192.0.80.0/20;
    allow 192.0.96.0/20;
    allow 192.0.112.0/20;
    allow 195.234.108.0/22;
    deny all;

    and created system cronjob
    Code (Text):
    crontab -l | grep -w jetpackips
    11 */12 * * * /usr/local/src/centminmod/tools/jetpackips.sh >/dev/null 2>&1
    



    123.09beta01 branch
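
One way to harden the cron-driven refresh described in this post, as an added example that is not the actual jetpackips.sh from Centmin Mod: each line of a downloaded list is validated as an IPv4 address or CIDR before it reaches the nginx include, and the existing include is kept when nothing valid is found. The function names, the header comment and the file arguments are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Centmin Mod's jetpackips.sh): turn a downloaded IPv4 list
# into an nginx allow/deny include without trusting the download blindly.

# Read addresses/CIDRs on stdin, print the include body on stdout.
# Returns 1 and prints nothing when no line validates, so a failed or
# tampered download never yields a bare "deny all;" or a broken config.
build_whitelist() {
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
  local line ip prefix o ok out="" count=0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"              # drop trailing comments
    line="${line//[[:space:]]/}"    # drop spaces, tabs and CRs
    [ -z "$line" ] && continue
    [[ "$line" =~ $re ]] || continue   # rejects HTML, ';', extra directives
    ip="${line%%/*}"
    prefix=32                          # bare address means a single host
    [[ "$line" == */* ]] && prefix="${line##*/}"
    [ "$((10#$prefix))" -le 32 ] || continue
    ok=1
    for o in ${ip//./ }; do
      [ "$((10#$o))" -le 255 ] || ok=0
    done
    [ "$ok" -eq 1 ] || continue
    out+="allow ${ip}/$((10#$prefix));"$'\n'
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || return 1
  printf '# jetpack ip whitelist (generated)\n%sdeny all;\n' "$out"
}

# Build from list file $1 and replace include file $2 only on success.
# The temp file lives next to the destination so mv is an atomic rename.
update_include() {
  local src="$1" dest="$2" tmp
  tmp="$(mktemp "${dest}.XXXXXX")" || return 1
  if build_whitelist < "$src" > "$tmp"; then
    mv -f "$tmp" "$dest"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage (paths are the caller's choice): script.sh ips-v4.txt include.conf
if [ "$#" -eq 2 ]; then
  update_include "$1" "$2"
fi
```

After the include changes, `nginx -t` should pass before nginx is reloaded.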